Hidden Services

  1. #1
    Sophie Pedophile Tech Support
    Hey guys, so i want to have my own personal paste site or gitlab on a hidden service. I have a VPS, but it's for other things. So i was thinking i just live boot into a hardened distro and host all my hidden service related stuff on an external encrypted HDD.

    Now, i've never really hosted a website, but i am reasonably comfortable with web development. And with the added security of using a live OS and an encrypted HDD as the place where my hidden service will live i think i could manage. I am not planning to host any CP or whatever, so i am not worried about the FBI. I just think it would be neat to have this type of infrastructure.

    Do you have any experience with something similar? And even if you don't i'd love to hear about how you would go about it, things i should be aware of, that sort of thing. If you could help me get a general sense before i commit that would be great, and also greatly appreciated.

    Thanks in advance.
  2. #2
    Octavian motherfucker
    What goodies would be on this site. Anything of interest to us all would most likely have to be illegal.
  3. #3
    Sophie Pedophile Tech Support
    Originally posted by Octavian: What goodies would be on this site. Anything of interest to us all would most likely have to be illegal.

    Mostly malicious code, prototypes for malware command and control systems. And other cool cyborg stuff.
  4. #4
    Nonce asking for help hiding CP alert

    Alert!

    Most of us wouldn't even think of "do we or do we not put CP on this"

    But a nonce does and will mention it to throw us off the track

    Doesn't work tho

    Im on to you, nonce
  5. #5
    POLECAT POLECAT is a motherfucking ferret [my presentably immunised ammonification]
    pc is less trouble than cp
  6. #6
    Star Trek VI: The Undiscovered Country Dark Matter [my scoffingly uncritical tinning]
    I have a Raspberry Pi 4 set up with Ubuntu server and an encrypted hard drive as a file store.

    The encryption is kinda pointless imo as the Raspberry Pi is a bigger attack surface than the hard drive, and I have auto mount on, but whatever.

    And before everyone goes "nonce" at me for using encryption, full disk encryption is the standard in companies like mine nowadays, and if you aren't using it you're either stupid or lazy.

    I can access it from anywhere using SSH/SFTP and my static IP address.

    I am trying to figure out how to put it online, to access it via web, but the options I have seen, like NextCloud, are kind of a pain in the ass.

    Also I can't figure out how to install Samba on it as the repos for Ubuntu Server for Arm are broken, or were last I checked.

    If getting an IP or dealing with NAT is a problem, I'd probably recommend ngrok or similar.
  7. #7
    Sophie Pedophile Tech Support
    Originally posted by MexicanMasterRace: Nonce asking for help hiding CP alert

    Alert!

    Most of us wouldn't even think of "do we or do we not put CP on this"

    But a nonce does and will mention it to throw us off the track

    Doesn't work tho

    Im on to you, nonce

    Can you fuck off? I'll ask Lanny to remove any further posts of you that aren't directly related to my original question.

    Originally posted by Star Trek VI: The Undiscovered Country: I have a Raspberry Pi 4 set up with Ubuntu server and an encrypted hard drive as a file store.

    The encryption is kinda pointless imo as the Raspberry Pi is a bigger attack surface than the hard drive, and I have auto mount on, but whatever.

    And before everyone goes "nonce" at me for using encryption, full disk encryption is the standard in companies like mine nowadays, and if you aren't using it you're either stupid or lazy.

    I can access it from anywhere using SSH/SFTP and my static IP address.

    I am trying to figure out how to put it online, to access it via web, but the options I have seen, like NextCloud, are kind of a pain in the ass.

    Also I can't figure out how to install Samba on it as the repos for Ubuntu Server for Arm are broken, or were last I checked.

    If getting an IP or dealing with NAT is a problem, I'd probably recommend ngrok or similar.

    How did you come to the conclusion that i'm not using full disk encryption from what i said in the OP? Because i am. If i wanted a clearnet website i would use Ngrok. The point of having an external HDD that is encrypted is so that any data i receive through the hidden service will be saved there. It would also have the files related to the website. All i'd have to do to shut it down would be to dismount my external HDD. Any trace that i had been hosting a deepweb site would be instantly inaccessible and safe.

    I have a box that will be hardened and would be dedicated to this, with full disk encryption and a filesystem on an encrypted external HDD.

    Also it sucks you can't figure out how Samba works, but posting about it doesn't help me either.
  8. #8
    Sophie Pedophile Tech Support
    The External HDD is also a must if i decide to go with a Live OS, BTW. Which i did mention in the OP.
  9. #9
    Misterigh Houston
    Originally posted by Star Trek VI: The Undiscovered Country: I have a Raspberry Pi 4 set up with Ubuntu server and an encrypted hard drive as a file store.

    The encryption is kinda pointless imo as the Raspberry Pi is a bigger attack surface than the hard drive, and I have auto mount on, but whatever.

    And before everyone goes "nonce" at me for using encryption, full disk encryption is the standard in companies like mine nowadays, and if you aren't using it you're either stupid or lazy.

    I can access it from anywhere using SSH/SFTP and my static IP address.

    I am trying to figure out how to put it online, to access it via web, but the options I have seen, like NextCloud, are kind of a pain in the ass.

    Also I can't figure out how to install Samba on it as the repos for Ubuntu Server for Arm are broken, or were last I checked.

    If getting an IP or dealing with NAT is a problem, I'd probably recommend ngrok or similar.

    This is how I had mine set up. You can use a flash drive on the rPI for the OS and storage as well.

    How much are you needing in storage?

    I know code does not take up much space.
  10. #10
    Sophie Pedophile Tech Support
    Originally posted by Misterigh: This is how I had mine set up. You can use a flash drive on the rPI for the OS and storage as well.

    How much are you needing in storage?

    I know code does not take up much space.

    That will depend on the success of my project. However i am expecting to receive small amounts of data as encrypted text files. 20 gigs should be well enough for the foreseeable future.

    Oh and i will have a couple binaries there as well, but that should be no issue.
  11. #11
    Lanny Bird of Courage
    I don't know anything in-depth about the security implications (e.g. is it a good idea to run as an exit node when hosting a hidden service? My guess is no but not really sure). For setup it looks like it's actually really simple, just add two lines to your torrc:


    HiddenServiceDir /var/lib/tor/hidden_service/
    HiddenServicePort 80 127.0.0.1:8080


    And run a webserver that binds to 8080. You could stand up nginx to serve some static files just as a test. The rest of it should be the same as standing up any other web service. I'm not sure how CORS rules work in onionland but people are probably running with JS off anyway so it probably doesn't matter.

    Originally posted by Star Trek VI: The Undiscovered Country: I have a Raspberry Pi 4 set up with Ubuntu server and an encrypted hard drive as a file store.

    The encryption is kinda pointless imo as the Raspberry Pi is a bigger attack surface than the hard drive, and I have auto mount on, but whatever.

    And before everyone goes "nonce" at me for using encryption, full disk encryption is the standard in companies like mine nowadays, and if you aren't using it you're either stupid or lazy.

    I can access it from anywhere using SSH/SFTP and my static IP address.

    I am trying to figure out how to put it online, to access it via web, but the options I have seen, like NextCloud, are kind of a pain in the ass.

    Also I can't figure out how to install Samba on it as the repos for Ubuntu Server for Arm are broken, or were last I checked.

    If getting an IP or dealing with NAT is a problem, I'd probably recommend ngrok or similar.

    If you can SSH in against a static IP you should be able to set up a webserver and have it just work, right?
  12. #12
    Lanny Bird of Courage
    P.S. technical forum, tropical thread, etc keep it on topic
  13. #13
    Sophie Pedophile Tech Support
    I am in physical possession of the box that will become the server, so accessing it shouldn't be a problem from my end, don't plan on using my rPi, i could even host it on my heavily customized Android if i wanted to. But for security reasons i won't. I'll have my static web resources in a directory i will serve through Tor, all i need is to be able to receive text files and host a few binaries and serve some pages with some type of submission form. I think i will run TAILs Live, since it's basically minimalist Debian with Tor stuff built in and ready to go and i'll have persistent storage of the things that require it on an encrypted external HDD. I've written a script that cycles through a few cracked APs every so often. Which might change the onion address on the ledger (Although i don't know that for sure) but only me and the Tor network need to know that short term. Although i have no clue how long the Tor equivalent of "DNS propagation" takes. It should be fine.

    Going to set up later tonight and run a couple of tests. After thinking about it for a bit, i think i can use Ngrok to tunnel through the Tor network also, i am going to test that as well. But i suspect it would be a security risk even if i tunnel into the network and the exit node is what Ngrok will see the data coming in and out of i'd still be dependent on their servers and the tunnel works both ways. It's better to have six hops than three as well which should be the case if i set up a hidden service. The hidden service will take three hops and any clients connecting will take three hops as well where they will meet in the middle.

    The more security the better, the point is that the server will be hard to find for anyone trying to mess with it. I am also thinking of adding a mechanism whereby, should i have bots/clients that need to establish a connection to my prototype C2, they must request a separate web resource with the appropriate credentials or identifiers, in order to get the onion address to deposit any data that i instruct them to send me.

    What i want is a hard to find and hard to disrupt C2 server that receives data securely, stores data securely and can be taken offline, in a secure manner at a moment's notice. I will expand upon this later by creating a gitlab type set up on a different server later, with more features. Ideally i'd have an overlord node, to which 5 master nodes report. With redundancies built in, so as not to have a single point of failure.
  14. #14
    Misterigh Houston
    What you are trying to do is extremely easy. I would suggest a rPi Zero and a USB flash drive to store your files on. Make a small server that hosts your webpage that has links to download your files. You will have to do your own security.
  15. #15
    gadzooks Dark Matter [keratinize my mild-tasting blossoming]
    Originally posted by Star Trek VI: The Undiscovered Country: I have a Raspberry Pi 4.

    We actually have RPi 4 now?

    Damn.
  16. #16
    gadzooks Dark Matter [keratinize my mild-tasting blossoming]
    Also, to remain somewhat on topic...

    I use AWS these days for just about anything.

    If it's straight up file storage, there's S3 (leagues cheaper than dropbox and so on).

    If you need to actually execute any logic, they got both EC2 and Lambda.

    Fuck, Amazon should just hire me as a shill, I'd do that shit.
  17. #17
    gadzooks Dark Matter [keratinize my mild-tasting blossoming]
    And they don't care what in particular you're doing, as long as you don't violate the TOS.
  18. #18
    Sophie Pedophile Tech Support
    Originally posted by Misterigh: What you are trying to do is extremely easy.

    Alright no need to flex on a nigga, i never hosted a hidden service, i figured i'd ask before i got to it.

    Originally posted by Misterigh: I would suggest a rPi Zero and a USB flash drive to store your files on.

    No i have multiple boxes here, why would i buy an rPi 4? I don't plan on hiding it in my wall or whatever.


    Originally posted by Misterigh: Make a small server that hosts your webpage that has links to download your files.

    Yes this is what i'm doing.

    Originally posted by Misterigh: You will have to do your own security.

    You don't say?

    Originally posted by gadzooks: Also, to remain somewhat on topic…

    I use AWS these days for just about anything.

    If it's straight up file storage, there's S3 (leagues cheaper than dropbox and so on).

    If you need to actually execute any logic, they got both EC2 and Lambda.

    Fuck, Amazon should just hire me as a shill, I'd do that shit.

    Yee. I come across malicious AWS all the time. But i don't think i will.
  19. #19
    Misterigh Houston
    I did not mean to sound like a dick.

    If you do not need to hide it inside an appliance and already have devices you can run it on then yes use those.

    You could just use an old phone as well.
  20. #20
    Sophie Pedophile Tech Support
    Originally posted by Misterigh: I did not mean to sound like a dick.

    If you do not need to hide it inside an appliance and already have devices you can run it on then yes use those.

    You could just use an old phone as well.

    That's alright, and yeah i got so many laptops laying around i might as well. Plus a couple of desktops. But those are kind of like my main two boxes. I run an Ubuntu derivative on one of them and Win10 on the other, the Win10 box i usually remote into to do .NET development, it also hosts some VMs for testing purposes and i am planning to put COMMANDO VM on it as well to do some deep dive stuff on the inner workings of the Windows system itself, it's oriented towards testing the internal environment, so it has a lot of utilities to really pull the OS apart. Hardly experienced with COMMANDO but it's one of my long term goals to use it to learn how to fuck with windows in a major way.

    I re-purpose my laptops all the time depending on what i am working on.

    Also, my old phone can't run certain kernels, which is why i'm worried that may pose a significant security risk, in the context of what we're discussing.

    So laptop it is.