Publishing a website or files on the Deep Web using a Raspberry Pi anonymously (OnionShare).
1. Introduction and Objectives
Throughout the project, we will encounter challenges that we must mitigate to the best of our ability while upholding the principles of security and anonymity.
The main objective is to show readers how straightforward it is today for someone with basic systems knowledge to set up their own anonymous infrastructure for sharing information.
Additionally, we will outline the measures to be taken in order to detect the presence of potential “hidden” computing devices within our legitimate network that might be engaged in unauthorized activities without our consent.
2. Desirable Scenario and Required Materials
To carry out the publication of a website or other files on the Deep Web, it’s desirable to meet the following requirements:
- Have access to a public or compromised WiFi network to which you can connect the Raspberry Pi. (Defense: This highlights the importance of securing your WiFi network with the latest security updates).
- Find a discreet location to place the fully configured Raspberry Pi when it needs to connect to the WiFi network for website publication. If you plan to keep it connected permanently, it’s advised to choose a location where it can be plugged into a power source, avoiding the need for a Power Bank; otherwise you would have to return regularly to swap it, repeatedly exposing your position as Red Teamers. (Defense: This underscores the importance of implementing robust physical security policies that ensure secure and regulated access to enclosed spaces and the electrical network).
- Possess a Raspberry Pi with its own WiFi network card. Alternatively, you can add a USB WiFi network card, but this would increase the size of the final device, which is not advisable.
- Handle physical components with gloves to avoid leaving fingerprints. This prevents potential adversaries from having clues to start analyzing the device’s origin if it falls into the wrong hands. (Defense: This emphasizes the importance of using perimeter physical security devices like cameras to have evidence beyond the reach of third parties).
It’s worth noting that the most appropriate way to anonymously publish a website on the TOR network is by using TAILS. However, TAILS is not yet available for ARM architectures, which is what the Raspberry Pi uses. See https://tails.boum.org/support/faq/index.en.html
3. Features to Implement in the System
To set up the infrastructure for hosting the website, we’ll need to ensure the following functionalities are in place:
- Auto-Elimination of RAM: Automatically clear RAM memory every 5 minutes to minimize data traces.
- Traffic Routing through TOR: Route all system traffic through the TOR network for anonymity.
- Ping Blocking: Block ping requests to prevent network scanners from discovering the Raspberry on the local area network (LAN).
- Encrypted Partition: Use an AES-256 encrypted partition to store the material for publication. It’s preferable to use a TAILS-equipped USB drive, as it provides an encrypted partition accessible from any system.
- SSH Access with Different Port: Enable SSH access on a different port than the default one for added security.
- Auto Shutdown on Failed Login Attempt: Configure the system to shut down after a failed login attempt, so that RAM is cleared and the encrypted partitions are locked again.
- Reverse Connection to Dedicated Server: Establish a reverse connection to a dedicated server for remote SSH administration of the Raspberry. (Note: This may not be advisable as it could compromise anonymity.)
With the defined characteristics to be implemented in the Raspberry, let’s proceed with the setup.
4. System Setup
First and foremost, you should install an operating system that you are comfortable with and that provides a good level of security. In our case, we have chosen to install Kali Linux. We won’t detail the installation process as it’s not the objective of this article, and there is plenty of information on the internet about how to do it. We recommend proceeding with the following article:
It’s recommended to keep the installation as simple and lightweight as possible.
Once you have graphical or SSH access to the Raspberry Pi, proceed to connect it to a WiFi network (preferably not one that could compromise you) either through its built-in antenna or via an external USB antenna.
If you connect it to your own WiFi network for initial setup, remember to remove that network from the system once the initial operations are complete, and before deploying it on the network where the website will be published.
Before proceeding, it’s advised to change the SSH connection port to make it less easily discoverable through possible scans on the local area network (LAN).
To block “pings” in order to significantly hinder the discovery of the Raspberry Pi on the LAN, execute the following command:
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
To route all network traffic through the system, we proceed to install “Torghost.” You can refer to the following article:
To carry out the publication of the website on the TOR network, we install “onionshare.” This tool can be installed in various ways, but to install the command-line interface (CLI) part of the tool and manage it entirely from the command line without needing a graphical environment, it’s recommended to install it using the command:
To monitor failed login attempts and trigger a system shutdown for RAM elimination and encryption of partitions containing sensitive information, we install the File Integrity Monitor tool. This tool aims to check for new changes in the “/var/log/btmp” file, which records failed login attempts. Therefore, if something or someone tries to log in to the Raspberry Pi, this file will log it and consequently change its integrity hash. Once the integrity hash changes, we initiate the shutdown command.
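The article relies on the fact that “/var/log/btmp” records every failed login. The following script is an added example, not code from the article or from the File Integrity Monitor project: it parses btmp-format records directly (the 384-byte glibc struct utmp layout used on x86-64 Linux, which is an assumption about the platform; ARM builds can differ) and counts failed attempts per source host, which is what a defender wants from this file: early warning of a brute-force attempt against SSH. The sample records are constructed in the script so it runs offline; the function and field names are my own.

```python
import struct
from collections import Counter

# glibc's struct utmp on x86-64 Linux is 384 bytes, little-endian (assumption
# about the platform). Field order: ut_type, ut_pid, ut_line, ut_id, ut_user,
# ut_host, ut_exit (two shorts), ut_session, ut_tv (tv_sec, tv_usec as 32-bit
# ints), ut_addr_v6 (four ints), 20 bytes of padding.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
assert UTMP.size == 384
LOGIN_PROCESS = 6  # ut_type that sshd/login write for an attempt recorded in btmp


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded C string field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def make_btmp_record(user: str, host: str, ts: int, line: str = "ssh:notty",
                     ut_type: int = LOGIN_PROCESS) -> bytes:
    """Build one synthetic btmp record (constructed test data, not a real log)."""
    return UTMP.pack(ut_type, 4242, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def parse_btmp(data: bytes) -> list:
    """Return one dict per failed-login record found in btmp-format bytes.

    Records whose ut_type is not LOGIN_PROCESS are skipped, and a trailing
    partial record (truncated file) is ignored rather than mis-parsed.
    """
    records = []
    usable = len(data) - len(data) % UTMP.size
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, off)
        if f[0] != LOGIN_PROCESS:
            continue
        records.append({
            "time": f[9],           # tv_sec, seconds since the epoch
            "user": _cstr(f[4]),
            "line": _cstr(f[2]),
            "host": _cstr(f[5]),    # remote host/IP as recorded by sshd
        })
    return records


def flag_sources(records, threshold: int = 3) -> dict:
    """Count failed attempts per source host; keep hosts at or above threshold."""
    per_host = Counter(r["host"] for r in records)
    return {h: n for h, n in per_host.items() if n >= threshold}


# Constructed sample: three failures for root from one address (documentation
# range 203.0.113.0/24), one for admin from another, plus one non-login record
# that a robust parser must skip.
SAMPLE_BTMP = b"".join([
    make_btmp_record("root", "203.0.113.5", 1700000000),
    make_btmp_record("root", "203.0.113.5", 1700000004),
    make_btmp_record("admin", "198.51.100.7", 1700000010),
    make_btmp_record("root", "203.0.113.5", 1700000012),
    make_btmp_record("pi", "192.0.2.9", 1700000020, ut_type=7),  # USER_PROCESS, skipped
])

if __name__ == "__main__":
    # On a live host, read the real file instead (needs root):
    #   data = open("/var/log/btmp", "rb").read()
    recs = parse_btmp(SAMPLE_BTMP)
    for r in recs:
        print(r)
    print("sources over threshold:", flag_sources(recs))
```

Running the script over a real “/var/log/btmp” (root required) gives the same per-host counts that `lastb` shows, but in a form you can feed to an alert rather than to a shutdown.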
Regarding the storage of the files for the website to be published (or other types of material), it’s recommended to use an encrypted USB drive or hard drive, connected to the Raspberry Pi via USB. For this purpose, installing TAILS on a USB drive and using its encrypted partition is advisable.
To ensure that the system’s RAM is cleared and that the “/var/log/btmp” file is copied to the directory monitored by “File Integrity Monitor” for failed login attempts, you need to schedule the execution of a “.sh” bash script file in the Crontab to run every 5 minutes. Let’s name this file “commands.sh,” and its content will be as follows:
The first three lines are intended to clear the RAM and SWAP. The fourth line copies the “btmp” file to the directory monitored by “File Integrity Monitor” for changes in the integrity of “btmp,” the file where failed login attempts are recorded. If the “btmp” file changes its integrity hash, the “File Integrity Monitor” tool will shut down the Raspberry Pi, thus locking the encrypted drives and clearing the system’s RAM.
Note that you need to program a minimum amount of code for the “File Integrity Monitor” tool to execute the “poweroff” command when it detects a change in the integrity of the monitored file.
The fifth line regenerates the identity in the TOR network, providing a new IP address to the system in the TOR network.
To ensure that File Integrity Monitor properly shuts down the system when it detects a change in the integrity hash of the “btmp” file, you’ll need to make the following changes in the source code of the “driver.py” file:
In order for the “commands.sh” file to execute every five minutes in the system, you need to grant it execution permissions using the “chmod +x” command, and then write the following lines in the Crontab after executing “crontab -e”. The second line will handle the execution of the specified commands after the system restart.
*/5 * * * * /opt/commands.sh
@reboot service tor start && torghost -s && iptables -A INPUT -p icmp --icmp-type 8 -j DROP
To launch the website, which should be located on an encrypted USB drive, navigate to the directory where the website files you want to publish are located (“/media/Tails/Persistence/Web/”) using the terminal, and execute the following command:
onionshare-cli --persistent /root/anon-web.session --website --public .
After executing the above command, you will see how the website is published with an “onion” type link.
5. Discovering Hidden Devices on Our Network and Filtering Suspicious Connections
As we’ve seen in the previous paragraphs, the connected device has been hidden using the technique of “not responding to ping scans.” But how can we detect if such devices exist on our network?
Well, if we access the configuration of our router, we can observe all the connected devices, as they are identified by their physical addresses (MAC addresses).
This way, we can conduct passive scans on that IP address with the confidence that a device is present and attempting to hide.
To mitigate the risk of unauthorized devices being connected to our network, it’s advisable to set up a whitelist in the router for devices identified by their MAC addresses that are permitted to connect.
It is advisable to read the following article:
It’s important to note that while implementing MAC filtering as a whitelist is a significant step for network security, it’s not completely foolproof. A malicious actor could monitor devices connected to the WiFi network and intercept their MAC addresses, as illustrated below.
Subsequently, the criminal would only need to clone the MAC address of an authorized device on the WiFi network, enabling them to connect while impersonating the identity of the authorized device. This is why it’s crucial to ensure that the WiFi network is properly secured with a strong password and the latest security updates. Additionally, limiting physical access to the router is also advisable.
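Two of the checks from this section, finding a device that drops pings and spotting a possibly cloned MAC, can be done from any Linux host on the LAN without the router UI, because a device that drops ICMP echo still has to answer ARP and still shows up in the kernel neighbour table (`ip neigh show`) and in the router’s DHCP leases. The script below is an added example, not code from the article: it parses constructed `ip neigh` output, compares every MAC seen against the allowlist you maintain (assumed to live in a Python set here), and flags MACs bound to more than one IPv4 address, which is one indicator that two devices share the same MAC. The sample lines, MAC addresses and function names are my own.

```python
import ipaddress
import re
import subprocess
from collections import defaultdict

# One `ip neigh show` line: "<ip> dev <iface> lladdr <mac> [router] <STATE>".
# FAILED/INCOMPLETE entries carry no lladdr and are skipped by the regex.
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-f:]{17})\b", re.I)


def parse_ip_neigh(text: str) -> dict:
    """Map MAC address -> set of IP addresses seen in `ip neigh show` output."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(3).lower()].add(m.group(1))
    return table


def _is_ipv4(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).version == 4
    except ValueError:
        return False


def audit_neighbors(neigh_text: str, allowlist) -> dict:
    """Return unknown MACs and MACs with several IPv4 addresses.

    'unknown'  : MACs present on the wire but absent from the allowlist
                 (a ping-dropping device still appears here, since ARP works).
    'multi_ip' : MACs bound to more than one IPv4 address. A host with one
                 IPv4 and one IPv6 address is normal and is not flagged; two
                 IPv4 leases on one MAC is worth a look (possible MAC clone,
                 though a VM bridge or a secondary address can also cause it).
    """
    allow = {m.lower() for m in allowlist}
    table = parse_ip_neigh(neigh_text)
    unknown = {mac: sorted(ips) for mac, ips in table.items() if mac not in allow}
    multi_ip = {}
    for mac, ips in table.items():
        v4 = sorted(ip for ip in ips if _is_ipv4(ip))
        if len(v4) > 1:
            multi_ip[mac] = v4
    return {"unknown": unknown, "multi_ip": multi_ip}


# Constructed sample output and allowlist (not from a real network).
SAMPLE_NEIGH = """\
192.168.1.10 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.23 dev eth0 lladdr aa:bb:cc:dd:ee:02 STALE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:42 REACHABLE
192.168.1.91 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
fe80::1 dev eth0 lladdr aa:bb:cc:dd:ee:01 router REACHABLE
192.168.1.50 dev eth0  FAILED
"""
ALLOWLIST = {"AA:BB:CC:DD:EE:01", "aa:bb:cc:dd:ee:02"}


def live_neigh_text() -> str:
    """Fetch the real neighbour table; falls back to the sample if `ip` is absent."""
    try:
        return subprocess.run(["ip", "neigh", "show"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_NEIGH


if __name__ == "__main__":
    report = audit_neighbors(live_neigh_text(), ALLOWLIST)
    for mac, ips in report["unknown"].items():
        print(f"UNKNOWN  {mac}  {', '.join(ips)}")
    for mac, ips in report["multi_ip"].items():
        print(f"MULTI-IP {mac}  {', '.join(ips)}")
```

The neighbour table only lists hosts this machine has exchanged frames with recently, so for a full inventory compare the router’s DHCP lease list (or its own ARP table) against the same allowlist; the parsing logic is identical.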
In this article, we’ve briefly explored how to publish a website on the Deep Web using a Raspberry Pi, ensuring security and anonymity.
Through this, we’ve demonstrated how individuals with basic systems knowledge can establish their own secure and anonymous presence on the Deep Web, publishing information through the TOR network.
Given the above, it’s crucial for network administrators to regularly perform checks to ensure that all devices (routers, switches, etc.) are properly updated with the latest security patches, that access passwords maintain appropriate security standards, and that all connected devices are legitimate and properly identified. Among the recommended measures to implement are MAC filtering security policies whenever feasible for the business’s operations, as well as physical access security policies for network devices.
If you’re interested in acquiring introductory knowledge in ethical hacking, you can enroll in our basic ethical hacking course. Alternatively, if you’re looking for more advanced knowledge in offensive cybersecurity, you can explore our advanced course.