Start your Own Darknet Market: How to Create a .Onion Website on the Dark Web

code-for-onion-site

This part is all about: How to create a .onion website on the dark web

The article is a bit complex, you need to know some code and servers, or at least – to have the wheel to learn.

It is assumed that about 95% of www content is delivered over the dark web. Just 5% of the web is visible to us via Google and other search engines. The rest is hidden on the dark web where one can only access it using a special browser called Tor. In this tutorial I will teach you how to start a .onion website, a website only accessible on the Tor network.

Technically speaking creating a dark web site, or a .onion website, isn’t much different than creating a regular, open web website.

You can use any programming language or web framework to create it, however there are a few things to keep in mind. Dark web services never request for a visitor’s email address in order for him to create a member account. Upon registration, users select their desired password and are given a unique identifier in the form of a PIN code or a mnemonic to reset their password. Dark web sites will also never link to css or a javascript library, nor use javascript code as part of their website. Creating an .onion web site is therefore similar to creating regular web sites, except that some security and privacy issues need to be thought of when creating them.

To summarise, running a .onion site raises some unique challenges:

  • You need to make sure you pay for your site’s hosting anonymously, using a credit card or pay pal to pay for your hosting is out of the question!
  • Your site should avoid using Javascript, Flash or Java – therefore you should disable them on your .onion site.
  • You cannot afford any security holes on your server.
  • Your site might attract questionable user content that might go against certain legalities.
  • Your server should never send any emails. It is a common practice on .onion sites not to ask for one’s email.
  • Your site should only be served over https, never over http.

Sites on the Tor network use a .onion domain names .onion.

Unlike the regular, visible web domain name system, you don’t have to purchase or register a domain name to set up a dark web site. Anyone can create a .onion address. Basically each hidden service generates a public and private key pair in the process of setting up the service. The onion address is simply a hash of your service’s public key. Since only the administrator should have the private key, kept in private for himself, no other onion service can impersonate your hidden service. I will explain in details how this is done further down in this tutorial.

I recommend using Debian linux to host your onion site. From here under, I will assume a basic knowledge of linux OS.

What you will need:

code-runing-onion-website

  1. A dedicated web server hosting service paid in bitcoin. Up to 100 USD monthly costs.
  2. An anonymous VPN account to further mask your identity. 2-9 USD monthly costs.
  3. A uniform server package consisting of PHP, MySQL and Apache. Free!
  4. Tor browser bundle. Free!

Start with a fresh install on the web server. Make sure you never give personal information to the hosting company so you maintain your privacy 100%.

We will use nginx as the web server to serve the web site and configure it to only listen for tor connections.

[indicator label=”Starting the Proces” value=”10″]

Install the web server (nginx) for your .Onion Site

[code]
$ sudo apt-get install nginx
[/code]

By default nginx is broadcasting what version it is running. Let’s set server_tokens to off on /etc/nginx/nginx.conf:

[code]

http {

server_tokens off;


[/code]

On /etc/nginx/nginx.conf, make sure we also disable logging:

[code]
http {

##
# Logging Settings
##

#access_log /var/log/nginx/access.log;
#error_log /var/log/nginx/error.log;

error_log /dev/null crit;
[/code]

[indicator label=”You are getting close to your first .onion site” value=”35″]

Configure your server to listen on port 8080

Your web site files default location would be placed in /usr/share/nginx/www (Debian default), so this is the complete contents of your sites-available/default file:

[code]
server {
listen 127.0.0.1:8080 default_server;
server_name localhost;

root /usr/share/nginx/www;
index index.html index.htm;

location / {
allow 127.0.0.1;
deny all;

}
}
[/code]

[indicator label=”allmost there!” value=”55″]

Restart your web server

[code]

$ sudo service nginx restart

[/code]

Disable server logging:

[code]
$ sudo apt-get remove –purge rsyslog
[/code]

Disable any service on the server that might send out emails:

[code]
$ sudo apt-get remove –purge sendmail
$ sudo apt-get remove –purge exim
$ sudo apt-get remove –purge postfix
[/code]

Make sure you remove wget, so if your server is compromised, it can’t be used to identify your host through malicious scripts:
[code]
$ sudo apt-get remove wget
[/code]

In /etc/ssh/sshd_config file (If allowing ssh), make sure to disable the Debian banner which can be used to identify the Debian version from the public ip:
[code]
DebianBanner no
[/code]

[indicator label=”Just 2 more clicks and you there” value=”85″]

Install Tor on your web server

Head on to torproject.org docs to add the Debian repo so you can sudo apt-get install tor from the tor project repository.

[code]
sudo apt-get install tor
[/code]

Edit /etc/tor/torrc

[code]
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
[/code]

Restart the tor service

[code]
$ sudo service tor start
[/code]

Now, after Tor is started, it will create a private/public key pair in your HiddenServiceDir, from which your site’s unique .onion domain name will be created.

To view those key files, run:
[code]
cd /var/lib/tor/hidden_service/
[/code]

and…

[code]
ls
[/code]

if you would run the below command it would show you your site’s newly generated .onion domain name, e.g: ghyt14wfhbkk3gzv.onion:
[code]
cat hostname
[/code]

Now open your Tor browser, if you head on to ghyt14wfhbkk3gzv.onion you should see your nginx default site page:

[indicator label=”Boom! you manage your own .Onion site” bg=”#5bc668″ value=”100″]

A few things to keep in mind:

  • Once your site is built and running, check its html source code, make sure you don’t use any javascript files nor link to any google fonts or 3rd party css files that might reveal your server’s public IP address.
  • Make sure you install https and always serve your site over https.
  • Never share your site’s private key with anyone. If you do so someone else can impersonate your server. You must get a new domain name or .onion address.
  • Always keep your server software up to date
  • For extra security and your identity masking, always access the dark web over VPN. Pay for your VPN & Hosting service using bitcoin. As an extra precaution, use a Bitcoin Tumbler before transferring bitcoin to your bitcoin wallet to fund your dark web venture. Use that wallet for any payments related to this venture.

Good luck and stay anonymous even when talking to friends or family members. Remember, social hacking is a super useful hacking tool.

3 Comments on "Start your Own Darknet Market: How to Create a .Onion Website on the Dark Web"

  1. David Taylor | April 23, 2017 at 5:03 pm | Reply

    That was really helpful.Thank you for a most detailed description on how to start my own .onion website.You’ve been a great help.Thanx!

  2. can you help me to create one please email me

  3. “It is assumed that about 95% of www content is delivered over the dark web. Just 5% of the web is visible to us via Google and other search engines. The rest is hidden on the dark web”

    Bullshit. You are confusing “DeepWeb” (=content behind uncrawlable deeplinks or password protected) with “DarkWeb” (=onion). These have nothing to do with each other.

Leave a comment

Your email address will not be published.


*