Ichidan homepage

Two days ago, Bleeping Computer came across a new Dark Web portal that allows users to search Tor Onion sites in the same way users utilize Shodan to discover Internet-exposed services [1, 2].

Named Ichidan — the Japanese word for "first stage/step" — the service is located at ichidanv34wrx7m7.onion, and, in the long run, can prove a useful tool for anyone investigating Dark Web services.

Researcher: This search engine is gold

"This search engine is gold," said Victor Gevers, after Bleeping Computer asked the researcher for an opinion. "There is so much we didn't know about many .onion addresses. I am just amazed at things I see."

Using Ichidan, Gevers was able to identify security lapses with a Dark Web service in a matter of minutes.

The researchers pointed Bleeping Computer to an Onion site that was exposing a large number of ports.

Ichidan results on exposed service

This particular website had all sorts of services exposed to external connections, opening the underlying server to brute-force or dictionary (password guessing) attacks.

This Onion site, which hosted an email server, was exposing Telnet, SSH, and vsftpd services. In addition, one port/service stood out.

According to Gevers, the port was associated with the web server included with Fritzbox routers, meaning someone was either intentionally hosting the Tor website on the router's web server or had hijacked someone else's router to host the site. If you find it peculiar that someone can host a Tor service on a modem/router, it's not really that novel, as you can even host a Tor relay on a QNAP NAS.

Ichidan leading to Fritz!Box router

Under normal circumstances, Tor sites should not be exposing such wealth of information, as they could reveal the whereabouts and identity of the website's owner.

While this much data is good news when tracking down cyber-criminals and other crooks, this might not be good news if you're running a secret news portal in a country with an oppressive regime.

Details like the above aren't secret, and you don't need a service like Ichidan to discover such data. Nonetheless, having a web-accessible service to quickly run basic diagnostics of an Onion site is much easier than using cumbersome command-line pen-testing tools.

Confirmed: The Dark Web has shrunk

A side effect of our and Gevers' interest in Ichidan is that we managed to confirm research carried out last year. An OnionScan report stated that the Dark Web had shrunk by 85%, from around 30,000 websites down to only 4,400.

Running a "* " [asterisk + space] query in Ichidan returned 5,635 results, close to the number of the previous research. A search of a popular Onion Tor directory returned a similar number, of 6,109 entries.

Ichidan search results