[[TOR cheat sheet]]

### pre notes

- iaca-darkweb-tools.com
- inteltechniques.com/tools/search.html
- Onion Links - darkweblinks.com

# Tor Node Encryption Process (3-node circuit)

Tor uses layered encryption, like an onion.
Client encrypts data 3 times (Exit → Middle → Entry), so the Entry layer ends up outermost.
Each node peels off one layer:
- Entry Node: decrypts outer layer, forwards to Middle.
- Middle Node: decrypts second layer, forwards to Exit.
- Exit Node: decrypts last layer, sends to destination.

Response is encrypted at each hop in reverse and sent back to client.

# Node Knowledge and Routing (Daisy Chain Model)

Each node only knows:
- Its previous and next hop.
- Never sees the full circuit.
- Entry Node: knows client IP, not destination.
- Exit Node: knows destination, not client IP.
- Middle Node: only connects Entry ↔ Exit.

# If All 3 Nodes Are Compromised

Full deanonymization is possible:
- Client IP → Entry
- Destination + content (if HTTP) → Exit
- Path linking via Middle

Rare in practice; very hard to achieve.
HTTPS mitigates content inspection.

# Using Tor Browser for Normal Websites

- Still routes through Tor's 3-node system.
- Hides your IP from websites.
- Encrypts traffic between nodes.

### With HTTPS:
- Traffic content is encrypted end-to-end.
- Exit Node can't read the data.

### With HTTP:
- Exit Node can see and modify data.

# .onion Sites vs Normal Sites

### .onion sites:
- Don't use Exit Nodes.
- Provide end-to-end encryption inside Tor.
- Offer mutual anonymity (client and server).

### Normal sites:
- Still benefit from Tor's routing and anonymity.
- Use HTTPS for full protection.
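
The layered wrapping and per-node knowledge described above, modelled in Python as an added example (not part of the original notes). It is a simplified model: the pre-shared per-hop keys, the SHA-256 counter keystream standing in for Tor's AES-CTR, the next-hop field embedded in each layer, and all names and sample values are assumptions made for illustration.

```python
import hashlib, json, os

def keystream_xor(key, nonce, data):
    """Stand-in stream cipher (SHA-256 counter mode, no authentication); Tor uses AES-CTR."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(key, next_hop, payload):
    """Add one layer: encrypt {next hop, inner payload} under one node's key."""
    nonce = os.urandom(16)
    body = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
    return nonce + keystream_xor(key, nonce, body)

def peel(key, cell):
    """Remove one layer: the node learns its next hop and an inner blob."""
    layer = json.loads(keystream_xor(key, cell[:16], cell[16:]))
    return layer["next"], bytes.fromhex(layer["data"])

def build_onion(keys, path, destination, request):
    """Client: encrypt the Exit layer first, then Middle, then Entry (outermost)."""
    hops = path[1:] + [destination]      # next hop as seen by each node
    cell = request
    for key, nxt in reversed(list(zip(keys, hops))):
        cell = wrap(key, nxt, cell)
    return cell

def route(keys, path, cell, client):
    """Relays: each node peels one layer; record what that node observes."""
    seen, prev = [], client
    for name, key in zip(path, keys):
        nxt, cell = peel(key, cell)
        seen.append({"node": name, "prev": prev, "next": nxt, "inner": cell})
        prev = name
    return seen

# Constructed sample values, not taken from the page.
PATH = ["entry", "middle", "exit"]
KEYS = [os.urandom(32) for _ in PATH]    # assumption: per-hop keys already agreed
CLIENT, DEST = "198.51.100.7", "example.com:80"
REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"   # plain HTTP request
def demo():
    return route(KEYS, PATH, build_onion(KEYS, PATH, DEST, REQUEST), CLIENT)

if __name__ == "__main__":
    for v in demo():
        print(v["node"], "| prev:", v["prev"], "| next:", v["next"],
              "| reads request:", v["inner"] == REQUEST)
```

Only the Exit row can read the request, because it is plain HTTP here; with HTTPS that inner payload would itself be TLS ciphertext.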