Is it possible to find a Tor page based on the 512-bit hash?

Question

On the internet there is unsolved mystery called 3301/Cicada where decrypted text says:

"AN END. WITHIN THE DEEP WEB TH

ERE EXISTS A PAGE THAT HA

SHES TO:

36367763ab73783c7af284446c
59466b4cd653239a311cb7116
d4618dee09a8425893dc7500b
464fdaf1672d7bef5e891c6e227
4568926a49fb4f45132c2a8b4

IT IS THE DUTY OF EUERY PILGR

IM TO SEEK OUT THIS PAGE."

This potentially can be interpreted as the hash of an onion page.

Anyone of you know what this might refer to? Any way to find an onion/i2p address by hash rather than hashing the address and comparing it with the given hash?

Read more:

• CICADA 3301 2014 PUZZLE FACTS PART 9

Related:

• How do you get a specific .onion address for your hidden service?
• .onion at Wikipedia

Answer 1

First, you need to know what kind of hash it is.

Read more:

• How to determine what type of encoding/encryption has been used?
• What algorithm is used for 1024 bit hash which appears on 56th page of Cicada puzzle runes?
• How long to brute force a salted SHA-512 hash? (salt provided)

Assuming it's 512-bit SHA unsalted hash, then it'll be a bit tricky and it can take a lot of time, because it's not possible to decrypt the hashes - you've to crack them.

You may use dictionary attack or brutal force method to recover the original text from the Hash code.

Because the attack is very time consuming, you may consider to restrict as many possibilities you can by using dictionary attack.

By using a targeted technique (dictionary attack), you need to investigate or guess the expected output. Assuming it's in .onion format, you would expect the 16-character alpha-semi-numeric hash + a pseudo-top-level .onion domain. Read more: Where I can find, export or download the biggest list of all .onion addresses?.

Read the example:

• How to define 80-bit long variable in Python to generate random .onion addresses?

Further more you can restrict the list by creating list of every page that has been online (e.g. some search engines, etc.). E.g. Ahmia.fi is gathering .onion addresses using various methods by crawling the hidden services, downloading visited page data from the Tor2web nodes, and users can use an HTML form to add new addresses.

So you can create a kind of script that reads a list of .onions, saves those into the text file. Then write the script to use the dictionary attack to crack the hash.

To increase the time, you may consider to run the attach in parallel (e.g. ask your friends or use the cloud computing).

---

Example of random attack in shell using Python (change 1234 to your hash):

while true; do python -c "import random,base64,codecs; print base64.b32encode(codecs.decode(codecs.encode('{0:020x}'.format(random.getrandbits(80))),'hex_codec')).lower() + '.onion';" | sha512sum; done | grep 1234

More examples, see: How to define 80-bit long variable in Python to generate random .onion addresses?

Example of dictionary attack in bash:

time cat sites.txt | xargs -L1 -I% -P4 sh -c "printf % | sha512sum" | grep 123

Where sites.txt is your file containing list of all onion addresses.

Answer 2

I placed

36367763ab73783c7af284446c59466b4cd653239a311cb7116d4618dee09a8425893dc7500b464fdaf1672d7bef5e891c6e2274568926a49fb4f45132c2a8b4

into DDG and came across md5hashing.net.

Which when I decrypt the (whirlpool) hash I get a pastebin account with this downloadable file uRkNsGsa.htm.

The info from this file I can't get past the recapture on the md5hashing site but when I run the file normally, I get a site with a recapture that won't load so I am stuck.

Answer 3

So I cracked the hash in the seeker message here are two links one for the union site and the other to a cryptic video perhaps you will have more luck than I did - W dxwd42hgpd7qrccm.onion < onion site in reference in the Primus and the corestponding link the onion takes you to https://1711141131131.xyz/

Answer 4

The Onion address landing page produced from the hash [dxwd42hgpd7qrccm.onion] shows Lat/Long coordinates 51°29'56.4"N 0°09'41.0"W which resolves to the Ecuadorian Embassy in London where Julian Assange was held. The vault reference is likely to Wikileaks vault. Date is to left [4-7/19] is right around the time Wikileaks discovered the subterfuge.

The video at https://1711141131131.xyz/ needs to be downloaded and viewed frame by frame because there is a LOT of embedded/subliminal imagery there. Too much to describe here but is classic Cicada3301. The video "cicada_317.mp4" autoloads from index.html and can be saved from the console.