Tor on Windows: installing the service, creating a hidden service, using it by browsers and for pentesting

11 May 2023 11 minutes Author: D2-R2

What you should know before using Tor

Tor Browser runs on the Tor network, which runs on Free and Open Source Software (FLOSS) and is designed to provide anonymity and circumvent censorship on the Internet. The Tor network consists of thousands of servers run by volunteers around the world, each server is a relay of the Tor network. Each time Tor Browser creates a new connection, it selects three of these Tor relays and connects to the Internet through them. It encrypts each part of this path in such a way that the relays themselves do not know the full path by which they send and receive data. When you use Tor Browser, your internet traffic will come from a different IP address, often even from another country. As a result, the Tor browser hides your IP address from the websites you access. Also hides your browsing history from third parties who may try to monitor your traffic.

The Tor network system ensures that no Tor relay will be able to determine either your location on the Internet or the websites you visit (although some of them will know some of both). Tor also takes steps to encrypt messages on the network. However, this protection does not apply to sites accessible through unencrypted channels (i.e. sites that do not support HTTPS). Because the Tor browser hides the connection between you and the websites you visit, you browse the web anonymously and are immune from online tracking. This is useful for bypassing network filters, you can access content (or publish content) on websites that would otherwise be inaccessible to you.

Where to get Tor for Windows

If you need the Tor browser, that is. if it is enough for you that you can have a different IP when surfing the Internet or want to visit a blocked site, you need Tor Browser, download it from the official website. It already has everything you need to visit sites anonymously and everything is already set up.

If you want to install Tor as a service on Windows, you need the Expert Bundle. It can be downloaded from the official website. Further we will talk only about the Expert Bundle. From the downloaded archive (in my case, the file is called, unpack the Tor folder to the root of the C drive.

Running Tor on Windows

Tor can be run once, or installed as an NT service that will start every time the computer boots. Consider a one-time launch. Open the Windows command prompt, press Win+x and select “Command Prompt (Administrator)”.

In the window that opens, enter

Wait for Tor to complete its business:

Tor is already working! But it will end if you close the window. For Tor to run permanently, it must be installed as a service.

Installing Tor as a Windows service

To install the service, just run the command:

You can install the service using various Tor command line options. We will need a configuration file, so create it in the directory C:Tor, this file should be named torrc:

You can check if the service is running with the settings file (does it contain errors) with the following command:

Now let’s install the Tor service that will read the settings from the file C:Tortorrc:

Remember that options can be specified after the -options flag, otherwise they will be ignored.

Use commands to start and stop the service:

To remove the service:

Please note that you must first stop the service and then delete it. By default, the Tor service listens on port 9050, so you can check if it is running with the command that shows if port 9050 is listening:

You can also use the following command:

Now that the Tor service is installed and running, a few recipes will be shown on how it can be used.

Using Tor to download files from blocked sites

Some sites with media content allow you to view it, but do not allow you to download files to your hard drive. An example of such a website is YouTube. YouTube (for now) is not blocked in Ukraine, but I think there are those of you who have to go to your favorite blocked site through the Tor browser, but from which you cannot download the video because the downloader does not use Tor and, of course, cannot access it.

I will show on the example of JDownloader (free, open source, supports a huge number of sites and file exchangers, cross-platform), but this instruction will work for any similar programs if they support SOCKS 5 or SOCKS 4. JDownloader site, direct download link . In JDownloader, go to Preferences, then the Connection Manager tab and click Add. Change the type to Socks5, enter localhost and 9050 in the Host/port field:

Click OK to save the settings and close the window. JDownloader rotates connections. Therefore, if you download from a blocked site, uncheck the No proxy connection:

Now you can not only browse, but also download from blocked sites again!

Setting up a hidden Windows service

The essence of the hidden service is that a web server is running on your computer (it can be a rented VPS or a home computer). Your computer must have access to the Tor network. Through this network, any address of your hidden service (a domain like *.onion) can access your site, which is served by your web server. You do not need to worry about purchasing a domain name (given for free), DNS, white IPs, etc. – Tor itself will take care of that. You only need two things to run a hidden service:

  • working web server
  • connection to the Tor network

If you are running Linux, you may want to read “Setting up a hidden Tor service in Arch Linux / BlackArch”. If you want to run the hidden service from Windows, then below is how to do it. By the way, you may be interested in the article “How to get a good domain name for a hidden Tor service”. We need to have a working web server. To configure it, refer to the instructions “Installing a web server (Apache 2.4, MySQL 5.7, PHP 7, phpMyAdmin) on Windows 10”.

Now that the web server has been installed and its performance has been checked, let’s start configuring the hidden Windows service. Your site for the hidden service should already work and be opened from the localhost. I will create a stub page to demonstrate the work. In the folder C:Serverdatahtdocs I create a new folder hidden, and in it the file index.htm with the following connector:

So, this file is available from the local server at http://localhost/hidden/:

Now open the Apache configuration file C:ServerbinApache24confhttpd.conf and add there:

Basically, you only need to edit the DocumentRoot line “C:/Server/data/htdocs/hidden/” – it shows the path to your website, which will be hidden by the Tor service.
Restart the Apache web server for the changes to take effect:

Now your site for the hidden service should be accessible from a local computer at http://localhost:9475

Let’s move on to setting up Tor. Open the file C: Tor/torrc and copy into it:

Notice how we wrote C:Torhidden_service – instead of we use /. Also be sure to use quotation marks.

Restart the Tor service:

The hidden_service folder and two files in it will be automatically generated. In the file C:Torhidden_servicehostname you will see the domain name for your hidden service:

In my case it is 77pam5zhvzu5jhst.onion, trying to open in Tor browser:

It may take a few minutes before the hidden service opens in the browser. If you generated your own hidden Tor service name, replace the contents of hostname and private_key and then restart the Tor service for the changes to take effect:

Using Tor by browsers on Windows

If you want to surf the Internet anonymously, it is recommended to use the Tor browser. It not only reroutes traffic through the Tor network, but also has a number of patches and settings that promote privacy. However, if you want to browse the Internet through the Tor network using Google Chrome, Firefox, Opera or Internet Explorer, it is also possible.

You must have the Tor service installed (or running as shown at the beginning of the article). Google Chrome, Opera and Internet Explorer browsers use the same settings. That is, the changes will apply to all three browsers at once. In any of them, go to the Proxy settings, the following window will open:

In the window that opens, click “Network settings”. In the new window that opens, check the box “Use proxy server for local connections…”:

If the “More” button becomes active, click it. In the Socks field, enter, and in the Port field, enter 9050:

Click OK in all windows to save the settings. You can check the current IP, for example, on the page

To change the settings in Firefox, go to Settings -> Additional -> Network -> Customize. In the window that opens, set the switch to Manual proxy server configuration. Enter in the SOCKS Node field and 9050 in the Port field. Set the SOCKS switch 5. Click OK to save the settings.

System-wide proxy settings in Windows

Windows has a WinHTTP proxy program. It allows you to set proxy parameters for the system as a whole. Logically, it is expected that all applications should use system-wide settings, but this is not the case. Windows uses WinHTTP for certain services, such as downloading Windows updates and performing checks for revoked certificates. Nevertheless, you may find an application for this.

With the help of the team:

You can import settings from Internet Explorer.

And with the following commands you can view/reset the use of system-wide settings:

Access to Tor from PHP program

If you have installed the Tor service and you have set up a web server to configure the hidden service, you can also retrieve data from the Tor network in your PHP program (using cURL). An example of working code:

How to prevent DNS leak in Windows

To connect to sites and hosts on the Internet, your computer constantly makes DNS queries. The essence of these requests is as follows:

In addition, these requests are transmitted in unencrypted form. If someone sniffs your traffic when you use the Tor network through a regular web browser, they can indirectly find out from DNS requests coming out of your computer which sites you visit. By the way, since these DNS queries and answers are not encrypted, an attacker can modify the answers that come to you. As a result, one of the variants of man-in-the-middle attacks may be performed, or you may be blocked from accessing certain sites. Also, knowing which DNS server you are using can suggest which country you are from and even which ISP you are using:

You can make settings so that DNS requests are sent through the Tor network. Thanks to this: these requests will be made for you from another computer, and also these requests will transmit part of the path (from your computer to the source node – Tor node) over an encrypted connection. Let’s start by checking which name server is used by default. To do this, run in the command line:

In the obtained conclusion, we need information about the DNS server, more precisely its address:

If you already have the Tor service running, stop it and remove it from autorun. To redirect DNS requests through Tor, open (or create if it is missing) the file C:Tortorrc and add a line to it:

Check if the service starts with the settings file (does not contain errors):

Now let’s install the Tor service that will read the settings from the file C:Tortorrc:

Go to the network adapter settings:

Find “Internet Protocol Version 4 (TCP/IPv4)”, check the box for the custom DNS server in the settings menu and enter the address

Save the settings. Again, we check which name server is used:

Now the information is specified as a name server:

Great, so our settings worked. The following services can be used to check anonymity settings, including DNS leaks:

By the way, please note that there is no DNS leak, the IP address is spoofed, but there is a fatal problem with anonymity: my real IP address is revealed via WebRTC:

And this is despite the fact that with the same settings shows:

Be very attentive to this! The local IP address is also leaked through WebRTC. What is peculiar is that if I switch to OpenVPN, now my real IP (which is Thai) is not revealed.

It is very difficult to overcome WebRTC (one of the drastic measures is to completely disable JavaScript) – that’s why when you really need a high degree of anonymity (and not just go to the site to bypass the blocking), it is recommended to use Tor Browser, which has additional plugins and settings for increasing anonymity

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.