Site Metadata Transforms

Extract and search by HTTP-level metadata from hidden servers, including page titles, detected technologies, and doppelganger fingerprints for identifying cloned or related sites.

Overview

Site metadata transforms query the HTTP response data collected from hidden servers. This includes:

  • Page Titles - HTML titles from all pages crawled on a site
  • Technology - Server software, frameworks, and libraries detected
  • Doppelganger Fingerprints - Content-based hashes that identify sites with identical or near-identical page structures

These transforms help analysts quickly understand what a site is, what it’s built with, and whether other sites share the same content.


FetchTitles

Transform Name: FetchTitles

Description

Extracts all page titles found across the crawled pages of a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • maltego.Phrase - Page titles

Use Cases

  • Quickly identify what a site is about without visiting it
  • Discover sub-sections or hidden pages on a site
  • Identify sites that have changed purpose over time (multiple different titles)
  • Find descriptive keywords for further investigation

Investigation Tips

  • Sites often have different titles on different pages (e.g., homepage vs. login vs. feedback)
  • Titles can reveal the site’s purpose, language, and target audience
  • Comparing titles over time can show site evolution or takeover
  • Generic titles (e.g., “Home”) are less useful than descriptive ones

FetchTechnology

Transform Name: FetchTechnology

Description

Extracts all detected web technologies from a specified onion site, including server software, frameworks, CMS platforms, and libraries.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • maltego.BuiltWithTechnology - Detected technologies

Use Cases

  • Identify the technology stack used by a hidden server
  • Find sites using the same framework or CMS (potential shared operator)
  • Assess the technical sophistication of a site operator
  • Identify vulnerable technologies for threat assessment

Investigation Tips

  • Sites using the same uncommon technology stack may be related
  • Outdated technologies can indicate abandoned or neglected sites
  • Custom or unusual stacks can be strong fingerprinting signals
  • Technology detection is based on HTTP headers, response content, and known signatures

FetchDoppelganger

Transform Name: FetchDoppelganger

Description

Extracts the doppelganger title fingerprint from a specified onion site. The doppelganger fingerprint is a SHA-256 hash of the site’s title content, used to identify sites with identical page structures.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.doppelganger - Doppelganger title fingerprint (SHA-256 hash)

What is a Doppelganger Fingerprint?

The doppelganger system generates content-based hashes from a site’s title. Sites that produce the same hash have identical title content, which can indicate:

  • Cloned or copied sites
  • Mirror sites operated by the same entity
  • Sites built from the same template
  • Scam sites impersonating legitimate services

Use Cases

  • Detect cloned or copycat sites
  • Identify official mirror domains
  • Find sites using the same template or framework
  • Track site migrations to new onion addresses
  • Detect phishing/impersonation attempts

Investigation Tips

  • A matching doppelganger hash is a strong indicator of related sites, but should be confirmed with other transforms
  • Template-based matches (many sites with same hash) indicate shared templates rather than direct relationships
  • Combine with FetchSHV for stronger infrastructure correlation

SearchByDoppelganger

Transform Name: SearchByDoppelganger

Description

Finds all onion sites that share the same doppelganger title fingerprint. This reveals sites with identical page content structure.

Input Entity

  • hades.v2.doppelganger - A doppelganger title fingerprint

Output Entities

  • hades.v2.onion - Onion site addresses

Use Cases

  • Find all clones or mirrors of a specific site
  • Identify networks of sites built from the same template
  • Discover scam sites impersonating a legitimate marketplace
  • Track an operator’s portfolio of identical sites
  • Monitor for unauthorized copies of a site

What Shared Doppelganger Hashes Mean

Strong Indicators:

  • 2-5 sites with the same hash - Likely mirrors, clones, or closely related operations
  • Same hash + same SHV - Very high confidence of the same operator or template
  • Same hash + same crypto wallets - Confirmed same operator

Moderate Indicators:

  • Many sites (10+) with the same hash - Likely a popular template or a framework default page
  • Same hash but different page content - Template match (the hash covers only title content) or a hash collision (rare)

Investigation Required:

  • Cross-reference with infrastructure transforms (SHV, SSH)
  • Check cryptocurrency addresses for financial links
  • Review communication channels for operator overlap
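The following is an added illustration, not Hades code, of how a title-based doppelganger fingerprint (described under FetchDoppelganger) and the cluster-size heuristics listed above fit together. The normalisation (trim, case-fold, dedupe, sort, then SHA-256), the crawl data and the onion addresses are all constructed assumptions; the real product's normalisation is not documented on this page.

```python
import hashlib
from collections import defaultdict

# Constructed crawl data (placeholder onion addresses, not real services):
# onion address -> page titles collected from its crawled pages.
CRAWL = {
    "market-aaaa.onion": ["Automated PayPal and Credit Card Market", "Login", "Feedback"],
    "market-bbbb.onion": ["Feedback", "Login", "Automated PayPal and Credit Card Market"],
    "market-cccc.onion": ["Automated PayPal and Credit Card Market", "Login ", "Feedback"],
    "forum-dddd.onion": ["Community Forum", "Register"],
}
# Ten unrelated constructed sites whose only title is a framework default page.
CRAWL.update({f"tmpl-{i:02d}.onion": ["Home"] for i in range(10)})

def doppelganger_fingerprint(titles):
    """Assumed normalisation: trim, case-fold, dedupe and sort the titles so crawl
    order and stray whitespace do not change the hash, then SHA-256 the join."""
    canon = sorted({t.strip().casefold() for t in titles if t.strip()})
    return hashlib.sha256("\n".join(canon).encode("utf-8")).hexdigest()

def fetch_doppelganger(onion, crawl=CRAWL):
    """Analogue of FetchDoppelganger: onion address -> fingerprint hex digest."""
    return doppelganger_fingerprint(crawl[onion])

def search_by_doppelganger(fingerprint, crawl=CRAWL):
    """Analogue of SearchByDoppelganger: fingerprint -> sorted list of onion addresses."""
    return sorted(o for o, t in crawl.items() if doppelganger_fingerprint(t) == fingerprint)

def classify_cluster(size):
    """Apply the page's rule of thumb to a cluster of sites sharing one hash.
    The page gives no rule for 6-9 sites, so those are sent for cross-referencing."""
    if size == 1:
        return "unique"
    if size <= 5:
        return "strong: likely mirrors or clones; confirm with SHV and wallet transforms"
    if size >= 10:
        return "moderate: likely shared template or framework default page"
    return "investigate: cross-reference SHV, SSH and cryptocurrency transforms"

def cluster_report(crawl=CRAWL):
    """Group every crawled site by fingerprint and label each cluster."""
    groups = defaultdict(list)
    for onion, titles in crawl.items():
        groups[doppelganger_fingerprint(titles)].append(onion)
    return {fp: (classify_cluster(len(s)), sorted(s)) for fp, s in groups.items()}
```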

Investigation Workflow Examples

Site Identification and Profiling

  1. Quick site assessment

    • Input: targetsite123abc.onion
    • Run: FetchTitles
    • Result: Page titles reveal site purpose (e.g., “Automated PayPal and Credit Card Market”)
  2. Technology profiling

    • Run: FetchTechnology
    • Result: Technology stack (e.g., nginx, PHP, WordPress)
    • Assess operator sophistication and potential vulnerabilities
  3. Clone detection

    • Run: FetchDoppelganger
    • Result: Doppelganger fingerprint hash
    • Run: SearchByDoppelganger on the hash
    • Result: All sites with identical content structure

Clone and Mirror Network Discovery

  1. Get doppelganger fingerprint

    • Input: Known marketplace or service
    • Run: FetchDoppelganger
    • Result: Content fingerprint hash
  2. Find all matching sites

    • Input: Doppelganger hash
    • Run: SearchByDoppelganger
    • Result: All sites with identical title content
  3. Classify the matches

    • Official mirrors - Same operator, same crypto wallets, same contacts
    • Scam clones - Different wallets, attempting to steal funds
    • Template matches - Unrelated sites using same framework
  4. Verify with other transforms

    • Run FetchBitcoinAddresses on each match
    • Run FetchSSHFingerprints to check infrastructure
    • Run FetchSHV for JavaScript fingerprint comparison

Technology-Based Correlation

  1. Identify unusual technology

    • Run: FetchTechnology on target site
    • Note any uncommon frameworks or configurations
  2. Cross-reference

    • Sites using the same uncommon technology stack may share:
      • Same developer or operator
      • Same hosting provider
      • Same site template or builder tool
  3. Combine with doppelganger

    • Same technology + same doppelganger = strong relationship
    • Same technology + different doppelganger = possible shared developer
    • Different technology + same doppelganger = unlikely (investigate further)