There are 2^80 possible onion domains and only ~10,000 are currently used. Simply brute-forcing the entire namespace isn't effective, especially because the verification step is a web service that has to try and fetch an onion service descriptor to see if it's online.<p>Also, onion domains are Base32-encoded, which means that they aren't case sensitive and they don't use the digits 0, 1, 8, and 9.
Scallion (<a href="https://github.com/lachesis/scallion" rel="nofollow">https://github.com/lachesis/scallion</a>) works really good for this. It uses OpenCL to leverage your GPU's to make cracking really fast.
Better to run an HSDir! <a href="http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf" rel="nofollow">http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf</a>