Zed99_Blog

Crawlers can extract a diverse array of data, each serving a specific purpose in the reconnaissance process:

• Links (Internal and External): These are the fundamental building blocks of the web, connecting pages within a website (internal links) and to other websites (external links). Crawlers meticulously collect these links, allowing you to map out a website’s structure, discover hidden pages, and identify relationships with external resources.
• Comments: Comments sections on blogs, forums, or other interactive pages can be a goldmine of information. Users often inadvertently reveal sensitive details, internal processes, or hints of vulnerabilities in their comments.
• Metadata: Metadata refers to data about data. In the context of web pages, it includes information like page titles, descriptions, keywords, author names, and dates. This metadata can provide valuable context about a page’s content, purpose, and relevance to your reconnaissance goals.
• Sensitive Files: Web crawlers can be configured to actively search for sensitive files that might be inadvertently exposed on a website. This includes backup files (e.g., .bak, .old), configuration files (e.g., web.config, settings.php), log files (e.g., error_log, access_log), and other files containing passwords, API keys, or other confidential information. Carefully examining the extracted files, especially backup and configuration files, can reveal a trove of sensitive information, such as database credentials, encryption keys, or even source code snippets.

Robots.txt:

Take robots.txt as an example. Imagine you’re invited to a party at a luxurious mansion. You’re free to walk around many areas, such as the gardens, the main hall, the living room,… Nevertheless, some rooms are marked as private, and the owner would prefer that guests do not enter them. The robots.txt file works in a similar way. It provides instructions to web crawlers and search engines about which areas of a website they are allowed to access and which areas the site owner would prefer them not to crawl.

Technically, robots.txt is a simple text file placed in the root directory of a website (e.g., www.example.com/robots.txt). It adheres to the Robots Exclusion Standard, guidelines for how web crawlers should behave when visiting a website. This file contains instructions in the form of “directives” that tell bots which parts of the website they can and cannot crawl.

The directives in robots.txt typically target specific user-agents, which are identifiers for different types of bots. For example, a directive might look like this:

User-agent: *
Disallow: /critical/

This directive tells all user-agents (* is a wildcard) that they are not allowed to access any URLs that start with /critical/. Other directives can allow access to specific directories or files, set crawl delays to avoid overloading a server or provide links to sitemaps for efficient crawling.

robots.txt Structure:

The robots.txt file is a plain text document that lives in the root directory of a website. It follows a straightforward structure, with each set of instructions, or “record,” separated by a blank line. Each record consists of two main components:

• User-agent: This line specifies which crawler or bot the following rules apply to. A wildcard (*) indicates that the rules apply to all bots. Specific user agents can also be targeted, such as “Googlebot” (Google’s crawler) or “Bingbot” (Microsoft’s crawler).
• Directives: These lines provide specific instructions to the identified user-agent.

Common directives include:

• Disallow: Specifies paths or patterns that the bot should not crawl. For example, Disallow: /admin/ (disallow access to the admin directory)
• Allow: Explicitly permits the bot to crawl specific paths or patterns, even if they fall under a broader Disallow rule. For instance, Allow: /public/ (allow access to the public directory).
• Crawl-delay: Sets a delay (in seconds) between successive requests from the bot to avoid overloading the server. For example, Crawl-delay: 10 (10-second delay between requests).
• Sitemap: Provides the URL to an XML sitemap for more efficient crawling. 

While robots.txt is not strictly enforceable (a rogue bot could still ignore it), most legitimate web crawlers and search engine bots will respect its directives. This is important for several reasons:

• Avoiding Overburdening Servers: By limiting crawler access to certain areas, website owners can prevent excessive traffic that could slow down or even crash their servers.
• Protecting Sensitive Information: Robots.txt can shield private or confidential information from being indexed by search engines.
• Legal and Ethical Compliance: In some cases, ignoring robots.txt directives could be considered a violation of a website’s terms of service or even a legal issue, especially if it involves accessing copyrighted or private data.

robots.txt serves as a valuable source of intelligence. While respecting the directives outlined in this file, security professionals can glean crucial insights into the structure and potential vulnerabilities of a target website:

• Uncovering Hidden Directories: Disallowed paths in robots.txt often point to directories or files the website owner intentionally wants to keep out of reach from search engine crawlers. These hidden areas might house sensitive information, backup files, administrative panels, or other resources that could interest an attacker.
• Mapping Website Structure: By analyzing the allowed and disallowed paths, security professionals can create a rudimentary map of the website’s structure. This can reveal sections that are not linked from the main navigation, potentially leading to undiscovered pages or functionalities.
• Detecting Crawler Traps: Some websites intentionally include “honeypot” directories in robots.txt to lure malicious bots. Identifying such traps can provide insights into the target’s security awareness and defensive measures.

Well-Known URIs:

According to Wikipedia, “A well-known URI is a Uniform Resource Identifier for URL path prefixes that start with /.well-known/. They are implemented in webservers so that requests to the servers for well-known services or information are available at URLs consistent well-known locations across servers.”

The .well-known standard, defined in RFC 8615, serves as a standardized directory within a website’s root domain. This designated location, typically accessible via the /.well-known/ path on a web server, centralizes a website’s critical metadata, including configuration files and information related to its services, protocols, and security mechanisms.

The Internet Assigned Numbers Authority (IANA) maintains a registry of .well-known URIs, each serving a specific purpose defined by various specifications and standards.

In web recon, the .well-known URIs can be invaluable for discovering endpoints and configuration details that can be further tested during a penetration test. One particularly useful URI is openid-configuration.

The openid-configuration URI is part of the OpenID Connect Discovery protocol, an identity layer built on top of the OAuth 2.0 protocol. When a client application wants to use OpenID Connect for authentication, it can retrieve the OpenID Connect Provider’s configuration by accessing the https://example.com/.well-known/openid-configuration endpoint. This endpoint returns a JSON document containing metadata about the provider’s endpoints, supported authentication methods, token issuance, and more.

Web Crawler Tools:

Web crawling is vast and intricate, but you don’t have to embark on this journey alone. A plethora of web crawling tools are available to assist you, each with its own strengths and specialties. These tools automate the crawling process, making it faster and more efficient, allowing you to focus on analyzing the extracted data.

Some popular web crawling tools such as: Burp Suite Spider, OWASP ZAP, Scarpy, Apache Nutch,…

There are a few important considerations when performing web crawling or spidering. Regardless of which tool you choose, you should always obtain proper authorization before collecting data from a website, especially when the activity may involve accessing sensitive or private information.

Another important consideration is the target website’s resources and stability. Crawlers can generate a large number of requests in a short period of time, so care should be taken to avoid overwhelming the server or negatively impacting its availability. Proper rate limiting, scope restrictions, and responsible testing practices should always be followed to minimize disruption to the target environment.

Hands-on:

I’ll use the Hackthebox lab for the hands on section,

Before we begin, ensure you have Scrapy installed on your system. If you don’t, you can easily install it using pip, the Python package installer: pip3 install scrapy

First and foremost, download the custom scrapy spider, ReconSpider, and extract it to the current working directory: wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip

With the files extracted, you can run ReconSpider.py using the following command: python3 ReconSpider.py <target_domain>

After running ReconSpider.py, the data will be saved in a JSON file, results.json. This file can be explored using any text editor. Below is the structure of the JSON file produced, Each key in the JSON file represents a different type of data extracted from the target website: