Hiding in Plain Sight

When you’re scanning websites, you want to be invisible. Not by being completely undetectable – that’s nearly impossible – but by looking like ordinary internet noise. It’s like walking down a busy street: you don’t want to wear a disguise that makes you stand out. You want to blend in with the crowd.

I recently had a student ask an interesting question about web reconnaissance tools like Eyewitness and GoWitness. These tools are useful for gathering information, but they have an obvious problem: they generate hundreds or potentially even thousands of requests in a short time. To a website administrator looking at their logs, this looks like someone mapping out their site systematically, which is exactly what you’re doing.

The natural instinct is to try to hide these requests behind proxies and VPNs. This helps, but it’s like wearing a mask while robbing a bank – it hides who you are, but it doesn’t hide that someone is robbing the bank. The requests still look suspicious, they just come from a different IP address.

There’s a better way. Instead of trying to hide the requests, you can make them look like they’re coming from something that’s supposed to be making lots of requests. The internet is constantly being scanned by services like Shodan and Censys, which index everything they can find. Website administrators are used to seeing these scans. They’re background noise.

The key is to make your requests look like they’re coming from these services. The main way to do this is by changing your user agent string – the piece of text that tells websites what kind of program is making the request. When you visit a website with Chrome, your user agent string tells the site, “I’m Chrome version X running on operating system Y.” But you can make it say whatever you want.

If you change your user agent string to match Shodan’s or Censys’s, your requests will look like they’re just part of the internet’s background radiation. The administrator will still see the requests, but they’ll look like routine automated scanning rather than targeted reconnaissance.

This is where proxies and VPNs still matter. Not only to hide your identity, but to make your behavior match your disguise. If you’re pretending to be Shodan, your requests should come from IP addresses that Shodan might actually use, not a residential IP address.
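The flip side of this point is the check a defender can run: a User-Agent is a free-text claim, but the source address is not, so a request that claims to be a known scanner yet arrives from an address outside that scanner’s published ranges is exactly the kind of mismatch worth a second look. The script below is an added example, not part of the original post or of any scanner’s tooling; it parses combined-format access log lines, flags sources whose claimed scanner identity and source IP disagree, and counts distinct paths per source as the “systematic mapping” signal. The address ranges, UA markers and log lines are constructed placeholders (TEST-NET blocks), not the scanners’ real ranges or strings; substitute the ranges and UA formats each scanner documents.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed placeholder ranges (TEST-NET blocks), NOT the scanners' real
# address space: substitute the ranges each scanner publishes for its crawlers.
SCANNER_RANGES = {
    "shodan": [ipaddress.ip_network("198.51.100.0/24")],
    "censys": [ipaddress.ip_network("203.0.113.0/24")],
}

# Assumed markers for deciding which scanner a User-Agent claims to be; each
# scanner documents its actual UA strings, which should be used instead.
SCANNER_UA_MARKERS = {
    "shodan": re.compile(r"shodan", re.IGNORECASE),
    "censys": re.compile(r"censys", re.IGNORECASE),
}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def claimed_scanner(user_agent):
    """Name of the scanner the User-Agent claims to be, or None."""
    for name, marker in SCANNER_UA_MARKERS.items():
        if marker.search(user_agent):
            return name
    return None


def classify(entry):
    """'legit_scanner' if the claimed scanner and the source IP agree,
    'impersonated_scanner' if the UA claims a scanner but the IP is outside
    that scanner's ranges, otherwise 'other'."""
    name = claimed_scanner(entry["ua"])
    if name is None:
        return "other"
    try:
        addr = ipaddress.ip_address(entry["ip"])
    except ValueError:
        return "impersonated_scanner"  # unparsable source: treat as a mismatch
    if any(addr in net for net in SCANNER_RANGES[name]):
        return "legit_scanner"
    return "impersonated_scanner"


def find_impersonators(lines):
    """{source_ip: request_count} for sources that claim a scanner UA
    from outside that scanner's address ranges."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and classify(entry) == "impersonated_scanner":
            hits[entry["ip"]] += 1
    return dict(hits)


def distinct_paths(lines):
    """{source_ip: number of distinct paths requested}; many distinct paths
    from one source in a short window is the mapping behaviour the post describes."""
    seen = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry:
            seen[entry["ip"]].add(entry["path"])
    return {ip: len(paths) for ip, paths in seen.items()}


# Constructed sample log lines (TEST-NET addresses, placeholder User-Agents).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (placeholder; Shodan)"',
    '192.0.2.55 - - [10/Oct/2024:13:55:40 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (placeholder; Shodan)"',
    '192.0.2.55 - - [10/Oct/2024:13:55:41 +0000] "GET /admin HTTP/1.1" 404 512 "-" "Mozilla/5.0 (placeholder; Shodan)"',
    '192.0.2.55 - - [10/Oct/2024:13:55:41 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (placeholder; Shodan)"',
    '203.0.113.20 - - [10/Oct/2024:13:56:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (placeholder; Censys)"',
    '192.0.2.9 - - [10/Oct/2024:13:56:10 +0000] "GET /about HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
    "not a log line",
]

if __name__ == "__main__":
    print("claimed-scanner / source-IP mismatches:", find_impersonators(SAMPLE_LOG))
    print("distinct paths per source:", distinct_paths(SAMPLE_LOG))
```

On the constructed sample, 192.0.2.55 is reported as a mismatch with three requests to three distinct paths, while the requests from inside the placeholder ranges are accepted as the scanners they claim to be. The two signals are deliberately kept separate: a mismatch alone is a cheap, high-precision indicator, and the distinct-path count is what separates a systematic crawl from a stray request.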

The best disguises aren’t perfect – they don’t need to be. They just need to be good enough that investigating them isn’t worth the effort. Website administrators see countless scans from Shodan and similar services. Unless you give them a reason to look closer, they’re unlikely to investigate yet another one.

This principle extends beyond web reconnaissance. Whenever you’re trying to hide something on the internet, consider whether invisibility is really what you want. Often, being unremarkably visible is more effective than trying to be invisible.

The student who asked about this was thinking about the problem the wrong way. The goal isn’t to prevent your requests from being seen. The goal is to prevent them from being interesting when they are seen. On the internet, like in nature, the best camouflage often isn’t hiding – it’s hiding in plain sight.

Remember: The more you try to be invisible, the more visible your attempts to hide become. But if you can make your behavior look like something common and expected, you become effectively invisible without actually hiding at all. It’s counterintuitive, but sometimes, the best way to avoid attention is to be visible in exactly the right way.

Tomorrow, we’ll look at settings we can utilize in GoWitness to help us achieve these results.