Information gathering with BlackWidow

Jan 10, 2020 by Thibault Debatty | 1227 views

Offensive Security

BlackWidow is a Python script that automatically crawls a website to gather information such as phone numbers, email addresses, form URLs, etc. Very useful during the reconnaissance phase!

The easiest way to use it is the available Docker image:

docker pull cylab/blackwidow:latest
docker run cylab/blackwidow

By default, the Docker image simply shows the help menu.

You can spider a full domain by passing it with the -d option:

docker run cylab/blackwidow -d

BlackWidow will display quite a lot of debug information, and at the end (or when you hit Ctrl + C) it will display the report containing the found URLs, email addresses, etc.

If you add the option -s y, BlackWidow will also test all dynamic pages against some OWASP vulnerabilities such as XSS, SQL injection, directory traversal, local file inclusion, etc.
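The kind of per-page extraction BlackWidow performs during a crawl, as an added Python example that is not the project's own code: it parses a constructed HTML page, resolves links and form targets against the page URL, separates in-scope links (same host as the -d domain) from external ones, and pulls email addresses and phone numbers with regular expressions. It uses only the standard library; the sample page, hostnames and addresses are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page standing in for a fetched HTML body (not real site content).
SAMPLE_HTML = """
<html><body>
<a href="/about">About</a>
<a href="mailto:security@example.com">Contact</a>
<a href="https://other.example.org/page">External</a>
<form action="/login" method="post"><input name="user"></form>
<form action="search.php?q=" method="get"><input name="q"></form>
<p>Call us at +32 2 123 45 67 or sales@example.com</p>
</body></html>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose international phone pattern: optional '+', then digits with separators.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


class ReconParser(HTMLParser):
    """Collects links, form targets and mailto: addresses, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links, self.forms, self.emails = set(), set(), set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            href = a["href"]
            if href.startswith("mailto:"):
                self.emails.add(href[len("mailto:"):])
            else:
                self.links.add(urljoin(self.base_url, href))
        elif tag == "form" and a.get("action"):
            self.forms.add(urljoin(self.base_url, a["action"]))


def extract_intel(html, base_url):
    """Return in-scope/external links, form URLs, emails and phone numbers found in one page."""
    p = ReconParser(base_url)
    p.feed(html)
    host = urlsplit(base_url).hostname
    in_scope = sorted(u for u in p.links if urlsplit(u).hostname == host)
    return {"in_scope": in_scope, "external": sorted(p.links - set(in_scope)),
            "forms": sorted(p.forms), "emails": sorted(p.emails | set(EMAIL_RE.findall(html))),
            "phones": sorted(m.strip() for m in PHONE_RE.findall(html))}
```

A real spider would feed each in-scope link back into extract_intel until the crawl depth is exhausted, which is what the -d option drives in BlackWidow.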
