Messing With Web Attackers With SpiderTrap (Cyber Deception)

Hello and welcome! My name is John Strand. In this video, we’re going to be talking about using SpiderTrap to entrap and ensnare any web application pentesters or hackers that are trying to come into your web applications.

Now, for this particular video, we’re going to be using the Active Defense Harbinger Distribution, or ADHD, which can be found at, go forward slash into projects and you’ll be able to download the same distribution that I’m using here. This is also the same distribution that we use in our Wild West Hackin’ Fest classes. You can look at that schedule at I also use it at Black Hat Training as well.

So let’s jump right in.

Now, as it is always with any of the different utilities that we use for ADHD, all of the instructions are on the desktop in a file called ADHD Usage. We’ll be using that file for everything. Now, once you’re in here, you’re going to be using the annoyance category. You’re going to be selecting SpiderTrap. Once you have selected SpiderTrap, it’s going to bring up a website that’s going to show you where you can actually download SpiderTrap, a generalized description, and usage information for SpiderTrap.

Now, I’m going to walk through these instructions very, very quickly to give you an idea of how this tool actually works. Now, the first thing that I’m going to do is I’m just going to start SpiderTrap with no options at all. Here, I’m just running Python to I hit enter and it’s listening. That’s it. It’s listening on port 8,000. Now, to see what it actually does, we’re going to open up a browser and let’s just surf to port 8,000 on my computer system. We go HTTP://, and we are going to go to port 8,000 on because there’s no place like home.

Now, once we have this, you’re going to see that as soon as we load SpiderTrap on port 8,000, it’s going to show us a series of random links. Now, those random links are somewhat important. The reason why those links are important is because if we click on any of those links, it’s going to bring us more random links and yet more random links and more random links and yet more random links.

Now, what exactly is this doing and why is this important?

When you’re looking at cyber attribution or you’re looking at cyber deception, one of the key components of what we can do is sort of fake the adversary or the hacker out.

Now, the reason why is if we’re looking at a basic algorithm of detection time plus reaction time must be less than the amount of time it takes for an attacker to break into your organization, we want to increase the amount of time it takes for the attacker to successfully identify any systems or vulnerabilities on those computer systems. By creating a bunch of different randomized links, we’re not stopping the attacker, but we are actually going through and increasing the work effort the attacker has to go through to identify the real web server pages on your web server.

What does this look like to an actual attacker or crawler? Here, I’m just going to use Wget. Now, Wget is a tool that if I use the -R, it recursively goes to a webpage and it’ll try to pull down and make a local copy of all the different HTML and JavaScript files that exist on that web server. As you can see, it just keeps going and going and going, still going, going, going, going. Then, I’m bored and I’m just going to hit control save.

Now, eventually, if an attacker was running an automated crawling tool, it would exhaust all of the memory or it would exhaust all of the disc space on the computer system.

Now, what I’m going to do is I’m going to throw in another option with SpiderTrap. SpiderTrap also has the ability to take in a dictionary file. Now, a dictionary file allows you to feed in a list of different directory names instead of it coming up with randomized directories. Now, if I run it with big.txt and ADHD, now we have real names, Cheryl, really, Nebraska, issue, SMS, Toyota, skins. If I click on any one of these, it brings up tomcat, send mail, ask, primerio, registered. We’ve got sparky, we’ve got cobra, we’ve got terrorism, we have poker, we have projects, whatever. This makes the fake web server look a little bit more realistic and, yes, it’ll still get caught in an automated crawling spider.

Now, is SpiderTrap something that you would want to do on an enterprise app? Not even close, not even close.

Is it great for articulating the different things you can do to mess with an attacker? Absolutely. It’s really, really good at that.

Also, you can use it tactically. If you think that you have an attacker that’s trying to break into your website, you can throw this up on robots.txt. You can put it in sitemap.xml. These are things that normal users would never come across, but their automated utilities would.

I hope you enjoyed this video and I’ll see you in the next video. As always, be sure to check out Wild West Hackin’ Fest, Black Hills Information Security, and Security Weekly every Wednesday with Matt Alderman, Paul Asadoorian, and myself where we talk vendors and what works and what doesn’t. Thank you so much and I’ll see you in the next video.

Want to level up your skills and learn more straight from John himself?
You can check out his classes below!

SOC Core Skills

Active Defense & Cyber Deception

Getting Started in Security with BHIS and MITRE ATT&CK

Introduction to Pentesting

Available live/virtual and on-demand