
Cloaking Explained for Beginners

Discussion in 'Cloaking and Content Generators' started by itz_styx, Jul 19, 2017.

  1. itz_styx

    Cloaking is one of the oldest blackhat methods around. The idea is simple: show users an optimized landing page and give bots SEO optimized content stuffed with markov text, keywords etc. This can be achieved in multiple ways, but here are the most common methods:

    User Agent Cloaking:
    When visiting a website, every browser sends what is called a "user agent" string that shows what kind of browser a user is using, so websites can be optimized for this particular brand, as some need special handling. It's often just called UA, so next time you know what that is :)
    Anyways so for Firefox this looks something like this:
    Code:
    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    All browsers have a different one and so do bots, for example the user agent from googlebot looks like this:
    Code:
    Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
    Now with simple pattern matching cloaking scripts verify the user agent to determine which version of the website to show, the real one or the cloaked one. This works best with PHP or CGI as that code is executed first before the HTML is rendered, however this cloaking method can also be achieved with JavaScript.

    Referrer Cloaking:
    This method is similar to user agent cloaking, however this time we look at the "referer" string which is sent by the browser if you click a link. It holds the referring domain. By the way, the real writing is "referrer", however the browser sends "referer", that is because there was a typo in the original RFC (request for comments) document and so everybody used the wrong writing as it was defined like that in the protocol specification. If you don't know what that is, RFCs exist for any protocol that exists in the computing world and describe every function in detail, also the HTTP standard which all this stuff with "user agent" and "referer" is based on. So if you are ever curious about how things really work, look at the RFC! Anyways just as little background... back to referer cloaking: as I said, the referrer is sent by the browser once a user follows a link.

    To illustrate the point better i guess it would be a good idea to show you guys an actual header packet that is sent from the browser to the server in a so called GET request when requesting a website:

    Code:
    GET /url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved= HTTP/1.1
    Host: www.google.de
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: de,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    DNT: 1
    Referer: https://www.google.de
    Cookie: NID=73=CxfcRkEuVWqfY6ZPQ_xEsHiF0nCywwmFO7O0EZbHr8OScN-
    Connection: keep-alive
    
    So here the same pattern matching technique is applied, simply with the "referer" field. If the user is coming from google search, then redirect him, otherwise show the real site.

    IP Cloaking:
    Here we have a bit more advanced method, as it involves keeping track of known bot IPs and cloak them based on IP.
    There are existing bot lists with thousands of IP entries and there are also service providers offering updated IP lists via subscriptions,
    however there is a downside - 1 new bot IP and the whole setup is fucked and the bot won't be blocked. Don't get me wrong this method is still kinda reliable for a while with updated lists, but it's a constant hunt for the latest IPs.
    How this works is simple: a script checks every visitor IP against the bot list (which can also slow down page load) and decides if it's a bot or not.
    What makes this more difficult is not the code, but keeping up with the bot IPs. I wrote a cloaker called FinalCloak that solves this problem reliably, but it's still in private beta. More on it once it's ready for public release (It's been tested since 2014 and works well ever since). Anyways just as hint that even this problem can be dealt with..

    rDNS Checks
    This is more like an additional check to other cloaking methods. "rDNS" stands for "reverse DNS" and is simply the main hostname of an IP. Since you probably know an IP can host many virtual websites, but the IP always resolves to 1 hostname. So for google this is "googlebot.com" and it's a good idea to not only check the IP if it's googlebot, but also see if the rDNS entry matches. It's easy to spoof the "user agent", anybody can set it freely so you can write a script (or install a browser plugin) that advertises itself with the UA from googlebot and so circumvent the cloaking i.e. to spy on competitors. Likely manual reviewers from google might try that as well, however if there is an additional rDNS check they would still be cloaked properly, despite the google UA.

    0day Methods
    there are a few private techniques out there, but obviously i won't disclose them here in public. otherwise a lot of people would bitch at me hehe ;)

    Different Types of Cloaking:

    In addition to the main methods, there are also different types of cloaking that you might encounter like:

    - Mosaic Cloaking:
    Usually we cloak the full page, but mosaic cloaking is only cloaking parts of the website in an effort to be more stealth.
    Usually only specific parts like div's with extra content or "above the fold" ads that google doesn't like.

    - Link Cloaking:
    Cloaking of links only to avoid having too many (or at all) affiliate links on a website. So real users see the affiliate links, google doesn't.


    Ok that's it for now, hope this little introduction helps you to get started :)
     
    • Thanks Thanks x 20
  2. Nut-Nights

    Nice share, yeah you better not share everything you got.
     
    • Thanks Thanks x 2
  3. itz_styx

    hehe don't worry i'll keep my 0days ;)
     
  4. Lilgwanz

    who else still did not understand one thing:confused:
     
  5. Panther28

    great write-up, thanks for taking the time, didn't know about the referer misspelling, interesting fact.
     
  6. blackh4t

    This is you:
    [​IMG]
     
    • Thanks Thanks x 3
  7. Lilgwanz

    lol
     
    • Thanks Thanks x 1
  8. amsteve1

    Awesome write up -- appreciate it!
     
  9. bozzo

    i did understand the concept of cloaking but fail to understand the application of this, anyone care to explain this please
     
    • Thanks Thanks x 1
  10. whiteogreguy

    Say you have an affiliate deal to get leads. Say you run a facebook campaign to drive traffic to it. Facebook's TOS forbids such tactics thus you use cloaked links so when facebook's bots crawl your ad they see a regular site but when regular users click on it they get your desired landing page.
     
    • Thanks Thanks x 4
  11. itz_styx

    the most used form of cloaking is for SEO purposes. that way you can create sites optimized for search engine bots only, while redirecting real users to an affiliate lander.
    or like whiteogreguy already mentioned, you can get ads approved that would normally be against the ToS.
     
  12. mnunes532

    Awesome share :)
     
  13. Minnehaha

    Thanks for this, it's a really cool area of blackhat SEO.
    How can you see if a competitor is cloaking? Can I pretend to be a bot and see their cloaked stuff?
     
  14. Scraper9

  15. itz_styx

    there are different methods, if it's a shitty cloaker just fake the googlebot user agent. i won't give any details on how to properly detect it since i have no interest in noobs sniffing around. everybody skilled enough will find a way, others are shit out of luck ;)

    LOL, good one ..
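
For the question of how to tell whether a page is cloaked, an added example (not code from the thread) that checks for the header-based variants from the first post (user agent, referer and link cloaking): request the same URL under several request profiles, then compare the captured responses. The capture layout, profile names, the `aff.example` and `lander.example` hosts and the 0.5 threshold are assumptions, and the captures are constructed.

```python
import re
from html.parser import HTMLParser

class PageText(HTMLParser):
    """Collect visible words and link targets, ignoring script/style bodies."""
    def __init__(self):
        super().__init__()
        self.words, self.links, self.skip = [], set(), 0
    def handle_starttag(self, tag, attrs):
        self.skip += tag in ("script", "style")
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.add(href)
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip:
            self.words += re.findall(r"[a-z0-9]+", data.lower())

def fingerprint(html, k=3):
    """Return (set of k-word shingles, set of link targets) for one body."""
    page = PageText()
    page.feed(html)
    n = max(len(page.words) - k + 1, 1)
    return {tuple(page.words[i:i + k]) for i in range(n)}, page.links

def compare(base, other, threshold=0.5):
    """List how `other` diverges from the baseline capture."""
    if (base["status"], base["location"]) != (other["status"], other["location"]):
        return ["redirect-differs"]      # a redirect body is not comparable
    (sa, la), (sb, lb) = fingerprint(base["body"]), fingerprint(other["body"])
    findings = []
    if len(sa & sb) / len(sa | sb) < threshold:   # Jaccard similarity of shingles
        findings.append("text-differs")
    if la != lb:
        findings.append("links-differ")
    return findings

def audit(captures, baseline="plain_browser"):
    """Compare every non-baseline profile against the baseline capture."""
    return {name: compare(captures[baseline], c)
            for name, c in captures.items() if name != baseline}

# Constructed captures of one URL under three request profiles (not real traffic).
TEXT = "<h1>Best shoes</h1><p>Buy cheap running shoes today with free shipping</p>"
CAPTURES = {
    "plain_browser": {"status": 200, "location": None,
                      "body": TEXT + "<a href='https://aff.example/?id=1'>Order</a>"},
    "crawler_ua": {"status": 200, "location": None,
                   "body": TEXT + "<a href='/about'>About</a>"},
    "search_referer": {"status": 302, "location": "https://lander.example/", "body": ""},
}
```

Header profiles alone do not expose the IP-based cloaking described in the first post, because the deciding input there is the source address rather than anything in the request.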
     
  16. rafark

    Great post, I perfectly understand cloaking but what about ad-words cloaking?
     
  17. itz_styx

    what about it ?
     
  18. rafark

    Why do people do it? Cloaking in SEO is for getting better rankings, but why do they do it in Adwords?
     
  19. itz_styx

    for adsense people often do it to get a site approved that would otherwise not be accepted.
    in advertising people do it if they can't or don't want to meet the guidelines of the advertisers (they might want to promote something that is against the ToS of an advertiser).
    for example some don't allow adult, so by cloaking u show the network some innocent site and once the ad is active, you cloak the site to a different landing page.
     
  20. phatzilla

    And what if you get audited with a residential proxy service, like luminati for instance?