The Unofficial Web Hack FAQ - Section 06

by Simple Nomad [Published on 16 Oct. 2002 / Last Updated on 24 Jan. 2013]

WWW as an InfoWar Tool

06-1. What are some good search engines?
06-2. What "vulnerable" files can I find?
06-3. What are Internet vs. Intranet servers?
06-4. I want to hack a site. How can the web help me?
06-5. Where does the "social engineer" look on the web?

06-1. What are some good search engines?

The best search engine in my opinion is the AltaVista site, located at http://www.altavista.digital.com/. This site is mainly a promotional search engine to sell copies of the AltaVista search engine to Intranets. It is the most popular search site of hackers the world over. Others include search.com and Yahoo.


06-2. What "vulnerable" files can I find?

AltaVista got rid of these, but you USED to be able to search on keywords like "root:" and "0:0", allowing you to collect password files from misconfigured web servers. You can still do searches with keywords like this to turn up interesting info (on AltaVista, use the advanced option):

        url:etc AND link:passwd

        proprietary AND copyright AND confidential

Another couple of fun AltaVista searches are these:

        url:.htaccess

        url:.htpasswd

The first one will sometimes reveal interesting info, like the location of the password file, where the restricted directories are, etc. The second one is really fun, since often it will return a username and an encrypted password. Once the encrypted password is retrieved, it can be cracked using Crack or CrackerJack or any number of freely available cracking tools. And it is entirely possible that this encrypted password used to protect a section or page is the exact same password of a valid account on that server, either accessible via telnet or ftp.
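The defender's side of the same problem, as an added example that is not part of the original FAQ: a small Python scan over web server access logs (the log lines below are constructed samples in Apache common log format) that flags requests for the files named above and separates requests the server actually served (status 200, the file is exposed) from ones it refused or did not have (the server was only probed).

```python
import re

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2002:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 2326
203.0.113.5 - - [10/Oct/2002:13:55:40 +0000] "GET /private/.htpasswd HTTP/1.0" 200 87
203.0.113.7 - - [10/Oct/2002:13:56:01 +0000] "GET /.htaccess HTTP/1.0" 403 -
198.51.100.9 - - [10/Oct/2002:13:57:15 +0000] "GET /etc/passwd HTTP/1.0" 404 0
198.51.100.9 - - [10/Oct/2002:13:57:20 +0000] "GET /cgi-bin/view?f=../../etc/passwd HTTP/1.0" 200 512
"""

# Common log format: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# The files this section of the FAQ talks about: Apache .htaccess/.htpasswd
# anywhere in the tree, and any path (or query string) that names etc/passwd.
SENSITIVE_RE = re.compile(r'(/\.ht(access|passwd)$|etc/passwd)', re.IGNORECASE)


def classify(line):
    """Return an alert dict for a log line that touches a sensitive file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-CLF line; ignore
    path = m.group("path")
    if not SENSITIVE_RE.search(path):
        return None
    status = int(m.group("status"))
    # A 200 means the server handed the file out; anything else means the
    # request was refused (403), missing (404) or otherwise not served.
    severity = "EXPOSED" if status == 200 else "PROBED"
    return {"ip": m.group("ip"), "path": path, "status": status, "severity": severity}


def scan_log(text):
    """Scan a whole log and return the list of alerts, in log order."""
    return [a for a in (classify(l) for l in text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["severity"]:8} {alert["ip"]:15} {alert["status"]} {alert["path"]}')
```

An EXPOSED hit on .htpasswd is the case the paragraph above describes: the hashes are already in someone's hands, so the passwords behind them should be treated as compromised, not just the file access closed.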


06-3. What are Internet vs. Intranet servers?

An Internet server is a server specifically set up for access by users across the Internet. An Intranet server is a server set up by a company for access across the local network for its employees, but traditional Internet technology is used. Most typically an Intranet server is a Web server.

Obviously there are Web servers that are both -- typically these are found at universities. Sometimes an Intranet server is set up, but due to misconfiguration either at the firewall or by some other means, the server's documents can be accessed via the Internet. These are rare and hard to find, but they can be gold mines -- especially if the IS department has decided to place all of their procedures online. On an even rarer occasion one will be indexed by a spider, so that during a Lycos search you discover a page or two from this server.

This DOES happen. I have personally found over a dozen via AltaVista. Many companies are so eager to embrace new Internet technology that security is either an afterthought or they have no idea exactly how all of their new technology works. Couple one of these servers with tidbits from other sections of this FAQ and well, you get the idea...


06-4. I want to hack a site. How can the web help me?

This is the most important section to me. What is the most important thing you need to know when attacking a site? What's on the other side of the fence, that's what! And the Internet makes it all possible. We turn to our friend, AltaVista, and begin trawling...

If your target is The XYZ Company, then Web and USENET searches on "XYZ Company" can reveal much. Often a tech or sys admin is posting questions or answers regarding various technologies, so you can see what OSes are being used, what is being upgraded, whether certain security technology is being used, backup software and their schedules, types of equipment being used for remote access, and on and on.

Remember, most popular mailing lists, especially those with computer-related topics, are often archived and searchable on some web site. And these archive sites themselves are often indexed on a search engine site like AltaVista.

Other techniques include searching on just the domain name. For example if XYZ Company's domain is xyz.com, try searching for all of their Web pages by using url:xyz.com in AltaVista. Or just search on "xyz.com" on USENET posts in AltaVista -- every post from that domain is there since this information is included in the header, and every header gets indexed since the entire article is indexed.

Social engineers, listen up. The information in sig files attached to posts is often very revealing. Let's say a guy just posted to the Firewalls mailing list from The XYZ Company, your target. He states that they have Gauntlet for their firewall, but is concerned because too many people are attaching modems to internal equipment, and is asking about how other companies handle this. Hmm, look at that sig file. You have a name, a day phone, and a fax phone. Hmm, the day phone and fax phone have the same prefix. Guess what prefix you should point your wardialer at? And now you have a name and phone of a guy responsible for some level of security, a guy that MIGHT possibly call someone up and have them "type in your login one character at a time, yes, say each letter out loud, yes, that looks good on the sniffer, thank you for helping me solve this problem, okay now the password, each letter out loud..."


06-5. Where does the "social engineer" look on the web?

Simple. The social engineer has a bookmark for The Stalker's Home Page at http://pages.ripco.com:8080/~glr/stalk.html. My favorite item on there right now (as of 01-11-97) is the Yahoo reverse phone number lookup.

It seems that the search page at http://www.yahoo.com/search/people caused concern because of the reverse lookup -- that is, you could enter a phone number and search to see who belonged to it. Well, Yahoo discontinued it (see http://www.yahoo.com/docs/info/people_faq.html#numbers for the Yahoo blurb), but they did so by changing the search form. Just submit your own form with the right variables and it still works. You can access The Stalker's Home Page, or you can simply build a page yourself and include the following:

        <form method="post" action="http://email.yahoo.com/cgi-bin/Four11?YahooPhoneResults">
        Input Number (eg. 817-555-1212): <input type="text" name="p" size="13"><br>
        <input type="submit" value="Search" name="Enter">
        <input type="hidden" value="y" name="z">
        </form>

All Glen Roberts (the person who put out this page) has done is just collect all privacy-invading resources that are online, and then couple it with various privacy-related topics and links. But he has received a lot of grief because of it. Oh well, I keep a local copy in case his page ever disappears, because I will mirror every link the day that happens!

There are many other online searches and privacy-related links on this page. I have found it valuable in protecting my own privacy, as I know where information can be found on me and I have made adjustments.

But to get back to the question, this is THE PLACE for the social engineer.
