---------------------------------------------------------------------------

Section 06

WWW as an InfoWar Tool

---------------------------------------------------------------------------

06-1. What are some good search engines?

The best search engine in my opinion is the AltaVista site, located at
http://www.altavista.digital.com. This site is mainly a promotional search
engine to sell copies of the AltaVista search engine to Intranets. It is
the most popular search site of hackers the world over. Others include
search.com and Yahoo.



---------------------------------------------------------------------------

06-2. What "vulnerable" files can I find?

AltaVista got rid of these, but you USED to be able to search on keywords
like "root:" and "0:0", allowing you to collect password files from
misconfigured web servers. You can still do searches with keywords like
this to turn up interesting info (on AltaVista, use the advanced option) -

        url:etc AND link:passwd

        proprietary AND copyright AND confidential

Another couple of fun AltaVista searches are these:

        url:.htaccess

        url:.htpasswd

The first one will sometimes reveal interesting info, like the location of
the password file, where the restricted directories are, etc. The second
one is really fun, since often it will return a username and an encrypted
password. Once the encrypted password is retrieved, it can be cracked
using Crack or CrackerJack or any number of freely available cracking
tools. And it is entirely possible that this encrypted password used to
protect a section or page is the exact same password of a valid account on
that server, either accessible via telnet or ftp.
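
From the admin's side, the two things worth checking in an exposed .htpasswd
are whether its hashes are in a format those cracking tools chew through, and
whether any web user is also a system account (the password-reuse case above).
The script below is an added example and is not from the FAQ: it parses an
htpasswd file, names the hash scheme of each entry, and flags entries whose
username also appears in /etc/passwd. The file contents, usernames and hashes
are constructed for the example and are not real credentials.

```python
"""Audit a .htpasswd file for crackable hash schemes and for usernames shared
with system accounts.  Added example, not from the original FAQ: the file
contents below are constructed and the hashes are illustrative, not real
credentials."""
import re
from typing import Dict, List, Set, Tuple

# Constructed .htpasswd contents (one user:hash per line)
SAMPLE_HTPASSWD = """\
webadmin:abJnggxhB/yWI
jdoe:$apr1$saltsalt$aBcDeFgHiJkLmNoPqRsTu/
report:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
intern:$2y$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
legacy:letmein
"""

# Constructed /etc/passwd excerpt from the same host
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
jdoe:x:1001:1001:John Doe:/home/jdoe:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Traditional crypt(3): 2-char salt + 11-char hash, all from the crypt alphabet.
# This is the format the 1990s tools named in the FAQ were built to crack.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Schemes a cracker gets through quickly (fast hash, short or missing salt)
WEAK_SCHEMES = {"des-crypt", "apr1-md5", "sha1-unsalted", "unknown-or-plaintext"}


def classify_hash(h: str) -> str:
    """Name the password hashing scheme used by an htpasswd entry."""
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"                 # salted, slow: acceptable
    if h.startswith("$apr1$"):
        return "apr1-md5"               # Apache's iterated MD5: fast to crack
    if h.startswith("{SHA}"):
        return "sha1-unsalted"          # base64(SHA-1), no salt: rainbow tables
    if DES_CRYPT_RE.match(h):
        return "des-crypt"              # 8-char max password, 12-bit salt
    return "unknown-or-plaintext"       # treat anything unrecognised as exposed


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Parse user:hash lines, skipping blanks and comments."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f".htpasswd line {lineno}: missing ':' separator")
        user, _, h = line.partition(":")
        entries[user] = h
    return entries


def system_users(passwd_text: str) -> Set[str]:
    """Usernames from an /etc/passwd-style file (first colon-separated field)."""
    return {
        line.split(":", 1)[0]
        for line in passwd_text.splitlines()
        if line and not line.startswith("#")
    }


def audit(htpasswd_text: str, passwd_text: str) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs: weak hash schemes, and names that also
    exist as system accounts, where a reused password would turn a web
    credential into a telnet/ftp login."""
    findings: List[Tuple[str, str]] = []
    sysusers = system_users(passwd_text)
    for user, h in parse_htpasswd(htpasswd_text).items():
        scheme = classify_hash(h)
        if scheme in WEAK_SCHEMES:
            findings.append((user, f"weak-hash:{scheme}"))
        if user in sysusers:
            findings.append((user, "shares-name-with-system-account"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_HTPASSWD, SAMPLE_PASSWD):
        print(f"{user}: {finding}")
```

Run it against a real file with `audit(open(path).read(), open("/etc/passwd").read())`.
The other half of the fix is never serving the file in the first place: keep
the htpasswd file outside the document root, and keep the stock Apache
`<Files ".ht*">` block with `Require all denied` in place so that the
url:.htpasswd style of search has nothing to find.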



---------------------------------------------------------------------------

06-3. What are Internet vs. Intranet servers?

An Internet server is a server specifically set up for access by users
across the Internet. An Intranet server is a server set up by a company
for access across the local network for its employees, but traditional
Internet technology is used. Most typically an Intranet server is a Web
server.

Obviously there are Web servers that are both -- typically these are found
at universities. Sometimes an Intranet server is set up, but due to
misconfiguration either at the firewall or by some other means, the
server's documents can be accessed via the Internet. These are rare and
hard to find, but they can be gold mines -- especially if the IS
department has decided to place all of their procedures online. On an
even rarer occasion one will be indexed by a spider, so that during a
Lycos search you discover a page or two from this server.

This DOES happen. I have personally found over a dozen via AltaVista. Many
companies are so eager to embrace new Internet technology that security
is either an afterthought or they have no idea exactly how all of their
new technology works. Couple one of these servers with tidbits from other
sections of this FAQ and well, you get the idea...
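
The server's own access log tells the admin whether this has happened to
them: any successful request from outside the company's address space, or
from a search-engine spider, means the "Intranet" documents are reachable from
the Internet and possibly already indexed. The script below is an added
example, not from the FAQ: it parses combined-format log lines, flags hits
from external sources and from crawler user agents, and counts which
documents were fetched. The log lines are constructed, and the internal
address ranges and crawler name patterns are assumptions to be set to match
the real network.

```python
"""Spot an "intranet" web server that is actually reachable from the Internet
by reading its access log: hits from addresses outside the company's own
ranges, and hits from search-engine spiders, both mean the documents are
exposed.  Added example, not from the original FAQ.  The log lines below are
constructed; the internal ranges and crawler names are assumptions."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed combined-format access log lines.  Source addresses outside
# 10.0.0.0/8 use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
10.1.2.3 - - [06/Jan/1997:10:02:11 -0600] "GET /procedures/backup.html HTTP/1.0" 200 5120 "-" "Mozilla/3.0 (Win95; I)"
192.0.2.44 - - [06/Jan/1997:10:03:40 -0600] "GET /procedures/ HTTP/1.0" 200 2210 "-" "Scooter/1.0 (example crawler)"
10.1.5.9 - - [06/Jan/1997:10:04:02 -0600] "GET /index.html HTTP/1.0" 200 812 "-" "Mozilla/3.0 (X11; I; SunOS)"
198.51.100.7 - - [06/Jan/1997:10:05:17 -0600] "GET /procedures/dialin.html HTTP/1.0" 200 3001 "-" "Lycos_Spider (example crawler)"
203.0.113.5 - - [06/Jan/1997:10:06:59 -0600] "GET /procedures/dialin.html HTTP/1.0" 200 3001 "-" "Mozilla/3.0 (Win95; I)"
"""

# Assumed: the company's internal address space (RFC 1918).  Set this to the
# real network rather than relying on a library's notion of "private".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed spider signatures; extend with whatever crawlers show up in practice
CRAWLER_RE = re.compile(r"scooter|lycos|spider|crawler|bot\b", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_internal(ip_text: str, nets=INTERNAL_NETS) -> bool:
    """True when the source address lies inside one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False                       # unparsable source: treat as external
    return any(ip in net for net in nets)


def find_exposure(log_text: str, nets=INTERNAL_NETS) -> List[Dict[str, object]]:
    """Successful (200) requests that came from outside the internal ranges or
    from a known spider, each with the reasons it was flagged."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        reasons = []
        if not is_internal(rec["ip"], nets):
            reasons.append("external-source")
        if CRAWLER_RE.search(rec["ua"]):
            reasons.append("crawler-ua")
        if reasons:
            findings.append({"ip": rec["ip"], "path": rec["path"], "reasons": reasons})
    return findings


def exposed_paths(findings) -> Counter:
    """How many flagged hits each document received: what is already out there."""
    return Counter(f["path"] for f in findings)


if __name__ == "__main__":
    found = find_exposure(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:15} {f['path']:30} {','.join(f['reasons'])}")
    print(exposed_paths(found))
```

A single external hit is enough to act on: the fix is at the firewall or in
the server's own access controls, not in robots.txt, which a spider may honour
but which stops nobody else from fetching the procedures directory.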



---------------------------------------------------------------------------

06-4. I want to hack a site. How can the web help me?

This is the most important section to me. What is the most important thing
you need to know when attacking a site? What's on the other side of the
fence, that's what! And the Internet makes it all possible. We turn to
our friend, AltaVista, and begin trawling...

If your target is The XYZ Company, then Web and USENET searches on "XYZ
Company" can reveal much. Often a tech or sys admin is posting questions
or answers regarding various technologies, so you can see what OSes are
being used, what is being upgraded, whether certain security technology is
being used, backup software and their schedules, types of equipment being
used for remote access, and on and on.

Remember, most popular mailing lists, especially those with
computer-related topics, are often archived and searchable on some web
site. And these archive sites themselves are often indexed on a search
engine site like AltaVista.

Other techniques include searching on just the domain name. For example,
if XYZ Company's domain is xyz.com, try searching for all of their Web
pages by using url:xyz.com in AltaVista. Or just search on "xyz.com"
on USENET posts in AltaVista -- every post from that domain is there since
this information is included in the header, and every header gets indexed
since the entire article is indexed.

Social engineers, listen up. The information in sig files attached to
posts is often very revealing. Let's say a guy just posted to the
Firewalls mailing list from The XYZ Company, your target. He states that
they have Gauntlet for their firewall, but is concerned because too many
people are attaching modems to internal equipment, and is asking about
how other companies handle this. Hmm, look at that sig file. You have a
name, a day phone, and a fax phone. Hmm, the day phone and fax phone
have the same prefix. Guess what prefix you should point your wardialer
at? And now you have a name and phone of a guy responsible for some
level of security, a guy that MIGHT possibly call someone up and have them
"type in your login one character at a time, yes, say each letter out
loud, yes, that looks good on the sniffer, thank you for helping me solve
this problem, okay now the password, each letter out loud..."



---------------------------------------------------------------------------

06-5. Where does the "social engineer" look on the web?

Simple. The social engineer has a bookmark for The Stalker's Home Page at
http://pages.ripco.com:8080/~glr/stalk.html. My favorite item on there
right now (as of 01-06-97) is the Yahoo reverse phone number lookup.

It seems that the search page at http://www.yahoo.com/search/people caused
concern because of the reverse lookup -- that is, you could enter a phone
number and search to see who belonged to it. Well, Yahoo discontinued it
(see http://www.yahoo.com/docs/info/people_faq.html#numbers for the Yahoo
blurb), but they did so by changing the search form. Just submit your own
form with the right variables and it still works. You can access The
Stalker's Home Page, or you can simply build a page yourself and include
the following:

        <form method="post" action="http://email.yahoo.com/cgi-bin/Four11?YahooPhoneResults">
        Input Number (eg. 817-555-1212): <input type="text" name="p" size="13"><br>
        <input type="submit" value="Search" name="Enter">
        <input type="hidden" value="y" name="z">
        </form>

All Glen Roberts (the person who put out this page) has done is just
collect all privacy-invading resources that are online, and then couple
it with various privacy-related topics and links. But he has received a
lot of grief because of it. Oh well, I keep a local copy in case his
page ever disappears because I will mirror every link the day that
happens!

There are many other online searches and privacy-related links on this
page. I have found it valuable in protecting my own privacy, as I know
where information can be found on me and I have made adjustments.

But to get back to the question, this is THE PLACE for the social
engineer.
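
The lesson for anyone running a service is the one the Yahoo form above
teaches: taking a field out of the public form does not turn a feature off,
because the hidden field is just another client-supplied value and the backend
still honours it. The code below is an added example and is neither the FAQ's
nor Yahoo's code: it models the lookup endpoint as two handlers that take the
same posted body the form sends. The directory, the field names p, Enter and z
(taken from the form above) and both handlers are assumptions for the example.

```python
"""Why removing a form does not disable a feature: the hand-built form from
the FAQ still works because the backend lets a hidden field (z=y) select
reverse lookup.  Added example, not from the original FAQ or from Yahoo's
code: the directory, field names and handlers are assumptions modelled on
the form shown in the FAQ."""
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed people directory: name -> phone number
DIRECTORY = {
    "Jane Example": "817-555-0100",
    "Sam Sample": "817-555-0199",
}
REVERSE = {number: name for name, number in DIRECTORY.items()}
PHONE_RE = re.compile(r"^\d{3}-\d{3}-\d{4}$")

# The body that the FAQ's form posts (field names p, Enter and z come from it)
CRAFTED_POST = "p=817-555-0100&Enter=Search&z=y"


def _field(form: Dict[str, List[str]], name: str) -> str:
    """First value of a form field, or the empty string when absent."""
    return form.get(name, [""])[0]


def legacy_lookup(body: str) -> str:
    """Assumed legacy backend: the public form dropped the z field, but the
    server still switches to reverse mode whenever a client supplies z=y."""
    form = parse_qs(body)
    p = _field(form, "p")
    if _field(form, "z") == "y":        # client-controlled input picks the mode
        return REVERSE.get(p, "no match")
    return DIRECTORY.get(p, "no match")


def hardened_lookup(body: str) -> str:
    """Feature removal done server-side: reverse mode is not selectable by the
    request at all, and a phone-shaped query is refused outright."""
    form = parse_qs(body)
    p = _field(form, "p")
    if PHONE_RE.match(p):
        return "reverse lookup not supported"
    return DIRECTORY.get(p, "no match")


if __name__ == "__main__":
    print("legacy  :", legacy_lookup(CRAFTED_POST))
    print("hardened:", hardened_lookup(CRAFTED_POST))
    print("hardened:", hardened_lookup("p=Jane+Example&Enter=Search"))
```

The crafted body makes the legacy handler return the name behind the number,
exactly as the FAQ's form does, while the hardened handler refuses it no matter
which hidden fields are sent; forward lookups by name keep working in both.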

---------------------------------------------------------------------------