/* Hidden Secrets of the Web */
by: Screamer Chaotix

Perhaps the most appealing thing to me about the internet is all the twists, turns, secret passages, and goodies you can find just by looking around long enough. Suppose you come across a university network and get a little curious. You portscan && nessus && hackbot it all you like until you know every machine, and what each of those machines is running. What you might not see at first glance though, are the things people put on this vast internet and completely forget about. Pictures, movies, files...open connections. You name it, it's out there, and it's just waiting to be snagged.

My philosophy is a simple one: if you can get to it, it's fair game. What that means in a nutshell is that if you can ping it, connect to it, see it, or hear it without having to write code to crack it, then you shouldn't spend a night in jail for going to it. A lot of people disagree, claiming that their ignorance is no excuse for you to go snooping around. A real world example (bleh!) of this would be the person who leaves their blinds open. If they stand in front of their window to get dressed, why should you assume they don't want you to look? Common sense? What about the common sense that screams "Shut the damn curtains!"?

My philosophy is usually not an easy one to accept, but as a person who loves to play with computers because I never know what I'll find, the idea of a world wired together electronically is an exciting one. First there were phones, tools that allowed you to hear the sounds of the world from your own home. But now we can see what's out there through our computers, and with this article, I'd like to share some of the things I've found.

Hackbot, which can be found at ws.obit.nl, is an excellent tool for scanning remote machines for any services they may be running.
On top of this, it also mentions which services have exploitable holes, which is great for securing your system or finding anything that might be out of place. The downside to Hackbot is that it doesn't have the most complete information available out there. If you're looking for a vulnerability checker, Nessus (www.nessus.org) is a much sounder choice. Hackbot does have an advantage of its own however, and it comes in the form of its website checks. Using a database included with the program, Hackbot will check for a number of directories that may be open on the remote machine. And that's where our fun begins.

Directories can be a dangerous thing when not used properly on a webserver. Quite often webservers will allow directory listing (which appears as nothing more than a white background with a list of files and/or subdirectories), and if it is not disallowed, anyone can view the contents of that directory. What this means is that ALL files and directories located beneath the one they're currently viewing are visible, which means even more directories (with listing enabled) can be entered.

What Hackbot does is seek out certain directories that may be available, and the one that immediately comes to mind is /stats. The /stats directory is often utilized by sites that manage multiple users, and allows the webmaster to check usage statistics to see where people are logging in from, how often they log in, what their usernames are, and so forth. And all of this directly from a webpage. The downside, from a webmaster's point of view, is that if this directory is viewable to the outside world, you're putting your site in a very compromising position. Usernames can be put into wordlists, then thrown into cracking programs to attack your site all day and night. And should you not be prepared for this, it's entirely possible, if not likely, that one of those usernames will crack and allow the attacker to gain access.
No big deal to you necessarily, unless you allow your users more "trusted" access (shell/mail accounts, etc.), or if you're providing "members only" content you don't want just anyone getting their hands on.

But /stats is far from the only thing Hackbot can find. Two other personal favorites of mine are /test and /temp. These directories, while possibly sounding pretty boring, might actually hold a wealth of treasure. Allow me to explain. Many sites live by "security through obscurity," and I'm sure we all know what that means by now (thanks Billy G!). They have things on their site that they believe people can never find, and to be honest, for the most part they're right! Most people out there don't realize that just because it doesn't have a link doesn't mean you can't get to it. Everything that's o+r can be seen by anyone with a browser and the means to find those hard to reach places, but for most sites that doesn't matter. Most sites will create a /temp directory that can be seen by the world, throw in some files, and then forget they're there.

Case in point: I was hackbotting an, I admit it, adult site one day, just seeing what kind of stuff they had open to the world. Sure enough, I found /test and /temp. Looking inside, I saw that /test just listed some galleries, member information (like where to send the check), and other such nonsense. Inside /temp though, they had stored three 600MB movies! The most likely reason for this is the one I mentioned before, since I've never heard of a site voluntarily giving out free 600MB downloads (sans linux and other OSS stuff). They were probably moving files around, stuck those movies in the closest directory, and then left...without realizing that directory was open to everyone.

Now this is the stuff I love. Sure the pr0n is cool, but the fact that pages like this are out there on that endless internet just waiting to be found amazes me.
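The exposure described above (a /stats, /test or /temp directory whose listing is served to the whole world) is something a webmaster can spot in their own access log before a scanner does anything with it. What follows is an added example, not part of the original article and not Hackbot's code: it parses Combined Log Format lines (the format Apache and nginx write by default), picks out requests under the directories named above, and reports, per client, whether a request for the directory itself came back 200, which is the sign that the listing was actually served rather than denied. The log lines and client addresses are constructed for the example, and the WATCHED_DIRS list is an assumption you would extend for your own site.

```python
"""Audit a web server access log for probes of commonly exposed directories."""
import re
from collections import defaultdict

# Directories the article names as the ones scanners look for; extend for your site.
WATCHED_DIRS = ("/stats", "/test", "/temp")

# Combined Log Format: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not a real log): one client sweeping the three
# directories, one ordinary visitor who also fetched a file under /temp.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2001:02:14:01 -0500] "GET /stats/ HTTP/1.0" 200 4120
203.0.113.7 - - [10/Mar/2001:02:14:02 -0500] "GET /test/ HTTP/1.0" 404 287
203.0.113.7 - - [10/Mar/2001:02:14:02 -0500] "GET /temp/ HTTP/1.0" 200 9812
203.0.113.7 - - [10/Mar/2001:02:14:03 -0500] "GET /cgi-bin/ HTTP/1.0" 403 301
198.51.100.9 - - [10/Mar/2001:09:30:11 -0500] "GET /index.html HTTP/1.0" 200 5120
198.51.100.9 - - [10/Mar/2001:09:30:12 -0500] "GET /temp/movie1.mpg HTTP/1.0" 200 629145600
"""


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not in the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def watched_dir(path):
    """Return the watched directory a request path falls under, or None.

    The query string is dropped and the match is done on a path-segment
    boundary, so /testing/ does not count as a probe of /test.
    """
    path = path.split("?", 1)[0]
    for d in WATCHED_DIRS:
        if path == d or path.startswith(d + "/"):
            return d
    return None


def audit(log_text):
    """Return {(client_ip, directory): {"probes": n, "exposed": bool}}.

    'exposed' is set when a request for the directory itself (bare name or
    trailing slash) was answered 200: the server handed out the listing.
    A 403 or 404 on the same path means the probe was turned away.
    """
    findings = defaultdict(lambda: {"probes": 0, "exposed": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        d = watched_dir(rec["path"])
        if d is None:
            continue
        key = (rec["ip"], d)
        findings[key]["probes"] += 1
        bare = rec["path"].split("?", 1)[0].rstrip("/")
        if bare == d and rec["status"] == 200:
            findings[key]["exposed"] = True
    return dict(findings)


def exposed_dirs(log_text):
    """Sorted list of watched directories whose listing was served to anyone."""
    return sorted({d for (_, d), v in audit(log_text).items() if v["exposed"]})


if __name__ == "__main__":
    for (ip, d), v in sorted(audit(SAMPLE_LOG).items()):
        verdict = "LISTING SERVED (200)" if v["exposed"] else "no listing served"
        print(f"{ip:15} {d:8} probes={v['probes']}  {verdict}")
    # The fix lives in the server config, not in this script: on Apache,
    # "Options -Indexes" for the directory turns the listing off.
```

Run against a real log the output tells you two things at once: which clients are walking the well-known directory names, and, more usefully, which of those directories your server is actually willing to list. In the constructed sample, /stats and /temp were served while /test returned 404, so only the first two need a configuration change; a fetch of a file under /temp by a normal visitor is counted as a probe but does not by itself prove the listing is open.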
Plus this opens up all sorts of other fun possibilities, including some warez pirates and cyberpunks have been using for years. The warez folks love those dead drop FTP servers overseas that they can commandeer and then use to store/share/trade files. The cyberpunks, or those hackers who love to explore different areas of the net, can use these sites to provide information and files to people without the fear or hassle of signing up for an account somewhere. I won't argue it's the nicest thing you can do, but I think as long as no one gets hurt there's no harm, no foul.

Files and directories are not the only things you can find out there though. Using nmap, or another portscanner (angry shoutz to those bitches who diss fyodor!), you can locate open services that might be much more than they seem. Quite often, people will keep X open to the world, so that anyone can connect to their computer, log their keystrokes, view their monitor, whatever they like...and all without the need of some silly trojan. Another great find are open webcams, which can be used to see the person on the other end of the connection! So if someone is attacking your machine, or just making your day that much harder, check to see if they have an open webcam port (default is usually 21). If so, you may be able to open a connection to their machine and actually see them attacking you! I've heard rumors of this happening, but so far I've never had the pleasure of experiencing it myself.

The corridors of the internet are waiting to be explored, and their secrets waiting to be discovered. Naturally, there are a lot of people who believe that you don't have the right to see, hear, or download something "just because you can." I disagree however, because much like with bootleg videos, I don't think it's my responsibility to make assumptions day in and day out about whether something is "legitimate" or not. How am I supposed to truly know, aside from guessing, whether or not someone wants me to see something?
Open webcam ports allow people to see you, files in world readable directories can be read by the world (makes sense, no?), and machines with no passwords allow people to walk right in. But that's for another article, one that will get away from the WWW and focus more on the actual plumbing of the internet. Until then, never stop exploring.

-screamer