~ Essays ~
(Courtesy of fravia's advanced searching lores ~ December 1998)
Kmart's 'More searching tips'
Well, oh my... another great searcher (so much for 'humble tips') steps out of the shadows of the web...
At first I thought Kmart would have wanted to lock this info on my advanced search section, but he decided to go public with it... quite powerful tips in here:
"If you use these search techniques you can find yourself getting
quite a bit of class A, quality info"... yes, indeed. I believe we are beginning to
pump some power searchers on the web at last... let's hope you will be
real reversers and will not forget that
you should use all the power you are gathering in order
to change and ameliorate the awful world we live in.
More searching tips: by *kmart*
I am firmly convinced that Search engines, and chiefly Altavista, Hotbot and Fast, are gifts
from the divine (ex cathedra eh ?), to hackers, reversers, and anyone who has a
need for information -licit or illicit- from the InterNet. Altavista has thrown
open the gates of information to the digital underground, gone are the days
(perhaps, in some ways, unfortunately) of secretly trading t-philes between bbs's,
of getting NUP's for prime boards just so that you could download philes not
found anywhere else. The most elite of information lies in plain view, like a
wanton harlot just begging you to grab it. It is a telling sign of the decline
of our underground that for the first time in history Information is being
handed out in the most promiscuous fashion and we are too stupid to even notice.
Ain't we dumb... +Fravia's series of articles show a number of ways to use
altavista and other search engines to their full potentials, I hope that my
humble tips will also aid you, dear reader, in however small a way.
I am not a reverser (though the *wonderful* influence of *fravia's site has
convinced me to change these error filled ways heh heh), rather, my interests
lie in the directions of SIG and COMINT, satellite technology, phone phreaking,
RF exploration, and, some network hacking on the side (particularly x.25
networks, the Internet exploit scene mafia bores me...). To feed the
information hunger that I have I must obtain constant information of
particularly sensitive natures regarding these fields. Altavista can help me
here. Since people are not exactly beating down doors to write philes on
aspects of microwave RF communications I am left with searching for protocol and
project proposals and specs, implementation notes, and things of this nature.
.gov and .mil sites are rich sources of such information if you know where to
search for them. Now less so than 5 months ago since the army decided to
thoroughly sanitize their web sites for misplaced information, and the rest of
the DOD is following them in this, but .gov sites can still be tapped for such
material, or even other materials.
Tips: Excite, despite its small size, seems to have the largest number of
mis-indexed .mil sites, one of my most delightful finds was a public site on
energy weapon programs currently under development by the Army. DARPA should not
put information such as this on public sites, but it's not as if I care.
On excite searching for keywords can help, throw around COMINT, SIGINT,
HF, RF, gigahertz, ghz, mhz, deployment, "proving grounds" and the like
together for interesting results.
Your mileage may vary since the last search of such a nature that I did
on Excite was about 6 months ago, I am now almost exclusively an Altavista
"crack fiend" :-)
Where Altavista lacks in the .mil department (which is not much, trust me) it
more than makes up for in its .gov indexing. Take advantage of sloppy
misconfiguration of apache and NCSA servers and do searches for:
"domain:gov " .pdf" ".doc" ".ps" [insert keywords here ] "
throw in "index of" to nab mistakenly indexed directories. Frequently
web bots will index the contents of a particular directory if a link on a page
it was indexing happens to lead to a document in there, and if that directory
does not have an index/Welcome/default.html file there.
By searching for document types you weed out fluff, serious research
results will be saved and distributed as postscript files, dvi files,
Micro$oft word files (blech), and on .mil sites both PDF and, oddly enough, as
POWERPOINT SLIDE SHOWS. It is strange but DOD types love powerpoint (it seems).
Military briefings have always traditionally incorporated slide shows,
Powerpoint and other Groupware apps bring this method into the 1990's. If you
reverse/crack serious commercial Groupware applications, you are doubtlessly
aware of file endings for some specialized Electronic Whiteboard applications,
search for files with these endings (do research, order product literature,
order demo copies of these programs or if you work for a corporation that uses
real computer aided electronic whiteboards then fiddle around with them and
read their manuals).
For corporate searches use "domain:com" (or gte.com) or narrow the searches down
to specific hosts.
Also corporate types do not use postscript (too stupid ?), search for
microsoft word documents and powerpoint slides (".doc" etc ).
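An added defensive example, not from kmart's essay: a Python audit that walks a site's document root and reports every directory holding the document types discussed above (.pdf, .doc, .ps, .dvi, .ppt) but no index file, which is exactly the combination a crawler can list and a file-type query can then surface. The index filenames beyond index/Welcome/default.html and the demo directory layout are assumptions.

```python
import os
import tempfile

# Filenames that stop Apache-style auto-indexing; the essay names
# index/Welcome/default.html, the rest of the list is an assumption.
INDEX_FILES = {"index.html", "index.htm", "welcome.html",
               "default.html", "default.htm", "default.asp"}

# Document types the essay says carry the real research material.
DOC_EXTENSIONS = {".pdf", ".doc", ".ps", ".dvi", ".ppt"}


def find_listable_dirs(docroot, index_files=INDEX_FILES, doc_exts=DOC_EXTENSIONS):
    """Map relative directory -> sorted document names for every directory under
    docroot that contains doc_exts files but no index file. With auto-indexing
    on, such a directory is what a crawler lists and a file-type query finds."""
    exposed = {}
    for dirpath, _subdirs, filenames in os.walk(docroot):
        if {n.lower() for n in filenames} & index_files:
            continue  # an index page hides the listing
        docs = sorted(n for n in filenames
                      if os.path.splitext(n)[1].lower() in doc_exts)
        if docs:
            exposed[os.path.relpath(dirpath, docroot)] = docs
    return exposed


def build_demo_docroot():
    """Constructed sample document root for the demo (not a real site)."""
    root = tempfile.mkdtemp(prefix="docroot_")
    layout = {
        "index.html": "<html>home</html>",
        "reports/index.html": "<html>listing blocked</html>",
        "reports/q3.pdf": "%PDF-1.4 sample",
        "drafts/spec.doc": "word document",
        "drafts/notes.ps": "%!PS sample",
        "drafts/readme.txt": "extension not tracked",
        "img/logo.png": "png bytes",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for d, docs in find_listable_dirs(build_demo_docroot()).items():
        print(f"{d}: no index file, listable documents: {', '.join(docs)}")
```

Run it against a real document root instead of the demo tree and any directory it reports should get an index page or have auto-indexing turned off.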
Some .gov and .com sites will be smart enough to use the oh so secure
practice of digital encryption, through microsoft word :-) There are enough
programs out there that will attack word encryption and there are some good
commercial ones too. Do not be a cheapskate, buy them for God's sake.
By all means do this in as subtle a way as possible, if you milk these
searches out these sites will notice the gadzillion hits from you and close this
stuff down. No one likes to leak proprietary info, it's just that most web
masters lack the time to nail down their servers properly (trust me on this).
This is esp. the case with Windows NT servers running IIS (sigh) since every
time we apply a service pack it breaks something and we have 700 customers,
bosses, peons yelling at us. Oh yeah, on that note if you stumble on an IIS
site and the treasured info that you need is in a secured directory, use the
already overused but infamous ::$DATA data stream trick. Use this to nab .asp
files, examine their structure see if they make calls to dao.db or ADODB
objects, reverse the directory tree that they seem to fit into, find and then
download the access or SQL server database files that they refer to.
Sometimes the information that you are searching for is just plain
obscure, what to do then ? Check out mailing list archives. There are a
number of good web board packages out there, search for particular details
in the default file and directory structures of these packages along with
your keywords. Many times you might stumble on some old and obscure archived
Listserv that happens to have had a couple of posters from NASA JPL who happen
to have written posts on the topic that you need.
In my experience I have found mailing list archives and Web
boards to have a better signal to noise ratio than usenet archives. The
downside is that it may take considerable time to discover the right
mailing list, the right archive, with the right data that you need. Look at
.edu sites that happen to receive many DOD research grants. There will be many
Professors and Grad Students at such sites whose research lies along the lines of
your own. Read their posts, they will often contain valuable data. Here your
search is not pointed, methods like these work well for background searches,
where you are not looking for specific data but you are looking for data that
will help you narrow down future searches, or that will direct the lines that your
PLEASE remember, that there is information out there of a hair raising
nature, information that the computer underground needs to, and deserves to
BUT the last thing that anyone needs is for access to information, so
lovingly forgotten about by the establishment, to be cut off (but being the
smart gentlemen/women that we are we will simply hack, crack, and reverse our
way to it again right guys ?!). So be subtle, chain your searches through a
number of proxies and/or wingates before even hitting altavista, alternate the
times of your searches, skip days. When you retrieve your info from your target
boxes come in from different proxies and do not hit them very frequently.
Know that Altavista (as fravia+ has alluded to before) keeps logs of searches.
That is how the old trick of searching for mis-indexed root filesystems
(and thus /etc/passwd files) that was popular a few years ago got cut off.
Altavista is too good an engine sometimes... they simply noticed that
many people seemed to be searching for /etc/passwd and /etc/group etc and
hard coded these searches out of their engine. If you are very clever
in constructing your searches you can still get these results even today
(a little birdie just cracked a box in a major edu supercomputer center
this way recently :-).
In other words, do not milk the poor cow to death, if you need specific
info on a project or particular technology cast your net wide, and narrow it
down. But try not to overdo this, esp. on .mil sites since they are quite
paranoid (they have to be, it's part of their job) and they will keep their
eyes on you, your IP address, the sites that you go to, and other such
things (if you are in the United States, the state of DOD Network traffic
analysis is quite advanced here. If you are European then you have other
worries). I do believe that the tips that I have given will give most
reading this a lot of mileage. If you use these small, and humble, tips
along with other more powerful search techniques (use agora servers and
anon remailers to further obscure your tracks) you can find yourself getting
quite a bit of class A, quality info.
And Info is what we all crave right ?
A side benefit is that you can search for Pr0n site backdoors with ease
using similar methods. Altavista is truly the Swiss Army knife of online
tools, use it well, thoughtfully, and with care; and it will not fail you.
If you like these search tips use them, if you think they are crap well
then give me better ones :-) I can only advocate what has worked for me,
again your mileage may vary on all of this, now go out and have fun or
(c) 2000: [fravia+], all rights reserved