WebApp Sec: Re: Website "Scanner"

Re: Website "Scanner"

From: Pig Monkey <pig.monkey_at_gte.net>
Date: 09 Jan 2003 15:11:34 -0800

I agree. It's like port-scanning. The scan isn't illegal, but what you
could possibly do with the information you gain might be ("The Thin Grey
Line").

If this is his site, he wouldn't want to just list the files because his
reason for doing this is most likely to see what a potential cracker
might see; the same reason you might run a security scanner on your
network.

On Thu, 2003-01-09 at 07:09, Chris Wysopal wrote:
> What does legality have to do with it? Is it technically possible or
> not? Are there tools freely available to do it or not? Plenty of
> things are illegal to do with security tools if you are not the owner of
> the system or authorized by the owner of the system. But these same
> tools can be used by penetration testers to demonstrate why a site owner
> shouldn't rely on obscurity of filenames or paths.
>
> I am also not convinced that accessing a file that is not explicitly
> linked from other published files on a web server is illegal in the
> first place. There have been cases of people guessing URLs for upcoming
> corporate press releases, finding prepublished information and sending
> it to reporters. I have never heard of charges being filed in any of
> these cases.
>
> Cheers,
>
> Chris
>
>
> Nelson Sampaio Araujo Junior wrote:
>
> >Well,
> >
> >That sounds like you're not doing something legal with it. If you are the owner
> >of the server/system, just dir or list them. Another hint is that if the
> >administrator has disabled the Index option, it's probably because you can't
> >do it (legally speaking).
> >
> >- Nelson
> >
> >----- Original Message -----
> >From: <backed.up.by.2048.bit.encryption_at_hushmail.com>
> >To: <sullo_at_cirt.net>
> >Cc: <webappsec_at_securityfocus.com>; <vuln-dev_at_securityfocus.com>
> >Sent: Wednesday, January 08, 2003 3:22 PM
> >Subject: Re: Website "Scanner"
> >
> >
> >
> >
> >>-----BEGIN PGP SIGNED MESSAGE-----
> >>
> >>
> >>
> >>On Wed, 08 Jan 2003 14:21:16 -0800 sullo_at_cirt.net wrote:
> >>
> >>
> >>
> >>>2) take all the files and mix them with all the directories from
> >>>the scan
> >>>database, so that:
> >>> /dir1/file1.html
> >>> /dir2/file2.html
> >>> /dir3/file3.html
> >>>turns into requests for
> >>> /dir1/file1.html
> >>> /dir1/file2.html
> >>> /dir1/file3.html
> >>> /dir2/file1.html
> >>> /dir2/file2.html
> >>> /dir2/file3.html
> >>> /dir3/file1.html
> >>> /dir3/file2.html
> >>> /dir3/file3.html
> >>>
> >>
> >>Yes, this is more the idea. We are not looking for vulns. or xploits,
> >>rather trying to intelligently "guess" what else is in that directory.
> >>Either through dictionary use or other use. For example the following is
> >>publicly accessible:
> >>
> >>http://www.microsoft.com/new_products/bigwinner2003.html
> >>
> >>We want to find out what else might be in "new_products" so we plug in say
> >>the words "big" "winner" "2003" and let our dictionary spin:
> >>
> >> biggerwinner2003.html - nothing
> >> bigloser2002.html - hit
> >>
> >>etc.
> >>
> >>Combining the dictionary and words from a specific site or files visible
> >>publicly, we try to guess the names of whatever else might be in that
> >>directory.
> >>
> >>You can do this manually with small time sites and obvious file names e.g.
> >>index1.html...index2.html etc. Even annualreport2002.html is visible, try
> >>annualreport.2003.html
> >>
> >>You can guess and hit on files that are not intended for public
> >>consumption.
> >>
> >>If it can be automated with user input for obvious keywords, you probably
> >>could strike many interesting and sensitive files in the directory.
> >>
> >>-----BEGIN PGP SIGNATURE-----
> >>Version: Hush 2.2 (Java)
> >>Note: This signature can be verified at https://www.hushtools.com/verify
> >>
> >>wnUEARECADUFAj4csi8uHGJhY2tlZC51cC5ieS4yMDQ4LmJpdC5lbmNyeXB0aW9uQGh1
> >>c2htYWlsLmNvbQAKCRDEHQGvBp4eRGE4AJ4joBLhRlZYcBX7sxnOmgYPfbtYOgCfUFun
> >>Y0PA+csb++5g+pM+c/0Bkok=
> >>=SFPk
> >>-----END PGP SIGNATURE-----
> >>
>
Received on Jan 10 2003
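
Added example, not part of the archived thread: a site owner can spot the filename guessing discussed above in the web server's access log, because a guessing client produces many distinct 404s inside one directory alongside a few hits. The log lines, addresses, thresholds and the function name `find_guessing` are constructed for illustration; the two filenames marked "nothing" and "hit" in the thread are reused as sample paths.

```python
import re
from collections import defaultdict
from posixpath import dirname

# Constructed sample access log (Common Log Format); not data from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jan/2003:15:00:01 -0800] "GET /new_products/bigwinner2003.html HTTP/1.0" 200 5120
203.0.113.7 - - [09/Jan/2003:15:00:02 -0800] "GET /new_products/biggerwinner2003.html HTTP/1.0" 404 210
203.0.113.7 - - [09/Jan/2003:15:00:02 -0800] "GET /new_products/bigwinner2002.html HTTP/1.0" 404 210
203.0.113.7 - - [09/Jan/2003:15:00:03 -0800] "GET /new_products/bigloser2003.html HTTP/1.0" 404 210
203.0.113.7 - - [09/Jan/2003:15:00:03 -0800] "GET /new_products/bigloser2002.html HTTP/1.0" 200 4096
203.0.113.7 - - [09/Jan/2003:15:00:04 -0800] "GET /new_products/winner2003.html HTTP/1.0" 404 210
198.51.100.20 - - [09/Jan/2003:15:02:10 -0800] "GET /index.html HTTP/1.0" 200 2048
198.51.100.20 - - [09/Jan/2003:15:02:11 -0800] "GET /favicon.ico HTTP/1.0" 404 210
198.51.100.20 - - [09/Jan/2003:15:02:15 -0800] "GET /new_products/bigwinner2003.html HTTP/1.0" 200 5120
"""

# Captures: client address, request path, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')


def find_guessing(log_text, min_misses=4, min_miss_ratio=0.6):
    """Return {(client, directory): (missed_paths, found_paths)} for clients
    whose requests in one directory are mostly distinct 404s."""
    misses = defaultdict(set)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not GET/HEAD requests in CLF
        client, status = m.group(1), m.group(3)
        path = m.group(2).split("?", 1)[0]  # ignore the query string
        key = (client, dirname(path) or "/")
        if status == "404":
            misses[key].add(path)
        elif status.startswith("2"):
            hits[key].add(path)
    flagged = {}
    for key, missed in misses.items():
        found = hits.get(key, set())
        ratio = len(missed) / (len(missed) + len(found))
        if len(missed) >= min_misses and ratio >= min_miss_ratio:
            # The found paths are what the guessing reached: review each one.
            flagged[key] = (sorted(missed), sorted(found))
    return flagged


if __name__ == "__main__":
    for (client, directory), (missed, found) in find_guessing(SAMPLE_LOG).items():
        print(f"{client} probed {directory}: {len(missed)} misses, reached {found}")
```

The paths returned as found are the ones to check against what was meant to be published, since anything unlinked among them was protected only by its name.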
