The art & lore of Guessing
Guessing: "to arrive at a correct conclusion by conjecture, chance or intuition"
Aut inveniam viam aut faciam! (I shall either find a way or make one.)
Web-Guessing lore! This old but still very important page is obviously related to the importance of names on the web, and to the many searching essays and the more specific searching tips and advice offered on searchlores. Let's see... here follows a more exhaustive and updated list of the possible and common names of the infamous "bingo" page: the page you would land on after having "paid" your tribute to the site (or database) owner... if you hadn't guessed its name correctly, that is :-) Note that here we target ebooks; hence modify the list ('guess' what :-) for different targets.

thankyou.htm
thank-you.htm
thank_you.htm
download.htm
downloadlink.htm
downloadpage.htm
download-page.htm
members.htm
private.htm
priv.htm
private | members | priv (without any extension: if a folder of the same name exists and the server has directory listing switched on, this displays the files inside it)
ebook.htm
yourebook.htm
myebook.htm
target.pdf or target.chm (search the site for the title and replace "target" with your target's name)
acronym or shortversion_of_ebook_name.pdf (possible abbreviations of the target's name)
promember.htm
thankyou1.htm
secrets.htm
hidden.htm
downlink.htm
down-link.htm
down_link.htm
verified.htm
paidmember.htm
paid-member.htm
verifiedmember.htm
verified-member.htm
verified_member.htm
alert.htm
resources.htm

The file extension can be different. Instead of .htm try .html and .php (if the 'habitat' of your target shows other web pages in php), or whatever extension the rest of the site uses.
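Turning a list like the one above into something you can feed to a checker is mechanical, so here is an added example (mine, not code from this page or from .sozni's essay below) in Python. It takes the names listed above, crosses them with the extensions the site is seen to use, adds the bare-folder form of each name, and, for a named target, derives the abbreviated forms hinted at above (acronym, words run together, truncation, vowel-stripped). The default extension set, the abbreviation rules and the example URLs are my assumptions; the vowel-stripping rule is there because it reproduces the "erdcmndr" file name .sozni's essay reports. The code only builds the list; it sends nothing.

```python
"""Expand the "bingo page" name list into candidate paths.

Added example for this page; it is not code from the original page.
BINGO_WORDS is the page's own list; the extension defaults and the
abbreviation rules below are assumptions of this example.
"""
import re
from itertools import product

# Names from the page's list (ebook targets); extensions are added later.
BINGO_WORDS = [
    "thankyou", "thank-you", "thank_you", "download", "downloadlink",
    "downloadpage", "download-page", "members", "private", "priv",
    "ebook", "yourebook", "myebook", "promember", "thankyou1", "secrets",
    "hidden", "downlink", "down-link", "down_link", "verified",
    "paidmember", "paid-member", "verifiedmember", "verified-member",
    "verified_member", "alert", "resources",
]

DEFAULT_EXTENSIONS = (".htm", ".html", ".php")  # the page's three; assumed default
TARGET_EXTENSIONS = (".pdf", ".chm")             # ebook formats named on the page


def site_extensions(known_urls, fallback=DEFAULT_EXTENSIONS):
    """Read the 'habitat': return the extensions the site's known pages use.

    First-appearance order is kept, so pass the URLs in the order you
    harvested them and the common extension is tried first.
    """
    seen = []
    for url in known_urls:
        path = url.split("?", 1)[0].split("#", 1)[0]
        name = path.rsplit("/", 1)[-1]
        if "." in name:
            ext = "." + name.rsplit(".", 1)[-1].lower()
            if ext not in seen:
                seen.append(ext)
    return tuple(seen) or tuple(fallback)


def abbreviations(title):
    """Short forms people give a product file (assumed rules, not from the page):
    acronym, words run together, first three letters of each word, and the
    vowel-stripped form with doubled consonants collapsed.  The last rule
    turns "ERD Commander" into "erdcmndr".
    """
    words = re.findall(r"[a-z0-9]+", title.lower())
    if not words:
        return []
    acronym = "".join(w[0] for w in words)
    joined = "".join(words)
    short = "".join(w[:3] for w in words)
    devoweled = "".join(w[0] + re.sub(r"[aeiou]", "", w[1:]) for w in words)
    devoweled = re.sub(r"(.)\1+", r"\1", devoweled)
    forms = []
    for f in (acronym, joined, short, devoweled):
        if len(f) > 1 and f not in forms:
            forms.append(f)
    return forms


def candidates(words=BINGO_WORDS, extensions=DEFAULT_EXTENSIONS,
               target=None, dirs=("",)):
    """Return ordered, de-duplicated candidate paths (no scheme or host).

    For each word in each directory: word + every extension, then the bare
    "word/" form, which only reveals anything if a folder of that name exists
    and the server has directory listing switched on.  With a target title,
    also add target-derived file names with the ebook extensions.
    """
    out = []

    def add(path):
        if path not in out:
            out.append(path)

    def prefix_of(d):
        d = d.strip("/")
        return d + "/" if d else ""

    for d, w in product(dirs, words):
        for ext in extensions:
            add(prefix_of(d) + w + ext)
        add(prefix_of(d) + w + "/")

    if target:
        names = abbreviations(target)
        raw = target.strip()
        if raw and not re.search(r"\s", raw) and raw not in names:
            names.insert(0, raw)
        for d in dirs:
            for name, ext in product(names, TARGET_EXTENSIONS):
                add(prefix_of(d) + name + ext)
    return out


if __name__ == "__main__":
    # Constructed sample 'habitat': two pages seen on the site (assumed host).
    exts = site_extensions(["http://example.invalid/index.php",
                            "http://example.invalid/buy.php?id=3"])
    for path in candidates(extensions=exts, target="ERD Commander",
                           dirs=("", "members")):
        print(path)
```

Feed the output to whatever checker you use, and probe one obviously made-up name first: a site that answers every unknown path with a 200 "page not found" page will otherwise make every guess look like a hit.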
by .sozni (October 1999... yet far from being obsolete :-)
There are many ways to get registered software. You can buy it, you can get a copy from a friend or from the internet, you can crack a demo, you can use a serial number, etc. There are so many ways that if you really want something, you can get it.
I have noticed that many ActiveX controls are updated frequently. For example,
DataDynamics has been posting a new update for ActiveReports every two weeks. If you
get a pirated copy or a patch, then you never really have the most recent version.
That's why I prefer licensing my software. And that's what my essays are
about: licensing, not cracking software.
I have already talked about a couple of ways to get licensed. There is another way
that I am starting to use more and more. That is to hack the company's web site.
There are many ways to find info on the company's website. Here are some methods that
I use:
- Browse their FTP site looking for hidden directories
- Browse their FTP site looking for stuff out in the open that they have forgotten
about
- Use a FrontPage attack (there are many)
- Exploit weaknesses in Active Server Pages
- View the source of pages (especially registering and purchasing online pages)
- And my favorite: Guessing
I can't believe how many sites I have hacked just by guessing stuff. As I mentioned
before I got all of the Winternals Software just by guessing the URLs. I got a
password for a protoview install by typing random keys (I heard someone else had done the
same thing). I have found serial number lists, serial number generators and
validators, and user registrations.
It's all there for the taking. The trick is to be really good at guessing. The
principle here is that people are predictable. If someone thinks a certain way one
day, most likely they are going to think the same way the next day. Also, people are
usually going to name things with the first thing that comes to mind.
For example, if you wanted to create a directory for downloads, what would you call that
directory? And then if you had one directory for demos, what would you call the
directory for retail products?
Do you see my point? The Amazing Kreskin works on this principle. He asks people
to think of a vegetable and most people will think of a carrot. He asks them to
think of a shape, then to think of another shape inside that shape, and most of the time he
knows what they are thinking. Why? Because people are predictable.
How many new computer users do you think use their logon as their password? Many.
And why do you think there are so many common password lists on hacking sites?
Because a lot of people use these common passwords. See? They are
predictable.
Now if a company has a product named ERD Commander and the information about that product
is on a page called erdcmndr.htm and the demo is named
erdcmndr.exe in the demos directory then what do you think the real product is going to be
called? Yep, erdcmndr.exe (in a different directory, of course).
To get the real version of ERD Commander I looked at the demo at www.sysinternals.com then
went to their retail site, www.winternals.com and
downloaded erdcmdr.exe. Of course, I first had to find the download directory, but
that's another story.
And guess what? I just repeated that same process for all of their products.
Remember what I said? If someone thinks a certain way one day, most likely
they are going to think the same way the next day. People are predictable.
Here's another one: Suppose a company has a Web page that allows you to register
their software online. It is called regonline.htm. And let's suppose they are
using IIS on Windows NT. And let's suppose they want all these online registrations
to be saved to a text file. What would that file be named and where would it be
located? These would be my first guesses for www.company.com/regonline.htm:
www.company.com/regonline.txt
www.company.com/_private/regonline.txt
www.company.com/_vti_pvt/regonline.txt
Here's another one, Janus Systems has a page to register online in the
http://www.janusys.com/Support/ directory. These registrations post to a
text file. Now if your customers were registering their software and these
registrations post to a text file and your company is in Mexico,
what would you call this text file?
My guesses would be:
www.janusys.com/support/registration.txt
www.janusys.com/support/register.txt
www.janusys.com/support/registracion.txt
www.janusys.com/support/registra.txt
And you know what? It's the last one (at least it used to be before I first posted this
essay on my mailing list)
The key to guessing is research. Look around at their website and see what they name
things and where they put things. Look at pictures and links and downloads. Do
they like cryptic abbreviations? Is there a method that uses the product version number?
Do you see patterns?
Then, just guess. You would be surprised how many times this works. That is,
if you have really mastered the art of guessing.
Copyright ©1998 .sozni, all rights reserved.
Granted: guessing can be boring, and should almost always be used as a last resort... as ultima ratio quaerentis (the searcher's last argument). Even with a good list (or hunch) of probable names, this method will in fact succeed only in a few cases: probably just one or two out of ten attempts. But the method is sound, because it is based on the very structure of our web, a structure that was MADE for sharing (and not for selling, thanks Godzilla). It works whenever a site guards the page that asks for money but not the file itself: a download sitting in a static directory under a predictable name is served to anyone who can name it, because the server never checks whether you "paid" before handing that file out. Much will depend on your nose and your web experience. What is sure is that this approach works better if you already have a hunch!

The following will work for software or music as well (in fact for almost any target you could be looking for), but let's now make an example of guessing regarding images. Let's say you discover a site where photos have been stored and collected. Alas, not with the aim of spreading them to anyone for free, but (as unfortunately often happens on the commercially polluted web) with the shockingly repellent, quite macabre intent to "sell" them. OK, you found the image you wanted by applying our well-known image searching techniques. But the image is crippled, or tagged with awful watermarks, or much too small. Often the commercial bastards let visitors see, as bait, only the smallest versions of the photos they host, or only images impaired by watermarks, copyright marks and tags, or only low-resolution photos... preposterously demanding "money" to show you bigger versions (or uncrippled and untagged versions).
Back to our guessing lore: if your crippled target image happens to have, say, a name like BMPD_03884_0048601T.JPG, what would you do? For instance: http://media3.adforum.com/zrIf58670C/B/BM/BMPD_03884/BMPD_03884_0048601T.JPG, an English Volkswagen advertisement. Alas, the clowns are not a free knowledge site. Let's see what we can do. Let's isolate the image, and now let's play the guessing game, because we don't really want to [shudder] pay advertisers in order to see their crap, do we? We notice that BMPD_03884_0048601T.JPG has a "T" right before the extension. Could it be a "T" for "tiny"? And if so... could there be a "W" for "wide", and maybe also an "A" for "art", or "all", or "amazing"... who knows? Who cares? Just try the letter-guessing game in such cases :-)
http://media3.adforum.com/zrIf58670C/B/BM/BMPD_03884/BMPD_03884_0048601W.JPG... see?
http://media3.adforum.com/zrIf58670C/B/BM/BMPD_03884/BMPD_03884_0048601A.JPG... haha! q.e.d. (quod erat demonstrandum :-)
A single letter before the extension gives only 26 possibilities, so even a full sweep is cheap; a numbered size tag, or a separate folder for the large versions, takes a little more research, but the principle is the same.

Page optimised for Opera. Other browsers? Couldn't care less.
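Both .sozni's regonline.htm example (the data file next to the form that writes it, and FrontPage's root-level _private and _vti_pvt folders) and the one-letter image tag above start from a URL that is already known to exist and derive the next guesses from it. Here is an added example in Python (mine, not code from .sozni or from this page) that does exactly that: sibling_files() builds the regonline.txt-style guesses, tag_variants() swaps the letter before the extension, and probe() is an assumed helper for checking the result over the network; the priority order of the tag letters is my mnemonic guess (Wide, Large, Big, Full, Medium, All, Small), not the page's.

```python
"""Derive new guesses from one URL that is already known to exist.

Added example for this page, not code from .sozni's essay or the lore page.
It encodes two patterns the page describes:
  * regonline.htm -> regonline.txt, /_private/regonline.txt,
    /_vti_pvt/regonline.txt   (a data file beside the form that writes it);
  * BMPD_03884_0048601T.JPG -> ..._0048601W.JPG, ..._0048601A.JPG, ...
    (a one-letter variant tag between the last digit and the extension).
FRONTPAGE_DIRS comes from .sozni's guesses; PRIORITY_TAGS and probe() are
assumptions of this example.  Nothing touches the network at import time.
"""
import string
from urllib.parse import urlsplit, urlunsplit

# Where FrontPage-era IIS sites kept non-page files (from .sozni's guesses).
# _private and _vti_pvt sit at the web root, so they are tried root-relative.
FRONTPAGE_DIRS = ("", "_private", "_vti_pvt")

# Assumed mnemonics for a size/variant tag: Wide, Large, Big, Full, Medium, All, Small.
PRIORITY_TAGS = "WLBFMAS"


def _rebuild(parts, path):
    """Same scheme and host as `parts`, new path, no query or fragment."""
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def sibling_files(url, exts=(".txt",), dirs=FRONTPAGE_DIRS):
    """regonline.htm -> regonline.txt beside the page and in each FrontPage dir."""
    parts = urlsplit(url)
    folder, _, name = parts.path.rpartition("/")
    stem = name.rsplit(".", 1)[0] if "." in name else name
    out = []
    for d in dirs:
        base = folder if not d else "/" + d     # "" keeps the page's own folder
        for ext in exts:
            out.append(_rebuild(parts, base + "/" + stem + ext))
    return out


def tag_variants(url, letters=string.ascii_uppercase, priority=PRIORITY_TAGS):
    """Swap a one-letter tag that sits between a digit and the extension.

    BMPD_03884_0048601T.JPG qualifies (digit, letter, dot); photo.jpg does not,
    so names that merely end in a letter are left alone.  Candidates come out
    in `priority` order first, then the remaining letters A..Z, never the
    original tag.  A lower-case tag gets lower-case replacements.
    """
    parts = urlsplit(url)
    folder, _, name = parts.path.rpartition("/")
    stem, dot, ext = name.rpartition(".")
    if not dot or len(stem) < 2 or not stem[-1].isalpha() or not stem[-2].isdigit():
        return []
    tag = stem[-1]
    pool = list(priority) + [c for c in letters if c not in priority]
    if tag.islower():
        pool = [c.lower() for c in pool]
    out = []
    for c in pool:
        if c == tag:
            continue
        out.append(_rebuild(parts, folder + "/" + stem[:-1] + c + dot + ext))
    return out


def probe(url, timeout=10):
    """HEAD the URL and return its HTTP status code (assumed helper; uses the network).

    A 200 on a guess only means something if the site does not answer every
    unknown path with 200 as well: probe a clearly made-up name first and
    treat any guess that gets the same status as that baseline as a miss.
    """
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    import sys
    # Usage: python guess.py http://host/path/page.htm  (prints the guesses)
    for guess in sibling_files(sys.argv[1]) + tag_variants(sys.argv[1]):
        print(guess)
```

Some servers refuse HEAD (405) or answer it differently from GET; if probe() gives you nothing but 405s, switch the request to GET and look at the status and Content-Length instead. The baseline trick in the docstring matters more than it looks: a custom "not found" page that returns 200 will otherwise turn all 25 letter variants into false hits.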