XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX X X X XXXXXXXXXXXXX XXXXXXXX XXXXXXXXXX XX XX XXXXXXXX X X XX XX XX XX XX XX XX X X XX XX XX XX XX XX XX X X XX XX XX XX XX XX XX X X XX XX XX XX XX XX XX X X XX XX XX XX XX XX XX X X XX XX XX XX XX XX XX X X XX XX XX XX XX XX XX X X XX XX XX XX XX XX XX X X XX XX XX XX XX XX XX X X XX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX X X X XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (c) 2001 by TCOUC - Design by tronsHELL (tronsHELL@tcouc.com) WARNING: ########################################################################## # THIS TEXT IS AN OPEN SOURCE AND CAN BE COPIED AND PUBLISHED. # # PLEASE DON'T MODIFY THE TEXT AND LEAVE A REFERENCE TO THE AUTHOR. # ########################################################################## INFORMATION GATHERING ( May 31 2001 ): ------------------------------------- We are living in a world where information rule. This is a guide on how to gather information about people and businesses. The informations include credit card numbers, usernames and passwords, address, phone number, email, etc. I could go on forever, but that isn't the point I wanted to make with this guide. There are several ways to accomplish it: 1.) TRASH DIGGING ================= Ok, ok, it doesn't sound like typical hacking at all. It doesn't really have anything to do with hacking, but the results are enormous. Many people and companies, including ISPs or banks, do throw their or their customer's information just away. That means that yo will be able to find passwords, addresses, credit card numbers and a lot other things, in their trash baskets (inside and outside the buildings). Believe me, I once have worked at a major ISP. They did actually dispose their customer's usernames and password without shreddering in their trash baskets. I went to place at night and dug through the trash can outside, and I found several hundred names with username/password, credit card number and other infos. I didn't abuse them, but did send those infos to each person per email, and warned them that they had the wrong ISP. And this is just one of many examples. If you fear to get dirty, either wear gloves or don't do it. It is really worth the effort. 2.) SESSION IDS =============== It it so easy in those days to order your stuff online. Services like amazon, bestbuy, or other are examples of those online order services. Those services have usually their customer information (including credit card) saved in a database. Of course, you could try to get root access to the server to get the database, but they usually have strong security, that makes it almost impossible sometimes to get the information this way. An alternative and "easier" way is by using the session ids. Every time a customer creates an account, buys something, or does something else with his account, he gets a session id, a unique number/string to identify him by the script/program that is handling all the input from several customers at the same time. Examples of an URL would be in this case "http://www.online-order-service.com/script.cgi?id=2341512543&page=infos". In this case the info page of the customer current using the service with id 2341512543 would be displayed. There are many major differences between the services, how the session id is handled. Some really random, other are just counting ones. Some expire when the customers logs off, others can be valid for days or months. The attacker has to guess the right id in order to get the information, of which the amount also differs from service to service. It will be hard to hack major services like amazon, because they make sure that it will be hard to hack their cutomers account by using this method. But there are still many little unknown order services with their own order scrips/programs, that are vulnerable to this attack. If you go to some search engine ( I recommend Google.com or www.search.directnic.com ) for "online orders" or "order cart" or something related, you will easily find those services. It is left to you what you do with the information you will "get" by using this method. OF COURSE THERE ARE SEVERAL OTHER METHODS TO GATHER INFORMATION LIKE PEOPLE-SEARCH-ENGINES OR SOCIAL ENGINEERING, BUT THERE ARE ALREADY SO MANY TEXTFILES ABOUT THOSE TOPICS THAT I ONLY WANTED TO WRITE HERE ABOUT TOPICS I HAVEN'T FOUND MUCH AT ALL ON THE HACKER PAGES. GrEEtIngZ t0 aLl rEal ******* ( N0T tHe sKriPt cidDIEz ) (c) May 31 2001 by tronsHELL