~ The art of guessing ~
         to advanced    The art of
guessing
Version february 2000

The Art of Guessing


This was published on my old site in October 1999, and you'll find the original, among many other goodies, on sozni's page.


There are many ways to get registered software.  You can buy it, you can get a copy from a friend or from the internet, you can crack a demo, you can use a serial number, etc.  There are so many ways that if you really want something, you can get it.


I have noticed that many ActiveX controls are updated frequently.  For example, DataDynamics has been posting a new update for ActiveReports every two weeks.  If you get a pirated copy or a patch, then you never really have the most recent version.   That's why I prefer licensing my software.  And that's what my essays are about: licensing, not cracking software.

I have already talked about a couple of ways to get licensed.  There is another way that I am starting to use more and more.  That is to hack the company's web site. There are may ways to find info on the company's website.  Here are some methods that I use:

-  Browse their FTP site looking for hidden directories
-  Browse their FTP site looking for stuff out in the open that they have forgotten about
-  Use a FrontPage attack (there are many)
-  Exploit weaknesses in Active Server Pages
-  View the source of pages (especially registering and purchasing online pages)
-  And my favorite:  Guessing

I can't believe how many sites I have hacked just by guessing stuff.  As I mentioned before I got all of the Winternals Software just by guessing the URL's.  I got a password for a protoview install by typing random keys (I heard someone else had done the same thing).  I have found serial number lists, serial number generators and validators, and user registrations.

It's all there for the taking.  The trick is to be really good at guessing.  The principle here is that people are predictable.  If someone thinks a certain way one day, most likely they are going to think the same way the next day.  Also, people are usually going to name things with the first thing that comes to mind.

For example, if you wanted to created a directory for downloads, what would you call that directory?  And then if you have one directory for demos, what would you call the directory for retail products?

Do see my point?  The Amazing Kreskin works on this principle.  He asks people to think of a vegetable and most people will think of a carrot.  He asks them to think of a shape then to think of another shape inside that shape and most of the time he knows what they are thinking.  Why?  Because people are predictable.

How many new computer users do you think use their logon as their password?  Many.   And why do you think there are so many common password lists on hacking sites?   Because a lot of people use these common passwords.  See? They are predictable.

Now if a company has a product named ERD Commander and the information about that product is on a page called erdcmndr.htm and the demo is named
erdcmndr.exe in the demos directory then what do you think the real product is going to be called?  Yep, erdcmndr.exe (in a different directory, of course). 

To get the real version of ERD Commander I looked at the demo at www.sysinternals.com then went to their retail site, www.winternals.com and downloaded erdcmdr.exe.  Of course, I first had to find the download directory, but that's another story.

And guess what? I just repeated that same process for all of their products.   Remember what I said?  If someone thinks a certain way one day, most likely they are going to think the same way the next day. People are predictable.

Here's another one:  Suppose a company has a wep page that allows you to register their software online.  It is called regonline.htm.  And let's suppose they are using IIS on Windows NT.  And let's suppose they want all these online registrations to be saved to a text file.  What would that file be named and where would it be located?  These would be my first guesses for www.company.com/regonline.htm:

www.company.com/regonline.txt
www.company.com/_private/regonline.txt
www.company.com/_vti_pvt/regonline.txt

Here's another one, Janus Systems has a page to register online in the http://www.janusys.com/Support/ directory.  These registrations post to a
text file.  Now if your customers were registering their software and these registrations post to a text file and your company is in Mexico,
what would you call this text file?

My guesses would be:
www.janusys.com/support/registration.txt
www.janusys.com/support/register.txt
www.janusys.com/support/registracion.txt
www.janusys.com/support/registra.txt

And you know what? It's the last one (at least it used to be before I first posted this essay on my mailing list)

The key to guessing is research.  Look around at their website and see what they name things and where they put things.  Look at pictures and links and downloads.  Do they like cryptic abbreviations? Is there a method that uses the product version number?   Do you see patterns?

Then, just guess.  You would be surprised how many times this works.  That is, if you have really mastered the art of guessing.

 

Copyright ©1998 .sozni, all rights reserved. 

Petit image

(c) 2000: [fravia+], all rights reserved