How to Explore the Insides of Internet Computers -- from your Browser!
By Kumar Gaurav, B.Tech (E.C.E), New Delhi.
Here's a hacking trick that even a total beginner can do. This technique is so simple that you can learn it in five minutes, yet it is powerful enough to amaze your friends and reveal fascinating, hidden things about millions of Internet host computers. It is also perfectly legal and harmless (as long as you don't take it any further than what this Guide will teach you). Furthermore, this is a technique that truly brilliant computer break-in experts use all the time. It's muhahaha time!
In this Guide you will learn how to:
How to Uncover Hidden Parts of a Web Site
Let's start with the simplest webserver hack. Some web sites have pages and/or graphics that aren't linked to anything you could reach starting from the main page. Normally you could only view these pages by guessing their names. However, there is a cool trick that often lets you see everything in a directory even if it isn't linked from any other web page.
Figure 1: An ordinary view of a web site. But we aren't ordinary web surfers, muhahaha! To see better detail, with Windows right click on this (or any other image in your browser) and select "view image".
Figure 1 shows a normal page in the directory /support/csr/software, viewing a file named csr_software.htm. Now here's how we can see everything else in this directory. Simply delete the file name and now you have the URL http://www.victimone.com/support/CSR/software/. Then hit enter in the location bar and we get:
Figure 2: Here's how we extraordinary web surfers explore web sites.
Figure 5: Reading the code for a CGI program on an Irix 6.2 webserver (as shown under a Netscape browser running on Windows NT).
This technique for viewing directory contents will not work on all web sites. There are two easy ways a webmaster can keep you from viewing directory listings. One is to put a file named index.html (or whatever the webserver is configured to use for a default page when a file is not specified) in each directory. In that case, all you will see is the index page and not the directory. The other way is to configure the web server to deny directory listings.
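The second fix above is a one-line configuration change, but on a server with many Directory blocks it is easy to leave one of them open. The following script is an added example (not code from this Guide or from the Apache project) that scans an httpd.conf fragment and reports, per scope, whether directory listings are switched on. It assumes Apache's Options syntax: a bare Indexes or +Indexes enables listings for the enclosing Directory block, -Indexes disables them, and an Options line outside any block applies server-wide. The configuration text is constructed for the example.

```python
"""Audit an Apache httpd.conf fragment for directory listings left enabled.

Added example, not code from the Guide or from Apache. Assumes the Options
directive semantics described in the lead-in (Indexes / +Indexes enable
listings, -Indexes disables them).
"""
import re

# Constructed sample configuration: the server-wide default has listings on,
# one Directory block also turns them on, one turns them off, and one says
# nothing about them at all.
SAMPLE_CONF = """\
ServerRoot "/usr/local/apache"
Options Indexes FollowSymLinks
<Directory "/usr/local/apache/htdocs">
    Options +Indexes +FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/usr/local/apache/htdocs/support">
    Options -Indexes
</Directory>
<Directory "/usr/local/apache/cgi-bin">
    AllowOverride None
</Directory>
"""

_DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+)"?\s*>', re.IGNORECASE)
_DIR_CLOSE = re.compile(r'^\s*</Directory>', re.IGNORECASE)
_OPTIONS = re.compile(r'^\s*Options\s+(.*)$', re.IGNORECASE)


def listing_state(options_args):
    """True if the Options arguments enable listings, False if they disable
    them, None if Indexes is not mentioned. The last mention wins."""
    state = None
    for token in options_args.split():
        if token.lstrip('+-').lower() != 'indexes':
            continue
        state = not token.startswith('-')
    return state


def audit_directory_listings(conf_text):
    """Map each scope ('*' for server-wide, otherwise the Directory path) to
    True/False/None for listings enabled/disabled/not set. A None scope
    inherits from its parent, so it still deserves a manual look."""
    result = {'*': None}
    scope = '*'
    for line in conf_text.splitlines():
        m = _DIR_OPEN.match(line)
        if m:
            scope = m.group(1)
            result.setdefault(scope, None)
            continue
        if _DIR_CLOSE.match(line):
            scope = '*'
            continue
        m = _OPTIONS.match(line)
        if m:
            state = listing_state(m.group(1))
            if state is not None:
                result[scope] = state
    return result


def exposed_scopes(conf_text):
    """Scopes where listings are explicitly enabled: fix them with
    'Options -Indexes' or by placing a default page in the directory."""
    return sorted(s for s, on in audit_directory_listings(conf_text).items() if on)


if __name__ == '__main__':
    for scope, on in audit_directory_listings(SAMPLE_CONF).items():
        label = 'LISTING ENABLED' if on else ('disabled' if on is False else 'not set')
        print(f'{scope}: {label}')
```

Run it against the real httpd.conf instead of SAMPLE_CONF and treat every scope reported as enabled, plus every scope reported as not set under an enabled parent, as a directory that a browser can list.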
If you are lucky, you may be able to discover that one web server is actually running many web sites. For example, something that will sometimes work is http://www.victim.com/../usr/local/apache/htdocs/. However, the webmaster may have put all the web sites elsewhere, for example http://www.victim.com/var/www/htdocs/. If you are patient, just try guessing cool directory paths and see what you get.
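Why does a URL beginning with /../ ever work? Because the server glued the request path onto its document root and normalized the result without checking that it still pointed inside that root. The script below is an added example (not code from this Guide or from any web server) that shows the careless mapping beside the hardened one; the document root /usr/local/apache/htdocs is assumed from the path mentioned above, and the request paths are constructed for the example.

```python
"""Map a requested URL path onto the filesystem: careless versus contained.

Added example, not the Guide's own code. DOCROOT is assumed from the
directory path the Guide mentions; request paths are constructed.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/usr/local/apache/htdocs"  # assumed document root


def naive_map(docroot, url_path):
    """What a careless server does: decode, glue the path on, normalize.
    '..' components walk straight out of the document root."""
    return posixpath.normpath(docroot.rstrip('/') + '/' + unquote(url_path))


def safe_map(docroot, url_path):
    """Same mapping, but refuse any result that is not docroot itself or a
    path underneath it. Decoding happens before the check so an encoded
    '%2e%2e' cannot slip past it."""
    docroot = docroot.rstrip('/')
    decoded = unquote(url_path)
    if '\x00' in decoded:           # a NUL would truncate the path in C code
        return None
    candidate = posixpath.normpath(docroot + '/' + decoded)
    if candidate != docroot and not candidate.startswith(docroot + '/'):
        return None
    return candidate


if __name__ == '__main__':
    for p in ("/support/csr/software/csr_software.htm",
              "/../../../../etc/passwd",
              "/../usr/local/apache/htdocs/"):
        print(f"{p!r}: naive={naive_map(DOCROOT, p)!r} safe={safe_map(DOCROOT, p)!r}")
```

The benign page path maps identically under both functions; the two climbing requests resolve under the naive mapping and are refused by the contained one. The same containment check belongs in any CGI or script that builds a filename from user input.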
How to Explore beyond Web Site Directories into Hidden Parts of the Computer
Exploration using http:// attacks can get boring fast. FTP (file transfer protocol) comes to the rescue. If the web site you are exploring offers downloads, chances are you can get amazing results with something like ftp://www.victim.com.
First, let's take a look at what happens if you can't get in using the ftp trick.
Figure 6: A failed attempt to ftp into a webserver.
You are probably dying to see what's in passwd. I'm going to be cruel and first force you to learn about group. OK, OK, I know you can just skip ahead to passwd, but pretty please calm down and look over group first.
Figure 11. The file /etc/group, viewed with Internet Explorer 4.0.
Newbie note: What does root::0:root mean? Root is the name of a Unix group. Each file and directory on a Unix computer has two owners, one a user and the other a group. Your power to use, write and read a file or directory depends on which user name you log in under and on which groups you belong to. In this case the number zero is the numerical identification (ID) of group root. Normally group ID 0 is reserved for group root or group wheel. (I prefer to set up a group wheel for the uberpowerful users on my boxen.) On this computer there is only one user -- root -- in group root. Group sys looks as if another group, adm, is a member of it. However, only user names are members of groups. In this case adm is both a user name and a group name. The groups and user names sys, adm, uucp and so on are all used not by people, but by programs which need rights to use other programs.
Evil genius tip: The only user name that looks like it is used by a human on this box is root. This tells us that the sysadmin is careless. You should always set up an account with lower privileges than root on any Unix computer and do most of your work from that account. The worst problem with having root as your only user account is that then you are forced to log in as root. This makes the root account vulnerable to password guessing.
What else is /etc/group good for? Let's take a look at another group file:
Figure 12: Another /etc/group
In this case we see a group named bsdi. This tells us the operating system this computer uses is BSDI. You can learn more about it at http://www.bsdi.com.
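Reading a group file by eye works for a dozen lines; an administrator auditing a box wants the same facts (who is in a group with ID 0, which users belong to which groups, which group names give away the vendor) pulled out mechanically. The parser below is an added example, not code from this Guide. The group file it reads is constructed in the shape shown in Figures 11 and 12; the vendor table contains only the bsdi hint the Guide itself names.

```python
"""Parse /etc/group and answer the questions the Guide asks of it.

Added example, not the Guide's own code. SAMPLE_GROUP is constructed in the
name::gid:member,member format the Guide shows.
"""

SAMPLE_GROUP = """\
root::0:root
wheel::10:alice
sys::3:root,bin,adm
adm::4:adm,daemon
uucp::5:uucp
bsdi::100:
staff::20:alice,bob
"""

# Group names that identify a vendor; the Guide names bsdi, nothing else is assumed.
VENDOR_GROUPS = {'bsdi': 'BSDI'}


def parse_group(text):
    """Return a list of (group name, numeric gid, [member user names])."""
    groups = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        name, _password, gid, members = line.split(':', 3)
        groups.append((name, int(gid), [m for m in members.split(',') if m]))
    return groups


def gid0_members(groups):
    """Every user listed in a group whose numeric ID is 0 (root or wheel):
    these are the accounts whose passwords matter most."""
    return sorted({m for _name, gid, members in groups if gid == 0 for m in members})


def membership(groups):
    """user name -> sorted list of the groups that list it as a member.
    Note that 'adm' here is a user name; group adm is a separate thing."""
    out = {}
    for name, _gid, members in groups:
        for m in members:
            out.setdefault(m, []).append(name)
    return {user: sorted(names) for user, names in out.items()}


def vendor_hints(groups):
    """Group names that reveal the operating system vendor."""
    return {name: VENDOR_GROUPS[name] for name, _gid, _m in groups if name in VENDOR_GROUPS}


if __name__ == '__main__':
    groups = parse_group(SAMPLE_GROUP)
    print('gid 0 members:', gid0_members(groups))
    for user, names in sorted(membership(groups).items()):
        print(f'{user}: {", ".join(names)}')
    print('vendor hints:', vendor_hints(groups))
```

On a real system, run it over /etc/group and compare gid0_members against the short list of people who are supposed to have that power.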
Now you finally get to read about /etc/passwd.
Figure 13. The file /etc/passwd shown in Netscape under Windows 98.
Don't get too excited! This is just a shadowed password file.
Newbie note: /etc/passwd is the name of the password file under many Unix-type operating systems such as Linux or Solaris. When you log in to a shell account on this type of computer and give your user name and password, the operating system goes to /etc/passwd to find out whether you are allowed to log in.
Evil Genius Tip: If you get a password file that includes encrypted passwords, you can use a program such as Crack to extract passwords. However, if the passwords have been chosen well, no program will be able to crack their encryption. An uncrackable password would typically be at least 8 characters long and include both upper case and lower case letters of the alphabet, numbers, and other characters such as !@#$%^&*()<>?.
You can go to jail warning! If you crack a password file, mere possession of the cracked passwords can get you into trouble with the law. To see what "Club Fed" (the destination for so many crackers) is all about, click here.
Evil genius tip: Even a shadowed /etc/passwd file can sometimes be used to break into a computer. With a list of all user names and the knowledge of which of these can spawn a shell, one may use password guessing. This is often far slower than running the encrypted passwords through a program such as Crack, but it works surprisingly often.
What else can you do once you are inside your victim? You can download programs! For example:
Figure 14. Downloading the program "ls" (list files) from a victim computer.
What is this good for? If you are an evil genius type, you could analyze programs on victim.com for ways to break in. In the example above, downloading "ls" won't do much good.
Figure 17: We guessed that the file /etc/group exists and voila! It turns up on our browser.
As you can see, guessing worked! From the above very short group file we can guess it uses NIS authentication. Under this system, many computers share the same password authentication system on a central computer. Then only the user names required to run programs on that computer will be in its local password file. We confirm this when we look at the passwd file and only find five entries.
Oh, yes, the same thing will work for guessing /etc/passwd and many other file names.
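The passwd file discussion above turns on three questions: are the password hashes shadowed or exposed, which accounts can actually spawn a shell (the ones a guesser would aim at), and is the box pulling accounts from NIS? The script below is an added example, not code from this Guide, that answers all three for a passwd file. It assumes the standard seven-field passwd layout, treats the conventional NIS-compatibility marker line (one beginning with + or -) as the NIS indicator, and reads a constructed sample file; the hash in it is a placeholder, not a real credential.

```python
"""Classify an /etc/passwd file the way the Guide reads it by eye.

Added example, not the Guide's own code. Assumes the standard
user:password:uid:gid:gecos:home:shell layout and the '+'/'-' NIS
compatibility marker convention. SAMPLE_PASSWD is constructed; the hash
on the 'alice' line is a made-up placeholder.
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
bin:*:2:2:bin:/bin:/sbin/nologin
adm:*:3:4:adm:/var/adm:/sbin/nologin
uucp:*:4:5:uucp:/var/spool/uucp:/sbin/nologin
alice:abJnggxhB/yWI:1001:1001:Alice:/home/alice:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
+::::::
"""

# Shells that refuse interactive logins; anything else counts as a shell account.
NO_LOGIN_SHELLS = {'/sbin/nologin', '/usr/sbin/nologin', '/bin/false', '/usr/bin/false'}


def parse_passwd(text):
    """Return (entries, nis_compat): entries is a list of dicts, nis_compat is
    True if a '+'/'-' compatibility line shows NIS is in use."""
    entries, nis_compat = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line[0] in '+-':
            nis_compat = True
            continue
        fields = line.split(':')
        if len(fields) != 7:
            continue
        entries.append({'user': fields[0], 'pw': fields[1], 'uid': int(fields[2]),
                        'gid': int(fields[3]), 'gecos': fields[4],
                        'home': fields[5], 'shell': fields[6]})
    return entries, nis_compat


def password_state(pw):
    """'empty' (no password at all), 'shadowed-or-locked' (x, *, !...), or
    'hash-exposed' (an actual hash that a cracking program could attack)."""
    if pw == '':
        return 'empty'
    if pw in ('x', 'NP') or pw[0] in '!*':
        return 'shadowed-or-locked'
    return 'hash-exposed'


def risk_report(text):
    """The facts an administrator (or the Guide's reader) wants from passwd."""
    entries, nis_compat = parse_passwd(text)
    return {
        'nis_compat': nis_compat,
        'hash_exposed': sorted(e['user'] for e in entries if password_state(e['pw']) == 'hash-exposed'),
        'empty_password': sorted(e['user'] for e in entries if password_state(e['pw']) == 'empty'),
        'shell_accounts': sorted(e['user'] for e in entries if e['shell'] not in NO_LOGIN_SHELLS),
        'uid0': sorted(e['user'] for e in entries if e['uid'] == 0),
    }


if __name__ == '__main__':
    for key, value in risk_report(SAMPLE_PASSWD).items():
        print(f'{key}: {value}')
```

For the file in Figure 13 the report would show every password field shadowed; the accounts worth attention on any box are those in shell_accounts, and an entry in empty_password or hash_exposed is a problem to fix today.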
How to Break into Computers Using Only your Web Browser
You may have already read about the PHF exploit. Just in case you are the one hacker in a million who hasn't already read about this, here's how most people try the PHF attack. In the location window of your browser, simply insert the command
http://victim.computer.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
You can get punched in the nose warning: While it isn't illegal to run this command, many webservers automatically email a complaint about you to your online service. Oh, yes, they can tell who you are really easily. Many online services will automatically terminate your account if they catch you running the PHF exploit.
Usually you will only get a response that looks like Figure 18:
Figure 18: The usual result of trying the PHF exploit. Sometimes insults and threats will appear instead. Webmasters hate people who try the PHF exploit.
Use of this command is proof of idiocy. One day, looking over the logs of attacks on the ANY web server, I was appalled to see that almost every PHF attack used the above line of code.
If this attack had worked, these pitiful excuses for hackers would have gotten nothing of much value. Our password file is shadowed, and in any case the passwords were all way too brutal to be extracted by any cracking program.
The real power of the PHF attack is that if it works, you already have root control over the victim computer -- through your web browser. So why bother cracking the password file? For example, if we were lame enough to run a webserver vulnerable to PHF attack, you could give the command:
http://<xyz.com>/cgi-bin/phf?Qalias=x%0a/bin/rm%20<document root>index.html
If it works, this would erase the main web page of whatever web site was hosted at that particular document root. Or the command could have been echo%20"You got hacked, luser!"><document root>index.html. (Note that %20 represents a space in the command string.) This would add the phrase "You got hacked, luser!" to the victim web site.
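The webmasters who mail complaints and the author looking over the server logs are doing the same thing: spotting PHF attempts in the access log. The script below is an added example, not code from this Guide, that does it mechanically over Common Log Format lines. It flags a request to /cgi-bin/phf, a percent-encoded newline (%0a) in any CGI query string, which is what turns the query into a command in this attack, and a reference to /etc/passwd or /etc/group in the query. The log lines are constructed for the example.

```python
"""Flag PHF-style probes in a web server access log.

Added example, not the Guide's own code. Assumes Common Log Format lines;
SAMPLE_LOG is constructed, with dates and addresses made up.
"""
import re
from urllib.parse import urlsplit, unquote

SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/1998:13:55:36 -0700] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 210
10.0.0.6 - - [10/Oct/1998:13:56:01 -0700] "GET /support/csr/software/csr_software.htm HTTP/1.0" 200 4120
10.0.0.7 - - [10/Oct/1998:13:57:12 -0700] "GET /cgi-bin/phf?Qalias=x%0A/bin/cat%20/etc/group HTTP/1.0" 200 612
10.0.0.8 - - [10/Oct/1998:13:58:40 -0700] "GET /cgi-bin/search?q=%0aid HTTP/1.0" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

SYSTEM_FILE_RE = re.compile(r'/etc/(passwd|group|shadow)')


def classify_request(target):
    """Return the indicator tags that apply to one request target."""
    parts = urlsplit(target)
    query = unquote(parts.query)      # decode so %0a and %0A both become '\n'
    tags = []
    if parts.path.lower().endswith('/cgi-bin/phf'):
        tags.append('phf-probe')
    if '\n' in query or '\r' in query:
        tags.append('newline-in-query')
    if SYSTEM_FILE_RE.search(query):
        tags.append('system-file-read')
    return tags


def scan_log(text):
    """Return (ip, status, target, tags) for every suspicious line. A tagged
    request answered with 200 is the one that needs immediate attention:
    the CGI program exists and ran."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m['target'])
        if tags:
            hits.append((m['ip'], int(m['status']), m['target'], tags))
    return hits


def successful_probes(hits):
    """Client addresses whose tagged requests got a 200 response."""
    return sorted({ip for ip, status, _t, _tags in hits if status == 200})


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for ip, status, target, tags in hits:
        print(f'{ip} {status} {target} {tags}')
    print('answered with 200:', successful_probes(hits))
```

Feed it the real access log instead of SAMPLE_LOG; the 404 entries are the harmless noise the Guide describes, while a phf-probe answered with 200 means the vulnerable program is still installed and should be removed from cgi-bin.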
In the meantime, have fun amazing your friends and bumfuzzling your enemies doing the legal, harmless things of this Guide!