Internet Analysis Course Notes

Academy of Tactics

Introduction

Knowing how to analyze web sites and Internet resources is a valuable skill today. The Internet is a sophisticated and daunting technology, but once you learn to tame it, you can use it to your advantage. This course covers two main types of Internet analysis: code inspection and tracing. Once you master them, you can also use them for your own purposes, to hide things that would not be obvious to an uninformed person.

Code Inspection

Many languages are used throughout the Internet, but the most common are HTML, PHP, ASP and CGI/Perl. When you "view the source" of a page (right click on the page background and click View Source), you are seeing mostly HTML. Sometimes you might see other things like DHTML, JavaScript, XML, or other client-side languages in the source. Inspecting the source is very useful when you suspect that something is strange with the HTML page. Irregular spacing is a good example of this. Viewing the source (or sometimes just highlighting the text) may provide additional clues. For example:

[Image: IAex1.gif]
Might turn out to be...
[Image: IAex2.gif]

...after simply highlighting text. Another way to identify something worth taking a look at is the irregularity of the font color codes. For this example, the code would be:

<p>This<font color="#000000"> I </font>is<font color="#000000"> h </font>some<font color="#000000"> a </font>test<font color="#000000"> v </font>text<font color="#000000"> e </font>to<font color="#000000"> a </font>show<font color="#000000"> s </font>you<font color="#000000"> e </font>an<font color="#000000"> c </font>example<font color="#000000"> r </font>of<font color="#000000"> e </font>hiding<font color="#000000"> t </font>messages.</p>
This is the text hidden by using the font tag for the practical question in the exam!!!

Just looking at that should arouse some suspicion. Of course, you must be proficient with at least basic HTML, which this course assumes.

Another interesting way to hide data without anybody seeing it is a bit more subtle. You can effectively store a message between a <table> and a <tr> tag, or between a <tr> and a <td> tag (this also works with the closing / tags), without it being displayed on the site. Nobody will know it exists unless they know to look in the source for it, and where. A trained agent can spot these fairly quickly with some experience.

The third way of hiding data is not as subtle as the second, but people will still never know the data exists without looking in the source. Almost every programming language has a syntax for "commenting out" code or words. This makes the commented text completely ineffective, so it will not interfere when the code is run. The syntax for comments in HTML is an opening <!-- followed by the code or words to be commented out, and then a closing -->. You can store messages inside a comment tag, where they are visible in the source but completely nonexistent when you look at the page. Thus, if I put the following in the source code of a page:

<!--If you're reading this, you should know that our password is tr847d-->

It would be effective in throwing off enemy agents analyzing your page. Conversely, you must be aware of what information was and was not put there deliberately for you to see. If an enemy club puts their passwords in a comment in their HTML source, it's not very reliable; more likely, it's a trap.

New ways to hide text have emerged from the use of style sheets (CSS). There are several, but I will only cover a few in this course.

Hiding a Div or Span

This is more difficult to detect because simple highlighting will not cause the hidden text to appear. To do this, a division is created on the page and placed off the viewable screen of the browser. Here are a few ways this is accomplished:

  1. Use the position property to place the text off the viewable screen area.
  2. Use the "visibility : hidden" or style="display: none" declarations to make the browser keep the text in the div hidden.
  3. Use the z-index property to place the text below the viewable layer.

Positioning the Div Off the Viewable Screen
Using style sheets, it is possible to absolutely or relatively position any division. Using absolute positioning, someone can simply position the text any number of pixels off the screen to the left of the window. Here is some example code:

.hideme {
position : absolute;
left : -1000px;
}

Assigning class="hideme" to a div tag now displays the div 1000 pixels to the left of the visible screen, i.e., it will not appear on the screen. Example:

<div class="hideme">hidden text using class</div>

Using "Visibility: Hidden" Style Commands
An alternative to the method above is to simply use the built in features of style sheets to hide text:

.hideme {
visibility : hidden;
}

Again, assign the class "hideme" to the div. The text will not appear in the browser window, but will be visible to the search engine spiders.

Or simply set style="display: none" in your tag, like this:

<div style="display: none">hidden text using style</div>

This is the text hidden using a div tag for the practical question in the exam!!!

Hiding the Div "Below" the Visible Layer
Another sneaky way to hide text from visitors is to put the text in a layer that is "below" or "behind" the visible layer. The horizontal and vertical dimensions of the viewable screen on a web browser are the X and Y indices. The third dimension is the Z-index. Instead of describing left to right (X) or top to bottom (Y) dimensions, it describes above and below or back to front dimensions for layers of Web pages. Think of a web page as being constructed of a stack of pages. Coding using the Z-index enables someone to keep text and images underneath or behind the viewable screen until the visitor takes some action, such as clicking a button or putting their mouse over a specific location. Then the Z-index can change, allowing the hidden content to become visible, giving the impression of interactivity.
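
The checks an analyst would run over a saved page source, as an added example that is not part of the original course notes: a Python scanner (standard library only) that reports font text matching the page background, text stranded between table tags, comments, and elements hidden through CSS. The class name HiddenTextFinder, the black default background and the sample page are assumptions made for the illustration; the CSS matching is a heuristic and will also flag legitimate negative offsets.

```python
import re
from html.parser import HTMLParser

# Heuristics for the CSS tricks in these notes (inline style or class rule).
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden"
                    r"|(left|top|z-index)\s*:\s*-\d", re.I)
RULE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")        # .class { declarations }
TABLE_SLOTS = {"table", "thead", "tbody", "tfoot", "tr"}  # text belongs in td/th
VOID = {"br", "hr", "img", "input", "link", "meta"}      # never get an end tag

class HiddenTextFinder(HTMLParser):
    def __init__(self, html, background="#000000"):  # background colour: assumption
        super().__init__()
        self.background = background.lower()
        self.hidden_classes = {c for c, body in RULE.findall(html) if HIDING.search(body)}
        self.stack, self.findings = [], []  # open (tag, reason); (reason, text)
        self.feed(html)
        self.close()

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a, reason = dict(attrs), None
        if HIDING.search(a.get("style") or ""):
            reason = "css-inline"
        elif self.hidden_classes & set((a.get("class") or "").split()):
            reason = "css-class"
        elif tag == "font" and (a.get("color") or "").lower() == self.background:
            reason = "font-colour"
        self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        tags = [t for t, _ in self.stack]
        if tag in tags:  # pop to the matching open tag, tolerating unclosed ones
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]

    def handle_comment(self, data):
        self.findings.append(("comment", data.strip()))

    def handle_data(self, data):
        text, reasons = data.strip(), [r for _, r in self.stack if r]
        slot = bool(self.stack) and self.stack[-1][0] in TABLE_SLOTS
        if text and (reasons or slot):
            self.findings.append((reasons[-1] if reasons else "outside-table-cell", text))

# Constructed sample page exercising each trick described above.
SAMPLE = """<style>.hideme { position: absolute; left: -1000px; }</style>
<p>This<font color="#000000"> h </font>is<font color="#000000"> i </font>text.</p>
<table>slot one<tr>slot two<td>cell</td></tr></table><!-- comment note -->
<div class="hideme">via class</div><div style="display: none">via style</div>"""
```

HiddenTextFinder(SAMPLE).findings lists each hidden fragment with the reason it was flagged; pass the page's real background colour as the second argument when it is not black.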

Tracing

Sometimes you are able to access an IP address of a target, but you're not sure who it is. In this case, you can get some information from the IP address. First, you open up a DOS prompt and type tracert <IP here> where <IP here> should be replaced by the IP address you have. The first line of information is the most important, and is where you can get the information you need. It will say the following: "Tracing route to <host> [IP] over a maximum of 30 hops." [IP] will be the IP address you entered, and the host will be something like ACB50DD7.ipt.aol.com. If you don't want to wait for tracert to complete the hops, you can hit Ctrl+C to stop it. You can also resolve a host on IRC - type /dns followed by the IP you want to trace. This will give you a host now - which can be used to construct an IRC hostmask. For example, the IP address 172.181.13.215 resolves to ACB50DD7.ipt.aol.com. From this, the hostmask would be *!*@*.ipt.aol.com. Most numbers in the resolved host can be replaced with asterisks in the hostmask, since they usually represent the IP address. With the hostmask, you can now find out who the person is by doing a !seen (if there is a bot in the target's main channel) which should give you the person's nick. Of course, this won't always work, but it's useful to be able to know how to do it when you can.
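
Why the numbers in the resolved host can be wildcarded, as an added example that is not part of the original course notes: in the host above, ACB50DD7 is simply the four octets of 172.181.13.215 written in hexadecimal. The function names and the dashed-decimal host are assumptions for the illustration; only the hex and dashed-decimal encodings are recognised, and the input is the already-resolved host, so nothing is looked up.

```python
import ipaddress

def ip_label_forms(ip):
    """Ways a provider may embed an IPv4 address in one reverse-DNS label."""
    packed = ipaddress.IPv4Address(ip).packed
    dec = [str(b) for b in packed]
    # e.g. acb50dd7, 172-181-13-215, 215-13-181-172
    return {packed.hex(), "-".join(dec), "-".join(reversed(dec))}

def hostmask(ip, host):
    """Wildcard the labels of `host` that encode `ip`; keep the provider suffix."""
    forms = ip_label_forms(ip)
    out = []
    for label in host.lower().rstrip(".").split("."):
        part = "*" if any(f in label for f in forms) else label
        if not (part == "*" and out and out[-1] == "*"):  # collapse repeated wildcards
            out.append(part)
    return "*!*@" + ".".join(out)

if __name__ == "__main__":
    # Host and IP taken from the notes above.
    print(hostmask("172.181.13.215", "ACB50DD7.ipt.aol.com"))
    # Constructed host using the dashed-decimal convention.
    print(hostmask("172.181.13.215", "host-172-181-13-215.dyn.example.net"))
```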

I hope this course has given you some insight about web analysis. There are many more ways than just these examples to analyze internet sites and to trace IPs. You will discover more on your own as you gain experience.

Good luck, agent!

Credits:

Written by: Classified on May 2, 2002.
Additions and edits by Havok in 2011