Monday, July 28, 2014

Finding subdomains of a domain, spy sites

Let's say you want to find all the subdomains/cnames of 'lowlife.org':

user@host:/#dig lowlife.org

; <<>> DiG 8.2 <<>> lowlife.org 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      lowlife.org, type = A, class = IN

;; AUTHORITY SECTION:
lowlife.org.            1D IN SOA       ns0.demon.nl. hostmaster.demon.nl. (
                                        2000801000      ; serial
                                        6H              ; refresh
                                        30M             ; retry
                                        2W              ; expiry
                                        1D )            ; minimum

Here you can see that the authoritative nameserver is 'ns0.demon.nl'.

OK, now let's look at the subdomains/CNAMEs:

user@host:/#dig @ns0.demon.nl lowlife.org axfr

; <<>> DiG 8.2 <<>> @ns0.demon.nl lowlife.org axfr 
; (1 server found)
$ORIGIN lowlife.org.
@                       1D IN SOA       ns0.demon.nl. hostmaster.demon.nl. (
                                        2000801000      ; serial
                                        6H              ; refresh
                                        30M             ; retry
                                        2W              ; expiry
                                        1D )            ; minimum

                        1D IN NS        ns0.demon.nl.
                        1D IN NS        ns0.demon.co.uk.
                        1D IN MX        10 punt.mail.nl.demon.net.
                        1D IN MX        40 relay-2.mail.nl.demon.net.
                        1D IN MX        60 relay-1.mail.demon.net.
                        1D IN MX        60 relay-2.mail.demon.net.
demon                   1D IN CNAME     www
middelburg              1D IN A         212.92.68.205
freebsd                 1D IN CNAME     www
localhost               1D IN A         127.0.0.1
www                     1D IN A         195.11.225.234
                        1D IN MX        10 punt.mail.nl.demon.net.
                        1D IN MX        40 relay-2.mail.nl.demon.net.
                        1D IN MX        60 relay-1.mail.demon.net.
                        1D IN MX        60 relay-2.mail.demon.net.
project                 1D IN A         145.92.3.32
sentinel                1D IN CNAME     www
*                       1D IN MX        10 punt.mail.nl.demon.net.
                        1D IN MX        40 relay-2.mail.nl.demon.net.
                        1D IN MX        60 relay-1.mail.demon.net.
                        1D IN MX        60 relay-2.mail.demon.net.
@                       1D IN SOA       ns0.demon.nl. hostmaster.demon.nl. (
                                        2000801000      ; serial
                                        6H              ; refresh
                                        30M             ; retry
                                        2W              ; expiry
                                        1D )            ; minimum

;; Received 23 answers (23 records).
;; FROM: lowlife.support.nl.demon.net to SERVER: 194.159.73.5
;; WHEN: Thu Sep 14 10:24:28 2000


And tataaaaa: you see the subdomains: localhost, middelburg, www and project 
and the cnames: demon, freebsd and sentinel.
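
Added example (not part of the original post): a Python parser for the master-file style output that dig 8.2 prints for an AXFR, handy for reviewing what your own zone discloses when transfers are not restricted. It expands the $ORIGIN-relative names, the blank owner columns and the parenthesised SOA seen above; the names parse_axfr and exposure are hypothetical, and the sample is abridged from the transcript.

```python
# Constructed sample, abridged from the dig 8.2 AXFR transcript above.
SAMPLE = """\
$ORIGIN lowlife.org.
@                       1D IN SOA       ns0.demon.nl. hostmaster.demon.nl. (
                                        2000801000      ; serial
                                        6H 30M 2W       ; refresh, retry, expiry
                                        1D )            ; minimum
                        1D IN NS        ns0.demon.nl.
demon                   1D IN CNAME     www
localhost               1D IN A         127.0.0.1
www                     1D IN A         195.11.225.234
                        1D IN MX        10 punt.mail.nl.demon.net.
"""

def fqdn(name, origin):
    """Expand '@' and relative names against the current $ORIGIN."""
    name = origin if name == "@" else name
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_axfr(text):
    """Return (owner, type, rdata) tuples; assumes TTL and class on every record."""
    origin, owner, records, pending = ".", None, [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # strip comments (no quoted ';' support)
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        pending = f"{pending} {line}" if pending else line
        if pending.count("(") > pending.count(")"):
            continue                           # parenthesised record continues
        inherits = pending[0].isspace()        # blank owner column: reuse previous owner
        fields = pending.replace("(", " ").replace(")", " ").split()
        pending = ""
        if not inherits:
            owner = fqdn(fields.pop(0), origin)
        _ttl, _cls, rtype, *rdata = fields
        if rtype in ("CNAME", "NS", "MX"):
            rdata[-1] = fqdn(rdata[-1], origin)  # relative targets such as 'www'
        records.append((owner, rtype, " ".join(rdata)))
    return records

def exposure(records):
    """Summarise what a successful transfer discloses about the zone."""
    hosts = {o: d for o, t, d in records if t == "A"}
    aliases = {o: d for o, t, d in records if t == "CNAME"}
    loopback = sorted(o for o, d in hosts.items() if d.startswith("127."))
    return {"hosts": hosts, "aliases": aliases, "loopback": loopback}
```

Calling exposure(parse_axfr(SAMPLE)) lists the published hosts and aliases and flags localhost.lowlife.org. as a loopback address sitting in a public zone.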


man dig

     Dig (domain information groper) is a flexible command line tool which can
     be used to gather information from the Domain Name System servers.  
     All query options are accessible from the command line.

     The usual simple use of dig will take the form:

                 dig @server domain query-type query-class

     query-type  is the type of information (DNS query type) that you are re-
                 questing. If omitted, the default is ``a'' (T_A = address).
                 The following types are recognized:

                 a       T_A        network address
                 any     T_ANY      all/any information about specified domain
                 mx      T_MX       mail exchanger for the domain
                 ns      T_NS       name servers
                 soa     T_SOA      zone of authority record
                 hinfo   T_HINFO    host information
                 axfr    T_AXFR     zone transfer (must ask an authoritative
                                    server)
                 txt     T_TXT      arbitrary number of strings



                 (See RFC 1035 for the complete list.)

 query-class
                 is the network class requested in the query. If omitted, the
                 default is ``in'' (C_IN = Internet). The following classes
                 are recognized:

                 in      C_IN       Internet class domain
                 any     C_ANY      all/any class information

                 (See RFC 1035 for the complete list.)

                 Note: ``Any'' can be used to specify a class and/or a type of
                 query.  Dig will parse the first occurrence of ``any'' to
                 mean query-type = T_ANY. To specify query-class = C_ANY, you
                 must either specify ``any'' twice, or set query-class using
                 the -c option (see below). 

Using host
Use host like this:

user@host:/#host -l -t any lowlife.org
lowlife.org start of authority  ns0.demon.nl hostmaster.demon.nl(
                        2000801000      ;serial (version)
                        21600   ;refresh period
                        1800    ;retry refresh this often
                        1209600 ;expiration period
                        86400   ;minimum TTL
                        )
lowlife.org name server ns0.demon.nl
lowlife.org name server ns0.demon.co.uk
lowlife.org mail is handled (pri=10) by punt.mail.nl.demon.net
lowlife.org mail is handled (pri=40) by relay-2.mail.nl.demon.net
lowlife.org mail is handled (pri=60) by relay-1.mail.demon.net
lowlife.org mail is handled (pri=60) by relay-2.mail.demon.net
demon.lowlife.org is a nickname for www.lowlife.org
middelburg.lowlife.org has address 212.92.68.205
freebsd.lowlife.org is a nickname for www.lowlife.org
localhost.lowlife.org has address 127.0.0.1
www.lowlife.org mail is handled (pri=10) by punt.mail.nl.demon.net
www.lowlife.org mail is handled (pri=40) by relay-2.mail.nl.demon.net
www.lowlife.org mail is handled (pri=60) by relay-1.mail.demon.net
www.lowlife.org mail is handled (pri=60) by relay-2.mail.demon.net
www.lowlife.org has address 195.11.225.234
project.lowlife.org has address 145.92.3.32
*.lowlife.org mail is handled (pri=10) by punt.mail.nl.demon.net
*.lowlife.org mail is handled (pri=40) by relay-2.mail.nl.demon.net
*.lowlife.org mail is handled (pri=60) by relay-1.mail.demon.net
*.lowlife.org mail is handled (pri=60) by relay-2.mail.demon.net
sentinel.lowlife.org is a nickname for www.lowlife.org
lowlife.org start of authority  ns0.demon.nl hostmaster.demon.nl(
                        2000801000      ;serial (version)
                        21600   ;refresh period
                        1800    ;retry refresh this often
                        1209600 ;expiration period
                        86400   ;minimum TTL
                        )


OK, this is a lot of info. If you're just interested in the CNAMEs/subdomains, try this:

user@host:/#host -l lowlife.org
lowlife.org name server ns0.demon.nl
lowlife.org name server ns0.demon.co.uk
middelburg.lowlife.org has address 212.92.68.205
localhost.lowlife.org has address 127.0.0.1
www.lowlife.org has address 195.11.225.234
project.lowlife.org has address 145.92.3.3

That gives you just the subdomains. Then try this:

user@host:/#host -l -t cname lowlife.org
demon.lowlife.org is a nickname for www.lowlife.org
freebsd.lowlife.org is a nickname for www.lowlife.org
sentinel.lowlife.org is a nickname for www.lowlife.org

for the cnames.



Another way is using spy sites:
http://www.ip2country.cc/?q=##
http://##.websitetrafficspy.com/
http://spyonweb.com/##
http://webmastercoffee.com/en/site/##
http://www.mydnstats.com/index.php?a=search&q=##
http://www.robtex.com/dns/##.html
http://dns.l4x.org/##
http://uptime.netcraft.com/up/graph?site=##
http://sameip.org/ip/##
http://www.hostsearch.cc/##

Tuesday, July 8, 2014

Passwords in different OSes

  Passwords in different OSes:

A/UX 3.0s - /tcb/files/auth/?/*
FreeBSD 4.3 - /etc/master.passwd
ConvexOS 10 - /etc/shadpw
ConvexOS 11 - /etc/shadow
DG/UX - /etc/tcb/aa/user/
HP-UX - /.secure/etc/passwd
IRIX 5 - /etc/shadow
Linux 1.1 - /etc/shadow
SunOS 4.1 - /etc/security/passwd.adjunct
SunOS 5.0 - /etc/shadow
UNICOS - /etc/udb
Win 95/98 - c:\windows\*.pwl
AIX 3 - /etc/security/passwd or /tcb/auth/files/<first character of login>/<login>
BSD4.3-Reno - /etc/master.passwd
EP/IX - /etc/shadow
OSF/1 - /etc/passwd[.dir|.pag]
SCO Unix #.2.x - /tcb/auth/files/<first character of login>/<login>
System V Release 4.0 - /etc/shadow
System V Release 4.2 - /etc/security/* database
Ultrix 4 - /etc/auth[.dir|.pag]

               Passwords in various servers:

Samba  - /etc/samba/smbpasswd
Apache - /usr/local/apache/pwd

                           Main hash types:

e9a7656f277ba63618e20628fefad321          - md5
14FB05A326C16B2B                          - MySQL
$1$12345678$6KdMANluuNMmoxB4v4SyQ0        - MD5 (Unix)
9ABB8717D8B02F4181274D347622C6927F82725C  - SHA-1
5m84advre2a0p                             - DES

Tuesday, July 1, 2014

MySQL root password in Plesk, ISPmanager, DirectAdmin, Cpanel, phpMyAdmin

Plesk (Parallels)
/etc/psa/.psa.shadow

user - admin

ISPManager 
/usr/local/mgr5/etc/common.conf 

root

ISPManager -> Server settings -> Database servers -> MySQL -> Password

DirectAdmin  
/usr/local/directadmin/conf/mysql.conf

da_admin 

cPanel
/root/.my.cnf

DBACCESS="-u root -pPASSWORD"

phpMyAdmin 
/etc/phpMyAdmin/config.inc.php

$cfg['blowfish_secret'] = 'wertyfvv';

$cfg['Servers'][1]['auth_type'] = 'cookie';

$cfg['Servers'][1]['user'] = 'root';

$cfg['Servers'][1]['password'] = 'wejbmjm,n3';
blowfish_secret – an arbitrary phrase used to encrypt passwords in cookies

auth_type – the authentication type, which can take 3 values: config, cookie and http:

config – the login/password are taken from this file (the next two lines, user and password)
cookie – the login/password are asked for every time someone goes to the address where phpMyAdmin is located.
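
Added example (not part of the original post): a Python check that reads config.inc.php assignments like the ones above and reports stored credentials and a short blowfish_secret. The names parse_cfg and audit are hypothetical, the 32-character threshold is this example's assumption, and the "not needed" finding follows the phpMyAdmin documentation, which says user/password should be empty when cookie or http authentication is used.

```python
import re

# Sample input: the config.inc.php lines shown in the post above.
SAMPLE = """
$cfg['blowfish_secret'] = 'wertyfvv';
$cfg['Servers'][1]['auth_type'] = 'cookie';
$cfg['Servers'][1]['user'] = 'root';
$cfg['Servers'][1]['password'] = 'wejbmjm,n3';
"""

# Uncommented single-quoted assignments such as $cfg['Servers'][1]['user'] = 'root';
ASSIGN = re.compile(r"^\s*\$cfg((?:\[[^\]]+\])+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", re.M)

def parse_cfg(text):
    """Map key paths like ('Servers', '1', 'user') to their string values."""
    cfg = {}
    for keys, value in ASSIGN.findall(text):
        path = tuple(k.strip("'\"") for k in re.findall(r"\[([^\]]+)\]", keys))
        cfg[path] = value
    return cfg

def audit(text, min_secret=32):
    """List weaknesses; min_secret=32 is this example's assumed threshold."""
    cfg, findings = parse_cfg(text), []
    if len(cfg.get(("blowfish_secret",), "")) < min_secret:
        findings.append(f"blowfish_secret is shorter than {min_secret} characters")
    for i in sorted({p[1] for p in cfg if p[0] == "Servers" and len(p) == 3}):
        auth = cfg.get(("Servers", i, "auth_type"), "")
        user = cfg.get(("Servers", i, "user"), "")
        if not cfg.get(("Servers", i, "password")):
            continue                      # nothing stored for this server
        if auth == "config":
            findings.append(f"server {i}: no login prompt, every visitor connects as {user}")
        else:
            findings.append(f"server {i}: {user} password stored but not needed for {auth} auth")
    return findings
```

Run audit() over the file's text; an empty list means no stored password was found and the secret meets the chosen length.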