Finding A Website Url

[DomX]

This may be a weird and stupid question, but I was wondering how I would go about to find a website's link that is not directly linked to any part of the main page or without guessing.

Like finding the link to www.example.com/hmmm without knowing the hmmm part.

[digip]

This may be a weird and stupid question, but I was wondering how I would go about to find a website's link that is not directly linked to any part of the main page or without guessing.

Like finding the link to www.example.com/hmmm without knowing the hmmm part.

There are probably more ways, but here are a few I can think of

1, the owner of the site was on a hiddne page, as http refferer turned on in their browser, then visits another site such as google and it gets indexed

2, you read their site robots.txt file and they have something telling search engines to stay out of certain links, yet you can plainly go to them in your browser even though there are no direct links in their site anywhere

3, you run some sort of fuzzer to guess different combinations of names characters, etc and look for valid http 200 ok replies for good links

4, you compromise the server in some way, either logged on by ftp or ssh and list all the files and directories on the server itself exposing normally unlisted links on the www side of things

5, another comrpomise of some sort, but through the browser giving you directory traversal and listing of files. MS IIS servers used to be vulnerable to this all the time back in the day due to a defalt.asp page inclduing a vilnerable search feature that listed all files and drives on the machine.

Edited March 15, 2010 by digip

[MRGRIM]

I'd start looking at ServerSniff it will find subdomains, not so sure about actual URL's I think you'd have to brute force it or find an exploit.