This is a specific technique used to gather information from web
servers. It is based on my web penetration sessions: most web servers
do not restrict directory access, and so give away an ample amount of
information. This makes the technique useful in web penetration
testing.
Let's track with Google:
inurl: index of /etc/passwd site:com
intitle:index of /etc/shadow site:org
This will try to extract the index if directory traversal is possible on
the web server. This search is crucial in its context because it
unveils a lot of information. When you encounter a specific URL, use
trial and error to strip parameters from the URL to generate rogue
input, or go directly to traversing the web server's directories.
This results in:
A] The permission check on the directories.
B] Helpful in banner grabbing of servers.
C] Information about the internal working of servers.
Example:
http://gray-world.net/etc/passwd/
Strip the last component to look in the directory:
http://gray-world.net/etc/
Example:
http://rpmfind.net/linux/RPM/sourceforge/m/mo/mod-auth-shadow/ByName.html
Backward Stripping:
http://rpmfind.net/linux/RPM/sourceforge/m/mo/mod-auth-shadow/
http://rpmfind.net/linux/RPM/sourceforge/m/mo/
http://rpmfind.net/linux/RPM/sourceforge/m
Forward Stripping:
http://rpmfind.net/linux/RPM/sourceforge/m/mo/mod-auth-shadow/../../../
This lets you jump three directories back.
So stripping URLs is one of the reactive web penetration techniques,
requiring minimum intervention.
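
From the server owner's side, the backward and forward stripping shown above leaves a recognizable trail in access logs. The following is an added example, not part of the original post: it flags clients that request directories above a URL they already fetched, or that send raw `../` sequences. The log lines are constructed, and the function names and the `min_steps` threshold are assumptions.

```python
import re
from collections import defaultdict
from posixpath import normpath

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "GET /linux/RPM/sourceforge/m/mo/mod-auth-shadow/ByName.html HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "GET /linux/RPM/sourceforge/m/mo/mod-auth-shadow/ HTTP/1.1" 200 2048
203.0.113.5 - - [10/Oct/2023:13:55:07 +0000] "GET /linux/RPM/sourceforge/m/mo/ HTTP/1.1" 200 4096
203.0.113.5 - - [10/Oct/2023:13:55:09 +0000] "GET /linux/RPM/sourceforge/m/mo/mod-auth-shadow/../../../ HTTP/1.1" 200 8192
198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /about/team.html HTTP/1.1" 200 900
""".splitlines()

# Captures client IP, raw request path as sent by the client, and status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def parent_dirs(path):
    """Return every ancestor directory of path, e.g. /a/b/c.html -> {/a/, /a/b/}."""
    parts = [p for p in path.split("/") if p]
    return {"/" + "/".join(parts[:i]) + "/" for i in range(1, len(parts))}

def find_stripping(lines, min_steps=2):
    """Flag clients that walk up the tree from a URL they already requested."""
    seen = defaultdict(set)  # ip -> ancestor directories of earlier requests
    findings = defaultdict(lambda: {"backward": [], "dotdot": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, raw, status = m.group(1), m.group(2).split("?")[0], m.group(3)
        if "/../" in raw or raw.endswith("/.."):
            findings[ip]["dotdot"].append((raw, status))  # forward stripping
        path = normpath(raw)
        if raw.endswith("/"):
            path = path.rstrip("/") + "/"
            if path in seen[ip]:  # a directory above an earlier request
                findings[ip]["backward"].append((path, status))
        seen[ip] |= parent_dirs(path)
    return {ip: f for ip, f in findings.items()
            if len(f["backward"]) >= min_steps or f["dotdot"]}

if __name__ == "__main__":
    for ip, f in find_stripping(SAMPLE_LOG).items():
        print(ip, f)
```

A 200 status on a flagged directory path is the cue to check whether that directory serves a listing and whether it should.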