What is an exploit?
An exploit is the body of code that takes advantage of a weakness in a system.
Exploits are written to use the weaknesses found in the programs running on a system: the firewall, the antivirus, the mail services. They are written in languages such as C, Perl, Ruby and Python, and each language has its own way of running them and its own tools: C exploits are run on Cygwin or Linux, Perl exploits again on Linux or with ActivePerl. That is not our subject here, so I will skip it for now. Let's get to know exploits.
By the way they are used, exploits fall into two groups:
1) Remote Exploit Attacks
2) Local Exploit Attacks
Remote attacks: attacks carried out purely over the Internet, without any account on the system and without any connection to or share inside its network. These attacks are attempts to get from the outside to the inside. In a remote attack the goal is to get in, whether as administrator or as guest; the goal is to be inside. Of course there are also plenty of exploits written to become root remotely, but the goal is to get in.
Local attacks: a local attack begins after getting in. After getting in with a remote exploit or in some other way, the first thing to do is privilege escalation, because without privileges nothing can be done on the target system. Local exploits are used for this.
How Are Exploits Compiled and Used?
If you are a Windows user there are two ways:
Either you get a paid shell account, or you make do with a program that can run the gcc command under Windows. But I don't use either of them, because I haven't yet seen a decent exploit that runs under Windows. For that reason I recommend you use Linux as a Live CD. There definitely is no hacker who does not know or use Linux. So I strongly recommend you get hold of a Red Hat or a Knoppix.
Buffer Overflows:
The most painful and most effective exploits in the exploit world are without doubt buffer overflows.
The logic of a BOF works like this:
Many programmers leave coding weaknesses. These weaknesses let a buffer be overloaded so that the memory beyond it is overwritten, and that opens the way into the system. BOFs differ according to the program in use and the port it serves.
The steps of an exploit attack, in order:
1- Reconnaissance phase: port scan, OS fingerprinting and the like
2- Find an exploit that matches the reconnaissance
3- Compile the exploit on Linux, or connect to the shell account and upload the exploit to it
4- Set up a bindshell on the server...
5- Become root on the server...
6- Leave a rootkit
Now I'll carry out a live example attack.
First I do a port scan:
C:\Documents and Settings\SultanMehmed>nmap -sA -O -p 1-1024 -v xxxx.org
Interesting ports on static.212.154.37.58.netone.com.tr (212.154.37.58):
Not shown: 1016 filtered ports
PORT STATE SERVICE
21/tcp UNfiltered ftp
22/tcp UNfiltered ssh
23/tcp UNfiltered telnet
25/tcp UNfiltered smtp
53/tcp UNfiltered domain
80/tcp UNfiltered http
110/tcp UNfiltered pop3
443/tcp UNfiltered https
The ports are unfiltered…
Also pop3 is open, port 443 is open, and an SSH attack could be made..
But I will use FTP.
Let's begin… Here we go…
The nicest way to learn the FTP version is to type ftp site.com at the cmd prompt:
(I found this myself, but others may be learning it this way too)
C:\Documents and Settings\SultanMehmed>ftp xxxx.org
Bağlantı xxxxx.org.
220 ProFTPD 1.2.9 Server (ProFTPD Default Installation) [212.154.37.58]
And configured with the defaults too… Nice…
Let's look right away whether an exploit has been written for this version.
Yes, I found one:
ProFTPD 1.2.9rc2 ASCII File Remote Root Exploit
/* proftpd 1.2.7/1.2.9rc2 remote root exploit by bkbll (bkbll#cnhonker.net, 2003/10/1)
* for FTP_ProFTPD_Translate_Overflow found by X-force
* happy birthday, China.
* this code is dirty, there are more beautiful exploits of proftpd for this vuln in the world.
* this code want to provied u a method, not finally exploit.
* using overflow _xlate_ascii_write function return address.
* because the overflow is before it connecting to our port,so I have no method for using current socket.
* and I have provied two method:bind port and connect back.
*/
Great…..
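An added illustration, not code from this post and not ProFTPD's code: the exploit header above says the overflow sits in the ASCII-mode write translation, where a bare \n is expanded to \r\n before it is sent. The constructed C below shows exactly the bug class named in the Buffer Overflows section: an output buffer sized for the input while the translated output can be up to twice as long, next to a hardened version that takes the real output capacity and refuses data that would not fit. All function names (xlate_ascii_unchecked, xlate_ascii_checked, xlate_ascii_max_out) are made up for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example of the bug class, not ProFTPD's code.
 * FTP ASCII mode sends line ends as "\r\n", so a bare '\n' in the input
 * becomes two output bytes. Every function below is hypothetical. */

/* Is the byte at position i a bare newline (not already preceded by '\r')? */
static int bare_newline(const char *in, size_t i)
{
    return in[i] == '\n' && (i == 0 || in[i - 1] != '\r');
}

/* Vulnerable pattern: callers typically size `out` like `in`, but the
 * translated data can be up to 2x longer. Nothing here checks that `out`
 * has room, so newline-heavy input writes past the end of `out`.
 * Returns the number of bytes written. */
size_t xlate_ascii_unchecked(const char *in, size_t in_len, char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (bare_newline(in, i))
            out[o++] = '\r';
        out[o++] = in[i];
    }
    return o;
}

/* Hardened version: the caller passes the real capacity of `out` and the
 * function checks before every write. Returns bytes written, or -1 if the
 * translated output would not fit; the caller must then grow the buffer
 * or reject the data instead of writing past the end. */
long xlate_ascii_checked(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        size_t need = bare_newline(in, i) ? 2 : 1;
        if (out_cap - o < need)      /* no room for this byte (plus its '\r') */
            return -1;
        if (need == 2)
            out[o++] = '\r';
        out[o++] = in[i];
    }
    return (long)o;
}

/* Worst case: every input byte is a bare '\n', so the output needs 2*in_len.
 * Sizing the output buffer from this bound is the simplest correct fix. */
size_t xlate_ascii_max_out(size_t in_len)
{
    return in_len * 2;
}

int main(void)
{
    const char sample[] = "a\nb\n";   /* constructed 4-byte input, two bare newlines */
    char big[64];
    char small_buf[4];                 /* sized like the input: too small after translation */

    size_t n = xlate_ascii_unchecked(sample, 4, big);
    printf("unchecked wrote %zu bytes for a 4-byte input\n", n);          /* 6 */

    long r = xlate_ascii_checked(sample, 4, small_buf, sizeof small_buf);
    printf("checked into a 4-byte buffer: %ld (-1 = refused)\n", r);      /* -1 */

    r = xlate_ascii_checked(sample, 4, big, xlate_ascii_max_out(4));
    printf("checked into an 8-byte buffer: %ld bytes written\n", r);      /* 6 */
    return 0;
}
```

The unchecked version is only ever called here with a 64-byte buffer so the demonstration itself stays in bounds; the point is that it reports 6 bytes written for a 4-byte input, which is the growth the vulnerable pattern forgets to account for. The checked version makes that growth a visible, handled error instead of a silent overwrite.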
From here on I boot my Knoppix Live CD,
compile the exploit..
and use it..
The standard usage, as you know: (EXPLAINED IN THE STICKY TOPICS)
Get the exploit ready with the gcc command, then run it with ./ (exploitadı stands for the exploit's file name)…
gcc -o exploitadı exploitadı.c
./exploitadı -h www.kurbansite.com
That's all there is to it.
For Perl:
Name the exploit 1.pl,
then go into MS-DOS:
c:\windows>cd..
c:\>cd perl
c:\perl>cd bin
c:\perl\bin>perl 1.pl -h www.kurban.com