{"id":3534,"date":"2011-06-19T15:06:05","date_gmt":"2011-06-19T12:06:05","guid":{"rendered":"http:\/\/blog.lifeoverip.net\/?p=3534"},"modified":"2011-06-19T15:06:05","modified_gmt":"2011-06-19T12:06:05","slug":"bga-istsec-%e2%80%9911-capture-the-flag-adim-ve-cozumleri","status":"publish","type":"post","link":"http:\/\/blog.lifeoverip.net\/2011\/06\/19\/bga-istsec-%e2%80%9911-capture-the-flag-adim-ve-cozumleri\/","title":{"rendered":"BGA ISTSEC \u201911 Capture The Flag Ad\u0131m ve \u00c7\u00f6z\u00fcmleri"},"content":{"rendered":"

Different methods and tools can be tried. In the solutions, the simplest methods and tools that first come to mind were preferred.

Details of the steps will be published at http://blog.bga.com.tr


1. Step: Finding the SSID with Wireshark: finding the valid SSIDs in the given pcap file
1.1. Aircrack-ng and other tools can also be used to find the SSID.

2. After the SSID is found, work on finding the WPA key is expected. Since the SSID is not a common name, rainbow tables downloaded from the Internet will be of no use at this stage.
2.1. Guessing how many characters the WPA key has!
2.2. Finding the WPA key with brute force
2.3. Finding the WPA key by building a custom rainbow table
2.4. Building a custom dictionary and running targeted hybrid brute-force attempts

3. Decrypting the encrypted traffic with the WPA key
3.1. Airdecap-ng (did not work in this competition)
3.2. Decrypting the WPA traffic using Wireshark

4. Finding clues by analyzing the decrypted traffic
4.1. The traffic contained an e-mail sent by the security administrator from Hotmail. This mail carried a PDF file as an attachment, and the clue was written in that file.
4.2. Analyzing the PDF file using NetworkMiner
4.3. Analyzing the PDF file using Xplico
4.4. Analyzing the PDF file using NetWitness
4.5. Using a hex editor to take the lines starting with %PDF and rebuild the PDF file.

5. Accessing the system protected by an L7 filter/IPS
5.1. In this step a URL was given as the clue, and the next steps could be reached from this URL.
5.2. The URL was protected by an L7 firewall, and participants were expected to reach this URL in one of the following ways
5.2.1. IP fragmentation
5.2.2. Encoding

6. Taking over the Linux system
6.1. The Linux system's kernel was up to date and did not contain any known privilege escalation vulnerability.
6.2. Wide port scan with Nmap; identifying open ports and services
6.3. Identifying known vulnerabilities on the system with Nessus
6.4. Gaining access to the system with the rights of the apache user through a vulnerability in a plugin installed on an up-to-date WordPress
6.5. Tomcat brute force
6.6. Finding hidden subdirectories with OWASP DirBuster
6.7. Gaining access to the system with tomcat rights using the Tomcat default user/password
6.8. Gaining access to the system with jboss user rights using the JBoss default settings.
6.9. Identifying the users on the system: /etc/passwd
6.10. Trying known user/password pairs via SSH brute force
6.10.1. Because the system has brute-force protection, there is a risk of being blocked.

7. After obtaining an ordinary user on the system, checking with uname -a whether the kernel has a vulnerability
8. Examining files left as 777 on the system
8.1. Finding the system's backup files in the /backup folder
8.2. Finding the shadow file among the backup files and trying it with JTR
8.3. Finding the .mysql_history file among the backup files and trying the user passwords from the history as the real system passwords

9. Finding the root password on the system, or the password of the end user
9.1. Because SSH access to the system as root is forbidden, the root password on its own will be of no use.
9.2. Using Expect to change the sshd_config settings, add a new user, or run commands as root
9.3. By performing a memory dump on Linux and extracting previously entered commands (Windows access credentials) etc., the competition could be completed directly.

10. Examining the IP address of the other network interface on the Linux system and finding the Windows system's IP address by methods such as port scanning, sniffing, etc.
11. Finding the real IP address of the Windows system
12. Completing the pipe operations required to reach Windows from the contestant's machine via Linux (20 points)
13. Performing port scanning and vulnerability scanning against the Windows system
14. Brute-force attempts against the Windows server
15. Bypassing the antivirus on the Windows machine and writing shellcode that will run on the system (all known Windows vulnerabilities on the system are closed)
16. Taking over the Windows machine and following the clue there
17. Taking over the Hotmail account that started the competition
17.1. Classic attempts
17.2. Windows memory dump

18. Sending the bank details in the Hotmail account
19. A good holiday and sleep :)

","protected":false},"excerpt":{"rendered":"

Different methods and tools can be tried. In the solutions, the simplest methods and tools that first come to mind were preferred. Details of the steps will be published at http://blog.bga.com.tr","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[23],"tags":[482,156,483],"_links":{"self":[{"href":"http:\/\/blog.lifeoverip.net\/wp-json\/wp\/v2\/posts\/3534"}],"collection":[{"href":"http:\/\/blog.lifeoverip.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.lifeoverip.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.lifeoverip.net\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.lifeoverip.net\/wp-json\/wp\/v2\/comments?post=3534"}],"version-history":[{"count":2,"href":"http:\/\/blog.lifeoverip.net\/wp-json\/wp\/v2\/posts\/3534\/revisions"}],"predecessor-version":[{"id":3537,"href":"http:\/\/blog.lifeoverip.net\/wp-json\/wp\/v2\/posts\/3534\/revisions\/3537"}],"wp:attachment":[{"href":"http:\/\/blog.lifeoverip.net\/wp-json\/wp\/v2\/media?parent=3534"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.lifeoverip.net\/wp-json\/wp\/v2\/categories?post=3534"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.lifeoverip.net\/wp-json\/wp\/v2\/tags?post=3534"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}