Exploits

RamsesXIII
02-16-2006, 06:50 AM
Hello once again! I would like to know if you guys could help me learn about exploits or if you know of any good guides or tutorials. I do not know much about them and I do not need to do anything with them but I would like to gain the knowledge. Anything about them would help me, thanks.

Ezekiel
02-16-2006, 07:16 AM
Hello once again! I would like to know if you guys could help me learn about exploits or if you know of any good guides or tutorials. I do not know much about them and I do not need to do anything with them but I would like to gain the knowledge. Anything about them would help me, thanks.

If you want a simple explanation of what exploits are, this is a good place to start:

http://en.wikipedia.org/wiki/Exploit_%28computer_security%2*

Exploits are basically bugs or vulnerabilities in software that can let the attacker control the software to do things not normally allowed, like DoS etc. It's probably how most hacking is done: they find vulnerabilities then exploit them, giving the attacker full control of whatever he's exploiting. Exploits can vary in what they affect; some may be for web scripting languages, like SQL injection or XSS, or they may be something like a buffer overflow. You should start by reading about some simple XSS attacks; all you have to do is usually type in a URL and you can exploit it, you don't need to compile any exploit code for stuff like that. In my post here:

http://www.all-nettools.com/forum/showthread.php?t=2**6

I give details on a specific XSS exploit, but at the bottom I give instructions on how to join some good exploit mailing lists; the mailing lists are where the exploits are first announced, so follow the instructions and join lists like bugtraq. Also, I posted here:

http://www.all-nettools.com/forum/showthread.php?t=24**

about an exploit for vhcs hosting control software, if you use it correctly there are >50000 servers that are vulnerable and you can gain admin access to, and it would be a good way to start learning how to use exploits.

RamsesXIII
02-16-2006, 11:21 AM
Thanks for those, I will look into them. Do you know any tips or is there a method to finding holes or vulnerabilities?

Ezekiel
02-16-2006, 12:18 PM
Thanks for those, I will look into them. Do you know any tips or is there a method to finding holes or vulnerabilities?

Unless you are skilled enough with programming/scripting languages to find them yourself, you will have to use a vulnerability scanner that will scan for known exploits; I recommended n-stealth before. It's not easy to find new exploits, it is done by professionals who know where to look for them, so try using a vulnerability scanner.

or89921
02-16-2006, 02:02 PM
I am not a professional but I know some holes/exploits, you don't have to be an expert

Ezekiel
02-16-2006, 03:12 PM
I am not a professional but I know some holes/exploits, you don't have to be an expert

I didn't say you have to be a professional to know about and use exploits - they are freely available on the internet, I said you have to know a lot about many programming languages to find new exploits.

RamsesXIII
02-16-2006, 03:25 PM
I really would like to stay away from using programs that do things for you for now, I want to learn the real stuff. Right now I know HTML, some Java, will be learning JavaScript and VB soon. I am also looking for a class on PHP and C++. What languages are needed to see holes?

Ezekiel
02-17-2006, 04:32 AM
I really would like to stay away from using programs that do things for you for now, I want to learn the real stuff. Right now I know HTML, some Java, will be learning JavaScript and VB soon. I am also looking for a class on PHP and C++. What languages are needed to see holes?

It depends on what the hole is in. For SQL injections you need to know HTML and SQL, for cross-site scripting you need to know HTML and JavaScript, and for other stuff like buffer overflows you need to know C/C++. People that develop proof of concept code for exploits that are not for web scripting languages (like JavaScript/HTML) release their code in either C or Perl, so you should learn them so you can use and understand the PoC code. Visual Basic will not help you learn to find and use exploits; I personally only program in C++ anyway, and never really use VB. Also, for cross-site scripting, PHP is useful to know so you can create a page that will log the cookies you steal from people.


I really would like to stay away from using programs that do things for you for now, I want to learn the real stuff. What languages are needed to see holes?

Unless you have an extensive knowledge of all widely used programming languages, you will have to use programs that do things for you, and will have to use exploits that are already discovered. You can't just find new exploits, you are up against professionals who are paid to find vulnerabilities; just because you are looking for them doesn't mean you will find the vulnerabilities, there are probably thousands of people looking as well who will find them first. It's not a thing you can just decide to do, then immediately find exploits, you have to first know a lot about the language,
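
An added example, not part of the original posts: the post above says SQL injection requires knowing both HTML and SQL, and this sketch shows why, since the hole sits where a form value is pasted into the SQL text, and binding the value as a parameter closes it. The table, the sample rows, the function names and the crafted input are all constructed for illustration.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory user table (sample data, not from the thread)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db

def lookup_vulnerable(db, name):
    # BUG: the form value is pasted into the SQL text, so quote characters
    # in it are parsed as SQL syntax instead of being treated as data.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()

def lookup_safe(db, name):
    # Fix: the statement text is constant; the value travels separately as a
    # bound parameter and can never change the structure of the statement.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

# Constructed input: a name that matches no user but closes the quote early.
CRAFTED = "nobody' OR '1'='1"

def demo():
    """Run both lookups on a normal and a crafted value; return row counts."""
    db = make_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(db, "alice")),
        "vulnerable_crafted": len(lookup_vulnerable(db, CRAFTED)),
        "safe_normal": len(lookup_safe(db, "alice")),
        "safe_crafted": len(lookup_safe(db, CRAFTED)),
    }

if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows} row(s)")
```

A code reviewer looking for this class of hole searches for SQL strings assembled with `%`, `+` or f-strings from request data; the parameterized form is the pattern to require instead.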

RamsesXIII
02-17-2006, 06:59 AM
Unless you have an extensive knowledge of all widely used programming languages, you will have to use programs that do things for you, and will have to use exploits that are already discovered. You can't just find new exploits, you are up against professionals who are paid to find vulnerabilities; just because you are looking for them doesn't mean you will find the vulnerabilities, there are probably thousands of people looking as well who will find them first. It's not a thing you can just decide to do, then immediately find exploits, you have to first know a lot about the language,


Ok, thanks for putting that in perspective for me. I know I have to use some programs but I don't like the "Click here and I will hack it for you" ones.

Ezekiel
02-17-2006, 02:13 PM
Ok, thanks for putting that in perspective for me. I know I have to use some programs but I don't like the "Click here and I will hack it for you" ones.

Yeah, if you use programs that hack for you (like trojans that are made completely user friendly), you never learn anything about what you are actually doing and never advance from being a n00b who only has the knowledge to use a GUI when it comes to hacking.