Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
BOCCHI
Search
Mr.Rabbit
November 17, 2024
0
3
BOCCHI
BOCCHIは、チャットボットを活用し、スマホのフリック操作で簡単に操作可能。LINE感覚で命令を入力するだけで、ペネトレーションテストを実行できます。
Mr.Rabbit
November 17, 2024
Tweet
Share
More Decks by Mr.Rabbit
See All by Mr.Rabbit
KaliPAKU
01rabbit
0
3
Babbly
01rabbit
0
49
P.A.K.U.R.I SECCON2019 Akihabara YOROZU
01rabbit
1
98
P.A.K.U.R.I AVTOKYO HIVE
01rabbit
0
51
The Empire Strikes Back ~MR.RABBIT 帝国の逆襲~
01rabbit
0
230
地雷探しに脆弱性を使うのは間違っているだろうか Hack a Minesweeper
01rabbit
0
180
あの日学んだ攻撃の方法を僕達はまだ知らない。
01rabbit
0
180
MR.RABBIT 聞いた事はあるけど、実際には見た事がないハッキングガジェット
01rabbit
2
7.2k
Featured
See All Featured
GraphQLとの向き合い方2022年版
quramy
44
13k
Code Review Best Practice
trishagee
65
17k
Site-Speed That Sticks
csswizardry
2
190
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.9k
Making the Leap to Tech Lead
cromwellryan
133
9k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
59k
Speed Design
sergeychernyshev
25
670
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Visualization
eitanlees
146
15k
What's in a price? How to price your products and services
michaelherold
243
12k
Optimising Largest Contentful Paint
csswizardry
33
3k
The Language of Interfaces
destraynor
154
24k
Transcript
݄ 4&$$0/ 0QFO$POGFSFODF
Agenda What’s BOCCHIʁ Background Overview Feature Extra Summary
What’s BOCCHI?
What’s BOCCHI? Bot Operating Chat Communication Hacking Interface
What’s BOCCHI? ͜ͷπʔϧɺνϟοτπʔϧʢMattermostʣΛ ׆༻ͨ͠νϟοτܕϖωτϨʔγϣϯςετπʔ ϧͰ͋ΔɻϢʔβʔϘοτͱձ͢Δʢ໋ྩ ͢ΔʣࣄͰɺϖωτϨʔγϣϯςετʹ͓͚Δ ఁ׆ಈɺ੬ऑੑஅɺ؆୯ͳೝূࢼߦ߈ܸ Λ͢Δࣄ͕Ͱ͖·͢ɻ
Background
Background ࡢͷOpen conferenceͰɺKaliPAKUͱ͍ ͏ॳ৺ऀ͚ϖωτϨʔγϣϯςετ πʔϧΛൃද͠·ͨ͠ɻ ͦͷπʔϧΛ࣮ࡍʹϖωτϨʔγϣϯς ετΛֶͼ࢝ΊֶͨੜʹΘͤͯΈͯ ϑΟʔυόοΫΛΒ͍·ͨ͠ɻ
Background ϑΟʔυόοΫͷதʹʮ͍͍͢ʯʮͥͻ৬ Ͱීٴ͍ͨ͠ʯͳͲྑ͍ҙݟ͋Γ·͕ͨ͠ɺҎԼ ͷΑ͏ͳҙݟҰఆ͋Γ·ͨ͠ɻ ʮͲͷίϚϯυΛ͑ྑ͍ͷ͔Θ͔Βͳ͍ʯ ʮॳ৺ऀ͔ͩΒɺԿΛͨ͠Βྑ͍͔Θ͔Βͳ͍ʯ ʮӳޠͰॻ͔Ε͍ͯΔͱ͍ʹ͍͘ʯ ʮCUIΑΓGUIͷํ͕͍͍͢ʯ
Background ͷચ͍ग़͠ 1. ίϚϯυ͕ͨ͘͞Μ͑ΔˠબͿͷʹࠔΔ 2. ӳޠ͔Βຊޠ 3. ૢ࡞ੑͷٻˠςϯΩʔΛ͑Δૢ࡞ੑ 4. ಋೖ͕༰қͳΠϯλʔϑΣʔε
Background KaliPAKUͰɺϖωτϨʔγϣϯςε τͰࠔΒͳ͍༷ʹKali tools Top10Ͱڍ ͛ΒΕ͍ͯΔπʔϧΛ͑Δ༷ʹͨ͠ ͕ɺॳ৺ऀͱͯ͠ʮԿΛ͢Δʯʹ ʮͲͷπʔϧΛ͏ʯͱ͍͏ͰΜ Ͱ͠·͏ɻ πʔϧΛߟྀ͢Δࣄͳ͘࠷ݶͷۀ
͕Ͱ͖Δ༷ʹ͢Δɻ
Background ༻ݴޠΛӳޠ͔Βຊޠ
Background ςϯΩʔΛ͑Δૢ࡞ੑΛٻΊɺϑϦοΫೖྗʹΑΔૢ࡞ੑΛٻ
Background ͳͥϑϦοΫೖྗͳͷ͔ʁ 20197݄ʹʮεϚʔτϑΥϯͷจࣈೖྗ ͲΕΛ͍ͬͯ·͔͢ʁʯͱΞϯέʔτ ͕ߦΘΕͨɻ ༗ޮճऀ979ਓͷ͏ͪ653ਓɺ66.7ˋ ͷεϚϗϢʔβʔ͕ϑϦοΫೖྗΛϝΠ ϯʹ͍ͬͯΔͱճͨ͠ ࠓ͞Βฉ͚ͳ͍ʮϑϦοΫೖྗʯͷΓํɾઃఆɹθϩ͔Β࿅श͢ΔίπΛत https://mag.app-liv.jp/archive/123964/#482044
Background 15ࡀ ~ 19ࡀ͕77.9ˋ͑ͱ4ਓʹ3ਓϑ ϦοΫೖྗΛ༻ ࠓͷए͍ੈύιίϯΑΓઌʹɺεϚ ϗʹ৮ΕΔࣄ͕ଟ͍ͨΊͱߟ͑ΒΕΔ ΩʔϘʔυೖྗʢςϯΩʔೖྗʣΑΓϑ ϦοΫೖྗͷํ͕ΩϟϦΞ͕͍ ࠓ͞Βฉ͚ͳ͍ʮϑϦοΫೖྗʯͷΓํɾઃఆɹθϩ͔Β࿅श͢ΔίπΛत
https://mag.app-liv.jp/archive/123964/#482044
Background ॳ৺ऀͰಋೖ͕༰қͳΠϯλʔϑΣʔε εϚϗͷීٴʹΑΓҰൠԽͨ͠ͷ͕ϝο ηʔδΞϓϦ વίϚϯυೖྗΑΓϝοηʔδΛૹΔ ૢ࡞ͷํ͕༰қ νϟοτϘοτͱͷΓऔΓʹ
Background MMDݚڀॴɺ2022ʹຊɺΞϝϦΧɺ தࠃʹॅΉ15ࡀ ~ 69ࡀͷεϚʔτϑΥϯΛ ॴ༗͢ΔஉঁΛରʹɺʮถத3ϲࠃࢢ ෦εϚʔτϑΥϯϢʔβʔൺֱௐࠪʯΛ࣮ࢪ िʹ1ճҎ্ར༻͍ͯ͠ΔΞϓϦͷδϟϯϧ Λฉ͍ͨͱ͜ΖɺຊͰʮϝοηʔδΞ ϓϦʯ͕78.1ˋͱ࠷ଟ͘ɺ͍ͭͰʮEϝʔ
ϧʯ͕63.2ˋɺʮఱؾʯ͕54.9ˋͱͳͬͨɻ ओͳ࿈བྷΞϓϦɺຊʮLINEʯถࠃʮInstagramʯதࠃʮඍ৴(WeChat)ʯʲMMDݚڀॴௐʳ https://webtan.impress.co.jp/n/2022/11/28/43705
Background ୭͕ೃછΈ͋ΔϝοηʔδΞϓϦͷΠ ϯλʔϑΣʔε εϚʔτϑΥϯΛ༻ͨ͠ϑϦοΫೖྗ͕ Մೳ ຊޠͰɺΓ͍ͨࣄΛ͑Ε࣮ߦͯ͠ ͘ΕΔνϟοτϘοτ
Overview
Overview ΩʔϘʔυɺ·ͨϑϦοΫೖྗͰϘοτ໋ྩ͢ΔͱɺΣϒϑοΫ͕PythonʢBOCCHIʣʹ໋ྩΛ͑ɺ Python͕֤छπʔϧΛ࣮ߦ͢Δ
Feature
Feature ϝχϡʔදࣔ ϙʔτεΩϟϯ ੬ऑੑஅ ೝূࢼߦ etc…
Feature νϟοτ্ͰτϦΨʔϫʔυʢˏbocchiʣͷޙ ʹ໋ྩจΛ͚ͯൃݴ͢Δ͜ͱͰɺίϚϯυ͕ ࣮ߦ͞ΕϦϓϥΠϝοηʔδͱͯ݁͠Ռ͕දࣔ ͞ΕΔɻ
Feature BOCCHIͰɺʮͯʹΛʯ͕ଟগग़དྷͯ ͍ͳͯ͘ɺ໋ྩͱͳΔΩʔϫʔυΛ֬ ೝ͢ΔࣄͰɺίϚϯυΛ࣮ߦɻ ܗଶૉղੳΤϯδϯΛऔΓೖΕͯޱޠௐ Ͱͷ໋ྩΛड͚͚ɺܗଶૉ͝ͱʹׂ ͪ͠ॻ͖ʢ୯ޠʹׂʣ໋ͯ͠ྩΛड ͚͚͍ͯΔɻ
Feature ܗଶૉղੳΤϯδϯJanomeʢऄͷʣ JanomePure PythonͰॻ͔Εͨࣙॻแͷܗଶૉ ղੳث ґଘϥΠϒϥϦແ͠ͰΠϯετʔϧͰ͖ɺΞϓϦ έʔγϣϯʹΈࠐΈ͍͢γϯϓϧͳAPIΛඋ͑ ΔܗଶૉղੳϥΠϒϥϦ https://github.com/mocobeta/janome
Feature ܗଶૉղੳ ɹରͱͳΔݴޠͷจ๏୯ޠͷࢺ ใΛͱʹɺจষΛܗଶૉʹղ͢ ΔղੳɻࣗવݴޠॲཧͰࣄલॲཧ ͱͯ͠༻͍ΒΕΔख๏ ܗଶૉ ɹҙຯΛ࣋ͭදݱཁૉͷ࠷খ୯Ґ ୯ޠ ࢺ
ࢺࡉྨ ࢲ ໊ࢺ ໊ࢺ ॿࢺ ॿࢺ ϓϩάϥϛϯά ໊ࢺ αมଓ Λ ॿࢺ ֨ॿࢺ ษڧ ໊ࢺ αมଓ ͠ ಈࢺ ཱࣗ ͯ ॿࢺ ଓॿࢺ ͍ ಈࢺ ඇཱࣗ ·͢ ॿಈࢺ ʔ ɻ ه߸ ۟ ʮࢲϓϩάϥϛϯάΛษڧ͍ͯ͠·͢ɻʯ
Feature ͳͥLLMΛ༻͠ͳ͍ͷ͔ʁ ΦϑϥΠϯڥͰϓϩάϥϜΛར༻͢Δओͳར 1. Πϯλʔωοτґଘੑͷճආ: Πϯλʔωοτ ଓ͕ෆ҆ఆ·ͨར༻Ͱ͖ͳ͍ঢ়گͰɺ ϓϩάϥϜ͕ػೳ͢ΔͨΊɺ৴པੑ্͕ 2. ηΩϡϦςΟ্:
Πϯλʔωοτʹଓͤͣ ʹϓϩάϥϜΛ࣮ߦ͢Δ͜ͱͰɺηΩϡϦ ςΟ্ͷϦεΫΛ࠷খݶʹ͑Δ͜ͱ͕Ͱ ͖ɺ֎෦ͱͷ௨৴Λආ͚Δ͜ͱͰใ࿙Ӯͷ Մೳੑ͕ݮ
Feature BOCCHIͰߦΘΕ͍ͯΔॲཧͷྲྀΕ ɹɹɹʮIPΞυϨεΛεΩϟϯͯ͠ʯ໋ྩΛड͚औΔ ɹɹɹJanomeͰ ɹɹɹʮIPΞυϨεʯʮΛʯʮεΩϟϯʯʮ͢Δʯʮͯʯ ɹɹɹʹͪॻ͖͞ΕΔ ɹɹɹΩʔϫʔυΛݕࡧ͠ɺࠓճͳΒnmap͕બ͞ΕΔ ɹɹɹnmapίϚϯυͷߏங ɹɹɹίϚϯυͷ࣮ߦ
Feature ᶃʮʢIPΞυϨεʣΛεΩϟϯͯ͠ʯ ͱ໋ͣΔ ᶄ໋ྩΛͪॻ͖ʹ͢ ᶅΩʔϫʔυΛΑΓnmapίϚϯυΛ࡞ nmap -vv --reason -Pn -T4
-sV -sC --version-all -A —osscan-guess --script=vuln -oA IPAddress ᶆnmapͷ࣮ߦ
Feature εΩϟϯ݁ՌɺࣗಈతʹFaradayΠϯϙʔτ ݁ՌͷՄࢹԽ
Feature ʮαʔϏεΛදࣔͯ͠ʯʮ੬ऑੑΛ දࣔͯ͠ʯͱ໋ྩ͢Δͱνϟοτ্ ͰɺεΩϟϯ݁ՌͷҰ෦ʢݕग़ͨ͠ αʔϏεͷҰཡɺ੬ऑੑͷҰཡʣΛ ֬ೝ͢Δࣄ͕Մೳ
Feature ʮೝূࢼߦΛͯ͠ʯͱ໋ྩ͢Δͱ BrutesprayΛ༻ͨ͠؆қతͳೝ ূࢼߦ߈ܸΛ࣮ߦ͠ɺऴྃޙʹ݁ ՌΛදࣔ
Feature ʮ੬ऑੑஅΛͯ͠ʯͱ໋ྩ͢ΔͱGVM ʢGreenbone Vulnerability Manager چ OpenVASʣΛ༻ͨ͠੬ऑੑஅΛ࣮ߦ ͜ͷࡍɺࡉ͔͍ઃఆΛٻΊΒΕΔࣄͳ͘ࣄ લʹఆΊͨஅํ๏Ͱஅ͕ߦΘΕΔɻ
Feature ʮεΩϟϯʹ͍ͭͯڭ͑ͯʯʮ੬ऑੑஅ ʹ͍ͭͯڭ͑ͯʯͱ࣭͢ΔࣄͰɺ༻͢Δ πʔϧίϚϯυʹ͍ͭͯղઆ ʮରIPΞυϨεͷௐࠪঢ়گΛڭ͑ͯʯͱ࣭ ͢Εɺ࣮ߦϩάΛੳͯ͠ରIPΞυϨ εʹରͯ͠ͷௐࠪঢ়گΛ֬ೝՄೳɻ ෳγεςϜΛௐࠪ͢ΔࡍͷೋखؒΛࢭ
Feature ؆୯ͳૢ࡞Ͱߦ͑Δ໘ɺ҆શ໘Λߟྀ͢ Δඞཁ͕͋Δɻʢྫ͑είʔϓൣғ֎ ͷΞΫηεɺޡૢ࡞ʣ BOCCHIͰɺࣄલʹௐࠪରͱͳΔIPΞ υϨεΛొ͠ɺௐ࣮ࠪߦલʹొ͞Εͨ IPΞυϨε͔ͷ֬ೝΛ࣮ࢪ ޡૢ࡞Λ͙ҝʹ࣮ߦલͷঝೝػೳΛ࣮
Extra
Extra ࢲͷ৬ɺສਓࡐෆͷҝɺOJTͱশͯ͠ ݱʹ৽ਓΛಉߦͤ͞Δࣄ͕ଟʑ͋Δɻ ͔͠͠ɺݱͰ৽ਓͷ૬खΛ͢Δ༨༟ແ͍ɻ ΩϟϦΞͷઙ͍൴ΒʹޮՌతͳOJTΊͣɺ ؍͢Δ͚ͩͷ߹͕ଟ͍ɻʢԿΛͯ͠ྑ͍͔ Θ͔Βͳ͍ҝʣ ? ?
Extra ϖϯςελʔʢॳ৺ऀڵຯͷ͋Δऀʣ ԿΛ͢Εྑ͍͔Θ͔Βͳ͍࣌νϟοτ্Ͱ BOCCHIʹ࣭ͨ͠ΓɺίϚϯυ͕Θ͔Βͳ͘ ͯBOCCHIʹ໋ྩ͢Εղܾ ݱͷงғؾΛମײͰ͖ͯɺۀʹ҆৺ͯ͠ ࢀՃͰ͖ΔͷͰOJTͷޮՌظͰ͖Δ ͻͱΓͰ·ͳ͍͍ͯ͘
Extra ϒϧʔνʔϜSOC ઐతͳ͕ࣝͳͯ͘ɺBOCCHI ʹ໋ྩ͢Δ͚ͩͰٖࣅతͳαΠόʔ ߈ܸʢೝূࢼߦ੬ऑੑஅʣ͕ग़ དྷΔͷͰɺϒϧʔνʔϜSOCͷτ Ϩʔχϯάʹ׆༻Ͱ͖Δ εΩϟϯೝূࢼߦͷ ࠟ
Extra ਓࡐҭͱͯؒ͠ҧ͍ͬͯΔ͕ɺBOCCHIΛ ׆༻͢Δ͜ͱͰແବʹͳ͍ͬͯͨϦιʔεʢ৽ ਓͷPCʣΛ༗ޮ׆༻͢Δࣄ͕Ͱ͖Δɻ৽ਓͷ BotԽʢΤϰΝϯήϦΦϯͷμϛʔγεςϜత ͳͷʣͰ͋Δɻ ࢍ൱྆͋Δͱࢥ͏͕ɺԿͤͣʹͨͩը໘Λ ද͍ࣔͤͯ͞ΔPC͕༨͍ͬͯΔͳΒɺओ ऀͷखͱͳΓͱͳΓۀΛগ͠Ͱ͜ͳͨ͠ ํ͕ޮྑ͘ͳΔͱߟ͑Δɻ
Summary AIνϟοτ·Ͱߦ͔ͳ͍͚ΕͲ؆୯ͳձΦϑϥΠϯͰཱ͢Δ ݱʹΓͳ͍ϗεϐλϦςΟπʔϧͰิ ݶΒΕͨϦιʔε༗ޮ׆༻͖͢ ڥ͕͑εϚʔτϑΥϯͰϖωτϨʔγϣϯςετͰ͖Δ BOCCHI͕͋ΕಠΓ͡Όͳ͍ ຖɺຖ৽͍͠πʔϧΛ࡞ͬͯൃද͢ΔͷԿؾʹΩπ͍
Thank you for listening! Any Question? Github: https://github.com/01rabbit/BOCCHI XʢچTwitterʣ: https://twitter.com/01ra66it