Upgrade to Pro — share decks privately, control downloads, hide ads and more …

P.A.K.U.R.I SECCON2019 Akihabara YOROZU

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Mr.Rabbit Mr.Rabbit
December 21, 2019
Technology
130
1

P.A.K.U.R.I SECCON2019 Akihabara YOROZU

Avatar for Mr.Rabbit

Mr.Rabbit

December 21, 2019

More Decks by Mr.Rabbit

See All by Mr.Rabbit
Azazel Series
Avatar for Mr.Rabbit 01rabbit
0
89
Azazel System for Emergency Shelters
Avatar for Mr.Rabbit 01rabbit
0
190
BOCCHI
Avatar for Mr.Rabbit 01rabbit
0
50
KaliPAKU
Avatar for Mr.Rabbit 01rabbit
0
32
Babbly
Avatar for Mr.Rabbit 01rabbit
0
91
P.A.K.U.R.I AVTOKYO HIVE
Avatar for Mr.Rabbit 01rabbit
0
110
The Empire Strikes Back ~MR.RABBIT 帝国の逆襲~
Avatar for Mr.Rabbit 01rabbit
0
260
地雷探しに脆弱性を使うのは間違っているだろうか Hack a Minesweeper
Avatar for Mr.Rabbit 01rabbit
0
220
あの日学んだ攻撃の方法を僕達はまだ知らない。
Avatar for Mr.Rabbit 01rabbit
0
200

Other Decks in Technology

See All in Technology
[チョークトーク資料]AWS DevOps Agent を使いこなす / AWS Dev Ops Agent Chalk Talk AWS Summit Japan 2026
Avatar for Masanori Yamaguchi kinunori
3
600
GitHub Copilot app最速の発信の裏側
Avatar for tomokusaba tomokusaba
1
200
AI駆動開発を通して感じた、 AI時代のデザイナーの役割変化
Avatar for WHIsaiyo whisaiyo
4
2.3k
AIネイティブな開発のサプライチェーンリスク対策 〜激動の開発現場でリスクに立ち向かう〜【ZennFes】
Avatar for サイバーセキュリティクラウド cscengineer
PRO
2
140
10年間のブログ発信を振り返って見えたWebアプリケーションエンジニアとしての軌跡
Avatar for すてにゃん stefafafan
0
170
SONiCの統計情報を取得したい
Avatar for SONiC Users Group Japan sonic
0
230
Android の公式 Skill / Android skills
Avatar for Yuki Anzai yanzm
0
160
Bucharest Tech Week 2026 - Reinventing testing practices in the AI era
Avatar for Eric Deandrea edeandrea
PRO
1
170
AIのReact習熟度を測る
Avatar for uhyo uhyo
2
650
AWS Security Agent といっしょに脅威モデリングをやってみよう
Avatar for amarelo_n24 amarelo_n24
1
180
iOS アプリの「これって不具合ですか?」を AI に調べてもらう
Avatar for Yuki Miida miichan
0
100
AI時代のコスト管理を考えよう〜明日から使える実践AWSノウハウ~
Avatar for yoshimi0227 yoshimi0227
0
320

Featured

See All Featured
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1033
470k
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
Avatar for Sophie Logan marketingsoph
0
170
Jess Joyce - The Pitfalls of Following Frameworks
Avatar for Tech SEO Connect techseoconnect
PRO
1
170
Google's AI Overviews - The New Search
Avatar for Barry Adams badams
0
1k
Exploring the relationship between traditional SERPs and Gen AI search
Avatar for Ray Grieselhuber raygrieselhuber
PRO
2
4k
KATA
Avatar for Megan Lloyd mclloyd
PRO
35
15k
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
Avatar for AKADEMIYA2063 akademiya2063
PRO
1
150
Organizational Design Perspectives: An Ontology of Organizational Design Elements
Avatar for Dr. Kim W Petersen kimpetersen
PRO
1
750
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
230
23k
How GitHub (no longer) Works
Avatar for Zach Holman holman
316
150k
The MySQL Ecosystem @ GitHub 2015
Avatar for Sam Lambert samlambert
251
13k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.4k

Transcript

  1. 1",63* SECCON 2019 Akihabara 2019/12/21 - 22 YOROZU @Mr.Rabbit 0QFSBUJPOXJUI5FOLFZ

  2. Who am i ໊લ.S3BCCJU ࢿ֨ΞʔΫ༹઀ɺখܕҠಈࣜΫ Ϩʔϯɺۄֻ͚ɺେܕࣗಈंɺ 0481ɺ$*441ɺ44$1 طԟ঱ਥೋප झຯαόήʔɺΞχϝ ৬ྺݩαΠόʔσΟϑΣϯεݚڀॴ

    ݚमੜ

  3. What is PAKURI ? 1FOFUSBUJPOUFTU "DIJFWF ,OPXMFEHF 6OJUF 3BQJE *OUFSGBDF

  4. What is PAKURI ? ϖωτϨʔγϣϯςετʹඞཁͦ͏ͳπʔϧΛدͤू Ίͯɺ୭Ͱ΋ɺ؆୯ʹɺͦΕͬΆ࣮͘ߦग़དྷΔ༷ʹߏ ੒ͨ͠πʔϧ ͬ͘͟Γݴ͏ͱύΫͬͯΔXʢݖར͸৵֐ͯ͠·ͤΜʣ ͺ͘Δʢҟ௲ɿύΫΔʣ 

    ύΫύΫͱ৯΂Δɻେ͖ͳޱΛ։͚ͯ৯΂Δɻ  ʢଏޠʣ伱Λ͍ͭͯۚ඼Λ͔ͬ͞Β͏ɻۚમ΍ྉۚΛԣྖ͢Δɻ  ʢଏޠʣ౪༻͢Δɻ  ʢଏޠʣܯ࡯ͳͲ͕ਓΛั·͑ɺัറ͢Δɻ IUUQTKBXJLUJPOBSZPSHXJLJͺ͘Δ

  5. 1",63*ͷೳྗ  ৘ใऩूٴͼྻڍ  ੬ऑੑͷ෼ੳ  ೝূࢼߦ  &YQMPJUʢิॿʣ 

    ৘ใͷՄࢹԽ

  6. ҰൠతͳϖωτϨʔγϣϯςετͷྲྀΕ /P ςετ߲໨ આ໌  ϗετݕग़ *$.1Ԡ౴֬ೝΛ࢖༻ͯ͠ɺର৅ͱͳΔγεςϜ্ͷϗετ Λݕग़͢Δ  5$16%1εΩϟϯ

    ٙࣅ߈ܸͷର৅ͱͳΔϗετ͕ଘࡏ͠ϗετ্Ͱٙࣅ߈ܸର ৅ʹͳΔαʔϏε͕Քಇ͍ͯ͠Δ͜ͱΛ֬ೝ͢Δ  ੬ऑੑͷ֬ೝ ੬ऑੑεΩϟφΛར༻͠໢ཏతʹ੬ऑੑͷଘࡏΛ֬ೝ͢Δ  ೝূࢼߦɾΞΫηεݖऔಘ ਪଌՄೳͳΞΧ΢ϯτɾύεϫʔυΛ༻͍ͯೝূࢼߦΛߦ ͍ɺαʔϏε΍ΞϓϦέʔγϣϯͷར༻Մ൱Λ֬ೝ͢Δ  ط஌੬ऑੑΛར༻ͨٙ͠ࣅ߈ܸ ط஌੬ऑੑΛར༻͠ɺ߈ܸίʔυΛ࢖༻ͯٙ͠ࣅ߈ܸΛߦ ͍ɺ࣮ࡍʹ৵ೖٴͼ৘ใͷ઄औ͕Մೳ͔֬ೝ͢Δ  Өڹ౓ͷ֬ೝ ٙࣅ߈ܸ͕੒ޭͨ͠ϗετͷݖݶ΍ϑΝΠϧ౳Λ෼ੳ͠ଞͷ ϗετ΁ͷӨڹ౓Λ֬ೝ͢Δ

  7. 1",63*Ͱ΍Γ͍ͨ͜ͱ /P ςετ߲໨  ϗετݕग़  5$16%1εΩϟϯ  ੬ऑੑͷ֬ೝ 

    ೝূࢼߦɾΞΫηεݖऔಘ  ط஌੬ऑੑΛར༻ͨٙ͠ࣅ߈ܸ  Өڹ౓ͷ֬ೝ ͜ͷൣғΛαϙʔτ͍ͨ͠  ৘ใऩूٴͼྻڍ  ੬ऑੑͷ෼ੳ  ೝূࢼߦ  &YQMPJUʢิॿʣ  ৘ใͷՄࢹԽ

  8. ૢ࡞͕೉͍͠ͷͰ͸ʁ ೉͍͠ͷ͸ͪΐͬͱͶɾɾɾ

  9. ςϯΩʔ͚ͩͰಈ͘Α

  10. ը໘

  11. جຊίϚϯυ ΤΫεϓϩΠτίϚϯυ ίϯϑΟάίϚϯυ εΩϟϯίϚϯυ ίϯϘΛܾΊͯ ίϚϯυ࣮ߦʂʂ

  12. εΩϟϯίϯϘ Discovery Host Vulnerability Scan Well-known ports Scan(Details) AutoRecon ͳʹΛ͢Δʹ΋·ͣ͸ίϨ

    ΦεεϝίϯϘ "VUP3FDPO %JTDPWFSZ)PTU

  13. ΤΫεϓϩΠτίϯϘ Password Crack Create MSF DB Import to MSF DB

    Start Metasploit Check the service ৘͚͸ແ༻ɺୟ͖ࠐΊʂ ΦεεϝίϯϘ 1BTTXPSE$SBDL

  14. ίϯϑΟάίϯϘ Import data into Faraday Switch CUI mode Configure targets

    Switch GUI mode ੒ޭͷΧΪ͸ɺ४උീׂ ΦεεϝίϯϘ *NQPSUEBUBJOUP'BSBEBZ

  15. ϥʔχϯά ෼͔Βͳ͍ࣄΛ஌Δࣄ͕Ұ൪ͷֶͼ "TTJTU MFBSOUP ίϯϘͷ࠷ޙʹMFBSOUPΛબͿͱ ը໘ӈଆʹ࣮ߦ͞ΕΔίϚϯυͷ આ໌͕දࣔ͞ΕΔ "TTJTUΛબͿͱɺ֤جຊίϚϯ υͰͷಈ࡞ʹ͍ͭͯͷղઆΛද ࣔ͢Δ

  16. 1",63*ΛऔΓೖΕֶͨशαΠΫϧ ࣮ԋ ղઆ ʢϥʔχϯάʣ ࣮श ʢίϯϘʣ ੒ޭମݧ ʢ݁ՌͷՄࢹԽʣ ΍ͬͯΈͤɺݴͬͯฉ͔ͤͯɺͤͯ͞Έͤɺ΄Ίͯ΍ΒͶ͹ɺਓ͸ಈ͔͡ ࢁຊޒे࿡

  17. Your benefits ϨουνʔϜͷ৔߹  1",63*Λ࢖༻͢ΔࣄͰɺසൟʹར༻͢ΔίϚϯυΛ ೖྗ͢Δख͕ؒল͚·͢ɻ  ॳ৺ऀͷϖϯςελʔ͸ɺ1",63*Λ࢖༻ͯ͠߈ܸͷ ྲྀΕΛֶ΂·͢ɻ ϒϧʔνʔϜͷ৔߹

     ؆୯ͳૢ࡞Ͱɺ߈ܸऀͷߦಈΛ໛฿Ͱ͖·͢ɻ ˞͋͘·Ͱ΋ҰྫͰ͢

  18. ֶश͔Β࣮຿·ͰςϯΩʔ͚ͩͰͰ͖Δʂ

  19. テンキーの子 Operation with Ten-key

  20. ·ͱΊ ɹϖϯςελʔ͸खΛಈ͔͢͜ͱ͕େ޷͖Ͱ͢ɻ͔͠͠ɺ ໘౗͍͘͞࡞ۀ͸޷͖Ͱ͸͋Γ·ͤΜɻ1",63*͸ɺϖω τϨʔγϣϯςετͰසൟʹ࢖༻͢ΔίϚϯυΛςϯΩʔ ͷૢ࡞͚ͩͰ࣮ߦ͠·͢ɻ·ΔͰ֨ಆήʔϜΛ΍͍ͬͯΔ Α͏ͳײ֮ͰͰ͖·͢ɻ

  21. ·ͱΊ ɹ1",63*͸ϖωτϨʔγϣϯςελʔͷΩϟϦΞΛ։ ࢝͢Δͷʹ΋໾ʹཱͯΔͱࢥ͍·͢ɻ,BMJ5PPMTʹ४ڌ ͢ΔπʔϧΛ࢖༻͍ͯ͠ΔͷͰඞཁҎ্ʹഁյ͢Δ͜ͱ ͸͠·ͤΜɻ1",63*Λ࢖༻͢Δ͜ͱͰɺϖωτϨʔ γϣϯςετͷϑϩʔΛ؆୯ʹମݧֶ͠Ϳ͜ͱ͕ग़དྷ· ͢ɻ ɹ1",63*Λ࢖ͬͯΈͯɺϖωτϨʔγϣϯςετʹڵ ຯΛ͍࣋ͬͯͩ͘͞ɻ

  22. Thank you! Please give me advice and feedback. [email protected] @PAKURI9

    @01ra66it https://github.com/01rabbit/PAKURI