P.A.K.U.R.I SECCON2019 Akihabara YOROZU

Transcript

1. 1",63* SECCON 2019 Akihabara 2019/12/21 - 22 YOROZU @Mr.Rabbit 
   0QFSBUJPO
   XJUI
   5FOLFZ
   

2. Who am i ໊લ
   
   .S3BCCJU
   ࢿ֨
   
   ΞʔΫ༹઀ɺখܕҠಈࣜΫ Ϩʔϯɺۄֻ͚ɺେܕࣗಈंɺ 0481ɺ$*441ɺ44$1
   طԟ঱
   
   ਥೋප
   झຯ
   
   αόήʔɺΞχϝ
   ৬ྺ
   ݩαΠόʔσΟϑΣϯεݚڀॴ
   

   ݚमੜ

3. What is PAKURI ? 1FOFUSBUJPO
   UFTU
   "DIJFWF
   ,OPXMFEHF
   6OJUF
   3BQJE
   *OUFSGBDF

4. What is PAKURI ? ϖωτϨʔγϣϯςετʹඞཁͦ͏ͳπʔϧΛدͤू Ίͯɺ୭Ͱ΋ɺ؆୯ʹɺͦΕͬΆ࣮͘ߦग़དྷΔ༷ʹߏ ੒ͨ͠πʔϧ
   ͬ͘͟Γݴ͏ͱύΫͬͯΔXʢݖར͸৵֐ͯ͠·ͤΜʣ ͺ͘Δʢҟ௲ɿύΫΔʣ
   

   ύΫύΫͱ৯΂Δɻେ͖ͳޱΛ։͚ͯ৯΂Δɻ
    ʢଏޠʣ伱Λ͍ͭͯۚ඼Λ͔ͬ͞Β͏ɻۚમ΍ྉۚΛԣྖ͢Δɻ
    ʢଏޠʣ౪༻͢Δɻ
    ʢଏޠʣܯ࡯ͳͲ͕ਓΛั·͑ɺัറ͢Δɻ IUUQTKBXJLUJPOBSZPSHXJLJͺ͘Δ

5. 1",63*ͷೳྗ  ৘ใऩूٴͼྻڍ
    ੬ऑੑͷ෼ੳ
    ೝূࢼߦ
    &YQMPJUʢิॿʣ
   

   ৘ใͷՄࢹԽ

6. ҰൠతͳϖωτϨʔγϣϯςετͷྲྀΕ /P ςετ߲໨ આ໌  ϗετݕग़ *$.1Ԡ౴֬ೝΛ࢖༻ͯ͠ɺର৅ͱͳΔγεςϜ্ͷϗετ Λݕग़͢Δ  5$16%1εΩϟϯ

   ٙࣅ߈ܸͷର৅ͱͳΔϗετ͕ଘࡏ͠ϗετ্Ͱٙࣅ߈ܸର ৅ʹͳΔαʔϏε͕Քಇ͍ͯ͠Δ͜ͱΛ֬ೝ͢Δ  ੬ऑੑͷ֬ೝ ੬ऑੑεΩϟφΛར༻͠໢ཏతʹ੬ऑੑͷଘࡏΛ֬ೝ͢Δ  ೝূࢼߦɾΞΫηεݖऔಘ ਪଌՄೳͳΞΧ΢ϯτɾύεϫʔυΛ༻͍ͯೝূࢼߦΛߦ ͍ɺαʔϏε΍ΞϓϦέʔγϣϯͷར༻Մ൱Λ֬ೝ͢Δ  ط஌੬ऑੑΛར༻ͨٙ͠ࣅ߈ܸ ط஌੬ऑੑΛར༻͠ɺ߈ܸίʔυΛ࢖༻ͯٙ͠ࣅ߈ܸΛߦ ͍ɺ࣮ࡍʹ৵ೖٴͼ৘ใͷ઄औ͕Մೳ͔֬ೝ͢Δ  Өڹ౓ͷ֬ೝ ٙࣅ߈ܸ͕੒ޭͨ͠ϗετͷݖݶ΍ϑΝΠϧ౳Λ෼ੳ͠ଞͷ ϗετ΁ͷӨڹ౓Λ֬ೝ͢Δ

7. 1",63*Ͱ΍Γ͍ͨ͜ͱ /P ςετ߲໨  ϗετݕग़  5$16%1εΩϟϯ  ੬ऑੑͷ֬ೝ 

   ೝূࢼߦɾΞΫηεݖऔಘ  ط஌੬ऑੑΛར༻ͨٙ͠ࣅ߈ܸ  Өڹ౓ͷ֬ೝ ͜ͷൣғΛαϙʔτ͍ͨ͠  ৘ใऩूٴͼྻڍ
    ੬ऑੑͷ෼ੳ
    ೝূࢼߦ
    &YQMPJUʢิॿʣ
    ৘ใͷՄࢹԽ

8. ૢ࡞͕೉͍͠ͷͰ͸ʁ ೉͍͠ͷ͸ͪΐͬͱͶɾɾɾ

9. ςϯΩʔ͚ͩͰಈ͘Α

10. ը໘

11. جຊίϚϯυ ΤΫεϓϩΠτίϚϯυ ίϯϑΟάίϚϯυ εΩϟϯίϚϯυ ίϯϘΛܾΊͯ
    ίϚϯυ࣮ߦʂʂ

12. εΩϟϯίϯϘ Discovery Host Vulnerability Scan Well-known ports Scan(Details) AutoRecon ͳʹΛ͢Δʹ΋·ͣ͸ίϨ

    ΦεεϝίϯϘ "VUP3FDPO %JTDPWFSZ
    )PTU

13. ΤΫεϓϩΠτίϯϘ Password Crack Create MSF DB Import to MSF DB

    Start Metasploit Check the service ৘͚͸ແ༻ɺୟ͖ࠐΊʂ ΦεεϝίϯϘ 1BTTXPSE
    $SBDL

14. ίϯϑΟάίϯϘ Import data into Faraday Switch CUI mode Configure targets

    Switch GUI mode ੒ޭͷΧΪ͸ɺ४උീׂ ΦεεϝίϯϘ *NQPSU
    EBUB
    JOUP
    'BSBEBZ

15. ϥʔχϯά ෼͔Βͳ͍ࣄΛ஌Δࣄ͕Ұ൪ͷֶͼ "TTJTU MFBSO
    UP ίϯϘͷ࠷ޙʹMFBSO
    UPΛબͿͱ ը໘ӈଆʹ࣮ߦ͞ΕΔίϚϯυͷ આ໌͕දࣔ͞ΕΔ "TTJTUΛબͿͱɺ֤جຊίϚϯ υͰͷಈ࡞ʹ͍ͭͯͷղઆΛද ࣔ͢Δ

16. 1",63*ΛऔΓೖΕֶͨशαΠΫϧ ࣮ԋ ղઆ
    ʢϥʔχϯάʣ ࣮श
    ʢίϯϘʣ ੒ޭମݧ
    ʢ݁ՌͷՄࢹԽʣ ΍ͬͯΈͤɺݴͬͯฉ͔ͤͯɺͤͯ͞Έͤɺ΄Ίͯ΍ΒͶ͹ɺਓ͸ಈ͔͡
    ࢁຊޒे࿡

17. Your benefits ϨουνʔϜͷ৔߹
     1",63*Λ࢖༻͢ΔࣄͰɺසൟʹར༻͢ΔίϚϯυΛ ೖྗ͢Δख͕ؒল͚·͢ɻ
     ॳ৺ऀͷϖϯςελʔ͸ɺ1",63*Λ࢖༻ͯ͠߈ܸͷ ྲྀΕΛֶ΂·͢ɻ ϒϧʔνʔϜͷ৔߹
    

     ؆୯ͳૢ࡞Ͱɺ߈ܸऀͷߦಈΛ໛฿Ͱ͖·͢ɻ ˞͋͘·Ͱ΋ҰྫͰ͢

18. ֶश͔Β࣮຿·ͰςϯΩʔ͚ͩͰͰ͖Δʂ

19. テンキーの子 Operation with Ten-key

20. ·ͱΊ ɹϖϯςελʔ͸खΛಈ͔͢͜ͱ͕େ޷͖Ͱ͢ɻ͔͠͠ɺ ໘౗͍͘͞࡞ۀ͸޷͖Ͱ͸͋Γ·ͤΜɻ1",63*͸ɺϖω τϨʔγϣϯςετͰසൟʹ࢖༻͢ΔίϚϯυΛςϯΩʔ ͷૢ࡞͚ͩͰ࣮ߦ͠·͢ɻ·ΔͰ֨ಆήʔϜΛ΍͍ͬͯΔ Α͏ͳײ֮ͰͰ͖·͢ɻ

21. ·ͱΊ ɹ1",63*͸ϖωτϨʔγϣϯςελʔͷΩϟϦΞΛ։ ࢝͢Δͷʹ΋໾ʹཱͯΔͱࢥ͍·͢ɻ,BMJ5PPMTʹ४ڌ ͢ΔπʔϧΛ࢖༻͍ͯ͠ΔͷͰඞཁҎ্ʹഁյ͢Δ͜ͱ ͸͠·ͤΜɻ1",63*Λ࢖༻͢Δ͜ͱͰɺϖωτϨʔ γϣϯςετͷϑϩʔΛ؆୯ʹମݧֶ͠Ϳ͜ͱ͕ग़དྷ· ͢ɻ
    ɹ1",63*Λ࢖ͬͯΈͯɺϖωτϨʔγϣϯςετʹڵ ຯΛ͍࣋ͬͯͩ͘͞ɻ

22. Thank you! Please give me advice and feedback. [email protected] @PAKURI9

    @01ra66it https://github.com/01rabbit/PAKURI