Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
20140714 SITCON Camp 揭開駭客的神祕面紗
Search
Allen Own
July 14, 2014
Technology
2
640
20140714 SITCON Camp 揭開駭客的神祕面紗
2014-07-14 SITCON Camp 揭開駭客的神祕面紗
Allen Own
July 14, 2014
Tweet
Share
More Decks by Allen Own
See All by Allen Own
NPO 要知道的資訊安全
allenown
1
270
PHPConf 2013 - 矛盾大對決
allenown
32
24k
PHPConf 2013 - 我的密碼沒加密,你的呢?
allenown
6
840
BoT2013 海量資料時代的網路分析
allenown
4
570
The Internet is (NOT) safe - WebConf Taiwan 2013
allenown
58
11k
Other Decks in Technology
See All in Technology
IBC 2025 動画技術関連レポート / IBC 2025 Report
cyberagentdevelopers
PRO
2
220
実践マルチモーダル検索!
shibuiwilliam
1
240
CNCFの視点で捉えるPlatform Engineering - 最新動向と展望 / Platform Engineering from the CNCF Perspective
hhiroshell
0
140
Observability — Extending Into Incident Response
nari_ex
1
570
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
14
82k
コンパウンド組織のCRE #cre_meetup
layerx
PRO
1
290
abema-trace-sampling-observability-cost-optimization
tetsuya28
0
350
プロダクト開発と社内データ活用での、BI×AIの現在地 / Data_Findy
sansan_randd
1
610
頭部ふわふわ浄酔器
uyupun
0
230
SRE × マネジメントレイヤーが挑戦した組織・会社のオブザーバビリティ改革 ― ビジネス価値と信頼性を両立するリアルな挑戦
coconala_engineer
0
290
マルチエージェントのチームビルディング_2025-10-25
shinoyamada
0
210
SOTA競争から人間を超える画像認識へ
shinya7y
0
610
Featured
See All Featured
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Designing for humans not robots
tammielis
254
26k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
31
2.7k
Agile that works and the tools we love
rasmusluckow
331
21k
For a Future-Friendly Web
brad_frost
180
10k
How to Ace a Technical Interview
jacobian
280
24k
The Straight Up "How To Draw Better" Workshop
denniskardys
239
140k
GraphQLとの向き合い方2022年版
quramy
49
14k
Being A Developer After 40
akosma
91
590k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
32
1.7k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
34
2.3k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
1k
Transcript
揭開駭客的神祕面紗 4*5$0/$BNQ 翁浩正 Allen Own
[email protected]
Ꮦ˃ဧٰ΅Ϟࠢʮ̡
ᑺ٫ᔊʧ ॽख͍ "MMFO0XO %&7$03&Ꮦ˃ဧٰ΅Ϟࠢʮ̡ੂБڗ BMMFOPXO!EFWDPSF ! )*5$0/̨ᝄᎡ܄ϋึਓᐼ̜ /*43"༟τྠඟ௴፬ɛ ༟τҦঐږᆤᘩᒄϋڿࠏeϋԭࠏ
༟τదၣ१ታ१ᚥਪ
ٷ᧼㔃க፞)*5$0/9 "%"15505)&/&8&3"0'4&$63*5:5)3&"54 ˾ _ ̄ ٷޠΥḛ৮㑱ൽ㡴˒৴ἵ㋒̙ቢῳ፞㒔 IUUQIJUDPOPSH
None
νОϓމ੶٫k
None
None
ኪࣧʔ݊Ϟk މʡჿᒔࠅІʉрɢk
ኪࣧԃ ଣሞeʫ̌ ุޢ ྼਕeуࣛɢe؛̌
ኪࣧԃ ଣሞeʫ̌ ุޢ ྼਕeуࣛɢe؛̌ ๖
৷ ʕ ɽ ኪ  Ӻ ה ఱ ุ
৷ ʕ ɽ ኪ  Ӻ ה ఱ ุ 為什麼?
৷ ʕ ɽ ኪ  Ӻ ה ఱ ุ ????
৷ ʕ ɽ ኪ  Ӻ ה ఱ ุ ㄨ
ྼਕࠦ̈೯ ᓘ՟ุޢeၣ༩ɪٙٝᗆ ԑኪࣧίྼਕɪٙʔԑ
ᜊ੶ٙږᝌjІ˴ኪ୦
老老師領領進門,修行行在個㆟人
None
None
І˴ኪ୦ ഛ͜ၣ༩ɪٙኪ༟๕ ʔࠅᔊʕ˖eߵ˖ й፰ဲdਗ˓ਂఱ࿁əl ϓఱชܘࠠࠅl
ʔࠅ̰ ̰ٙɛdʑ݊ኪՑ௰εٙ
ࡳԬٝᗆ݊Ңࡁ̀௪ٙճk
όႧԊ $$ +BWB$ ໔͉ႧԊ 4DSJQUJOH-BOHVBHF 4IFMM4DSJQU+BWB4DSJQU1ZUIPO3VCZ1FSM ၣࠫᏐ͜όႧԊ "41/&51)1+413P3 БਗༀໄόႧԊ
"OESPJE +BWB J04 0CKFDUJWF$ 8JOEPXT 1IPOF
νО፯όႧԊk 5*0#&1SPHSBNNJOH$PNNVOJUZ*OEFY IUUQXXXUJPCFDPNJOEFYQIQDPOUFOUQBQFSJOGPUQDJ JOEFYIUNM રБᒈැ̙˸ՑႧԊٙᆠژܓ˸ʿุޢٙცӋ
None
None
ڐಂ༟τࠅၲ
ᒄژ᚛дj ̘ϋΌଢϞᄂഅࡈ༟̮ރ ᒄژ᚛д௰อ*453ၣ༩τΌ۾উజѓܸ̈d̘ϋ೯͛ٙ ༟τԫᜑͪdᎡ܄ҸᏘҞҸᏘᔷމڗಂᆑͿٙɓ ϣɽᅼҸᏘdϋΌଢߒϞᄂഅ༟̮ࣘރf ί༈జѓ୕ࠇʕd̨ᝄίϋၣ༩۾উʕΤΐΌ ଢୋdԭݲසϣʕeΙܓfʫϞٙ০࿁ ҸᏘᕁ֛ՑɛᅼٙʕɽۨΆุdҭ೯ʿႡி ุމҸᏘᕁ֛ٙՇɽପุfϾ̘ϋ̨ᝄչѫඉરΤ ୋΤɪʺЇୋdⶋ܉ၣ༩ɰરΤୋf
IUUQXXXJUIPNFDPNUXOFXT
F#BZቊල܄ɝڧ ᄂ͜˒༟̮ࣘރ F#BZ˚ί֜˙ၣ१ʮ̺dʦϋ˜ֵЇ˜ڋd ᄂ܄˒ٙཥඉήѧe̋ܝٙᇁë͛˚ಂʿИѧ ഃᅰኽೳ՟dШೳ՟ٙ˖Ѱʔўৌਕ༟ࣘfʮ ̡ڮሗᄂ͜˒һҷᇁf F#BZڌͪdմۃ೯ତவԬቊᎡٙਪᕚኯᗇdމə࿏ֵ ݟਪᕚdה˸ٜՑ˚ʑʮ̺dШ൷ᕎ˜ڋቊල܄ ɝڧࣛගʊڐࡈ˜f IUUQXXXCCDDPVL[IPOHXFOUSBEXPSME@FCBZ@IBDLFSTIUNM
"0-վוӻ୕ቊɝڧd Ꭱ܄̙ঐπ՟ɽඎԴ͜٫੮ "0-ᆽႩᎡ܄͊બᛆπ՟əўϞɽඎԴ͜٫੮ٙУ ኜdܼ̍͜˒ٙཥɿඉ੮eήѧeஷৃe̋ ٙᇁe̋ٙτΌஷᗫႧd˸ʿʈЪఊЗdϾ ˲"0-ɰڦչѫᔥʊෂൟᗺඉഗߒ͜˒ٙ ஷৃʾɛf IUUQXXXJUIPNFDPNUXOFXT
ߕཧਯਠ*5ӻ୕Κዚ ৰə5BSHFUεཧਯਠɰቊݪ ௰ڐdԨʔස˟5BSHFUɓ೯͛ࠠɽ༟̮ࣘރԫf ࣬ኽ༩ீٟܸ̈dίື˚ᒅي֙ಂගdৰə5BSHFUၾ /FJNBO.BSDVTʘ̮ٙεཧਯਠdɰቊՑᎡ܄ҸᏘf ɪ5BSHFUீᚣܸ̈dᎡ܄՟ə ຬഅٙᚥ܄ ֑Τeඉήѧeཥ༑ᇁeཥɿඉήѧၾ˕˹̔ ༟ࣘdШ̘ϋ˜ʕϚৎజኬ፲̰ٙഅᅰމ ຬ
അf IUUQOFXTOFUXPSLNBHB[JOFDPNUXDMBTTJGJDBUJPOTFDVSJUZ
ӚϞʔτΌٙӻ୕ ̥ϞʔτΌٙɛ
None
None
A Nice Password, but….? Admin password Admin.R386W
Is Your Password Safe?
ซซІʉϞӚϞਂՑτΌf ໆӻ୕ʔτΌʘۃd
༟τ۾উၾᏐ࿁ ԣጏ٫ԨʔᆞҸᏘ٫ٙː࿒eͦٙeҦஔഃdኬߧ ԫ೯͛ܝʑঐආБࡌfϾʔٝ༸ҸᏘٙҦஔၾ˙ جdࡌɰසطᅺʔط͉ ෂ୕ٙԣጏ˙όdܼ̍ӻ୕ࡌeԣጏe̋dேΪ อҦஔɓɓॎ༆dԷνʱόஈଣeථ၌e(16e 3BJOCPX5BCMF
༟τ۾উၾᏐ࿁ ٝʉٝ־dϵʔݫ ኪ୦Ꭱ܄ٙܠၪd௰อٙҦஔdԨ˲ə༆Іʉӻ୕ٙ ঌࢮᓃӺίОஈ
Cyberwar݊ʡჿk
http://www.flickr.com/photos/42514833@N07/5246970893/ Cyberwar
ၣ༩͍ίආБʕl
Ŗϓၣ༩ගፒҸᏘ ԸІॴዚ೯ਗ ࣬ኽϋ7FSJ[PO௰อ೯̺ٙ༟̮ࣘރሜݟజ ѓܸ̈dίሜݟڐٙၣ༩ගፒҸᏘԫʕdϞ ݊ԸІִ݁ॴዚٙ೯ਗdՉʕऒʿ༟̮ࣘރٙҸ Ꮨݺਗۆ݊Цəfజѓɰܸ̈dϞਗ਼ڐɓ̒ ٙ ၣ༩ගፒݺਗேԸІʕձՉ̴؇ԭה˴ኬd̤̮ ɰϞĈۆ݊ԸІ؇ᆄήਜfʕһϞ൴ཀ̒ᅰ˸ɪ
ٙၣ༩ගፒҸᏘ࿁݊˸ߕމ˴dՉϣ݊˚͉ ձᒵ  f IUUQXXXJUIPNFDPNUXOFXT
Ꭱ܄ᜣ့ཥൖ̨ვБ یᒵజኬj̏ᒵהމ یᒵɪ˜ቊᎡ܄ɝڧdεཥൖ̨ձვБΌࠦᜣ့d یᒵᙆ˙ɓܓ၈Ꭱ܄ҸᏘԸІʕdܝҷɹ݊ߕʿ ᆄݲഃࡈdШʦ˂یᒵʮ̺͍όజѓdܸછ̏ᒵ ᆽމவৎҸᏘࣩٙ˴ፑdᘪࣛගڗ༺˜ʘɮf IUUQXXXBQQMFEBJMZDPNUXSFBMUJNFOFXTBSUJDMFJOUFSOBUJPOBM
Ꭱ܄त၇ඟ ږ㛬Έˏ͜ɓ΅̏ᒵִ݁֜˙˖༟ܸࣘ̈d̏ᒵʊ ݂ჯኬɛږ͍˚ϋᒔፋІɨ˿ਗ਼ணί̻ᘎٙၣ༩ त၇ඟᓒᇜЇ ɛdᒱ್༈΅˖ٙॆྼ͊ ᆽႩdШږ㛬ΈኽϤౣd̏ᒵᎡ܄ɛᅰʘܝʊɽష ᄣ̋dϞԬ݊ݼታʕd˸کԫသீऎ̮ၣ༩ٙ ਕf IUUQOFXTDIJOBUJNFTDPNXPSMEIUNM
None
Die Hard 4.0
ၣ༩ٙͦٙ݊ʡჿk ՟ઋజ ᜣ့ၣ༩ ਔ॰ ܁౮ІҢଣׂ
Ꭱ܄݊ʡჿk What is Hacker?
http://www.flickr.com/photos/torh/5275187124/
Ꭱ܄݊ʡჿ Ꭱ܄ )BDLFS ࡡจމ ᆠহཥ໘ӻ୕ҦஔӺٙਖ਼ ɽඎႬ͜ɨᎡ܄ɓ൚੭ϞࠋࠦЍd੬މ ڢجెจॎᕸeɝڧӻ୕ٙɛ
Ꭱ܄݊ʡჿ White Hat 白帽駭客 ༟τਖ਼d࿁ӻ୕τΌආБӺԨԣጏࡌfεᅰ ԫ༟ৃτΌᗫБุ Black Hat 黑帽駭客 ආБ͕ໆٙɝڧБމdਖ਼̡ॎᕸd˸ۃ͵̙၈
މ$SBDLFS
Ꭱ܄݊ʡჿ (SFZ)BUϲసᎡ܄ ʧ8IJUF)BUʿ#MBDL)BUʘග 4DSJQU,JEEJF ҦஔʔॱᆞאʔᏑࡡଣd̥ึԴ͜ତϞҸᏘ όආБెจॎᕸٙҸᏘ٫dᏕ၈މ4DSJQU ,JEEJFdͦۃεᅰెจॎᕸ٫ޫ݊
None
Ꭱ܄ଡ଼ᔌ ֜˙ᇜՓ  ִ݁ Άุ ڢ֜˙ᇜՓήɨ
Ꭱ܄ҸᏘٙͦᅺ ͦᅺjУኜࡈɛཥ໘ ెจᎡ܄މə༺ՑݔԬͦٙdึҸᏘУኜא ࡈɛཥ໘fʔΝٙͦᅺึϞʔΝٙҸᏘ˓جd ɰึϞഹʔΝٙͦٙf
ၣ१ɝڧٙܝ؈k Ꭱ܄Ցֵࠅٙ݊ʡჿk
ၣ१ɝڧٙܝ؈k ՟ၣ१ʫ༟ࣘ ਂމ༪ؐҸᏘՉ˼˴ዚ નᇁא׳ໄెจό ໄ౬ࠫࠦאॎᕸ ՟१ʫ੮ᇁࡈ༟
None
None
None
None
None
Ꭱ܄՟੮ᇁνОԴ͜ ০࿁ٙೳ͜ݔ੮ ՟၍ଣ٫ᛆࠢ ਗ਼ᇁᏦႡЪϓοՊᏦ
None
None
ࡈɛཥ໘ɝڧٙܝ؈k Ꭱ܄Ցֵࠅٙ݊ʡჿk
ࡈɛཥ໘ɝڧٙܝ؈k ՟ཥ໘ʫ༟ࣘ ՟ཥ໘ʫ੮ᇁࡈ༟ ਂމ༪ؐҸᏘՉ˼˴ዚ
㔃கሯᇜḢပᚓ㢂
⁰ഥ ㉺ ⁔ፇ ሟᇌ ༃༦⾬̳ ⳽୷⭶ё ῳ̎ഇ₁༓༶⾽̿
⁰ഥ ㉺ ⁔ፇ ሟᇌ ⳽୷⭶ё ᖤஞቒ̳ ῳ̎ഇ₁༓༶⾽̿
ሟᇌ ⳽୷⭶ё ⋣ ⳽ቛൻ #PUOFU %%P4ሯᇜ
ሟᇌ ⳽୷⭶ё ⋣ ⳽ቛൻ #PUOFU %%P4ሯᇜ
ሟᇌ ⳽୷⭶ё ⋣ ⳽ቛൻ ṬᄍӴξͥ፦࠵
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/ 你更新了嗎?
你更新了嗎?
੬ԈτΌဍݸ࡚ؓ
ၣ१༟ৃރဍ ၣ१፹Ⴌৃࢹ͊ᒯᔛ Уኜක೯٫و͉છ၍ࠫࠦ͊ৰ ၣࠫУኜක઼ͦΐڌ *OEFY0G ࠬᎈjഗʚᎡ܄ɝڧٙ༟ৃdܼ̍ӻ୕ৣໄeͦdޟ Ї੮eᇁഃ
⊷ਘῠ໊aіa⊷ਘῠẀᇂ
ᅟℯⅴਫ਼
None
?
B 網站 密碼:1qaz2wsx C 網站 密碼:1@#$%^%^*ag 密碼:1qaz2wsx A 網站 (遭⼊入侵)
(⼊入侵)
၍ଣ٫͊းப ᒯਛʔజˏ೯һᘌࠠٙԫ࿒ પ՝பೌج༆Ӕਪᕚ ๘ᗇኽਪᕚԱᔚπίdᎡ܄ஶჇІί
None
None
None
ၣ१τΌᏨνОྼЪ
ၣ१τΌᏨνОྼЪ ݟ༔Уኜeࢁٙو͉༟ৃ ᝈ࿀ၣ१ࠫࠦeʩ९eආɝᓃ ഗʚ͍੬ٙ፩ɝeମ੬ٙ፩ɝdᝈ࿀ၣ१ٙˀᏐʿৃ ࢹ 5SJBMBOE&SSPS
༊ʈՈ .BOUSBIUUQXXXHFUNBOUSBDPN #VSQ4VJUFIUUQQPSUTXJHHFSOFUCVSQ 'JEEMFSIUUQGJEEMFSDPN
None
τΌᏨʃҦ̷ Ꮸၣ१݊щಀᎡ IUUQXXXHPPHMFDPNTBGFCSPXTJOHEJBHOPTUJD TJUF IUUQ[POFIPSH IUUQXXXNBMXBSFEPNBJOMJTUDPNNEMQIQ IUUQXXXVSMWPJEDPN
Ꭱ܄ٙܠၪ༧Ңࡁʔɓᅵ
None
Injection? Path? Path?
None
admin ‘ or 1=1 -- admin abc123 123456 password 3939889
19831001 A12345678 87468c07c02e370ef84d4b7e3a668589 Try to get the password WordPress Vulnerability?
Ꭱ܄ҸᏘݴ 3FDPOOBJTTBODF 4DBOOJOH (BJOJOH"DDFTT .BJOUBJOJOH"DDFTT $MFBSJOH5SBDLT Reconnaissance Scanning Gaining Access
Maintaining Access Clearing Tracks
ॆྼҸᏘԫԷ Ꭱ܄͟ၣ१ҬՑɪෂeᄳᏦഃࢮᓃdಔɝXFCTIFMM ܝژஹɝ˴ዚf IUUQWJDUJNPSHTIFMMQIQ DNEPYPY ၇ၣࠫτΌਪᕚޫ̙л͜dܼ̍ᄳᏦeҷᏦeɪ ෂᏦࣩf
ॆྼҸᏘԫԷ $POU ஹɝ˴ዚܝ೯ତ੮ᛆࠢʔԑd˴ዚʫరҬ̙ٙ͜ ༟ৃf ᛆࠢjOPCPEZOPHSPVQ Ҭర̙͜੮FUDQBTTXE ݟ༔ӻ୕̙͜༟ৃWBSMPH ฤరϞೌTFUVJEGJMFT̙Զл͜
ॆྼҸᏘԫԷ $POU ೯ତ˴ዚ,FSOFMو͉ཀᔚdϞ̙ᛆٙࢮᓃf ᅠᄳฤర&YQMPJUҸᏘd՟SPPUᛆࠢf IUUQXXXFYQMPJUECDPN (PPHMF #ZZPVSTFMG
ॆྼҸᏘԫԷ $POU ׳ໄܝژ3PPULJU˸Զ˚ܝԴ͜f FUDQBTTXEܔͭ੮ FUDSDE׳ໄܝژ ˾౬TTIEഃ
ॆྼҸᏘԫԷ $POU ৰԑ༦jাᏦʿӻ୕ߏ _IJTUPSZ _CBTI@IJTUPSZ WBSMPH
ၣ༩݊τΌٙk
None
8FMDPNFUPQIQ.Z"ENJO"/% $SFBUFOFXEBUBCBTFGJMFUZQFQIQ
None
None
None
-BC
ІҢኪ୦
༟τהცٙٝᗆߠ౻ၾҦঐ ༟ৃϗණ*OGPSNBUJPO(BUIFSJOH ӻ୕τΌ4ZTUFN4FDVSJUZ ၣ༩τΌ/FUXPSL4FDVSJUZ ၣ१ၾၣࠫᏐ͜ότΌ8FC4FDVSJUZ ̋ၾ༆$SZQUPHSBQIZ ెจόᏨ.BMXBSF%FUFDUJPO Σʈ3FWFSTJOH&OHJOFFSJOH ᅰЗᛠᗆ%JHJUBM'PSFOTJDT Бਗༀໄ.PCJMF%FWJDFT
ІҢᇖ୦ IUUQTXXXPXBTQPSHJOEFYQIQ$BUFHPSZ08"41@8FC(PBU@1SPKFDU IUUQTQFOUFTUFSMBCDPN IUUQXXXEWXBDPVL IUUQXXXIBDLUIJTTJUFPSH IUUQIBDLBEFNJDUFJMBSHS IUUQTIBDLNF IUUQ[FSPXFCBQQTFDVSJUZDPN IUUQTPVSDFGPSHFOFUQSPKFDUTNVUJMMJEBF
None
2"
ᑌഖ˙ό ߰ϞОٙဲਪdᛇڎᎇࣛၾҢᑌᖩf " " ॽख͍"MMFO0XO IUUQEFWDPSF BMMFOPXO!EFWDPSF