Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
20140714 SITCON Camp 揭開駭客的神祕面紗
Search
Allen Own
July 14, 2014
Technology
2
630
20140714 SITCON Camp 揭開駭客的神祕面紗
2014-07-14 SITCON Camp 揭開駭客的神祕面紗
Allen Own
July 14, 2014
Tweet
Share
More Decks by Allen Own
See All by Allen Own
NPO 要知道的資訊安全
allenown
1
260
PHPConf 2013 - 矛盾大對決
allenown
32
24k
PHPConf 2013 - 我的密碼沒加密,你的呢?
allenown
6
830
BoT2013 海量資料時代的網路分析
allenown
4
560
The Internet is (NOT) safe - WebConf Taiwan 2013
allenown
58
11k
Other Decks in Technology
See All in Technology
Rethinking Incident Response: Context-Aware AI in Practice
rrreeeyyy
2
940
An introduction to Claude Code SDK
choplin
2
1.2k
All About Sansan – for New Global Engineers
sansan33
PRO
1
1.2k
AI Ready API ─ AI時代に求められるAPI設計とは?/ AI-Ready API - Designing MCP and APIs in the AI Era
yokawasa
9
2.5k
データ戦略部門 紹介資料
sansan33
PRO
1
3.3k
Copilot coding agentにベットしたいCTOが開発組織で取り組んだこと / GitHub Copilot coding agent in Team
tnir
0
200
安定した基盤システムのためのライブラリ選定
kakehashi
PRO
3
130
OpenTelemetryセマンティック規約の恩恵とMackerel APMにおける活用例 / SRE NEXT 2025
mackerelio
3
2k
AWS 怖い話 WAF編 @fillz_noh #AWSStartup #AWSStartup_Kansai
fillznoh
0
130
CDKコード品質UP!ナイスな自作コンストラクタを作るための便利インターフェース
harukasakihara
2
240
衛星運用をソフトウェアエンジニアに依頼したときにできあがるもの
sankichi92
1
1.1k
〜『世界中の家族のこころのインフラ』を目指して”次の10年”へ〜 SREが導いたグローバルサービスの信頼性向上戦略とその舞台裏 / Towards the Next Decade: Enhancing Global Service Reliability
kohbis
3
1.5k
Featured
See All Featured
Practical Orchestrator
shlominoach
189
11k
How to train your dragon (web standard)
notwaldorf
96
6.1k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
126
53k
Fireside Chat
paigeccino
37
3.5k
Designing Experiences People Love
moore
142
24k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
990
The Pragmatic Product Professional
lauravandoore
35
6.7k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
Build your cross-platform service in a week with App Engine
jlugia
231
18k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
229
22k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.6k
Code Review Best Practice
trishagee
69
19k
Transcript
揭開駭客的神祕面紗 4*5$0/$BNQ 翁浩正 Allen Own
[email protected]
Ꮦ˃ဧٰ΅Ϟࠢʮ̡
ᑺ٫ᔊʧ ॽख͍ "MMFO0XO %&7$03&Ꮦ˃ဧٰ΅Ϟࠢʮ̡ੂБڗ BMMFOPXO!EFWDPSF ! )*5$0/̨ᝄᎡ܄ϋึਓᐼ̜ /*43"༟τྠඟ௴፬ɛ ༟τҦঐږᆤᘩᒄϋڿࠏeϋԭࠏ
༟τదၣ१ታ१ᚥਪ
ٷ᧼㔃க፞)*5$0/9 "%"15505)&/&8&3"0'4&$63*5:5)3&"54 ˾ _ ̄ ٷޠΥḛ৮㑱ൽ㡴˒৴ἵ㋒̙ቢῳ፞㒔 IUUQIJUDPOPSH
None
νОϓމ੶٫k
None
None
ኪࣧʔ݊Ϟk މʡჿᒔࠅІʉрɢk
ኪࣧԃ ଣሞeʫ̌ ุޢ ྼਕeуࣛɢe؛̌
ኪࣧԃ ଣሞeʫ̌ ุޢ ྼਕeуࣛɢe؛̌ ๖
৷ ʕ ɽ ኪ Ӻ ה ఱ ุ
৷ ʕ ɽ ኪ Ӻ ה ఱ ุ 為什麼?
৷ ʕ ɽ ኪ Ӻ ה ఱ ุ ????
৷ ʕ ɽ ኪ Ӻ ה ఱ ุ ㄨ
ྼਕࠦ̈೯ ᓘ՟ุޢeၣ༩ɪٙٝᗆ ԑኪࣧίྼਕɪٙʔԑ
ᜊ੶ٙږᝌjІ˴ኪ୦
老老師領領進門,修行行在個㆟人
None
None
І˴ኪ୦ ഛ͜ၣ༩ɪٙኪ༟๕ ʔࠅᔊʕ˖eߵ˖ й፰ဲdਗ˓ਂఱ࿁əl ϓఱชܘࠠࠅl
ʔࠅ̰ ̰ٙɛdʑ݊ኪՑ௰εٙ
ࡳԬٝᗆ݊Ңࡁ̀௪ٙճk
όႧԊ $$ +BWB$ ໔͉ႧԊ 4DSJQUJOH-BOHVBHF 4IFMM4DSJQU+BWB4DSJQU1ZUIPO3VCZ1FSM ၣࠫᏐ͜όႧԊ "41/&51)1+413P3 БਗༀໄόႧԊ
"OESPJE +BWB J04 0CKFDUJWF$ 8JOEPXT 1IPOF
νО፯όႧԊk 5*0#&1SPHSBNNJOH$PNNVOJUZ*OEFY IUUQXXXUJPCFDPNJOEFYQIQDPOUFOUQBQFSJOGPUQDJ JOEFYIUNM રБᒈැ̙˸ՑႧԊٙᆠژܓ˸ʿุޢٙცӋ
None
None
ڐಂ༟τࠅၲ
ᒄژ᚛дj ̘ϋΌଢϞᄂഅࡈ༟̮ރ ᒄژ᚛д௰อ*453ၣ༩τΌ۾উజѓܸ̈d̘ϋ೯͛ٙ ༟τԫᜑͪdᎡ܄ҸᏘҞҸᏘᔷމڗಂᆑͿٙɓ ϣɽᅼҸᏘdϋΌଢߒϞᄂഅ༟̮ࣘރf ί༈జѓ୕ࠇʕd̨ᝄίϋၣ༩۾উʕΤΐΌ ଢୋdԭݲසϣʕeΙܓfʫϞٙ০࿁ ҸᏘᕁ֛ՑɛᅼٙʕɽۨΆุdҭ೯ʿႡி ุމҸᏘᕁ֛ٙՇɽପุfϾ̘ϋ̨ᝄչѫඉરΤ ୋΤɪʺЇୋdⶋ܉ၣ༩ɰરΤୋf
IUUQXXXJUIPNFDPNUXOFXT
F#BZቊල܄ɝڧ ᄂ͜˒༟̮ࣘރ F#BZ˚ί֜˙ၣ१ʮ̺dʦϋ˜ֵЇ˜ڋd ᄂ܄˒ٙཥඉήѧe̋ܝٙᇁë͛˚ಂʿИѧ ഃᅰኽೳ՟dШೳ՟ٙ˖Ѱʔўৌਕ༟ࣘfʮ ̡ڮሗᄂ͜˒һҷᇁf F#BZڌͪdմۃ೯ତவԬቊᎡٙਪᕚኯᗇdމə࿏ֵ ݟਪᕚdה˸ٜՑ˚ʑʮ̺dШ൷ᕎ˜ڋቊල܄ ɝڧࣛගʊڐࡈ˜f IUUQXXXCCDDPVL[IPOHXFOUSBEXPSME@FCBZ@IBDLFSTIUNM
"0-վוӻ୕ቊɝڧd Ꭱ܄̙ঐπ՟ɽඎԴ͜٫੮ "0-ᆽႩᎡ܄͊બᛆπ՟əўϞɽඎԴ͜٫੮ٙУ ኜdܼ̍͜˒ٙཥɿඉ੮eήѧeஷৃe̋ ٙᇁe̋ٙτΌஷᗫႧd˸ʿʈЪఊЗdϾ ˲"0-ɰڦչѫᔥʊෂൟᗺඉഗߒ͜˒ٙ ஷৃʾɛf IUUQXXXJUIPNFDPNUXOFXT
ߕཧਯਠ*5ӻ୕Κዚ ৰə5BSHFUεཧਯਠɰቊݪ ௰ڐdԨʔස˟5BSHFUɓ೯͛ࠠɽ༟̮ࣘރԫf ࣬ኽ༩ீٟܸ̈dίື˚ᒅي֙ಂගdৰə5BSHFUၾ /FJNBO.BSDVTʘ̮ٙεཧਯਠdɰቊՑᎡ܄ҸᏘf ɪ5BSHFUீᚣܸ̈dᎡ܄՟ə ຬഅٙᚥ܄ ֑Τeඉήѧeཥ༑ᇁeཥɿඉήѧၾ˕˹̔ ༟ࣘdШ̘ϋ˜ʕϚৎజኬ፲̰ٙഅᅰމ ຬ
അf IUUQOFXTOFUXPSLNBHB[JOFDPNUXDMBTTJGJDBUJPOTFDVSJUZ
ӚϞʔτΌٙӻ୕ ̥ϞʔτΌٙɛ
None
None
A Nice Password, but….? Admin password Admin.R386W
Is Your Password Safe?
ซซІʉϞӚϞਂՑτΌf ໆӻ୕ʔτΌʘۃd
༟τ۾উၾᏐ࿁ ԣጏ٫ԨʔᆞҸᏘ٫ٙː࿒eͦٙeҦஔഃdኬߧ ԫ೯͛ܝʑঐආБࡌfϾʔٝ༸ҸᏘٙҦஔၾ˙ جdࡌɰසطᅺʔط͉ ෂ୕ٙԣጏ˙όdܼ̍ӻ୕ࡌeԣጏe̋dேΪ อҦஔɓɓॎ༆dԷνʱόஈଣeථ၌e(16e 3BJOCPX5BCMF
༟τ۾উၾᏐ࿁ ٝʉٝ־dϵʔݫ ኪ୦Ꭱ܄ٙܠၪd௰อٙҦஔdԨ˲ə༆Іʉӻ୕ٙ ঌࢮᓃӺίОஈ
Cyberwar݊ʡჿk
http://www.flickr.com/photos/42514833@N07/5246970893/ Cyberwar
ၣ༩͍ίආБʕl
Ŗϓၣ༩ගፒҸᏘ ԸІॴዚ೯ਗ ࣬ኽϋ7FSJ[PO௰อ೯̺ٙ༟̮ࣘރሜݟజ ѓܸ̈dίሜݟڐٙၣ༩ගፒҸᏘԫʕdϞ ݊ԸІִ݁ॴዚٙ೯ਗdՉʕऒʿ༟̮ࣘރٙҸ Ꮨݺਗۆ݊Цəfజѓɰܸ̈dϞਗ਼ڐɓ̒ ٙ ၣ༩ගፒݺਗேԸІʕձՉ̴؇ԭה˴ኬd̤̮ ɰϞĈۆ݊ԸІ؇ᆄήਜfʕһϞ൴ཀ̒ᅰ˸ɪ
ٙၣ༩ගፒҸᏘ࿁݊˸ߕމ˴dՉϣ݊˚͉ ձᒵ f IUUQXXXJUIPNFDPNUXOFXT
Ꭱ܄ᜣ့ཥൖ̨ვБ یᒵజኬj̏ᒵהމ یᒵɪ˜ቊᎡ܄ɝڧdεཥൖ̨ձვБΌࠦᜣ့d یᒵᙆ˙ɓܓ၈Ꭱ܄ҸᏘԸІʕdܝҷɹ݊ߕʿ ᆄݲഃࡈdШʦ˂یᒵʮ̺͍όజѓdܸછ̏ᒵ ᆽމவৎҸᏘࣩٙ˴ፑdᘪࣛගڗ༺˜ʘɮf IUUQXXXBQQMFEBJMZDPNUXSFBMUJNFOFXTBSUJDMFJOUFSOBUJPOBM
Ꭱ܄त၇ඟ ږ㛬Έˏ͜ɓ΅̏ᒵִ݁֜˙˖༟ܸࣘ̈d̏ᒵʊ ݂ჯኬɛږ͍˚ϋᒔፋІɨ˿ਗ਼ணί̻ᘎٙၣ༩ त၇ඟᓒᇜЇ ɛdᒱ್༈΅˖ٙॆྼ͊ ᆽႩdШږ㛬ΈኽϤౣd̏ᒵᎡ܄ɛᅰʘܝʊɽష ᄣ̋dϞԬ݊ݼታʕd˸کԫသீऎ̮ၣ༩ٙ ਕf IUUQOFXTDIJOBUJNFTDPNXPSMEIUNM
None
Die Hard 4.0
ၣ༩ٙͦٙ݊ʡჿk ՟ઋజ ᜣ့ၣ༩ ਔ॰ ܁౮ІҢଣׂ
Ꭱ܄݊ʡჿk What is Hacker?
http://www.flickr.com/photos/torh/5275187124/
Ꭱ܄݊ʡჿ Ꭱ܄ )BDLFS ࡡจމ ᆠহཥ໘ӻ୕ҦஔӺٙਖ਼ ɽඎႬ͜ɨᎡ܄ɓ൚੭ϞࠋࠦЍd੬މ ڢجెจॎᕸeɝڧӻ୕ٙɛ
Ꭱ܄݊ʡჿ White Hat 白帽駭客 ༟τਖ਼d࿁ӻ୕τΌආБӺԨԣጏࡌfεᅰ ԫ༟ৃτΌᗫБุ Black Hat 黑帽駭客 ආБ͕ໆٙɝڧБމdਖ਼̡ॎᕸd˸ۃ͵̙၈
މ$SBDLFS
Ꭱ܄݊ʡჿ (SFZ)BUϲసᎡ܄ ʧ8IJUF)BUʿ#MBDL)BUʘග 4DSJQU,JEEJF ҦஔʔॱᆞאʔᏑࡡଣd̥ึԴ͜ତϞҸᏘ όආБెจॎᕸٙҸᏘ٫dᏕ၈މ4DSJQU ,JEEJFdͦۃεᅰెจॎᕸ٫ޫ݊
None
Ꭱ܄ଡ଼ᔌ ֜˙ᇜՓ ִ݁ Άุ ڢ֜˙ᇜՓήɨ
Ꭱ܄ҸᏘٙͦᅺ ͦᅺjУኜࡈɛཥ໘ ెจᎡ܄މə༺ՑݔԬͦٙdึҸᏘУኜא ࡈɛཥ໘fʔΝٙͦᅺึϞʔΝٙҸᏘ˓جd ɰึϞഹʔΝٙͦٙf
ၣ१ɝڧٙܝ؈k Ꭱ܄Ցֵࠅٙ݊ʡჿk
ၣ१ɝڧٙܝ؈k ՟ၣ१ʫ༟ࣘ ਂމ༪ؐҸᏘՉ˼˴ዚ નᇁא׳ໄెจό ໄ౬ࠫࠦאॎᕸ ՟१ʫ੮ᇁࡈ༟
None
None
None
None
None
Ꭱ܄՟੮ᇁνОԴ͜ ০࿁ٙೳ͜ݔ੮ ՟၍ଣ٫ᛆࠢ ਗ਼ᇁᏦႡЪϓοՊᏦ
None
None
ࡈɛཥ໘ɝڧٙܝ؈k Ꭱ܄Ցֵࠅٙ݊ʡჿk
ࡈɛཥ໘ɝڧٙܝ؈k ՟ཥ໘ʫ༟ࣘ ՟ཥ໘ʫ੮ᇁࡈ༟ ਂމ༪ؐҸᏘՉ˼˴ዚ
㔃கሯᇜḢပᚓ㢂
⁰ഥ ㉺ ⁔ፇ ሟᇌ ༃༦⾬̳ ⳽୷⭶ё ῳ̎ഇ₁༓༶⾽̿
⁰ഥ ㉺ ⁔ፇ ሟᇌ ⳽୷⭶ё ᖤஞቒ̳ ῳ̎ഇ₁༓༶⾽̿
ሟᇌ ⳽୷⭶ё ⋣ ⳽ቛൻ #PUOFU %%P4ሯᇜ
ሟᇌ ⳽୷⭶ё ⋣ ⳽ቛൻ #PUOFU %%P4ሯᇜ
ሟᇌ ⳽୷⭶ё ⋣ ⳽ቛൻ ṬᄍӴξͥ፦࠵
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/ 你更新了嗎?
你更新了嗎?
੬ԈτΌဍݸ࡚ؓ
ၣ१༟ৃރဍ ၣ१፹Ⴌৃࢹ͊ᒯᔛ Уኜක೯٫و͉છ၍ࠫࠦ͊ৰ ၣࠫУኜක઼ͦΐڌ *OEFY0G ࠬᎈjഗʚᎡ܄ɝڧٙ༟ৃdܼ̍ӻ୕ৣໄeͦdޟ Ї੮eᇁഃ
⊷ਘῠ໊aіa⊷ਘῠẀᇂ
ᅟℯⅴਫ਼
None
?
B 網站 密碼:1qaz2wsx C 網站 密碼:1@#$%^%^*ag 密碼:1qaz2wsx A 網站 (遭⼊入侵)
(⼊入侵)
၍ଣ٫͊းப ᒯਛʔజˏ೯һᘌࠠٙԫ࿒ પ՝பೌج༆Ӕਪᕚ ๘ᗇኽਪᕚԱᔚπίdᎡ܄ஶჇІί
None
None
None
ၣ१τΌᏨνОྼЪ
ၣ१τΌᏨνОྼЪ ݟ༔Уኜeࢁٙو͉༟ৃ ᝈ࿀ၣ१ࠫࠦeʩ९eආɝᓃ ഗʚ͍੬ٙ፩ɝeମ੬ٙ፩ɝdᝈ࿀ၣ१ٙˀᏐʿৃ ࢹ 5SJBMBOE&SSPS
༊ʈՈ .BOUSBIUUQXXXHFUNBOUSBDPN #VSQ4VJUFIUUQQPSUTXJHHFSOFUCVSQ 'JEEMFSIUUQGJEEMFSDPN
None
τΌᏨʃҦ̷ Ꮸၣ१݊щಀᎡ IUUQXXXHPPHMFDPNTBGFCSPXTJOHEJBHOPTUJD TJUF IUUQ[POFIPSH IUUQXXXNBMXBSFEPNBJOMJTUDPNNEMQIQ IUUQXXXVSMWPJEDPN
Ꭱ܄ٙܠၪ༧Ңࡁʔɓᅵ
None
Injection? Path? Path?
None
admin ‘ or 1=1 -- admin abc123 123456 password 3939889
19831001 A12345678 87468c07c02e370ef84d4b7e3a668589 Try to get the password WordPress Vulnerability?
Ꭱ܄ҸᏘݴ 3FDPOOBJTTBODF 4DBOOJOH (BJOJOH"DDFTT .BJOUBJOJOH"DDFTT $MFBSJOH5SBDLT Reconnaissance Scanning Gaining Access
Maintaining Access Clearing Tracks
ॆྼҸᏘԫԷ Ꭱ܄͟ၣ१ҬՑɪෂeᄳᏦഃࢮᓃdಔɝXFCTIFMM ܝژஹɝ˴ዚf IUUQWJDUJNPSHTIFMMQIQ DNEPYPY ၇ၣࠫτΌਪᕚޫ̙л͜dܼ̍ᄳᏦeҷᏦeɪ ෂᏦࣩf
ॆྼҸᏘԫԷ $POU ஹɝ˴ዚܝ೯ତ੮ᛆࠢʔԑd˴ዚʫరҬ̙ٙ͜ ༟ৃf ᛆࠢjOPCPEZOPHSPVQ Ҭర̙͜੮FUDQBTTXE ݟ༔ӻ୕̙͜༟ৃWBSMPH ฤరϞೌTFUVJEGJMFT̙Զл͜
ॆྼҸᏘԫԷ $POU ೯ତ˴ዚ,FSOFMو͉ཀᔚdϞ̙ᛆٙࢮᓃf ᅠᄳฤర&YQMPJUҸᏘd՟SPPUᛆࠢf IUUQXXXFYQMPJUECDPN (PPHMF #ZZPVSTFMG
ॆྼҸᏘԫԷ $POU ׳ໄܝژ3PPULJU˸Զ˚ܝԴ͜f FUDQBTTXEܔͭ੮ FUDSDE׳ໄܝژ ˾౬TTIEഃ
ॆྼҸᏘԫԷ $POU ৰԑ༦jাᏦʿӻ୕ߏ _IJTUPSZ _CBTI@IJTUPSZ WBSMPH
ၣ༩݊τΌٙk
None
8FMDPNFUPQIQ.Z"ENJO"/% $SFBUFOFXEBUBCBTFGJMFUZQFQIQ
None
None
None
-BC
ІҢኪ୦
༟τהცٙٝᗆߠ౻ၾҦঐ ༟ৃϗණ*OGPSNBUJPO(BUIFSJOH ӻ୕τΌ4ZTUFN4FDVSJUZ ၣ༩τΌ/FUXPSL4FDVSJUZ ၣ१ၾၣࠫᏐ͜ότΌ8FC4FDVSJUZ ̋ၾ༆$SZQUPHSBQIZ ెจόᏨ.BMXBSF%FUFDUJPO Σʈ3FWFSTJOH&OHJOFFSJOH ᅰЗᛠᗆ%JHJUBM'PSFOTJDT Бਗༀໄ.PCJMF%FWJDFT
ІҢᇖ୦ IUUQTXXXPXBTQPSHJOEFYQIQ$BUFHPSZ08"41@8FC(PBU@1SPKFDU IUUQTQFOUFTUFSMBCDPN IUUQXXXEWXBDPVL IUUQXXXIBDLUIJTTJUFPSH IUUQIBDLBEFNJDUFJMBSHS IUUQTIBDLNF IUUQ[FSPXFCBQQTFDVSJUZDPN IUUQTPVSDFGPSHFOFUQSPKFDUTNVUJMMJEBF
None
2"
ᑌഖ˙ό ߰ϞОٙဲਪdᛇڎᎇࣛၾҢᑌᖩf " " ॽख͍"MMFO0XO IUUQEFWDPSF BMMFOPXO!EFWDPSF