セキュリティ スキャニング フレームワークの作り方/Seven staps to build a Security Scanning Framework

Transcript

1. ηΩϡϦςΟεΩϟχϯά ϑϨʔϜϫʔΫͷͭ͘Γ͔ͨ @moperon 2017/10/31 #ssmjp

2. ໨࣍ ࣗݾ঺հ
 ੬ऑੑ਍அͱ͸
 ՝୊
 7εςοϓͰ։ൃ
 ·ͱΊ

3. @moperon • ηΩϡϦςΟΤϯδχΞ • ੬ऑੑ਍அྺ10೥
 PF/Web/Android/ଞ͍Ζ͍Ζ • ੬ऑੑ਍அʹ·ͭΘΔ։ൃ
 ࣾ಺πʔϧ։ൃ •

   2017೥4݄͔ΒR&D෦໳΁ • ࠓಡΜͰ͍Δٕज़ॻ
 -> Cooking for Geeks

4. ੬ऑੑ਍அͱ͸

5. ੬ऑੑ਍அͱ͸ ࣄલ४උ ਍அ ใࠂ

6. ੬ऑੑ਍அͱ͸ ੬ऑੑΛݕग़͢Δ࡞ۀ

7. ੬ऑੑ਍அͱ͸ ੬ऑੑΛݕग़͢Δ࡞ۀ ͪΐͬͱҧ͏

8. ੬ऑੑ਍அͱ͸ ੬ऑੑͷ༗ແΛ֬ೝՄೳͳ ূ੻Λऩू͢Δ࡞ۀ

9. ηΩϡϦςΟεΩϟφ ূ੻ෆ଍ ِӄੑ/ِཅੑ

10. खಈ਍அͷඞཁੑ ূ੻ͷऩू ِཅੑ/ِӄੑͷϦΧόϦ

11. ՝୊

12. खಈ਍அͷ՝୊ ૿͑ଓ͚Δ਍அख๏ ޮ཰΁ͷѱӨڹ

13. εΩϟφͱखಈͷ伱ؒ Χόʔ͖͠Εͳ͍ ਍அ߲໨ ୯७͚ͩͲ ख͕͔͔ؒΔ ਍அ߲໨

14. ηΩϡϦςΟ εΩϟχϯά ϑϨʔϜϫʔΫ • ηΩϡϦςΟεΩϟφΛ
 ։ൃ͢ΔͨΊͷϑϨʔϜϫʔΫ • ਍அ߲໨ΛϓϥάΠϯԽ Λ࡞Ζ͏ खಈ਍அΛ͋Δఔ౓ࣗಈԽ͢ΔͨΊɺ

15. ηΩϡϦςΟεΩϟχϯά ϑϨʔϜϫʔΫ Λ࡞Δ 7ͭͷεςοϓ

16. εςοϓ1 ཉ͍͠ػೳΛܾΊΔ

17. γϯϓϧͰίϯύΫτͳγεςϜ • ਍அ߲໨ϓϥάΠϯ • ࣮ߦॱΛ໦ߏ଄ʹఆٛՄೳ • ϚϧνεϨουͷδϣϒίϯτϩʔϧػೳ • netshϥΠΫͳίϚϯυUI •

    Ϩϙʔτػೳ ཉ͍͠ػೳ

18. εςοϓ2 ݴޠΛܾΊΔ

19. ݴޠ

20. ͳΜͰ ࢖Θͳ͍ͷ?ͱࢥͬͨ͋ͳͨ

21. େઌഐʹಉ͜͡ͱݴ͑Δ?

22. https://github.com/rapid7/metasploit-framework/wiki/Why-Ruby%3F Why Ruby?

23. 1. Ruby͍͍ΑRuby 2. Metasploit Framework 3. ActiveModelͳͲɺRailsͷࢿ࢈ ͳͥRubyʹ͔ͨ͠

24. εςοϓ3 ࡐྉΛἧ͑Δ

25. ։ൃʹඞཁͳ΋ͷ ։ൃ؀ڥ ࢀߟࢿྉ

26. ։ൃ؀ڥ

27. ࢀߟࢿྉ-1

28. ࢀߟࢿྉ-2 ਺ଟ͘ͷૉ੖Β͍͠OSSͷίʔυ

29. εςοϓ4 γεςϜߏ੒

30. γεςϜߏ੒ Console Controller TestSuite TestCase Command ActiveModel & ActiveRecord Report

    DBMS Tester Command Command Command Command

31. γεςϜߏ੒ Console Controller TestSuite TestCase ActiveModel & ActiveRecord Report DBMS

    Tester ֦ுՄೳ Command Command Command Command Command TestSuite͸
 γεςϜʹؚΊͣ
 ผϦϙδτϦ΁

32. γεςϜߏ੒ Console Controller TestSuite TestCase ActiveModel & ActiveRecord Report DBMS

    Tester ֦ுػೳΛಈతʹload(unload) Command Command Command Command Command

33. γεςϜߏ੒ Console Controller TestSuite TestCase ActiveModel & ActiveRecord Report DBMS

    Tester δϣϒίϯτϩʔϧ Command Command Command Command Command

34. δϣϒίϯτϩʔϧ TestSuite TestCase A TestCase B TestCase C TestCase D

    TestCase H TestCase E TestCase F TestCase G

35. δϣϒίϯτϩʔϧ Tester TestSuite TestCase A TestCase B TestCase C TestCase

    D TestCase H TestCase E TestCase F TestCase G Host A TestSuite TestCase A TestCase B TestCase C TestCase D TestCase H TestCase E TestCase F TestCase G Host B Host/Portຖʹ TestCaseͷThreadΛੜ੒ ಈ࡞Λ؂ࢹ/੍ޚ

36. εςοϓ5 DBઃܭ

37. DBMSબఆ

38. DBMSબఆ Cons
 ϚϧνεϨουରԠ͕໘౗ Cons
 ҉໧ͷܕม׵ා͍
 .oO(ORM࢖͏͔Βؔ܎ͳ͍͚Ͳ)

39. DBઃܭ Ͱ͖Δ͚ͩγϯϓϧʹ ඞཁͳ΋ͷ͚ͩʹߜΔ Ұਓͷਓ͕ؒ શମΛ೺ѲͰ͖ΔαΠζ

40. DBઃܭ ςʔϒϧ͸9ݸ͚ͩ +ActiveRecord؅ཧςʔϒϧ2ݸ

41. DBઃܭ ؊͸6ͭ

42. DBઃܭ sites ෳ਺ͷhostΛ ·ͱΊΔςʔϒϧ ʮ਍அ࡞ۀʯΛද͢

43. DBઃܭ hosts IPΞυϨε ਍அϗετ

44. DBઃܭ ports ϙʔτ ϙʔτͷঢ়ଶΛอ࣋ udp/tcp, ൪߸, state, αʔϏε nmapϨϙʔτ (ਖ਼نԽ͖ͬͯ͠ͳ͍)

45. DBઃܭ evidences ਍அূ੻ ϦΫΤετͱ Ϩεϙϯε ϗετ΍ϙʔτͱ ݁ͼͭ͘

46. DBઃܭ vulnerabilities ੬ऑੑ 1:nͰূ੻ʹඥ෇͚ siteຖʹϢχʔΫ

47. DBઃܭ test_cases ਍அ߲໨ ࣗݾࢀরܕ1:n݁߹Ͱ πϦʔߏ଄ʹ

48. εςοϓ6 ࣮૷

49. 1) DB઀ଓ : ActiveRecord/ActiveModel 2) UX/ೖग़ྗ : ReadLine/Logger 3) δϣϒίϯτϩʔϥ

    : Thread/Mutex/ConditionVariable 4) Ϩϙʔτػೳ : Slim/jQuery/Bootstrap 5) ֦ுػೳ : ࠇຐज़/module_eval 6) ηοτΞοϓ : Rake 7) σόοά : pry-byebug 8) ίϯςφ : Docker/docker-compose 9) ϦϑΝΫλϦϯά : RuboCop 10)ςετ : RSpec ࣮૷

50. 9)ϦϑΝΫλϦϯά ஏ͔͍ͣ͠ίʔυΛগ͠ஏ͔ͣ͘͠ͳ͘͢Δߦҝ ८ࠪϚδݫ͍͠ Assignment Branch Condition Size is too highͭΒ͍

51. 10)ςετ RSpec ϑϨʔϜϫʔΫࣗ਎Λςετ ςετ͕ॆ࣮͍ͯ͠Δͱ҆৺Ͱ͖Δ •Ruby΍gemsͷΞοϓάϨʔυ •ϦϑΝΫλϦϯά ͨͩ͠ɺεΫϥονͷϓϩάϥϜͷ৔߹ɺ ΧελϜϚονϟ΍υϥΠόॻ͘ͷ͕େม

52. ൓ল ࣮૷޻ఔͷ࠷ॳʹରԠ͢΂͖Ͱ͢

53. εςοϓ7 Φʔϓϯιʔεʹ͢Δ

54. 1)ձࣾͷڐՄΛಘΔ 2)ϓϩμΫτ໊ΛܾΊΔ 3)ίϚϯυ໊ΛܾΊΔ 4)ϥΠηϯεΛܾΊΔ 5)υΩϡϝϯτΛॻ͘ 6)ެ։͢Δ Φʔϓϯιʔεʹ͢Δ

55. 1)ձࣾͷڐՄΛಘΔ ձࣾͷϦιʔεͱ࣌ؒΛ࢖ͬͯɺࣾ಺πʔϧͱͯ͠։ൃ উखʹΦʔϓϯιʔεʹ͢ΔΘ͚ʹ͸ߦ͔ͳ͍ͷͰɺ Φʔϓϯιʔεʹ͢Δͱྑ͍͜ͱ͋ΔΑ ͱ͔ɺ༗Δࣄແ͍ࣄ࿩ͯ͠ ্࢘ͱ͔Λὃઆಘͯ͠ڐՄΛ΋Β͏

56. 2)ϓϩμΫτ໊ΛܾΊΔ ggϥϏϦςΟେࣄ ҙຯ͸ߟ͑ͳ͍

57. 2)ϓϩμΫτ໊ΛܾΊΔ $BSBT'SBNFXPSL

58. $BSBT'SBNFXPSL 2)ϓϩμΫτ໊ΛܾΊΔ

59. 3)ίϚϯυ໊ΛܾΊΔ ίϚϯυ΋େࣄ λΠϓ͠΍͍͢จࣈྻ͕ྑ͍ λΠϓ͠ʹ͍͘จࣈྻͷྫ : 3DES

60. 3)ίϚϯυ໊ΛܾΊΔ DBSBTI

    
    DBSBT
    TIFMM

61. からしゅ DBSBTI

    
    DBSBT
    TIFMM 3)ίϚϯυ໊ΛܾΊΔ

62. 4)ϥΠηϯεΛܾΊΔ GPL BSD Apache/2.0 MIT WTFPL

63. 4)ϥΠηϯεΛܾΊΔ GPL BSD Apache/2.0 MIT WTFPL

64. 4)ϥΠηϯεΛܾΊΔ ͍·ͩʹΑ͘Θ͔ͬͯ·ͤΜ •೔ຊʹ͓͚Δ๏తͳҐஔ෇͚ •ஶ࡞ݖ/஌తࡒ࢈ݖ •ίϯτϦϏϡʔλͷஶ࡞ݖ •൑ྫ •ϦεΫ •ٛ຿ ΦʔϓϯιʔεσΟετϦϏϡʔλͱͯ͠

65. 5)υΩϡϝϯτΛॻ͘ I. ೔ຊޠͰॻ͍ͯӳ༁ɺӳจͷΈެ։ II. ެ։ޙɺ஌ਓʹʮϫλγɺχϗϯδϯʯͱݴΘΕΔ III. ӳޠͷυΩϡϝϯτΛ຋༁ͯ͠push खॱ

66. 6)ެ։͢Δ https://github.com/gsx-lab/caras-framework

67. ·ͱΊ

68. ·ͱΊ ηΩϡϦςΟ εΩϟχϯά ϑϨʔϜϫʔΫ Caras-FrameworkΛ Φʔϓϯιʔεʹ͠·ͨ͠ https://github.com/gsx-lab/caras-framework

69. ͓·͚

70. େઌഐͷDB

71. େઌഐͷDB https://github.com/rapid7/metasploit-framework/blob/master/db/schema.rb

72. େઌഐͷDB

73. େઌഐͷDB ྺ࢙ͷॏΈ ϓϩδΣΫτͷن໛

74. େઌഐͷDB • ֎෦Ωʔ੍໿ͳ͠ • ORM -> Metasploit::Model • ҋ͕ਂ͍

75. ΤϞ͍ίʔυ

76. ΤϞ͍chord codeͱ͸ ײ৘Λ༳͞ͿΒΕΔcode όάͰ͸ͳ͍͕ɺͭΒΈͷ༗Δcode ౒ྗͷ੻͕ྦΛ༠͏code => ΤϞ͍

77. ΤϞ͍code-1 https://github.com/gsx-lab/caras-framework/blob/master/docs/DEVELOP_TEST_SUITES.md#implementation-example TestCaseͷ ࣮૷νϡʔτϦΞϧ ͕ BannerGrabber

78. ΤϞ͍code-2 https://github.com/gsx-lab/caras-testsuite/search?q=sleep TestCaseαϯϓϧ ͷsleepϝιου ඇಉظॲཧΛ ίϯτϩʔϧ͖͠Εͳ͍ ൵͠Έ

79. ΤϞ͍code-3 https://github.com/gsx-lab/caras-framework/blob/master/app/models/evidence.rb EvidenceϞσϧ ActiveModelͰ ϝιουνΣʔϯॻ͘લʹ ཉ͍͠SQLจΛॻ͍ͯɺ ࣮૷ޙʹ #to_sql Ͱ Ұக͢Δ͔֬ೝ͍ͯ͠Δ

80. ΤϞ͍code-4 https://github.com/gsx-lab/caras-framework/blob/master/.gitignore Gemfile.lock͕ .gitignoreʹೖͬͯΔ TestSuitesΛؚΉ֤छػೳ֦ுͰ΋ GemfileΛ࢖͑ΔΑ͏ʹ͔ͨͬͨ͠ɻ -> Πϯετʔϧ͢Δػೳ֦ுʹΑͬͯ Gemfile.lock͕มΘΔͷͰɺ lockϑΝΠϧΛϦϙδτϦʹೖΕΒΕͳ͍ɻ

    ͭΒ͍ɻ

81. ͓͠·͍