Slide 1

How to build a security scanning framework  @moperon  2017/10/31  #ssmjp

Slide 2

Contents
 About me
 What is vulnerability assessment?
 Challenges
 Building it in 7 steps
 Summary

Slide 3

@moperon • Security engineer • 10 years of vulnerability assessment
 (PF (platform)/Web/Android/various others) • Development around vulnerability assessment
 (in-house tools) • Moved to the R&D division in April 2017 • Technical book I am reading right now
 -> Cooking for Geeks

Slide 4

What is vulnerability assessment?

Slide 5

What is vulnerability assessment? Preparation, assessment, reporting

Slide 6

What is vulnerability assessment? The work of detecting vulnerabilities

Slide 7

What is vulnerability assessment? The work of detecting vulnerabilities... not quite

Slide 8

What is vulnerability assessment? The work of collecting evidence from which the presence or absence of a vulnerability can be confirmed

Slide 9

Security scanners: insufficient evidence; false negatives / false positives

Slide 10

Why manual assessment is needed: collecting evidence; recovering from false positives / false negatives

Slide 11

Challenges

Slide 12

Challenges of manual assessment: an ever-growing set of test techniques; the resulting hit to efficiency

Slide 13

The gap between the scanner and manual work: test items the scanner cannot fully cover; test items that are simple but labour-intensive

Slide 14

Let's build a security scanning framework, to automate manual assessment to some degree: • a framework for developing security scanners • test items implemented as plugins

Slide 15

Seven steps to building a security scanning framework

Slide 16

Step 1: Decide the features you want

Slide 17

Features wanted: a simple, compact system • test-item plugins • execution order definable as a tree • multithreaded job control • a netsh-like command UI • reporting

Slide 18

Step 2: Choose the language

Slide 19

Language

Slide 20

To those of you thinking "why don't you use ...?"

Slide 21

Would you say the same thing to the great senior?

Slide 22

https://github.com/rapid7/metasploit-framework/wiki/Why-Ruby%3F Why Ruby?

Slide 23

Why I chose Ruby: 1. Ruby is great, use Ruby 2. Metasploit Framework 3. Rails assets such as ActiveModel

Slide 24

Step 3: Gather the materials

Slide 25

What development needs: a development environment; reference materials

Slide 26

Development environment

Slide 27

Reference materials 1

Slide 28

Reference materials 2: the code of many excellent OSS projects

Slide 29

Step 4: System architecture

Slide 30

System architecture (diagram): Console, Controller, Tester, TestSuite, TestCase, Commands, ActiveModel & ActiveRecord, Report, DBMS

Slide 31

System architecture: extensible. The TestSuite is not part of the framework itself;
 it lives in
 a separate repository

Slide 32

System architecture: extensions are loaded (and unloaded) dynamically
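How the dynamic load/unload of extensions can work, as an added example that is not Caras-Framework's own loader (`Command`, `ExtensionLoader` and the inline extension source are constructed for this example): each extension's Ruby source is evaluated with `module_eval` into its own anonymous module, the "black magic" the implementation slide later lists, so its command classes can be listed, dispatched and removed as a unit.

```ruby
# Added example, not Caras-Framework code: loading and unloading extensions at run time
# with module_eval. Command, ExtensionLoader and the extension source are constructed here.

# Base class that extension commands subclass. `command "name"` declares the name the
# console dispatches on, so nothing depends on class names inside anonymous modules.
class Command
  def self.command(name = nil)
    @command_name = name if name
    @command_name
  end

  def run(_args)
    raise NotImplementedError, "#{self.class} must implement #run"
  end
end

module ExtensionLoader
  REGISTRY = {} # extension name => anonymous Module that owns its constants

  # Evaluate the extension's source inside a fresh anonymous module. With a String
  # argument module_eval makes that module the scope for constant definitions, so
  # "class HelloCommand" in the source becomes ns::HelloCommand, not ::HelloCommand
  # (the block form keeps the caller's lexical scope and would leak to the top level).
  # The source runs as arbitrary Ruby: load only from a repository you trust.
  def self.load(name, source, path: "extension:#{name}")
    raise ArgumentError, "extension already loaded: #{name}" if REGISTRY.key?(name)
    ns = Module.new
    ns.module_eval(source, path, 1) # path/line make backtraces point into the extension
    REGISTRY[name] = ns
    commands_in(ns)
  end

  # Remove the extension's constants and forget it. Instances already created from
  # those classes (a test case in flight) keep running until whoever holds them drops
  # them, so the job controller has to stop running jobs before an unload.
  def self.unload(name)
    ns = REGISTRY.delete(name)
    raise ArgumentError, "extension not loaded: #{name}" unless ns
    ns.constants.each { |c| ns.send(:remove_const, c) }
    true
  end

  def self.commands
    REGISTRY.values.flat_map { |ns| commands_in(ns) }
  end

  def self.lookup(command_name)
    commands.find { |klass| klass.command == command_name }
  end

  def self.commands_in(ns)
    ns.constants.map { |c| ns.const_get(c) }.select { |k| k.is_a?(Class) && k < Command }
  end
  private_class_method :commands_in
end

# Constructed extension source, as it might be read from a file in a TestSuite repository.
HELLO_EXTENSION_SRC = <<~'RUBY'
  class HelloCommand < Command
    command "hello"

    def run(args)
      "hello, #{args.first || 'world'}"
    end
  end
RUBY

# Full cycle: load, dispatch, unload. Returns what each step produced.
def demo_extension_cycle
  loaded = ExtensionLoader.load("hello_ext", HELLO_EXTENSION_SRC).map(&:command)
  output = ExtensionLoader.lookup("hello").new.run(["ssmjp"])
  ExtensionLoader.unload("hello_ext")
  {
    loaded: loaded,                                            # ["hello"]
    output: output,                                            # "hello, ssmjp"
    after_unload: ExtensionLoader.lookup("hello"),             # nil
    leaked_to_top_level: Object.const_defined?(:HelloCommand)  # false
  }
end

puts demo_extension_cycle.inspect if $PROGRAM_NAME == __FILE__
```

The string form of `module_eval` rather than the block form is what keeps the extension's constants out of the global namespace; unloading only removes the constants, so any object already created from them keeps running until the job controller has stopped it.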

Slide 33

System architecture: job control

Slide 34

Job control: a TestSuite is a tree of TestCases (A to H in the diagram)

Slide 35

Job control: the Tester creates a thread per TestCase for each host/port (the diagram shows the same TestSuite tree instantiated for Host A and for Host B) and monitors and controls their execution
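The tree-ordered, per-host threaded execution sketched in Slides 34 and 35, as an added example in plain Ruby that is not Caras-Framework's Tester (`JobController`, `TestCaseRow` and the demo tree and host list are constructed here). It uses the primitives the implementation slide lists, Thread, Mutex and ConditionVariable: the test-case rows carry the self-referential parent_id of the test_cases table, the tree is run once per host by a bounded worker pool, a child is scheduled only once its parent finished successfully, and `stop` halts scheduling without killing threads that are mid-job.

```ruby
# Added example, not Caras-Framework code: a job controller that runs a tree of test
# cases per host with a bounded pool of worker threads (Thread/Mutex/ConditionVariable).

# One row of a self-referential test_cases table: parent_id nil marks a root.
TestCaseRow = Struct.new(:id, :parent_id, :name, keyword_init: true)

class JobController
  def initialize(workers: 4)
    @workers = workers
    @mutex   = Mutex.new
    @cv      = ConditionVariable.new
    @queue   = []      # runnable [host, test_case] pairs
    @pending = 0       # scheduled (queued or running) test cases not yet finished
    @stopped = false
    @results = []      # [host, test_case_name, :ok | :error, value]
  end

  # Run the test-case tree once per host. The block receives (host, test_case), does
  # the actual work and returns a value; that value or the exception message is recorded.
  def run(hosts, rows, &body)
    children = Hash.new { |h, k| h[k] = [] }
    rows.each { |r| children[r.parent_id] << r }
    @mutex.synchronize do
      hosts.each { |host| children[nil].each { |tc| enqueue(host, tc) } }
    end
    Array.new(@workers) { Thread.new { worker(children, &body) } }.each(&:join)
    @mutex.synchronize { @results.dup }
  end

  # Stop scheduling new test cases. Running ones are not killed (Thread#kill would leave
  # sockets open and evidence half-written); they finish and are recorded normally.
  def stop
    @mutex.synchronize { @stopped = true; @cv.broadcast }
  end

  def status
    @mutex.synchronize { { pending: @pending, queued: @queue.size, done: @results.size } }
  end

  private

  def enqueue(host, tc)          # caller holds @mutex
    @queue << [host, tc]
    @pending += 1
    @cv.broadcast
  end

  def finished?                  # caller holds @mutex
    @stopped || @pending.zero?
  end

  def worker(children)
    loop do
      host = tc = nil
      @mutex.synchronize do
        @cv.wait(@mutex) while @queue.empty? && !finished?
        return if finished?
        host, tc = @queue.shift
      end
      status, value = begin
        [:ok, yield(host, tc)]
      rescue StandardError => e
        [:error, e.message]
      end
      @mutex.synchronize do
        @results << [host, tc.name, status, value]
        # Children become runnable only after a successful parent; a failed parent
        # (e.g. no banner) prunes its subtree instead of running checks that cannot apply.
        children[tc.id].each { |c| enqueue(host, c) } if status == :ok && !@stopped
        @pending -= 1
        @cv.broadcast
      end
    end
  end
end

# Constructed demo data: a flat result set as it might come back from test_cases,
# and two made-up target addresses.
DEMO_ROWS = [
  TestCaseRow.new(id: 1, parent_id: nil, name: "BannerGrabber"),
  TestCaseRow.new(id: 2, parent_id: 1,   name: "HttpHeaderCheck"),
  TestCaseRow.new(id: 3, parent_id: 1,   name: "SshVersionCheck"),
  TestCaseRow.new(id: 4, parent_id: 2,   name: "HttpMethodsCheck"),
  TestCaseRow.new(id: 5, parent_id: 3,   name: "SshAuthMethodsCheck")
].freeze
DEMO_HOSTS = %w[10.0.0.1 10.0.0.2].freeze

# Simulated run: everything succeeds except SshVersionCheck on 10.0.0.2, which raises,
# so SshAuthMethodsCheck is never scheduled for that host (9 results, not 10).
def demo_run(workers: 3)
  JobController.new(workers: workers).run(DEMO_HOSTS, DEMO_ROWS) do |host, tc|
    sleep(0.001 * rand(3)) # stand-in for network I/O
    raise "connection refused" if tc.name == "SshVersionCheck" && host == "10.0.0.2"
    "#{tc.name}@#{host}"
  end
end

# True when, within each host's results, no child was recorded before its parent.
def tree_order_respected?(results, rows)
  parent_of = rows.map { |r| [r.name, rows.find { |p| p.id == r.parent_id }&.name] }.to_h
  results.group_by(&:first).all? do |_host, rs|
    names = rs.map { |r| r[1] }
    names.each_with_index.all? do |n, i|
      parent_of[n].nil? || (names.index(parent_of[n]) || Float::INFINITY) < i
    end
  end
end

demo_run.each { |r| puts r.inspect } if $PROGRAM_NAME == __FILE__
```

Bounding the pool rather than spawning one thread per host and test case is the deliberate choice here: an unbounded fan-out against many hosts floods the targets and makes the "monitor/control" half of job control impossible. A failed parent prunes its subtree, which is also what stops HTTP checks from running against a port whose banner grab already failed.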

Slide 36

Step 5: DB design

Slide 37

Choosing the DBMS

Slide 38

Choosing the DBMS. Cons of one candidate:
 multithreading support is a hassle. Cons of the other:
 implicit type conversion is scary
 .oO(not that it matters when everything goes through the ORM)

Slide 39

DB design: keep it as simple as possible; limit it to what is needed; a size one person can hold in their head

Slide 40

DB design: only 9 tables, plus 2 ActiveRecord bookkeeping tables

Slide 41

DB design: the essential ones are 6

Slide 42

DB design: sites, a table grouping several hosts; represents one "assessment job"

Slide 43

DB design: hosts, the IP address of each target host

Slide 44

DB design: ports, holding the state of each port: udp/tcp, number, state, service; essentially the nmap report (not fully normalized)

Slide 45

DB design: evidences, the assessment evidence, i.e. request and response, linked to a host or a port

Slide 46

DB design: vulnerabilities, linked 1:n to evidences; unique per site

Slide 47

DB design: test_cases, the test items, with a self-referential 1:n relation giving a tree structure

Slide 48

Step 6: Implementation

Slide 49

Implementation: 1) DB access: ActiveRecord/ActiveModel 2) UX / I/O: Readline/Logger 3) Job controller: Thread/Mutex/ConditionVariable 4) Reporting: Slim/jQuery/Bootstrap 5) Extensions: black magic / module_eval 6) Setup: Rake 7) Debugging: pry-byebug 8) Containers: Docker/docker-compose 9) Refactoring: RuboCop 10) Testing: RSpec

Slide 50

9) Refactoring: the act of making embarrassing code a little less embarrassing. The cop is seriously strict; "Assignment Branch Condition size is too high" hurts.

Slide 51

10) Testing: RSpec, testing the framework itself. Good test coverage gives confidence for • upgrading Ruby and gems • refactoring. But for a program written from scratch, writing the custom matchers and drivers is a lot of work.

Slide 52

Lesson learned: this should be tackled at the very start of implementation.

Slide 53

Step 7: Open-source it

Slide 54

Open-sourcing it: 1) get the company's permission 2) pick a product name 3) pick a command name 4) pick a license 5) write the documentation 6) publish

Slide 55

1) Get the company's permission. It was developed as an in-house tool on company time and resources, so you cannot just open-source it on your own: talk up the good things that come from open-sourcing, with a mix of true and not-so-true arguments, and talk (half con, half persuade) your boss into giving permission.

Slide 56

2) Pick a product name: googleability matters; don't worry about meaning

Slide 57

2) Pick a product name: Caras Framework

Slide 58

Caras Framework: 2) Pick a product name

Slide 59

3) Pick a command name: the command matters too; a string that is easy to type is good. Example of a hard-to-type string: 3DES

Slide 60

3) Pick a command name: carash
 carasshell

Slide 61

carash (pronounced "karashu")
 carasshell: 3) Pick a command name

Slide 62

4) Pick a license: GPL, BSD, Apache 2.0, MIT, WTFPL

Slide 63

4) Pick a license: GPL, BSD, Apache 2.0, MIT, WTFPL

Slide 64

4) Pick a license: I still don't really understand, as an open-source distributor, • the legal standing in Japan • copyright / intellectual property rights • contributors' copyright • case law • the risks • the obligations

Slide 65

5) Write the documentation. Procedure: I. Write it in Japanese, translate it to English, publish only the English II. After publishing, an acquaintance tells you "Watashi, Nihonjin" ("me, Japanese") III. Translate the English docs back and push them

Slide 66

6) Publish: https://github.com/gsx-lab/caras-framework

Slide 67

Summary

Slide 68

Summary: the security scanning framework Caras-Framework has been open-sourced at https://github.com/gsx-lab/caras-framework

Slide 69

Bonus

Slide 70

The great senior's DB

Slide 71

The great senior's DB: https://github.com/rapid7/metasploit-framework/blob/master/db/schema.rb

Slide 72

The great senior's DB

Slide 73

The great senior's DB: the weight of history; the scale of the project

Slide 74

The great senior's DB: • no foreign-key constraints • ORM -> Metasploit::Model • the darkness runs deep

Slide 75

Emotional code

Slide 76

What is "emotional" code (chord / code)? Code that stirs your feelings; code that is not a bug, yet hurts; code where the traces of effort bring tears => emotional

Slide 77

Emotional code 1: https://github.com/gsx-lab/caras-framework/blob/master/docs/DEVELOP_TEST_SUITES.md#implementation-example The TestCase implementation tutorial is a BannerGrabber

Slide 78

Emotional code 2: https://github.com/gsx-lab/caras-testsuite/search?q=sleep The sleep calls in the sample TestCases: the sadness of not being able to fully control asynchronous processing
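The banner-grabbing test case behind Slides 77 and 78, done with a deadline instead of sleep, as an added example that is not the BannerGrabber from the Caras tutorial (`Evidence`, `grab_banner`, the loopback stand-in servers and the banner text are constructed for this example). It records what the evidences table of Slide 45 holds, request and response tied to host and port, and uses IO.select against a monotonic deadline so that a service that sends nothing, or sends a banner and then keeps the connection open, comes back within the timeout rather than hanging in a blocking read.

```ruby
# Added example, not Caras-Framework code: banner grabbing as evidence collection
# with an I/O deadline instead of sleep. Everything below is constructed for the example.
require "socket"

# Mirrors what the page's evidences table stores: request and response, tied to host/port.
Evidence = Struct.new(:host, :port, :proto, :request, :response, :error, keyword_init: true)

# Read from io until max_bytes, stop_at appears, EOF, or the deadline, whichever is first.
# Bounded by wall-clock time, so a peer that never closes cannot stall the test case.
def read_until_deadline(io, timeout:, max_bytes: 1024, stop_at: nil)
  buf = "".b
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
  while buf.bytesize < max_bytes
    break if stop_at && buf.include?(stop_at)
    remaining = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)
    break if remaining <= 0
    break unless IO.select([io], nil, nil, remaining) # nothing readable before the deadline
    chunk = io.read_nonblock(max_bytes - buf.bytesize, exception: false)
    break if chunk.nil?                               # EOF: peer closed the connection
    buf << chunk unless chunk == :wait_readable       # spurious wakeup: select again
  end
  buf
end

# Connect, optionally send a probe (an HTTP request line, for instance), and record both
# sides. Connection errors are recorded too: ECONNREFUSED is evidence about the port.
def grab_banner(host, port, probe: nil, timeout: 3.0, stop_at: nil,
                connect: ->(h, p) { Socket.tcp(h, p, connect_timeout: timeout) })
  ev = Evidence.new(host: host, port: port, proto: "tcp", request: probe, response: nil, error: nil)
  sock = nil
  begin
    sock = connect.call(host, port)
    sock.write(probe) if probe
    ev.response = read_until_deadline(sock, timeout: timeout, stop_at: stop_at)
  rescue SystemCallError, IOError => e
    ev.error = e.class.name
  ensure
    sock&.close
  end
  ev
end

# Constructed stand-in for a target: a loopback server that sends a banner (or nothing)
# and then holds the connection open, the case in which waiting for EOF never returns.
def with_loopback_server(banner)
  server = TCPServer.new("127.0.0.1", 0)
  port = server.addr[1]
  acceptor = Thread.new do
    client = nil
    begin
      client = server.accept
      client.write(banner) if banner
      sleep 10 # keep the connection open; never close it
    ensure
      client&.close
    end
  end
  yield "127.0.0.1", port
ensure
  acceptor&.kill
  server&.close
end

def demo_ssh_banner
  with_loopback_server("SSH-2.0-OpenSSH_7.4\r\n") do |host, port|
    grab_banner(host, port, timeout: 2.0, stop_at: "\r\n") # returns as soon as the line is in
  end
end

def demo_silent_service
  with_loopback_server(nil) do |host, port|
    grab_banner(host, port, timeout: 0.3) # no banner: empty response after 0.3 s, not a hang
  end
end

def demo_refused
  server = TCPServer.new("127.0.0.1", 0)
  port = server.addr[1]
  server.close # nothing listens on this port any more
  grab_banner("127.0.0.1", port, timeout: 0.5)
end

if $PROGRAM_NAME == __FILE__
  [demo_ssh_banner, demo_silent_service, demo_refused].each { |ev| puts ev.inspect }
end
```

`stop_at` lets protocol-aware test cases return as soon as the line they need has arrived instead of waiting out the full timeout, and the connect timeout on `Socket.tcp` bounds the other place a test case can otherwise block indefinitely, a filtered port that silently drops the SYN.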

Slide 79

Emotional code 3: https://github.com/gsx-lab/caras-framework/blob/master/app/models/evidence.rb The Evidence model: before writing the ActiveModel method chain, I write out the SQL statement I want, and after implementing it I check with #to_sql that the two match

Slide 80

Emotional code 4: https://github.com/gsx-lab/caras-framework/blob/master/.gitignore Gemfile.lock is in .gitignore. I wanted extensions, TestSuites included, to be able to use a Gemfile of their own. -> Since Gemfile.lock changes depending on which extensions are installed, the lock file cannot be kept in the repository. Painful.

Slide 81

The end