Slide 1

Slide 1 text

Web Security Network Introduction Racterub @ ITAC

Slide 2

Slide 2 text

About Me
• Yuan Ze University, Electrical and Communication Engineering (English-taught program), sophomore
• Usual IDs: Racterub / Racter
• 2017-2019 AIS3 trainee
• 2019 台灣好厲駭 trainee
• 2020 Civil IoT (民生物聯網) Vulnerability Hunting Competition, round 2, 3rd place
• 2020 Zyxel 榮耀資戰, 3rd place

Slide 3

Slide 3 text

Table of Contents
1. Networking basics
2. HTTP
3. Ports
4. CDN
5. URL Scheme

Slide 4

Slide 4 text

OSI Model / TCP/IP

Slide 5

Slide 5 text

OSI Model

Slide 6

Slide 6 text

OSI Model

Slide 7

Slide 7 text

OSI Model
• Application Layer (應用層)
  • HTTP
  • FTP
  • DNS
  • SSH

Slide 8

Slide 8 text

OSI Model

Slide 9

Slide 9 text

OSI Model
• Transport Layer (傳輸層)
  • UDP
  • TCP

Slide 10

Slide 10 text

OSI Model

Slide 11

Slide 11 text

OSI Model

Slide 12

Slide 12 text

OSI Model

Slide 13

Slide 13 text

IP

Slide 14

Slide 14 text

IP
• Like the address of your house
• Mail is delivered by address
• Packets are delivered by IP
• Example: 140.138.8.12

Slide 15

Slide 15 text

Reserved IP
• Private networks
  • 10.0.0.0/8
  • 192.168.0.0/16
  • 172.16.0.0/12
• Localhost
  • 127.0.0.0/8

Slide 16

Slide 16 text

IP
• 10.0.0.0/8 ?

Slide 17

Slide 17 text

IP
• 10.0.0.0/8 ?
• CIDR

Slide 18

Slide 18 text

IP
• 10.0.0.0/8 ?
• CIDR
• Mainly used when allocating IP addresses

Slide 19

Slide 19 text

IP
• 10.0.0.0/8 ?
• CIDR
• Mainly used when allocating IP addresses
• For example, YZU's allocation on the academic network is 140.138.0.0/16

Slide 20

Slide 20 text

IP: 10.0.0.0 (decimal)

Slide 21

Slide 21 text

IP: 10.0.0.0 (decimal) = 00001010.00000000.00000000.00000000 (binary)

Slide 22

Slide 22 text

IP: 10.0.0.0/8 (decimal) = 00001010.00000000.00000000.00000000 (binary); the first 8 bits are fixed

Slide 23

Slide 23 text

IP: 10.0.0.0/8 (decimal), mask = 11111111.00000000.00000000.00000000 (binary) (fixed bits set to 1, the rest to 0)

Slide 24

Slide 24 text

IP
Block        Mask        Range
10.0.0.0/8   255.0.0.0   10.0.0.0 ~ 10.255.255.255

Slide 25

Slide 25 text

Reserved IP
• Private networks
  • 10.0.0.0/8
  • 192.168.0.0/16
  • 172.16.0.0/12
• Localhost
  • 127.0.0.0/8
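Working the CIDR slides through in code, as an added example that is not part of the original deck: the mask and address range for a block are derived bit by bit exactly as the slides do, and the reserved blocks listed above are used to classify an address. The `RESERVED` table is taken from the slides; everything else is constructed here.

```python
import ipaddress

# Reserved blocks listed on the slides: private networks and loopback
RESERVED = {
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "loopback": ["127.0.0.0/8"],
}

def to_int(addr: str) -> int:
    """Dotted IPv4 string -> 32-bit integer, with range checking."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(n: int) -> str:
    """32-bit integer -> dotted IPv4 string."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_bits(addr: str) -> str:
    """Binary form used on the slides, e.g. 10.0.0.0 -> 00001010.00000000.00000000.00000000"""
    return ".".join(f"{int(o):08b}" for o in addr.split("."))

def cidr_info(cidr: str) -> dict:
    """Work a CIDR block the way the slides do: the first N bits are fixed,
    the mask sets exactly those bits to 1, and the range is every address
    that shares them (network address through broadcast address)."""
    addr, _, prefix = cidr.partition("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    first = to_int(addr) & mask            # fixed bits kept, host bits cleared
    last = first | (~mask & 0xFFFFFFFF)    # fixed bits kept, host bits all set
    return {"mask": to_dotted(mask), "first": to_dotted(first),
            "last": to_dotted(last), "size": 1 << (32 - prefix)}

def classify(ip: str) -> str:
    """'private', 'loopback' or 'public', using the reserved blocks above."""
    a = ipaddress.ip_address(ip)
    for kind, blocks in RESERVED.items():
        if any(a in ipaddress.ip_network(b) for b in blocks):
            return kind
    return "public"
```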

Slide 26

Slide 26 text

DNS

Slide 27

Slide 27 text

DNS
• The cool thing that turns domain names into IP addresses
• Example: portalx.yzu.edu.tw → 140.138.8.150

Slide 28

Slide 28 text

DNS

Slide 29

Slide 29 text

DNS

Slide 30

Slide 30 text

DNS

Slide 31

Slide 31 text

HTTP HyperText Transfer Protocol

Slide 32

Slide 32 text

HTTP
• HTTP is stateless
• Usually carried over TCP
• Defines eight request methods
• Defines response status codes
• Versions: HTTP 1.0, HTTP 1.1, HTTP 2.0

Slide 33

Slide 33 text

HTTP Header

Slide 34

Slide 34 text

HTTP Header (Request)
Annotation: HTTP Method (請求方式), the "GET" in the request line
GET / HTTP/1.1
Host: racterub.me
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,
Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Slide 35

Slide 35 text

HTTP Header (Request)
Annotation: Request Path (資源位置), the "/" in the request line "GET / HTTP/1.1" (same request as Slide 34)

Slide 36

Slide 36 text

HTTP Header (Request)
Annotation: HTTP protocol version (1.1, 1.2, 2), the "HTTP/1.1" in the request line (same request as Slide 34)

Slide 37

Slide 37 text

HTTP Header (Request)
Annotation: Host, the name of the site being accessed (domain/IP + port) (same request as Slide 34)

Slide 38

Slide 38 text

HTTP Header (Request)
Annotation: User-Agent, used to identify the operating system and client (browser) (same request as Slide 34)

Slide 39

Slide 39 text

HTTP Header (Response)
Annotation: Status Code, the "200 OK" in the status line
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 27 Sep 2020 10:44:42 GMT
Content-Type: text/html; charset=utf-8
Last-Modified: Tue, 04 Aug 2020 16:24:02 GMT
Connection: close
ETag: W/"5f298ba2-8a3"
Content-Length: 2211

(body omitted on the slide)

Slide 40

Slide 40 text

HTTP Header (Response)
Annotation: Response Header, the header lines following the status line (same response as Slide 39)

Slide 41

Slide 41 text

HTTP Header (Response)
Annotation: body content (文本內容), everything after the blank line that ends the headers (same response as Slide 39)
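A small HTTP/1.x message parser that pulls apart the request and response shown on the slides (method, path, version, headers, status, body), added here as an example that is not part of the original deck. The two raw messages are constructed from the slide text; the response body and its Content-Length are made up to agree with each other, and the status families come from Slide 46.

```python
RAW_REQUEST = (  # constructed from the request shown on the slides
    "GET / HTTP/1.1\r\n"
    "Host: racterub.me\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0\r\n"
    "Accept: text/html\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: close\r\n\r\n"
)
RAW_RESPONSE = (  # constructed; body and Content-Length chosen to match each other
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 12\r\n"
    "Connection: close\r\n\r\n"
    "<p>hello</p>"
)

def status_class(code: int) -> str:
    """Map a status code onto the four families from the slides (2xx/3xx/4xx/5xx)."""
    return {2: "success", 3: "redirect", 4: "client error", 5: "server error"}.get(code // 100, "other")

def parse_message(raw: str) -> dict:
    """Parse one HTTP/1.x request or response into start line, headers and body."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers (missing blank line)")
    lines = head.split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) != 3:
        raise ValueError(f"bad start line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"bad header line: {line!r}")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    msg = {"headers": headers, "body": body}
    if start[0].startswith("HTTP/"):          # response: HTTP/1.1 200 OK
        code = int(start[1])
        msg.update(kind="response", version=start[0][5:], status=code,
                   reason=start[2], status_class=status_class(code))
    else:                                     # request: GET / HTTP/1.1
        msg.update(kind="request", method=start[0], path=start[1], version=start[2][5:])
        if msg["version"] == "1.1" and "host" not in headers:
            raise ValueError("HTTP/1.1 request must carry a Host header")
    # A body whose length disagrees with Content-Length is ambiguous framing; refuse it.
    if "content-length" in headers and int(headers["content-length"]) != len(body.encode()):
        raise ValueError("Content-Length does not match the body")
    return msg
```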

Slide 42

Slide 42 text

HTTP Method
• GET: request the specified resource

Slide 43

Slide 43 text

HTTP Method
• GET: request the specified resource
• POST: submit data to the specified resource (annotation: the submitted data)

Slide 44

Slide 44 text

HTTP Method
• GET: request the specified resource
• POST: submit data to the specified resource
• OPTIONS: ask the server which HTTP request methods the resource supports

Slide 45

Slide 45 text

HTTP Method
• GET: request the specified resource
• POST: submit data to the specified resource
• OPTIONS: ask the server which HTTP request methods the resource supports
• HEAD: same as GET, but the body is not returned
• PUT: upload the latest content to the specified resource location
• DELETE: ask the server to delete the resource identified by the Request-URI
• CONNECT: reserved for proxies that can turn the connection into a tunnel (HTTP 1.1)
• TRACE: echo back the request the server received; mainly used for testing or diagnosis

Slide 46

Slide 46 text

HTTP Status Codes
• 200: success
• 300: redirect
• 400: client error
• 500: server error

Slide 47

Slide 47 text

Lab: Forge HTTP 1

Slide 48

Slide 48 text

URL Uniform Resource Locator

Slide 49

Slide 49 text

URL scheme://User@Domain:Port/Path?Query#Fragment

Slide 50

Slide 50 text

URL
scheme://User@Domain:Port/Path?Query#Fragment
https://root@racterub.me:443/shell?cmd=ls#output
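Splitting the slide's example URL into the components of the scheme above, as an added example that is not part of the original deck. It uses the standard library's `urlsplit`; the lookalike URL in the test is constructed to show that the text before "@" is userinfo, not the host the client connects to, which is the part a defender should read first.

```python
from urllib.parse import urlsplit, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

def split_url(url: str) -> dict:
    """Break a URL into the parts named on the slide:
    scheme://User@Domain:Port/Path?Query#Fragment"""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("URL needs a scheme and a host")
    query = {k: v[0] if len(v) == 1 else v for k, v in parse_qs(parts.query).items()}
    return {
        "scheme": parts.scheme,
        "user": parts.username,                  # None when there is no userinfo
        "domain": parts.hostname,                # the host the client actually connects to
        "port": parts.port or DEFAULT_PORTS.get(parts.scheme),   # explicit port, else scheme default
        "path": parts.path or "/",
        "query": query,
        "fragment": parts.fragment,              # kept by the browser, never sent to the server
    }

def real_host(url: str) -> str:
    """The host a request for this URL goes to, ignoring any userinfo before '@'."""
    return split_url(url)["domain"]
```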

Slide 51

Slide 51 text

Ports

Slide 52

Slide 52 text

Ports
• Defined as part of TCP/IP
• Port range: 1 ~ 65535
• IANA defines the purpose of some ports (but users can define their own)

Slide 53

Slide 53 text

Ports
• 21: FTP
• 22: SSH
• 23: Telnet
• 80: HTTP
• 443: HTTPS
• 3306: MySQL
• 3389: RDP

Slide 54

Slide 54 text

Lab: Forge HTTP 2

Slide 55

Slide 55 text

CDN Content Delivery Network

Slide 56

Slide 56 text

CDN
• Traditional model: one server serves N clients at the same time
• Drawbacks:
  • Performance gets stretched easily
  • The distance between the server and the clients is too long

Slide 57

Slide 57 text

CDN
• CDN: there is still only one server, but the CDN caches the server's static resources, and CDN points of presence are spread all over the world
• Advantages: less load on the server; shorter distance between client and server
• Drawback: after you update data on the server, the CDN edge nodes may not have fetched the latest version yet

Slide 58

Slide 58 text

CDN illustrated (figure): Client fetches Index.html directly from Server, 134 ms

Slide 59

Slide 59 text

CDN illustrated (figure): Client, CDN, Server; cached response from CDN, 74 ms

Slide 60

Slide 60 text

CDN illustrated (figure): Client, CDN, Server; cached response 74 ms, Index.html fetched from Server 60 ms

Slide 61

Slide 61 text

CDN illustrated (figure): Client, CDN, Server; cached response 74 ms, Index.html fetched from Server 60 ms

Slide 62

Slide 62 text

Real Case 霸脫 在外面⺟湯卵共

Slide 63

Slide 63 text

Real Case (P**)

Slide 64

Slide 64 text

Real Case (P**)

Slide 65

Slide 65 text

Real Case (P**)

Slide 66

Slide 66 text

Real Case (P**)

Slide 67

Slide 67 text

Real Case (Y*utu*e)

Slide 68

Slide 68 text

Real Case (Y*utu*e) (figure): user holding a logged-in cookie; flow: login → 2FA → post-login page

Slide 69

Slide 69 text

Real Case (Y*utu*e): a malicious program is sent to the victim

Slide 70

Slide 70 text

Real Case (Y*utu*e): the malware sends back the account password and the logged-in cookie

Slide 71

Slide 71 text

Real Case (Y*utu*e): the hijacked cookie is loaded into a browser

Slide 72

Slide 72 text

Real Case (Y*utu*e): the password and 2FA are changed

Slide 73

Slide 73 text

Real Case (Y*utu*e): password changed, 2FA changed as well

Slide 74

Slide 74 text

Real Case (Y*utu*e): password changed, 2FA changed as well. This kind of attack works against both Facebook and Google; on Facebook in particular, whoever holds the cookie can basically log into your account from any device.

Slide 75

Slide 75 text

Real Case (IP)
• Many systems implement their own client-IP detection (for various purposes)
• But many of these implementations are wrong
• https://devco.re/blog/2014/06/19/client-ip-detection/
• A forged X-Forwarded-For header can change what the detection mechanism decides
• Which ultimately leads to information leakage

Slide 76

Slide 76 text

Real Case (IP)

Slide 77

Slide 77 text

Real Case (IP)

Slide 78

Slide 78 text

Real Case (IP)
    import time
    import requests

    URL = "http://TARGET/"   # placeholder: the page whose IP check is under test
    UA = "Mozilla/5.0"       # placeholder: User-Agent string

    access = []
    for i in range(256):
        time.sleep(1)
        for j in range(256):
            ip = f"192.168.{i}.{j}"
            print(f"[-] Testing {ip}")
            headers = {"X-Forwarded-For": ip, "User-Agent": UA}
            try:
                r = requests.get(URL, headers=headers)
            except requests.RequestException:
                time.sleep(5)  # back off once, then retry
                r = requests.get(URL, headers=headers)
            if "WARNING" not in r.text:
                print(f"[+] Found : {ip}")
                access.append(ip)  # the slide had `access += ip`, which appends single characters
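The server side of this case, written as an added example that is neither the slides' code nor the linked post's: the naive client-IP check that the script above defeats, beside a version that only peels off hops belonging to known proxies. The proxy range (203.0.113.0/24) and the allowed range (192.168.0.0/16) are assumptions for the example.

```python
import ipaddress

# Assumptions for this example: our own reverse proxies / CDN egress live in
# 203.0.113.0/24, and only the private range 192.168.0.0/16 may reach the admin page.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED = ipaddress.ip_network("192.168.0.0/16")

def naive_client_ip(remote_addr: str, headers: dict) -> str:
    """The broken pattern from the slides: take X-Forwarded-For at face value."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr

def safe_client_ip(remote_addr: str, headers: dict) -> str:
    """Walk the hop chain from the right (the TCP peer) and drop only hops that are
    our own proxies; the first other address is the client. If the peer itself is
    not a trusted proxy, the header was written by an untrusted party and is ignored.
    A malformed hop stops the walk so garbage cannot be smuggled in."""
    chain = [remote_addr]
    xff = headers.get("X-Forwarded-For")
    if xff:
        chain = [h.strip() for h in xff.split(",")] + chain
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break
        if not any(ip in net for net in TRUSTED_PROXIES):
            return str(ip)
    return remote_addr   # every hop was one of our proxies: fall back to the peer

def admin_allowed(remote_addr: str, headers: dict, resolver=safe_client_ip) -> bool:
    """Access decision for the admin page; the resolver is pluggable so the
    two strategies can be compared on the same request."""
    try:
        return ipaddress.ip_address(resolver(remote_addr, headers)) in ALLOWED
    except ValueError:
        return False     # unparsable "client IP" is never allowed
```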

Slide 79

Slide 79 text

Homework: Web1 Admin Panel

Slide 80

Slide 80 text

Homework: Web1 Admin Panel - Advanced

Slide 81

Slide 81 text

Finally: anyone interested in playing CTF can come find me privately

Slide 82

Slide 82 text

CTF
• Jeopardy (problem solving): AIS3 EOF CTF
• Attack & Defense (teams attack each other inside the network): HITCON CTF Finals
• King of the Hill (capture and hold machines): Zyxel 榮耀資戰 (CDX)

Slide 83

Slide 83 text

Learning Resources
• CTF
  • picoCTF
  • Bamboofox (NCTU)
  • overthewire.org
  • ctftime.org

Slide 84

Slide 84 text

Learning Resources
• Courses
  • Software Security (程式安全) (NTU, NCTU, NTUST, NCU) (not open to the public)
  • Bamboofox (NCTU)
  • NISRA (FJU)
  • NTUST ISC

Slide 85

Slide 85 text

Afterword
• Today only covered the basic concepts of networking
• To get into security, each area needs some foundations
• This semester's club sessions may be a bit on the hard side
• The main thing is to have fun; if one day you learn enough to hack the school's website, that's not bad either

Slide 86

Slide 86 text

Afterword
• CTF mainly trains attack techniques; playing a lot of CTF makes real-world penetration testing much faster
• CTF has four main areas:
  • Pwn (Reverse + Binary Exploitation)
  • Reverse
  • Crypto (Math)
  • Web

Slide 87

Slide 87 text

Ministry of Education Resources
• ISIP
• AIS3
• 台灣好厲駭
• AIS3 EOF CTF
• MFCTF