Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ITAC | Websec 1

8c89d680ec23fdcecb8524130e4eb582?s=47 racterub
October 13, 2020
Research
0
140

ITAC | Websec 1

ITAC | Websec 1

8c89d680ec23fdcecb8524130e4eb582?s=128

racterub

October 13, 2020
Tweet

More Decks by racterub

See All by racterub
8c89d680ec23fdcecb8524130e4eb582?s=48 racterub
0
69
8c89d680ec23fdcecb8524130e4eb582?s=48 racterub
0
90
8c89d680ec23fdcecb8524130e4eb582?s=48 racterub
0
28
8c89d680ec23fdcecb8524130e4eb582?s=48 racterub
0
69
8c89d680ec23fdcecb8524130e4eb582?s=48 racterub
1
29
8c89d680ec23fdcecb8524130e4eb582?s=48 racterub
1
53
8c89d680ec23fdcecb8524130e4eb582?s=48 racterub
1
29

Other Decks in Research

See All in Research
09ed5afcc83ed2abfea708651c975882?s=48 shunk031
0
770
96466365a9bf7e66990f2b9ba547b02f?s=48 yumu19
1
2.4k
060f64875a37f6fb6639500a06ae9f8c?s=48 jayagonoy
0
110
99e9e6d2de62c373990ac1bd7c4defc5?s=48 hakubishin3
1
860
Bb6c3fc8c577710c72d03aeb4fa56bf6?s=48 masakat0
0
220
A82e268e52c06ad69b83f1a251c682d4?s=48 hiking
0
1.9k
80ebdd6d76fd11529a09b7a384e4f52a?s=48 ledgerback
0
220
362e55239a0463356377118628470d15?s=48 mot_ai_tech
1
930
D77e6b2d469947a4792ab062d466350b?s=48 hagino3000
0
350
32bc2790201d9301bbe5be830b03ff04?s=48 yoshipon
0
120
C29f097d23f8904532ca088ac23ce801?s=48 kayceesrk
2
3.5k
E2dd989b2ba0f83d8a981b9cb3197bf1?s=48 j20232
0
800

Featured

See All Featured
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
17
1.9k
9128d500301ae51524e887bb680f471d?s=48 caitiem20
308
17k
E6c6e133e74c3b83f04d2861deaa1c20?s=48 searls
204
35k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
192
8.6k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
187
14k
F383c6a4dc55e331bbe2987b622cee6b?s=48 stephaniewalter
260
11k
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
94
5.1k
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
176
7.4k
24fc194843a71f10949be18d5a692682?s=48 gr2m
83
11k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
71
3.6k
C157b16234f1e75e8eac3698c1d4414a?s=48 ddemaree
274
31k
282d599b414022eba5096510f675b6e2?s=48 chrislema
231
16k

Transcript

  1. Web Security Network Introduction Racterub @ ITAC

  2. •元智大學 電通英專大二 •常用 ID:Racterub / Racter •2017-2019 AIS3 學員 •2019

    台灣好厲駭 學員 •2020 ⺠生物聯網漏洞挖掘競賽 第二期第三名 •2020 Zyxel 榮耀資戰 第三名 About Me

  3. 1. 基本網路概論 2. HTTP 3. Ports 4. CDN 5. URL

    Scheme 目錄

  4. OSI 模型 TCP/IP

  5. OSI 模型

  6. OSI 模型

  7. • 應用層 Application Layer • HTTP • FTP • DNS

    • SSH OSI 模型

  8. OSI 模型

  9. • 傳輸層 Transport Layer • UDP • TCP OSI 模型

  10. OSI 模型

  11. OSI 模型

  12. OSI 模型

  13. IP

  14. • 蚤֦疑ጱ瑿࣎Ӟ䰬 • 蟈կฎತ瑿࣎ੀ蝑ጱ • 碍硁ฎತ IP ੀ蝑ጱ • Example:

    • 140 . 138 . 8 . 12 IP

  15. • 獉翕 • 10.0.0.0/8 • 192.168.0.0/16 • 172.16.0.0/12 • ๜秚

    • 127.0.0.0/8 狒ኸ IP

  16. • 10.0.0.0/8 ? IP

  17. • 10.0.0.0/8 ? • CIDR IP

  18. • 10.0.0.0/8 ? • CIDR • 主要在分配 IP 的辣 IP

  19. • 10.0.0.0/8 ? • CIDR • 主要在分配 IP 的辣 •

    例如元智在學術網路分配到的是 140.138.0.0/16 IP

  20. IP 10.0.0.0 (10)

  21. IP 10.0.0.0 (10) 00001010.00000000.00000000.0000000 (2)

  22. IP 10.0.0.0/8(10) 00001010.00000000.00000000.0000000 (2) 前 8 bits 固定

  23. IP 10.0.0.0/8(10) 11111111.00000000.00000000.0000000 (2) (固定設 1,其餘設 0)

  24. IP 10.0.0.0/8 遮罩 IP 範圍 255.0.0.0 10.0.0.0 ~ 10.255.255.255

  25. • 獉翕 • 10.0.0.0/8 • 192.168.0.0/16 • 172.16.0.0/12 • ๜秚

    • 127.0.0.0/8 狒ኸ IP

  26. DNS

  27. • 將域名轉成 IP 的酷東東 • Example: • portalx.yzu.edu.tw • 140.138.8.150

    • ! DNS

  28. DNS

  29. DNS

  30. DNS

  31. HTTP HyperText Transfer Protocol

  32. •HTTP 具有無狀態特性 •通常使用 TCP 協定 •訂定八種請求方式 •訂有回傳狀態碼 •歷史版本 •HTTP 1.0

    •HTTP 1.1 •HTTP 2.0 HTTP

  33. HTTP 秂毣

  34. HTTP Header (Request) GET / HTTP/1.1 Host: racterub.me User-Agent: Mozilla/5.0

    (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: text/html, Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, de!"ate Connection: close Upgrade-Insecure-Requests: 1 HTTP Method 請求方式

  35. HTTP Header (Request) Request Path 資源位置 GET / HTTP/1.1 Host:

    racterub.me User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: text/html, Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, de!"ate Connection: close Upgrade-Insecure-Requests: 1

  36. HTTP Header (Request) HTTP 協定版本 1.1 1.2 2 GET /

    HTTP/1.1 Host: racterub.me User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: text/html, Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, de!"ate Connection: close Upgrade-Insecure-Requests: 1

  37. HTTP Header (Request) ਂ玲翕ᒊऒݷ (domain/IP + port) GET / HTTP/1.1

    Host: racterub.me User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: text/html, Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, de!"ate Connection: close Upgrade-Insecure-Requests: 1

  38. HTTP Header (Request) አෝ蜣獨֢禂羬翄޾ਮ䜛ᒒ(倵薩瑊) GET / HTTP/1.1 Host: racterub.me User-Agent:

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: text/html, Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, de!"ate Connection: close Upgrade-Insecure-Requests: 1

  39. HTTP Header (Response) HTTP/1.1 200 OK Server: nginx Date: Sun,

    27 Sep 2020 10:44:42 GMT Content-Type: text/html; charset=utf-8 Last-Modified: Tue, 04 Aug 2020 16:24:02 GMT Connection: close ETag: W/"5f298ba2-8a3" Content-Length: 2211 <!DOCTYPE HTML> !!% Status Code

  40. HTTP Header (Response) HTTP/1.1 200 OK Server: nginx Date: Sun,

    27 Sep 2020 10:44:42 GMT Content-Type: text/html; charset=utf-8 Last-Modified: Tue, 04 Aug 2020 16:24:02 GMT Connection: close ETag: W/"5f298ba2-8a3" Content-Length: 2211 <!DOCTYPE HTML> !!% Response Header

  41. HTTP Header (Response) HTTP/1.1 200 OK Server: nginx Date: Sun,

    27 Sep 2020 10:44:42 GMT Content-Type: text/html; charset=utf-8 Last-Modified: Tue, 04 Aug 2020 16:24:02 GMT Connection: close ETag: W/"5f298ba2-8a3" Content-Length: 2211 <!DOCTYPE HTML> !!% ෈๜獉਻

  42. •GET: 向指定的資源發出顯示請求 HTTP Method

  43. •GET: 向指定的資源發出顯示請求 •POST: 向指定資源提交資料 HTTP Method 提交的資料

  44. •GET: 向指定的資源發出顯示請求 •POST: 向指定資源提交資料 •OPTIONS: 這個方法可使伺服器傳回該資源所支援的所有 HTTP請求方法 HTTP Method

  45. •GET: 向指定的資源發出顯示請求 •POST: 向指定資源提交資料 •OPTIONS: 這個方法可使伺服器傳回該資源所支援的所有HTTP請求方 法 •HEAD: 和 GET

    雷同,但不回傳文本內容 •PUT: 向指定資源位置上傳其最新內容 •DELETE: 請求伺服器刪除Request-URI所標識的資源 •CONNECT: 預留給能夠將連接改為隧道方式的代理伺服器。(HTTP 1.1) •TRACE: 回顯伺服器收到的請求,主要用於測試或診斷 HTTP Method

  46. • 200 : ౮ۑ • 300 : 旉࣎ • 400

    : አ䜛ᒒ梊藮 • 500 : ֑๐ᒒ梊藮 HTTP 制眲嘨

  47. Lab Forge HTTP 1

  48. URL Uniform Resource Locator

  49. URL scheme://User@Domain:Port/Path?Query#Fragment

  50. URL scheme://User@Domain:Port/Path?Query#Fragment https://root@racterub.me:443/shell?cmd=ls#output

  51. Ports

  52. • ਧ嬝ࣁ TCP/IP 愊ᶎ • Port 塅瑻ࣁ 1 ~ 65535

    • ࣁ IANA 磪ਧ嬝Ӟ犚 Port ጱአ蝝
 (֕ฎ User ݢ犥ᛔ懪) Ports

  53. • 21: FTP • 22: SSH • 23: Telnet •

    80: HTTP • 443: HTTPS • 3306: MySQL • 3389: RDP Ports

  54. Lab Forge HTTP 2

  55. CDN Content Delivery Network

  56. •傳統模式: •一台 Server 同時面向 N 台用戶端服務 •缺點: •效能容易吃緊 •Server 和用戶端的距離過⻑

    CDN

  57. •CDN •同樣只有一台 Server,但是透過 CDN 可以對 Server 的 靜態資源進行緩存,並且 CDN 機房是遍佈各地的

    •優點: •減少 Server 負擔,縮短用戶端和 Server 的距離 •缺點: •你在 Server 更新資料,可能 CDN 的邊緣主機尚未取 的最新資料 CDN

  58. CDN 瑽薹 Index.html 134 ms Server Client

  59. CDN 瑽薹 Cache 74 ms CDN Client Server

  60. CDN 瑽薹 Cache 74 ms Index.html 60 ms CDN Client

    Server

  61. CDN 瑽薹 Cache 74 ms Index.html 60 ms CDN Client

    Server

  62. Real Case 霸脫 在外面⺟湯卵共

  63. Real Case (P**)

  64. Real Case (P**)

  65. Real Case (P**)

  66. Real Case (P**)

  67. Real Case (Y*utu*e)

  68. Real Case (Y*utu*e) 持有登入的 Cookie 瞱磪ጭ獈盅ጱ Cookie 登入 2FA ጭ獈盅殷ᶎ

  69. Real Case (Y*utu*e) 㯽蝑የྰ纷ୗ

  70. Real Case (Y*utu*e) የྰࢧ㯽癱蒈ੂ嘨޾ጭ獈盅ጱ Cookie

  71. Real Case (Y*utu*e) ༙獈ۙ瞱کጱ Cookie

  72. Real Case (Y*utu*e) 狕硬ੂ嘨牏2FA

  73. Real Case (Y*utu*e) ੂ嘨硬ധ牏2FA 犖ᤩ硬ധ

  74. Real Case (Y*utu*e) ੂ嘨硬ധ牏2FA 犖ᤩ硬ധ 蝡圵硭䢗ࣁ FaceBook ޾ Google ᮷ฎݢᤈጱ硭䢗ොဩ

    疪ٌฎ FaceBook 牧च๜Ӥݝᥝ೭ک Cookie 疰ݢ犥ࣁ犨 ֜襎脲ጭ獈֦ጱ癱蒈

  75. • 磪战ग़羬翄䨝ᛔᤈ䋿֢㯏介አ䜛 IP ጱۑ胼 (አ蝝犋Ӟ) • ֕ฎ䌃ဩ盄ग़᮷ฎ梊藮ጱ • https://devco.re/blog/2014/06/19/client-ip-detection/ •

    ݢ犥蝚螂㯔蝨 X-Forwarded-For ֵ㯏介秚ګ瓥ധ • 磧盅疩膌虻懱丽襷 Real Case (IP)

  76. Real Case (IP)

  77. Real Case (IP) !

  78. Real Case (IP) access = [] for i in range(256):

    time.sleep(1) for j in range(256): ip = f"192.168.{i}.{j}" print(f"[-] Testing {ip}") headers = {"X-Forwarded-For": ip, "User-Agent": UA} try: r = requests.get(URL, headers=headers) except: time.sleep(5) r = requests.get(URL, headers=headers) if ("WARNING" not in r.text): print(f"[+] Found : {ip}") access += ip

  79. 作業 Web1 Admin Panel

  80. 作業 Web1 Admin Panel - Advanced

  81. 最後 有意願打 CTF 的可以私下 來找我ㄛ

  82. • 薹氂ࣳ • AIS3 EOF CTF • Attack & Defense

    翕獉԰಑ࣳ • HITCON CTF Finals • King of the Hill 㬟覿秚瑊ࣳ • ݳ۪ 禛聱虻䜗 (CDX) CTF

  83. • CTF • picoCTF • Bamboofox (NCTU) • overthewire.org •

    ctftime.org 硽䋊虻რ

  84. • 抓纷 • 纷ୗਞ獊 (NTU, NCTU, NTUST, NCU) (犋獍樄) •

    Bamboofox (NCTU) • NISRA (FJU) • NTUST ISC 硽䋊虻რ

  85. • 犡ॠݝᓒฎՕ奧翕᪠ጱच๜禊盢 • ᥝሻ虻ਞ牧ྯ㮆覿ऒ襑ᥝӞ犚च๜皈ৼ • 蝡䋊๗ጱᐒ抓ݢ胼䨝纸盏ᏝԧӞ讨 • Ԇᥝ螭ฎ૶磭ሻ஑樄ஞ೉牧ߺॠ䋊کݢ犥಑䋊໊翕ᒊ犖犋 梊 盅懿

  86. • CTF Ԇᥝฎࣁ娞聜硭䢗ጱದૣ牧CTF ಑஑ग़䌘ෝ匍䋿佒蝚 䨝盠盄ग़ • CTF Ԇᥝ獤ࢥय़覿ऒ • Pwn

    (Reverse + Binary Exploitation) • Reverse • Crypto (Math) • Web 盅懿

  87. • ISIP • AIS3 • ݣ傀অ玭洸 • AIS3 EOF CTF

    • MFCTF 硽胍蟂虻რ