20140714 SITCON Camp: Unveiling the Mystery Behind Hackers (揭開駭客的神祕面紗)
Allen Own
July 14, 2014
Technology
Transcript
Unveiling the Mystery Behind Hackers (揭開駭客的神祕面紗). SITCON Camp. 翁浩正 Allen Own
allenown@devco.re
Ꮦ˃ဧٰ΅Ϟࠢʮ̡
ᑺ٫ᔊʧ ॽख͍ Allen Own DEVCORE Ꮦ˃ဧٰ΅Ϟࠢʮ̡ੂБڗ allenown@devco.re HITCON ̨ᝄᎡ܄ϋึਓᐼ̜ NISRA ༟τྠඟ௴፬ɛ ༟τҦঐږᆤᘩᒄϋڿࠏeϋԭࠏ
༟τదၣ१ታ१ᚥਪ
ٷ᧼㔃க፞ HITCON X: ADAPT TO THE NEW ERA OF SECURITY THREATS ˾ _ ̄ ٷޠΥḛ৮㑱ൽ㡴˒৴ἵ㋒̙ቢῳ፞㒔 http://hitcon.org
νОϓމ੶٫k
ኪࣧʔ݊Ϟk މʡჿᒔࠅІʉрɢk
ኪࣧԃ ଣሞeʫ̌ ุޢ ྼਕeуࣛɢe؛̌
ኪࣧԃ ଣሞeʫ̌ ุޢ ྼਕeуࣛɢe؛̌ ๖
৷ ʕ ɽ ኪ Ӻ ה ఱ ุ
৷ ʕ ɽ ኪ Ӻ ה ఱ ุ Why?
৷ ʕ ɽ ኪ Ӻ ה ఱ ุ ????
৷ ʕ ɽ ኪ Ӻ ה ఱ ุ ㄨ
ྼਕࠦ̈೯ ᓘ՟ุޢeၣ༩ɪٙٝᗆ ԑኪࣧίྼਕɪٙʔԑ
ᜊ੶ٙږᝌjІ˴ኪ୦
The teacher leads you to the door; the practice is up to you. (老師領進門，修行在個人)
І˴ኪ୦ ഛ͜ၣ༩ɪٙኪ༟๕ ʔࠅᔊʕ˖eߵ˖ й፰ဲdਗ˓ਂఱ࿁əl ϓఱชܘࠠࠅl
ʔࠅ̰ ̰ٙɛdʑ݊ኪՑ௰εٙ
ࡳԬٝᗆ݊Ңࡁ̀௪ٙճk
όႧԊ C/C++, Java, C# ໔͉ႧԊ Scripting Language: Shell Script, JavaScript, Python, Ruby, Perl ၣࠫᏐ͜όႧԊ ASP.NET, PHP, JSP, RoR БਗༀໄόႧԊ
Android: Java. iOS: Objective-C. Windows Phone.
νО፯όႧԊk TIOBE Programming Community Index http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html રБᒈැ̙˸ՑႧԊٙᆠژܓ˸ʿุޢٙცӋ
ڐಂ༟τࠅၲ
ᒄژ᚛дj ̘ϋΌଢϞᄂഅࡈ༟̮ރ ᒄژ᚛д௰อ ISTR ၣ༩τΌ۾উజѓܸ̈d̘ϋ೯͛ٙ ༟τԫᜑͪdᎡ܄ҸᏘҞҸᏘᔷމڗಂᆑͿٙɓ ϣɽᅼҸᏘdϋΌଢߒϞᄂഅ༟̮ࣘރf ί༈జѓ୕ࠇʕd̨ᝄίϋၣ༩۾উʕΤΐΌ ଢୋdԭݲසϣʕeΙܓfʫϞٙ০࿁ ҸᏘᕁ֛ՑɛᅼٙʕɽۨΆุdҭ೯ʿႡி ุމҸᏘᕁ֛ٙՇɽପุfϾ̘ϋ̨ᝄչѫඉરΤ ୋΤɪʺЇୋdⶋ܉ၣ༩ɰરΤୋf
http://www.ithome.com.tw/news
eBay ቊල܄ɝڧ ᄂ͜˒༟̮ࣘރ eBay ˚ί֜˙ၣ१ʮ̺dʦϋ˜ֵЇ˜ڋd ᄂ܄˒ٙཥඉήѧe̋ܝٙᇁë͛˚ಂʿИѧ ഃᅰኽೳ՟dШೳ՟ٙ˖Ѱʔўৌਕ༟ࣘfʮ ̡ڮሗᄂ͜˒һҷᇁf eBay ڌͪdմۃ೯ତவԬቊᎡٙਪᕚኯᗇdމə࿏ֵ ݟਪᕚdה˸ٜՑ˚ʑʮ̺dШ൷ᕎ˜ڋቊල܄ ɝڧࣛගʊڐࡈ˜f http://www.bbc.co.uk/zhongwen/trad/world/…_ebay_hackers.html
AOL վוӻ୕ቊɝڧd Ꭱ܄̙ঐπ՟ɽඎԴ͜٫੮ AOL ᆽႩᎡ܄͊બᛆπ՟əўϞɽඎԴ͜٫੮ٙУ ኜdܼ̍͜˒ٙཥɿඉ੮eήѧeஷৃe̋ ٙᇁe̋ٙτΌஷᗫႧd˸ʿʈЪఊЗdϾ ˲ AOL ɰڦչѫᔥʊෂൟᗺඉഗߒ͜˒ٙ ஷৃʾɛf http://www.ithome.com.tw/news
ߕཧਯਠ IT ӻ୕Κዚ ৰə Target εཧਯਠɰቊݪ ௰ڐdԨʔස˟ Target ɓ೯͛ࠠɽ༟̮ࣘރԫf ࣬ኽ༩ீٟܸ̈dίື˚ᒅي֙ಂගdৰə Target ၾ Neiman Marcus ʘ̮ٙεཧਯਠdɰቊՑᎡ܄ҸᏘf ɪ Target ீᚣܸ̈dᎡ܄՟ə ຬഅٙᚥ܄ ֑Τeඉήѧeཥ༑ᇁeཥɿඉήѧၾ˕˹̔ ༟ࣘdШ̘ϋ˜ʕϚৎజኬ፲̰ٙഅᅰމ ຬ അf http://news.networkmagazine.com.tw/classification/security/
ӚϞʔτΌٙӻ୕ ̥ϞʔτΌٙɛ
A nice password, but…? Admin password: Admin.R386W
Is Your Password Safe?
ซซІʉϞӚϞਂՑτΌf ໆӻ୕ʔτΌʘۃd
༟τ۾উၾᏐ࿁ ԣጏ٫ԨʔᆞҸᏘ٫ٙː࿒eͦٙeҦஔഃdኬߧ ԫ೯͛ܝʑঐආБࡌfϾʔٝ༸ҸᏘٙҦஔၾ˙ جdࡌɰසطᅺʔط͉ ෂ୕ٙԣጏ˙όdܼ̍ӻ୕ࡌeԣጏe̋dேΪ อҦஔɓɓॎ༆dԷνʱόஈଣeථ၌e GPU e Rainbow Table
༟τ۾উၾᏐ࿁ ٝʉٝ־dϵʔݫ ኪ୦Ꭱ܄ٙܠၪd௰อٙҦஔdԨ˲ə༆Іʉӻ୕ٙ ঌࢮᓃӺίОஈ
What is cyberwar?
http://www.flickr.com/photos/42514833@N07/5246970893/ Cyberwar
ၣ༩͍ίආБʕl
Ŗϓၣ༩ගፒҸᏘ ԸІॴዚ೯ਗ ࣬ኽϋ Verizon ௰อ೯̺ٙ༟̮ࣘރሜݟజ ѓܸ̈dίሜݟڐٙၣ༩ගፒҸᏘԫʕdϞ ݊ԸІִ݁ॴዚٙ೯ਗdՉʕऒʿ༟̮ࣘރٙҸ Ꮨݺਗۆ݊Цəfజѓɰܸ̈dϞਗ਼ڐɓ̒ ٙ ၣ༩ගፒݺਗேԸІʕձՉ̴؇ԭה˴ኬd̤̮ ɰϞĈۆ݊ԸІ؇ᆄήਜfʕһϞ൴ཀ̒ᅰ˸ɪ ٙၣ༩ගፒҸᏘ࿁݊˸ߕމ˴dՉϣ݊˚͉ ձᒵ f http://www.ithome.com.tw/news
Ꭱ܄ᜣ့ཥൖ̨ვБ یᒵజኬj̏ᒵהމ یᒵɪ˜ቊᎡ܄ɝڧdεཥൖ̨ձვБΌࠦᜣ့d یᒵᙆ˙ɓܓ၈Ꭱ܄ҸᏘԸІʕdܝҷɹ݊ߕʿ ᆄݲഃࡈdШʦ˂یᒵʮ̺͍όజѓdܸછ̏ᒵ ᆽމவৎҸᏘࣩٙ˴ፑdᘪࣛගڗ༺˜ʘɮf http://www.appledaily.com.tw/realtimenews/article/international/
Ꭱ܄त၇ඟ ږ㛬Έˏ͜ɓ΅̏ᒵִ݁֜˙˖༟ܸࣘ̈d̏ᒵʊ ݂ჯኬɛږ͍˚ϋᒔፋІɨ˿ਗ਼ணί̻ᘎٙၣ༩ त၇ඟᓒᇜЇ ɛdᒱ್༈΅˖ٙॆྼ͊ ᆽႩdШږ㛬ΈኽϤౣd̏ᒵᎡ܄ɛᅰʘܝʊɽష ᄣ̋dϞԬ݊ݼታʕd˸کԫသீऎ̮ၣ༩ٙ ਕf http://news.chinatimes.com/world/
Die Hard 4.0
ၣ༩ٙͦٙ݊ʡჿk ՟ઋజ ᜣ့ၣ༩ ਔ॰ ܁౮ІҢଣׂ
What is a hacker?
http://www.flickr.com/photos/torh/5275187124/
Ꭱ܄݊ʡჿ Ꭱ܄ Hacker ࡡจމ ᆠহཥ໘ӻ୕ҦஔӺٙਖ਼ ɽඎႬ͜ɨᎡ܄ɓ൚੭ϞࠋࠦЍd੬މ ڢجెจॎᕸeɝڧӻ୕ٙɛ
Ꭱ܄݊ʡჿ White Hat (white-hat hacker) ༟τਖ਼d࿁ӻ୕τΌආБӺԨԣጏࡌfεᅰ ԫ༟ৃτΌᗫБุ Black Hat (black-hat hacker) ආБ͕ໆٙɝڧБމdਖ਼̡ॎᕸd˸ۃ͵̙၈ މ Cracker
Ꭱ܄݊ʡჿ Grey Hat ϲసᎡ܄ ʧ White Hat ʿ Black Hat ʘග Script Kiddie ҦஔʔॱᆞאʔᏑࡡଣd̥ึԴ͜ତϞҸᏘ όආБెจॎᕸٙҸᏘ٫dᏕ၈މ Script Kiddie dͦۃεᅰెจॎᕸ٫ޫ݊
Ꭱ܄ଡ଼ᔌ ֜˙ᇜՓ ִ݁ Άุ ڢ֜˙ᇜՓήɨ
Ꭱ܄ҸᏘٙͦᅺ ͦᅺjУኜࡈɛཥ໘ ెจᎡ܄މə༺ՑݔԬͦٙdึҸᏘУኜא ࡈɛཥ໘fʔΝٙͦᅺึϞʔΝٙҸᏘ˓جd ɰึϞഹʔΝٙͦٙf
ၣ१ɝڧٙܝ؈k Ꭱ܄Ցֵࠅٙ݊ʡჿk
ၣ१ɝڧٙܝ؈k ՟ၣ१ʫ༟ࣘ ਂމ༪ؐҸᏘՉ˼˴ዚ નᇁא׳ໄెจό ໄ౬ࠫࠦאॎᕸ ՟१ʫ੮ᇁࡈ༟
Ꭱ܄՟੮ᇁνОԴ͜ ০࿁ٙೳ͜ݔ੮ ՟၍ଣ٫ᛆࠢ ਗ਼ᇁᏦႡЪϓοՊᏦ
ࡈɛཥ໘ɝڧٙܝ؈k Ꭱ܄Ցֵࠅٙ݊ʡჿk
ࡈɛཥ໘ɝڧٙܝ؈k ՟ཥ໘ʫ༟ࣘ ՟ཥ໘ʫ੮ᇁࡈ༟ ਂމ༪ؐҸᏘՉ˼˴ዚ
㔃கሯᇜḢပᚓ㢂
⁰ഥ ㉺ ⁔ፇ ሟᇌ ༃༦⾬̳ ⳽୷⭶ё ῳ̎ഇ₁༓༶⾽̿
⁰ഥ ㉺ ⁔ፇ ሟᇌ ⳽୷⭶ё ᖤஞቒ̳ ῳ̎ഇ₁༓༶⾽̿
ሟᇌ ⳽୷⭶ё ⋣ ⳽ቛൻ Botnet DDoS ሯᇜ
ሟᇌ ⳽୷⭶ё ⋣ ⳽ቛൻ ṬᄍӴξͥ፦࠵
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/ Have you updated? (你更新了嗎?)
੬ԈτΌဍݸ࡚ؓ
ၣ१༟ৃރဍ ၣ१፹Ⴌৃࢹ͊ᒯᔛ Уኜක೯٫و͉છ၍ࠫࠦ͊ৰ ၣࠫУኜක઼ͦΐڌ Index Of ࠬᎈjഗʚᎡ܄ɝڧٙ༟ৃdܼ̍ӻ୕ৣໄeͦdޟ Ї੮eᇁഃ
⊷ਘῠ໊aіa⊷ਘῠẀᇂ
ᅟℯⅴਫ਼
?
Site B, password: 1qaz2wsx. Site C, password: 1@#$%^%^*ag. Site A (compromised), password: 1qaz2wsx.
၍ଣ٫͊းப ᒯਛʔజˏ೯һᘌࠠٙԫ࿒ પ՝பೌج༆Ӕਪᕚ ๘ᗇኽਪᕚԱᔚπίdᎡ܄ஶჇІί
ၣ१τΌᏨνОྼЪ
ၣ१τΌᏨνОྼЪ ݟ༔Уኜeࢁٙو͉༟ৃ ᝈ࿀ၣ१ࠫࠦeʩ९eආɝᓃ ഗʚ͍੬ٙ፩ɝeମ੬ٙ፩ɝdᝈ࿀ၣ१ٙˀᏐʿৃ ࢹ Trial and Error
༊ʈՈ Mantra http://www.getmantra.com Burp Suite http://portswigger.net/burp Fiddler http://fiddler2.com
τΌᏨʃҦ̷ Ꮸၣ१݊щಀᎡ http://www.google.com/safebrowsing/diagnostic?site= http://zone-h.org http://www.malwaredomainlist.com/mdl.php http://www.urlvoid.com
Ꭱ܄ٙܠၪ༧Ңࡁʔɓᅵ
Injection? Path? Path?
admin ' or 1=1 --
admin abc123 123456 password 3939889 19831001 A12345678 87468c07c02e370ef84d4b7e3a668589
Try to get the password. WordPress Vulnerability?
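The slide above shows `admin ' or 1=1 --` as a login username. The following is an added example, not code from the deck, showing why that string works against a login query built by string concatenation and why it fails against the same query with bound parameters. It uses Python's built-in sqlite3 module on a constructed in-memory user table; the one account and its password (the Admin.R386W value from an earlier slide) are sample data made up for the demonstration. Plain SHA-256 stands in for a real password hash only to keep the example short.

```python
"""Login bypass with the "' or 1=1 --" payload, vulnerable vs. parameterised.

Added example (not from the deck). Builds a throwaway SQLite table with one
constructed account and runs the same credential check two ways.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin account with a hashed password.
    SHA-256 is used only for brevity; a real system should use a slow,
    salted password hash such as bcrypt, scrypt or Argon2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("admin", hashlib.sha256(b"Admin.R386W").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The query is assembled by string concatenation, so the username is
    parsed as SQL. With username "admin ' or 1=1 --" the text after "--"
    (including the whole password check) becomes a comment, and
    "username = 'admin ' OR 1=1" is true for every row."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver sends the username as a
    literal value, so the quote, "or" and "--" are just characters that no
    username in the table happens to match."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] > 0


# The username exactly as it appears on the slide.
PAYLOAD = "admin ' or 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("concatenated query, payload username :", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterised query, payload username:", login_safe(db, PAYLOAD, "anything"))
    print("parameterised query, real credentials:", login_safe(db, "admin", "Admin.R386W"))
```

The concatenated version returns True for the payload with any password, the parameterised version returns False for it and True only for the real credentials. For detection, a login handler that logs the raw submitted username makes this pattern (quote characters, `or 1=1`, trailing `--`) easy to alert on, and the fix is the one shown: never build SQL from request data, bind it.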
Ꭱ܄ҸᏘݴ Reconnaissance, Scanning, Gaining Access, Maintaining Access, Clearing Tracks
ॆྼҸᏘԫԷ Ꭱ܄͟ၣ१ҬՑɪෂeᄳᏦഃࢮᓃdಔɝ webshell ܝژஹɝ˴ዚf http://victim.org/shell.php?cmd=oxox ၇ၣࠫτΌਪᕚޫ̙л͜dܼ̍ᄳᏦeҷᏦeɪ ෂᏦࣩf
ॆྼҸᏘԫԷ Cont. ஹɝ˴ዚܝ೯ତ੮ᛆࠢʔԑd˴ዚʫరҬ̙ٙ͜ ༟ৃf ᛆࠢj nobody/nogroup Ҭర̙͜੮ /etc/passwd ݟ༔ӻ୕̙͜༟ৃ /var/log ฤరϞೌ setuid files ̙Զл͜
ॆྼҸᏘԫԷ Cont. ೯ତ˴ዚ Kernel و͉ཀᔚdϞ̙ᛆٙࢮᓃf ᅠᄳฤర Exploit ҸᏘd՟ root ᛆࠢf http://www.exploit-db.com Google By yourself
ॆྼҸᏘԫԷ Cont. ׳ໄܝژ Rootkit ˸Զ˚ܝԴ͜f /etc/passwd ܔͭ੮ /etc/rc.d ׳ໄܝژ ˾౬ sshd ഃ
ॆྼҸᏘԫԷ Cont. ৰԑ༦jাᏦʿӻ୕ߏ ~/.history ~/.bash_history /var/log
ၣ༩݊τΌٙk
"Welcome to phpMyAdmin" AND "Create new database" filetype:php
Lab
ІҢኪ୦
༟τהცٙٝᗆߠ౻ၾҦঐ ༟ৃϗණ Information Gathering ӻ୕τΌ System Security ၣ༩τΌ Network Security ၣ१ၾၣࠫᏐ͜ότΌ Web Security ̋ၾ༆ Cryptography ెจόᏨ Malware Detection Σʈ Reversing Engineering ᅰЗᛠᗆ Digital Forensics Бਗༀໄ Mobile Devices
ІҢᇖ୦ https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project https://pentesterlab.com http://www.dvwa.co.uk http://www.hackthissite.org http://hackademic.teilar.gr https://hack.me http://zero.webappsecurity.com http://sourceforge.net/projects/mutillidae
Q&A
ᑌഖ˙ό ߰ϞОٙဲਪdᛇڎᎇࣛၾҢᑌᖩf ॽख͍ Allen Own http://devco.re allenown@devco.re