20140714 SITCON Camp 揭開駭客的神祕面紗

Transcript

1. 揭開駭客的神祕面紗 
   4*5$0/
   $BNQ 翁浩正 Allen Own [email protected] Ꮦ˃੒ဧٰ΅Ϟࠢʮ̡

2. ᑺ٫ᔊʧ ॽख͍
   "MMFO
   0XO
   %&7$03&
   Ꮦ˃੒ဧٰ΅Ϟࠢʮ̡
   ੂБڗ
   BMMFOPXO!EFWDPSF
   ! )*5$0/
   ̨ᝄᎡ܄ϋึਓᐼ̜
   /*43"
   ༟τྠඟ௴፬ɛ
   ༟τҦঐږ޷ᆤᘩᒄϋڿࠏeϋԭࠏ
   

   ༟τద᜗ၣ१ታ१ᚥਪ

3. ٷ᧼㔃க൥፞
   )*5$0/
   9
   "%"15
   50
   5)&
   /&8
   &3"
   0'
   4&$63*5:
   5)3&"54
   
   ˾
   _
   
   ̄
   ٷ׸ޠΥḛ৮㑱ൽ㡴˒৴ἵ⃄㋒
   ̙ቢῳ፞⁠୹㒔
   IUUQIJUDPOPSH

4. None

5. νОϓމ੶٫k

6. None
7. None

8. ኪࣧʔ݊Ϟ઺෗k
   މʡჿᒔࠅІʉрɢk

9. ኪࣧ઺ԃ
   ଣሞeʫ̌
 
 ุޢ
   ྼਕeуࣛ኷ɢe؛̌

10. ኪࣧ઺ԃ
    ଣሞeʫ̌ 
 ุޢ
    ྼਕeуࣛ኷ɢe؛̌ ๖

11. ৷
    ʕ ɽ ኪ ޼ Ӻ ה ఱ ุ

12. ৷
    ʕ ɽ ኪ ޼ Ӻ ה ఱ ุ 為什麼？

13. ৷
    ʕ ɽ ኪ ޼ Ӻ ה ఱ ุ ????

14. ৷
    ʕ ɽ ኪ ޼ Ӻ ה ఱ ุ ㄨ

15. ੽ྼਕࠦ̈೯
    ᓘ՟ุޢeၣ༩ɪٙٝᗆ
    ໾ԑኪࣧίྼਕɪٙʔԑ

16. ᜊ੶ٙږᝌjІ˴ኪ୦

17. 老老師領領進門，修行行在個㆟人

18. None
19. None

20. І˴ኪ୦ ഛ͜ၣ༩ɪٙ઺ኪ༟๕
    ʔࠅ׊ᔊ᜗ʕ˖eߵ˖
    й፰ဲdਗ˓ਂఱ࿁əl
    ϓఱชܘࠠࠅl

21. ʔࠅ׊̰઻
    ̰઻ٙɛdʑ݊ኪՑ௰εٙ

22. ࡳԬٝᗆ݊Ңࡁ̀௪ٙճk

23. ೻όႧԊ
    $
    
    $
    
    +BWB
    
    $
    ໔͉ႧԊ
    4DSJQUJOH
    -BOHVBHF
    4IFMM
    4DSJQU
    
    +BWB4DSJQU
    
    1ZUIPO
    
    3VCZ
    
    1FSM
    ၣࠫᏐ͜೻όႧԊ
    "41/&5
    
    1)1
    
    +41
    
    3P3
    Бਗༀໄ೻όႧԊ
    
    

    "OESPJE
    +BWB
    
    J04
    0CKFDUJWF$
    
    8JOEPXT
    1IPOF

24. νО፯኿೻όႧԊk 5*0#&
    1SPHSBNNJOH
    $PNNVOJUZ
    *OEFY
    IUUQXXXUJPCFDPNJOEFYQIQDPOUFOUQBQFSJOGPUQDJ JOEFYIUNM
    ੽રБᒈැ̙˸޶ՑႧԊٙᆠژ೻ܓ˸ʿุޢٙცӋ

25. None
26. None

27. ڐಂ༟τࠅၲ

28. ᒄژ᚛дj
    ̘ϋΌଢϞᄂഅࡈ༟̮ރ ᒄژ᚛д௰อ*453ၣ༩τΌ۾উజѓܸ̈d̘ϋ೯͛ٙ ༟τԫ΁ᜑͪdᎡ܄ҸᏘ੽Ҟ஺ҸᏘᔷމڗಂᆑͿٙɓ ϣ׌ɽ஝ᅼҸᏘdϋΌଢߒϞᄂഅ༟̮ࣘރf
    ί༈జѓ୕ࠇʕd̨ᝄίϋ዆᜗ၣ༩۾উʕΤΐΌ ଢୋdԭݲසϣ׵ʕ਷eΙܓf਷ʫϞٙ০࿁׌ ҸᏘᕁ֛Ցɛ஝ᅼٙʕɽۨΆุdҭ೯ʿႡி ุމҸᏘᕁ֛ٙՇɽପุfϾ̘ϋ̨ᝄչѫඉ΁રΤ੽ ୋΤɪʺЇୋdⶋ܉ၣ༩ɰરΤୋf

    IUUQXXXJUIPNFDPNUXOFXT

29. F#BZ
    ቊල܄ɝڧ
 
    ᄂ͜˒༟̮ࣘރ F#BZ
    ˚ί֜˙ၣ१ʮ̺dʦϋ˜ֵЇ˜ڋd ᄂ܄˒ٙཥඉήѧe̋੗ܝٙ੗ᇁë͛˚ಂʿИѧ ഃᅰኽ஗ೳ՟dШ஗ೳ՟ٙ˖΁Ѱʔўৌਕ༟ࣘfʮ ̡ڮሗᄂ͜˒һҷ੗ᇁf
    F#BZڌͪdմۃ೯ତவԬቊᎡٙਪᕚኯᗇdމə࿏ֵ ૶ݟਪᕚdה˸ٜՑ˚ʑʮ̺dШ൷ᕎ˜ڋቊල܄ ɝڧࣛගʊ຾ڐࡈ˜f IUUQXXXCCDDPVL[IPOHXFOUSBEXPSME@FCBZ@IBDLFSTIUNM

30. "0-վוӻ୕ቊɝڧd
 Ꭱ܄̙ঐπ՟ɽඎԴ͜٫੮໮ "0-ᆽႩᎡ܄͊຾બᛆπ՟əўϞɽඎԴ͜٫੮໮ٙУ ؂ኜdܼ̍͜˒ٙཥɿඉ΁੮໮eήѧeஷৃ፽e̋ ੗ٙ੗ᇁe̋੗ٙτΌஷᗫ੗Ⴇd˸ʿʈЪఊЗdϾ ˲"0-ɰ޴ڦչѫᔥʊ຾ෂ৔ൟᗺඉ΁ഗߒ͜˒ٙ ஷৃ፽ʾɛf IUUQXXXJUIPNFDPNUXOFXT

31. ߕ਷ཧਯਠ*5ӻ୕௘Κዚ
 ৰə5BSHFUε࢕ཧਯਠɰቊݪ ௰ڐdԨʔස˟׵
    5BSHFU
    ɓ࢕೯͛ࠠɽ༟̮ࣘރԫ΁f ࣬ኽ༩ீٟܸ̈dίື˚ᒅي֙ಂගdৰə
    5BSHFU
    ၾ /FJNBO
    .BSDVT
    ʘ̮ٙ஢εཧਯਠdɰቊՑᎡ܄ҸᏘf
    ɪ඄
    5BSHFU
    ீᚣܸ̈dᎡ܄᛿՟ə΍ ຬഅٙᚥ܄ ֑Τeඉ΁ήѧeཥ༑໮ᇁeཥɿඉ΁ήѧၾ˕˹̔ ༟ࣘdШ̘ϋ˜ʕϚৎ΋జኬ፲̰ٙഅᅰމ ຬ

    അf IUUQOFXTOFUXPSLNBHB[JOFDPNUXDMBTTJGJDBUJPOTFDVSJUZ

32. ӚϞʔτΌٙӻ୕
 ̥ϞʔτΌٙɛ

33. None
34. None

35. A Nice Password, but….? Admin password Admin.R386W

36. Is Your Password Safe?

37. ΋ซซІʉϞӚϞਂՑτΌf ׉ໆӻ୕ʔτΌʘۃd

38. ༟τ۾উၾᏐ࿁ ԣጏ٫Ԩʔᆞ઄ҸᏘ٫ٙː࿒eͦٙeҦஔഃdኬߧ ԫ΁೯͛ܝʑঐආБࡌ໾fϾʔٝ༸ҸᏘٙҦஔၾ˙ جdࡌ໾ɰසطᅺʔط͉
    ෂ୕ٙԣጏ˙όdܼ̍ӻ୕ࡌ໾eԣጏe̋੗dேΪ อҦஔɓɓ஗ॎ༆dԷνʱ౳όஈଣeථ၌e(16e 3BJOCPX5BCMF

39. ༟τ۾উၾᏐ࿁ ٝʉٝ־dϵ኷ʔݫ
    ኪ୦Ꭱ܄ٙܠၪd௰อٙҦஔdԨ˲ə༆Іʉӻ୕ٙ ঌࢮᓃӺ௞ίОஈ

40. Cyberwar
    ݊ʡჿk

41. http://www.flickr.com/photos/42514833@N07/5246970893/ Cyberwar

42. ၣ༩኷͍ίආБʕl

43. Ŗϓၣ༩ගፒҸᏘ
    ԸІ਷࢕ॴዚ࿴೯ਗ ࣬ኽ
    
    ϋ
    7FSJ[PO
    ௰อ೯̺ٙ
    
    ༟̮ࣘރሜݟజ ѓܸ̈dίሜݟڐ΁ٙၣ༩ගፒҸᏘԫ΁ʕdϞ ݊ԸІ׵਷࢕ִ݁ॴዚ࿴ٙ೯ਗdՉʕऒʿ༟̮ࣘރٙҸ Ꮨݺਗۆ݊Цəfజѓɰܸ̈dϞਗ਼ڐɓ̒  ٙ ၣ༩ගፒݺਗேԸІ׵ʕ਷ձՉ̴؇ԭ਷࢕ה˴ኬd̤̮ ɰϞĈۆ݊ԸІ؇ᆄήਜ਷࢕f຅ʕһϞ൴ཀ̒ᅰ˸ɪ

    ٙၣ༩ගፒҸᏘ࿁൥݊˸ߕ਷މ˴dՉϣ݊˚͉  ձᒵ ਷  f
    IUUQXXXJUIPNFDPNUXOFXT

44. Ꭱ܄ᜣ့ཥൖ̨ვБ
    یᒵజኬj̏ᒵהމ یᒵɪ˜ቊᎡ܄ɝڧdε࢕ཥൖ̨ձვБΌࠦᜣ့d یᒵᙆ˙ɓܓ၈Ꭱ܄ҸᏘԸІʕ਷dܝҷɹ݊ߕ਷ʿ ᆄݲഃࡈ਷࢕dШʦ˂یᒵʮ̺͍όజѓdܸછ̏ᒵ ᆽމவৎҸᏘࣩٙ˴ፑdᘪ೥ࣛගڗ༺˜ʘɮf
    IUUQXXXBQQMFEBJMZDPNUXSFBMUJNFOFXTBSUJDMFJOUFSOBUJPOBM

45. Ꭱ܄त၇௅ඟ ږ㛬Έˏ͜ɓ΅̏ᒵִ݁֜˙˖΁༟ܸࣘ̈d̏ᒵʊ ݂ჯኬɛږ͍˚ϋᒔፋІɨ˿ਗ਼ணί̻ᘎٙၣ༩ त၇௅ඟᓒᇜЇ ɛdᒱ್༈΅˖΁ٙॆྼ׌͊຾ ᆽႩdШږ㛬ΈኽϤౣ಻d̏ᒵᎡ܄ɛᅰʘܝʊɽష ᄣ̋dϞԬ݊ݼታʕ਷d˸ک੽ԫသீऎ̮ၣ༩ٙ΂ ਕf
    IUUQOFXTDIJOBUJNFTDPNXPSMEIUNM

46. None

47. Die Hard 4.0

48. ၣ༩኷ٙͦٙ݊ʡჿk ᛿՟਷࢕ઋజ
    ᜣ့ၣ༩
    ਔ॰
    ܁౮ІҢଣׂ

49. Ꭱ܄݊ʡჿk What is Hacker?

50. http://www.flickr.com/photos/torh/5275187124/

51. Ꭱ܄݊ʡჿ Ꭱ܄
    )BDLFS
    ࡡจމ
 ˜ᆠহ׵ཥ໘ӻ୕Ҧஔ޼Ӻٙਖ਼࢕™
    ɽඎႬ͜ɨ˜Ꭱ܄™ɓ൚੭ϞࠋࠦЍ੹d੬މ ڢجెจॎᕸeɝڧӻ୕ٙɛ

52. Ꭱ܄݊ʡჿ White Hat 白帽駭客 ༟τਖ਼࢕d࿁ӻ୕τΌආБ޼ӺԨԣጏࡌ໾fεᅰ ੽ԫ༟ৃτΌ޴ᗫБุ
    Black Hat 黑帽駭客 ආБ͕ໆٙɝڧБމdਖ਼̡ॎᕸd˸ۃ͵̙၈

    މ
    $SBDLFS

53. Ꭱ܄݊ʡჿ (SFZ
    )BU
    ϲసᎡ܄
    ʧ׵
    8IJUF
    )BU
    ʿ
    #MBDL
    )BU
    ʘග
    4DSJQU
    ,JEEJF
    ҦஔʔॱᆞאʔᏑࡡଣd̥ึԴ͜ତϞҸᏘ೻ όආБెจॎᕸٙҸᏘ٫d஗Ꮥ၈މ
    4DSJQU
    ,JEEJFdͦۃεᅰెจॎᕸ٫ޫ݊

54. None

55. Ꭱ܄ଡ଼ᔌ ֜˙ᇜՓ
    ਷࢕
    ִ݁
    Άุ
    ڢ֜˙ᇜՓ€ήɨ

56. Ꭱ܄ҸᏘٙͦᅺ ͦᅺjУ؂ኜ
    
    ࡈɛཥ໘
    ెจᎡ܄މə༺ՑݔԬͦٙdึҸᏘУ؂ኜא ࡈɛཥ໘fʔΝٙͦᅺึϞʔΝٙҸᏘ˓جd ɰึϞഹʔΝٙͦٙf

57. ၣ१஗ɝڧٙܝ؈k Ꭱ܄Ցֵࠅٙ݊ʡჿk

58. ၣ१஗ɝڧٙܝ؈k 
    ᛿՟ၣ१ʫ௅༟ࣘ
    
    ਂމ༪ؐҸᏘՉ˼˴ዚ
    
    નᇁא׳ໄెจ೻ό
    
    ໄ౬ࠫࠦאॎᕸ
    
    ᛿՟१ʫ੮໮੗ᇁࡈ༟

59. None
60. None
61. None
62. None
63. None

64. Ꭱ܄՟੻੮໮੗ᇁνОԴ͜ 
    ০࿁׌ٙೳ͜ݔ੮໮
    
    ՟੻၍ଣ٫ᛆࠢ
    
    ਗ਼੗ᇁᏦႡЪϓοՊᏦ

65. None
66. None

67. ࡈɛཥ໘஗ɝڧٙܝ؈k Ꭱ܄Ցֵࠅٙ݊ʡჿk

68. ࡈɛཥ໘஗ɝڧٙܝ؈k  ᛿՟ཥ໘ʫ௅༟ࣘ
     ᛿՟ཥ໘ʫ੮໮੗ᇁࡈ༟
     ਂމ༪ؐҸᏘՉ˼˴ዚ

69. 㔃கሯᇜḢပᚓ㢂

70. ೸⁰ഥ ␶㉺ ⁔ፇ ሟᇌ␹ ༃༦⾬̳ ⳽୷⭶ё ῳ̎ഇ₁༓༶⾽̿

71. ೸⁰ഥ ␶㉺ ⁔ፇ ሟᇌ␹ ⳽୷⭶ё ᖤஞቒ̳ ῳ̎ഇ₁༓༶⾽̿

72. ሟᇌ␹ ⳽୷⭶ё ⋣⃳ ⳽ቛൻ #PUOFU %%P4
    ሯᇜ

73. ሟᇌ␹ ⳽୷⭶ё ⋣⃳ ⳽ቛൻ #PUOFU %%P4
    ሯᇜ

74. ሟᇌ␹ ⳽୷⭶ё ⋣⃳ ⳽ቛൻ ṬᄍӴξͥ፦࠵

75. http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/ 你更新了嗎？

76. 你更新了嗎？

77. ੬ԈτΌဍݸ࡚ؓ

78. ၣ१༟ৃރဍ ၣ१፹Ⴌৃࢹ͊ᒯᔛ
    У؂ኜක೯٫و͉છ၍ࠫࠦ͊୅ৰ
    ၣࠫУ؂ኜක઼ͦ፽ΐڌ
    *OEFY
    0G
    ࠬᎈjഗʚᎡ܄ɝڧٙ༟ৃdܼ̍ӻ୕ৣໄeͦ፽dޟ Ї੮໮e੗ᇁഃ

79. ⊷ਘῠ῵໊aіa⊷ਘῠ଀Ẁ஥ᇂ

80. ↌ᅟℯⅴਫ਼῅

81. None

82. ？

83. B 網站 密碼：1qaz2wsx C 網站 密碼：1@#$%^%^*ag 密碼：1qaz2wsx A 網站 (遭⼊入侵)

    (⼊入侵)

84. ၍ଣ٫͊းப΂ ᒯਛʔజ
    
    ˏ೯һᘌࠠٙԫ࿒
    પ՝ப΂
    
    ೌج༆Ӕਪᕚ
    ಴๘ᗇኽ
    
    ਪᕚԱᔚπίdᎡ܄ஶჇІί

85. None
86. None
87. None

88. ၣ१τΌᏨ಻νОྼЪ

89. ၣ१τΌᏨ಻νОྼЪ ݟ༔У؂ኜeࢁ΁ٙو͉༟ৃ
    ᝈ࿀ၣ१ࠫࠦeʩ९eආɝᓃ
    ഗʚ͍੬ٙ፩ɝeମ੬ٙ፩ɝdᝈ࿀ၣ१ٙˀᏐʿৃ ࢹ
    5SJBM
    BOE
    &SSPS

90. ಻༊ʈՈ .BOUSB
    IUUQXXXHFUNBOUSBDPN
    #VSQ
    4VJUF
    IUUQQPSUTXJHHFSOFUCVSQ
    'JEEMFS
    IUUQGJEEMFSDPN

91. None

92. τΌᏨ಻ʃҦ̷ Ꮸ಻ၣ१݊щಀ஗Ꭱ
    IUUQXXXHPPHMFDPNTBGFCSPXTJOHEJBHOPTUJD TJUF
    IUUQ[POFIPSH
    IUUQXXXNBMXBSFEPNBJOMJTUDPNNEMQIQ
    IUUQXXXVSMWPJEDPN

93. Ꭱ܄ٙܠၪ༧Ңࡁʔɓᅵ

94. None

95. Injection? Path? Path?

96. None

97. admin ‘ or 1=1 -- admin
 abc123
 123456
 password 3939889


    19831001
 A12345678 87468c07c02e370ef84d4b7e3a668589 Try to get the password WordPress Vulnerability?

98. Ꭱ܄ҸᏘݴ೻ 3FDPOOBJTTBODF
    4DBOOJOH
    (BJOJOH
    "DDFTT
    .BJOUBJOJOH
    "DDFTT
    $MFBSJOH
    5SBDLT Reconnaissance Scanning Gaining
 Access

    Maintaining
 Access Clearing
 Tracks

99. ॆྼҸᏘԫԷ Ꭱ܄຾͟ၣ१ҬՑɪෂeᄳᏦഃࢮᓃdಔɝ
    XFCTIFMM
    ܝژஹɝ˴ዚf
    IUUQWJDUJNPSHTIFMMQIQ DNEPYPY
    ΢၇ၣࠫτΌਪᕚޫ̙л͜dܼ̍ᄳᏦeҷᏦeɪ ෂᏦࣩf

100. ॆྼҸᏘԫԷ
     $POU ஹɝ˴ዚܝ೯ତ੮໮ᛆࠢʔԑd੽˴ዚʫరҬ̙ٙ͜ ༟ৃf
     ᛆࠢjOPCPEZOPHSPVQ
     Ҭర̙͜੮໮
     FUDQBTTXE
     ݟ༔ӻ୕̙͜༟ৃ
     WBSMPH
     ฤరϞೌ
     TFUVJE
     GJMFT
     ̙Զл͜

101. ॆྼҸᏘԫԷ
     $POU ೯ତ˴ዚ
     ,FSOFM
     و͉ཀᔚdϞ̙౤ᛆٙࢮᓃf
     ᅠᄳ
     
     ฤర
     &YQMPJU
     ҸᏘd՟੻
     SPPU
     ᛆࠢf
     IUUQXXXFYQMPJUECDPN
     (PPHMF
     #Z
     ZPVSTFMG

102. ॆྼҸᏘԫԷ
     $POU ׳ໄܝژ
     
     3PPULJU
     ˸Զ˚ܝԴ͜f
     FUDQBTTXE
     ܔͭ੮໮
     FUDSDE
     ׳ໄܝژ
     ˾౬
     TTIE
     ഃ

103. ॆྼҸᏘԫԷ
     $POU ૶ৰԑ༦jা፽Ꮶʿӻ୕ߏ፽
     _IJTUPSZ
     _CBTI@IJTUPSZ
     WBSMPH

104. ၣ༩݊τΌٙ෗k

105. None

106. 8FMDPNF
     UP
     QIQ.Z"ENJO
     "/%
     
 
     $SFBUF
     OFX
     EBUBCBTF
     GJMFUZQFQIQ

107. None
108. None
109. None

110. -BC

111. ІҢኪ୦

112. ༟τהცٙٝᗆߠ౻ၾҦঐ ༟ৃϗණ
     *OGPSNBUJPO
     (BUIFSJOH
     ӻ୕τΌ
     4ZTUFN
     4FDVSJUZ
     ၣ༩τΌ
     /FUXPSL
     4FDVSJUZ
     ၣ१ၾၣࠫᏐ͜೻ότΌ
     8FC
     4FDVSJUZ
     ̋੗ၾ༆੗
     $SZQUPHSBQIZ
     ెจ೻όᏨ಻
     .BMXBSF
     %FUFDUJPO
     ৕Σʈ೻
     3FWFSTJOH
     &OHJOFFSJOH
     ᅰЗᛠᗆ
     %JHJUBM
     'PSFOTJDT
     Бਗༀໄ
     .PCJMF
     %FWJDFT

113. ІҢᇖ୦ IUUQTXXXPXBTQPSHJOEFYQIQ$BUFHPSZ08"41@8FC(PBU@1SPKFDU
     IUUQTQFOUFTUFSMBCDPN
     IUUQXXXEWXBDPVL
     IUUQXXXIBDLUIJTTJUFPSH
     IUUQIBDLBEFNJDUFJMBSHS
     IUUQTIBDLNF
     IUUQ[FSPXFCBQQTFDVSJUZDPN
     IUUQTPVSDFGPSHFOFUQSPKFDUTNVUJMMJEBF

114. None

115. 2
     
     "

116. ᑌഖ˙ό ߰Ϟ΂ОٙဲਪdᛇڎᎇࣛၾҢᑌᖩf
     " " ॽख͍
     "MMFO
     0XO
     IUUQEFWDPSF
     BMMFOPXO!EFWDPSF