HoneyCon 2014 jeytsai@NIT

Sep 08, 2014
Page 1: HoneyCon 2014

HoneyCon 2014
jeytsai@NIT

Page 2: HoneyCon 2014

Outline

● Ask questions any time

● HoneyCon Agenda

● CTF Time

Page 3: HoneyCon 2014

The information contained in these slides is generated from random alphanumeric characters, and the images are randomly selected from the web.

Page 4: HoneyCon 2014

HoneyCon Agenda

Page 5: HoneyCon 2014

Attack Event

● Past
○ ATM turned into a pinball machine (ATM 變彈珠台)
○ Web ATM vulnerability [2]
○ Website hacked [3]
○ Spam
○ Home router as botnet [4]
○ APT on government [5]

Page 6: HoneyCon 2014

Attack Event (cont’d)

● Current
○ APT
○ Hack as a Service [6]
○ Mobile hacking [7]
○ Heartbleed [8]
○ Orphan (DNS / NTP) servers
○ IoT hacking

Page 7: HoneyCon 2014

SPAM

● The email you did not want
○ Randomly generated
○ APT

● Spam contains
○ Phishing links
○ Malware
○ CryptoLocker [10]
○ ...

Page 8: HoneyCon 2014

SPAM + Exploit

● So receiving spam is harmless if I…
○ Do not download the attachment?
○ Do not click the link?

● Exploits against the receiving software
○ Malicious webpage
○ Document preview
○ ...

Page 9: HoneyCon 2014

DDoS

● Past
○ Ping of Death
○ SYN Flood
○ TearDrop attack
○ Slow I/O attack
○ …

● Design issues in programs / protocols

Page 10: HoneyCon 2014

DDoS

● Current
○ Reflected attack
○ GSM
○ LOIC (Low Orbit Ion Cannon, 低軌道離子砲)
○ SPAM

● Attack target
○ Bandwidth / Infrastructure / Service

Page 11: HoneyCon 2014

DDoS + DNS / NTP

● Seven Injuries Fist (七傷拳: a technique that wounds the user as well)
○ I DDoS U === U DDoS I

● Amplification attack (放大攻擊, Reflection)
○ GET request => full webpage
○ DNS request => DNS response
○ ...

Page 12: HoneyCon 2014

Avoid DDoS

● Illusions
○ High-end firewall
○ ISP
○ Lots of backends

● Hackers always attack the weakest point
○ Load balancer / Proxy server / DNS server / ...

Page 13: HoneyCon 2014

Hard to Avoid DDoS

● Pattern matching
○ Not an immediate response
○ What about simulating a normal user?
○ Variants are easy

● Total solution
○ Closed-country policy (鎖國政策)?
○ ISP?

Page 14: HoneyCon 2014

HoneyPot

● A trap set to detect an unauthorized user.
○ 蜜罐 / 誘捕系統 (honeypot / decoy system)
○ A logging system built on a full or simulated system

● Concept
○ Assume it will be hacked
○ Logging
○ Analysis

Page 15: HoneyCon 2014

HoneyPot (cont’d)

● Low-interaction
○ Dionaea / HoneyD / Kippo / Glastopf / Conpot

● High-interaction
○ Honeypot / Sebek

● Real honeypot
○ HonEeeBox
○ Raspberry Pi (trendy, 潮)

Page 16: HoneyCon 2014

HoneyPot + Analysis

● SPAM
○ Register a never-used mail domain
○ Any mail received => spam sent to random addresses

● Sandbox
○ Simulate human behavior
○ Analyze the system status

Page 17: HoneyCon 2014

HoneyPot + Analysis

● Honeypots always get hacked
○ Too many events
○ Hard to analyze by tracing the log one by one

● Visualization
○ trendy (潮)
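The slide's point is that a honeypot produces too many events to trace line by line, so the first analysis step is aggregation. The following is an added example, not code from the talk or from any honeypot project: it parses constructed Kippo-style SSH login lines (the log format, the addresses and the credentials are assumptions) and summarizes them by source and credential pair, the kind of table a visualization would be fed.

```python
import re
from collections import Counter

# Constructed sample lines in a Kippo-style SSH honeypot log format
# (assumption: adapt LINE_RE if the deployed honeypot logs differently).
SAMPLE_LOG = """\
2014-09-08 02:51:18+0800 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.5] login attempt [root/123456] failed
2014-09-08 02:51:19+0800 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.5] login attempt [root/password] failed
2014-09-08 02:51:21+0800 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.5] login attempt [root/toor] succeeded
2014-09-08 02:52:03+0800 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [admin/admin] failed
2014-09-08 02:52:04+0800 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/123456] failed
2014-09-08 02:53:10+0800 [SSHService ssh-userauth on HoneyPotTransport,4,203.0.113.5] login attempt [admin/123456] failed
2014-09-08 02:53:11+0800 [SSHService ssh-connection on HoneyPotTransport,2,203.0.113.5] got channel session request
"""

# One login attempt per line; other events (channel requests, commands)
# do not match and are skipped by parse_attempts().
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService [^,]+,(?P<session>\d+),(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)

def parse_attempts(text):
    """Yield one dict per login attempt found in the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(text, top=3):
    """Aggregate attempts so the analyst sees sources and credentials
    instead of one raw line at a time; the result is ready for plotting."""
    attempts = list(parse_attempts(text))
    by_ip = Counter(a["ip"] for a in attempts)
    creds = Counter((a["user"], a["pw"]) for a in attempts)
    successes = [(a["ip"], a["user"], a["pw"])
                 for a in attempts if a["result"] == "succeeded"]
    return {
        "total": len(attempts),
        "top_sources": by_ip.most_common(top),
        "top_credentials": creds.most_common(top),
        "successful_logins": successes,  # sessions worth replaying first
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```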

Page 18: HoneyCon 2014

CTF Time

Page 19: HoneyCon 2014

What's CTF

● Capture the Flag
○ Problem solving
○ Put the flag on the website
○ Protect your server

● Under the rules
○ you can do anything…

Page 20: HoneyCon 2014

HoneyCon - CTF Rules

1. During the HoneyCon 2014 conference, participating teams may connect to the WarGame host at any time to compete.
2. Participants must keep the web service of the host they defend running normally and publicly accessible.
3. Deliberate D[D]oS behavior will result in disqualification.
4. Any behavior that obstructs the game will result in disqualification.
5. Attack and defense activity is limited to the WarGame environment.
6. A GM will take part in the game.
7. There may be a risk of infection during the game.
8. Winning teams must give a technical sharing session.

Page 21: HoneyCon 2014

Why CTF

● Practice as a hacker legally

● Simulate how hackers attack

● Defend against hackers

Page 22: HoneyCon 2014

How CTF

● In the open network
○ On-line
○ Given a hint (IP address with service / binary)
○ Find the flag

● In the closed network
○ No limits
○ Every device in the subnet can be hacked

Page 23: HoneyCon 2014

PenTest Flow

● Social engineering
● Scan with nmap [9] (DDoS…)
● Choose one target / service
○ Web / SSH / SMB / FTP / UPnP / IRC / ...
● Hacking

Page 24: HoneyCon 2014

Page 25: HoneyCon 2014

Reference

1. http://www.honeynet.org/
2. http://www.i-security.tw/learn/tips_content.asp?Tid=134
3. http://www.zone-h.org/archive
4. http://hexus.net/tech/news/network/61245-easy-exploit-backdoor-found-several-d-link-router-models/
5. http://techorange.com/2013/07/30/9th-hitcon-are-we-the-loser-in-the-cyber-war/
6. https://blog.damballa.com/archives/330
7. http://www.ewdna.com/2014/05/phishing.html
8. http://www.ithome.com.tw/special_report/heartbleed
9. http://nmap.org/
10. http://www.ithome.com.tw/node/83226

Page 26: HoneyCon 2014

Thanks for your attention
Q&A