HoneyCon 2014
jeytsai@NIT
Outline
● Ask questions any time
● HoneyCon Agenda
● CTF Time
The information contained in these slides is generated from random alphanumeric strings, and the images are randomly selected from the web.
HoneyCon Agenda
Attack Event
● Past
  ○ ATM turned into a pinball machine (ATM 變彈珠台)
  ○ Web ATM vulnerability [2]
  ○ Websites hacked [3]
  ○ Spam
  ○ Home routers as a botnet [4]
  ○ APT against government [5]
Attack Event (cont’d)
● Current
  ○ APT
  ○ Hack as a Service [6]
  ○ Mobile hacking [7]
  ○ Heartbleed [8]
  ○ Orphaned (DNS / NTP) servers
  ○ IoT hacking
SPAM
● Email you never asked for
  ○ Randomly generated (mass mailing)
  ○ Targeted (APT)
● Spam carries
  ○ Phishing links
  ○ Malware
  ○ CryptoLocker [10]
  ○ ...
SPAM + Exploit
● So receiving spam is harmless as long as I...
  ○ don't download the attachment?
  ○ don't click the link?
● Not quite: exploits can target the receiving software itself, so merely displaying the message is enough
  ○ Malicious web page
  ○ Document preview
  ○ ...
DDoS
● Past
  ○ Ping of Death
  ○ SYN flood
  ○ Teardrop attack
  ○ Slow I/O attacks
  ○ ...
● Root cause: design flaws in the program or the protocol
DDoS (cont’d)
● Current
  ○ Reflected attacks
  ○ GSM
  ○ LOIC (Low Orbit Ion Cannon, 低軌道離子砲)
  ○ Spam
● Attack targets
  ○ Bandwidth / infrastructure / service
DDoS + DNS / NTP
● The Seven-Injury Fist (七傷拳): hurting yourself to hurt the target
  ○ I DDoS you === you DDoS me (with a spoofed source address, the traffic you provoke comes back at whoever you claimed to be)
● Amplification / reflection (放大攻擊)
  ○ Small GET request => full web page
  ○ Small DNS request => large DNS response
  ○ ...
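A worked example of the DNS side of the amplification point above. This is an added example, not code from the talk: it builds the kind of query a reflector abuses (a small ANY query with an EDNS0 record advertising a large UDP buffer), decodes the response header, and computes the bandwidth amplification factor as response bytes per query byte. The query name, the EDNS0 size of 4096, the 40-byte query and the constructed 1200-byte "response" are assumptions made here for illustration; `measure_resolver` needs network access and is meant to be pointed only at a resolver you operate, to check whether it is an open amplifier.

```python
"""Build a raw DNS query and measure a resolver's amplification factor.

Added example for the reflection/amplification slide; not code from the talk.
Assumptions (not from the slides): the query name, qtype ANY, the EDNS0 UDP
buffer size of 4096 and the constructed sample response at the bottom.
"""
import socket
import struct


def encode_qname(name):
    """Encode 'example.com' as length-prefixed labels terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label: %r" % label)
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_dns_query(name, qtype=255, edns_udp_size=4096, txid=0x1234):
    """Return the wire form of a recursive query (RFC 1035 header + question + OPT).

    qtype 255 (ANY) plus an EDNS0 OPT record advertising a large UDP buffer is
    what makes the answer far bigger than the question: the attacker sends this
    small packet with the victim's address as source, and the resolver sends the
    large answer to the victim.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # flags RD=1; arcount=1 for the OPT RR
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)  # root name, type OPT, UDP size, flags, rdlen
    return header + question + opt


def parse_dns_header(packet):
    """Decode the 12-byte header: how many records came back, and whether TC is set."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "truncated": bool(flags & 0x0200)}


def amplification_factor(query, response):
    """Bytes the reflector emits per byte the attacker spends."""
    return len(response) / len(query)


def measure_resolver(resolver_ip, name, timeout=2.0):
    """Send the query to a resolver and return its amplification factor.

    Point this only at a resolver you operate; it is the check an operator runs
    to find out whether the box is an open amplifier (network access required).
    A response with TC set means the resolver limited its UDP answer.
    """
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        response, _ = s.recvfrom(65535)
    return amplification_factor(query, response)


# Constructed sample (not a real capture): a 40-byte query and a 1200-byte
# "response" whose header claims two answers; the zero padding stands in for RRs.
SAMPLE_QUERY = build_dns_query("example.com")
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)
                   + encode_qname("example.com") + struct.pack("!HH", 255, 1)
                   + b"\x00" * 1171)

if __name__ == "__main__":
    print("query bytes:", len(SAMPLE_QUERY))
    print("response header:", parse_dns_header(SAMPLE_RESPONSE))
    print("amplification: %.1fx" % amplification_factor(SAMPLE_QUERY, SAMPLE_RESPONSE))
```

The query is 40 bytes on the wire, so every kilobyte of answer the reflector returns costs the attacker only a few dozen bytes of spoofed UDP. A resolver you run that answers ANY from the outside with a full record set is the "orphaned server" the earlier slide refers to; restricting recursion to your own clients or enabling response rate limiting is the usual fix.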
Avoid DDoS
● Illusory protections
  ○ High-end firewall
  ○ ISP
  ○ Lots of backends
● Attackers always go for the weakest point
  ○ Load balancer / proxy server / DNS server / ...
Hard to Avoid DDoS
● Pattern matching
  ○ Cannot respond immediately
  ○ What if the attacker simulates an ordinary user?
  ○ Variants are easy to produce
● A total solution?
  ○ A closed-country policy (鎖國政策, cutting off all foreign traffic)?
  ○ The ISP?
HoneyPot
● A trap set to detect unauthorized users
  ○ 蜜罐 / 誘捕系統 (honey pot / decoy system)
  ○ A logging system built on a full or a simulated system
● Concept
  ○ Assume it will be hacked
  ○ Log everything
  ○ Analyze
HoneyPot (cont’d)
● Low-interaction
  ○ Dionaea / HoneyD / Kippo / Glastopf / Conpot
● High-interaction
  ○ Honeypot / Sebek
● Real hardware
  ○ HonEeeBox
  ○ Raspberry Pi (trendy, 潮)
HoneyPot + Analysis
● Spam trap
  ○ Register a mail domain that has never been used
  ○ Any mail it receives is spam, sent to random or guessed addresses
● Sandbox
  ○ Simulate human behavior
  ○ Analyze the resulting system state
HoneyPot + Analysis (cont’d)
● A honeypot is always being hacked
  ○ Too many events
  ○ Hard to analyze by tracing the log one entry at a time
● Visualization
  ○ Trendy (潮)
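The "too many events" problem above, as an added example (not code from the talk or from Kippo): instead of reading an SSH honeypot log line by line, parse it once and collapse it into the few numbers an analyst wants first, plus the cheapest possible visualization, a text histogram. The log lines are constructed here in the style of Kippo's "login attempt [user/password]" messages and are not a real capture; the brute-forcer threshold of three distinct credentials per source is an assumption.

```python
"""Summarise a flood of SSH honeypot login attempts instead of reading them one by one.

Added example for the 'too many events' slide; not code from the talk or from
Kippo. The log lines are constructed in the style of Kippo's
'login attempt [user/password]' messages and are not a real capture.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,"
    r"(?P<ip>[\d.]+)\] login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>\w+)$"
)

# Constructed sample log (not a real capture); one junk line to show it is skipped.
SAMPLE_LOG = """\
2014-06-01 10:00:01+0800 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] failed
2014-06-01 10:00:02+0800 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/password] failed
2014-06-01 10:00:03+0800 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/admin] failed
2014-06-01 10:00:04+0800 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [admin/admin] failed
2014-06-01 10:00:05+0800 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [root/123456] succeeded
2014-06-01 10:00:06+0800 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.44] login attempt [pi/raspberry] failed
2014-06-01 10:00:07+0800 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.44] login attempt [root/123456] failed
this line is not a login attempt and must be skipped
"""


def parse(log_text):
    """Yield one dict per login attempt; lines that do not match are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarise(events, top=5, bruteforce_threshold=3):
    """Collapse N events into the numbers an analyst wants first."""
    events = list(events)
    by_ip = Counter(e["ip"] for e in events)
    by_cred = Counter((e["user"], e["pw"]) for e in events)
    creds_per_ip = defaultdict(set)
    for e in events:
        creds_per_ip[e["ip"]].add((e["user"], e["pw"]))
    return {
        "total": len(events),
        "sources": len(by_ip),
        "top_sources": by_ip.most_common(top),
        "top_credentials": by_cred.most_common(top),
        # a success on a honeypot is the event worth reading in full
        "successes": [(e["ip"], e["user"], e["pw"]) for e in events if e["result"] == "succeeded"],
        # a source cycling through many distinct credentials is a brute-forcer (threshold assumed)
        "bruteforcers": sorted(ip for ip, c in creds_per_ip.items() if len(c) >= bruteforce_threshold),
    }


def histogram(counter_items, width=30):
    """Text bar chart over (key, count) pairs: the cheapest visualisation of the same data."""
    if not counter_items:
        return []
    biggest = max(n for _, n in counter_items)
    return ["%-20s %s %d" % (str(k), "#" * (n * width // biggest), n) for k, n in counter_items]


if __name__ == "__main__":
    s = summarise(parse(SAMPLE_LOG))
    print("attempts: %d from %d sources" % (s["total"], s["sources"]))
    print("\n".join(histogram(s["top_sources"])))
    print("\n".join(histogram(s["top_credentials"])))
    print("successful logins:", s["successes"])
    print("brute-forcers:", s["bruteforcers"])
```

On a real Kippo log this runs over hundreds of thousands of lines in seconds, and the output is what you would actually plot: attempts per source, the credential list the bots are using, and the handful of "succeeded" events that deserve a full session replay.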
CTF Time
● Capture the Flag
  ○ Solve problems
  ○ Put your flag on the website
  ○ Protect your server
● Within the rules
  ○ you can do anything...
What’s CTF
HoneyCon - CTF Rules
1. During Honeycon 2014, participating teams may connect to the WarGame host at any time to take part.
2. Participants must keep the web service on the host they defend running normally and publicly accessible.
3. Deliberate D[D]oS behavior will result in disqualification.
4. Any behavior that obstructs the game will result in disqualification.
5. Attack and defense activity is limited to the WarGame environment.
6. A GM (game master) takes part in the game.
7. There is a risk of getting infected (中毒) during the game.
8. Winning teams must give a technical sharing session.
Why CTF
● Practice as a hacker, legally
● Simulate how a hacker attacks
● Defend against hackers
How CTF
● In an open network
  ○ Online
  ○ You are given a hint (an IP address with a service, or a binary)
  ○ Find the flag
● In a closed network
  ○ No limits
  ○ Every device in the subnet can be hacked
PenTest Flow
● Social engineering
● Scan with nmap [9] (DDoS…)
● Choose one target / service
  ○ Web / SSH / SMB / FTP / UPnP / IRC / ...
● Hack it
Reference
1. http://www.honeynet.org/
2. http://www.i-security.tw/learn/tips_content.asp?Tid=134
3. http://www.zone-h.org/archive
4. http://hexus.net/tech/news/network/61245-easy-exploit-backdoor-found-several-d-link-router-models/
5. http://techorange.com/2013/07/30/9th-hitcon-are-we-the-loser-in-the-cyber-war/
6. https://blog.damballa.com/archives/330
7. http://www.ewdna.com/2014/05/phishing.html
8. http://www.ithome.com.tw/special_report/heartbleed
9. http://nmap.org/
10. http://www.ithome.com.tw/node/83226
Thanks for your attention
Q&A