Author: 黃柏清
Author (English): Po-Ching Huang
Title: 網路攻擊鏈為基礎之搶旗攻防賽CTF平台 (A Cyber Kill Chain-based Capture the Flag (CTF) platform)
Title (English): Capture the Flag based on Cyber Kill Chain
Advisor: 許振銘
Advisor (English): Chen-Ming Hsu
Degree: Master
Institution: 健行科技大學 (Chien Hsin University of Science and Technology)
Department: Master's Program, Department of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2017
Graduation academic year: 105 (ROC calendar)
Language: Chinese
Pages: 63
Keywords (Chinese): Capture the Flag competition; hacker attacks; cyber threats; virtual resources; information security
Keywords (English): Capture the Flag; Hacker Hacking; Escalate Privileges; Virtual Resource; Information Security
Statistics:
  • Cited by: 3
  • Views: 516
  • Downloads: 0
Capture the Flag (CTF) competitions are popular security competitions both in Taiwan and abroad. Organizers design challenges drawing on domain knowledge in reverse engineering (Reverse), vulnerability analysis and exploitation (Pwnable), cryptography (Crypto), forensics (Forensics), and hard-to-classify miscellaneous problems (Misc). However, because each challenge is deliberately constructed by its designer, the challenges bear no relation to one another; participants solve them by following the designer's line of reasoning, whatever the designer has recently been paying attention to, or one particular vulnerability, solving for the sake of solving and learning little security knowledge in the process. In view of this, this thesis takes the Cyber Kill Chain of Advanced Persistent Threats (APT) as its reference architecture and proposes a Cyber Kill Chain-based Capture the Flag competition (Cyber Kill Chain CTF, kCTF). Challenge design is no longer a single isolated point: starting from the key attack steps of the kill chain, challenges are derived backwards from the mission objective by abductive reasoning (Abduction), and the content of existing jeopardy-style CTF challenges is folded in. Using virtualization, the system simulates multiple realistic network environments that are isolated from the outside, so that every user has an independent but identical simulated environment. The experimental results show that the developed system gives beginners with little security background a better simulated environment to practice in: it avoids the legal liability of attacking real systems while letting them learn the attacker's mindset from real cases, thereby improving their ability to defend against attacks and reducing the security threat to enterprise networks. The Cyber Kill Chain architecture integrated in this thesis can also support the future writing of domestic Chinese-language teaching material that examines the attack methods, tools, procedures and real cases of each stage.
Capture the Flag is the most popular cyber security competition all over the world. The competition organizer designs many types of quizzes, including Reverse, Pwnable, Crypto, Forensics, Misc, etc. These are designed for security competitions on purpose. The quizzes have no relation to each other, and the concept of each quiz is very subjective to its designer. People cannot learn cyber security knowledge from this type of Capture the Flag. Because of that, this thesis implements a new type of Capture the Flag, based on the Cyber Kill Chain of Advanced Persistent Threats, called Cyber Kill Chain CTF. From the beginning, Cyber Kill Chain CTF is designed from the goal of the Cyber Kill Chain, not only for learning but also including Jeopardy-style quizzes. Through virtualization techniques, it can simulate many types of enterprise network environment in an intranet, and every user has an independent enterprise environment. The experimental result of this thesis shows that beginners in cyber security have a better learning platform that not only prevents the beginners from breaking the law but also lets them learn from the Cyber Kill Chain of Advanced Persistent Threats in real cases. Cyber Kill Chain CTF can improve defense against attackers and decrease cyber threats to enterprises effectively. This thesis' Cyber Kill Chain structure can also help educators write teaching material and study every stage of Tactics, Techniques, Procedures and Cyber Threats in real cases.
Chinese Abstract i
Abstract ii
Acknowledgements iii
Table of Contents iv
List of Tables vi
List of Figures vii
Chapter 1 Introduction 1
1.1 Preface 1
1.2 Research Motivation 2
1.3 Research Contributions 2
1.4 Thesis Structure 2
Chapter 2 Background and Technology Review 3
2.1 Cyber Kill Chain 3
2.2 Virtualization Management Platform – oVirt 5
2.3 Centralized Account and Password Management – freeIPA 5
2.4 Capture the Flag Platform – Root The Box 5
2.5 Virtual Local Area Network – VLAN 6
2.6 Simple Protocol for Independent Computing Environments – SPICE 7
2.7 Privilege Escalation and Lateral Movement 7
2.8 Active Directory 7
2.9 Pass-the-Hash (PtH) 8
2.10 Penetration Tools 9
2.10.1 Open-source Vulnerability Assessment and Penetration Testing Tool – Metasploit 9
2.10.2 Exploit Verification and Penetration Testing Tool – Mimikatz 9
Chapter 3 System Architecture 11
3.1 Overall System Architecture 11
3.2 Cyber Kill Chain CTF 12
3.3 Attacker-side and Target Victim-side Environment Configuration for the Cyber Kill Chain 13
Chapter 4 Experimental Environment Setup 15
4.1 Environment Setup – oVirt Virtualization Management Platform 15
4.1.1 oVirt Host Virtualization Host Settings 16
4.1.2 oVirt Engine Management Platform Settings 17
4.1.3 oVirt Engine Management Platform Advanced Settings 19
4.1.4 Improving oVirt Virtual Machine Operation 21
4.2 Environment Setup – kCTF Platform 22
4.3 Environment Setup – freeIPA 24
4.4 Environment Setup – Cyber Kill Chain Exercise Simulation Environment 27
Chapter 5 Experimental Results 30
5.1 kCTF – Cyber Kill Chain 30
5.2 Attack Steps and Related Guidance 31
5.2.1 External Reconnaissance 32
5.2.2 Weaponization and Delivery 33
5.2.3 Gaining an Initial Foothold and Gathering Basic Information 35
5.2.4 Monitoring and Privilege Escalation 36
5.2.5 Internal Reconnaissance and Lateral Movement (Unsuccessful Lateral Movement Example) 38
5.2.6 Internal Reconnaissance and Lateral Movement (Successful Lateral Movement Example) 40
5.2.7 Actions on Objectives 41
5.2.8 Maintaining Access 42
5.2.9 Covering Tracks 43
Chapter 6 Conclusions and Future Work 45
6.1 Conclusions 45
6.2 Future Work 45
References 46
Appendices 50
Appendix 1 Creating the kCTF Virtual Environment from a Template via the oVirt API 50
Appendix 2 Setting Virtual Machine Operation Permissions and Adding NIC Information to Virtual Machine Snapshots via the oVirt API 52
Appendix 3 Master's Thesis Slides 56
Curriculum Vitae 63