C0C0N 2013 - OWASP Skanda

Infiltrating the intranet using Skanda

Published in: Technology, Business

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
314
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Port scan: the first thing that comes to mind is Nmap, but the firewall prevents it and the IDS detects the attack. Overall, nothing is gained.
  • A vulnerability that allows an attacker to force the server's interface into sending packets, initiated by the victim server, to its local interface or to another server behind the firewall.
  • SSRF is not a vulnerability; it is rather a way of attack. XXE, RFI and CRLF injections are SSRF's friends. Anything that opens a socket can be SSRFed.
  • In the case of Nmap: the request is a TCP SYN packet, the response a SYN+ACK or RST packet.
  • HTTP clients don't check the protocol but send data immediately after connect.
  • Doing a port scan on the SSRF-vulnerable web server.
  • The first IP of the network is the router's IP (excluding .0 and .255, which are broadcast IPs).
  • Transcript

    • 1. HELLO
    • 2. SKANDA Jayesh Singh Chauhan @jayeshsch
    • 3. ABOUT ME • Author/Project Leader – OWASP Skanda • Author of CSRF PoC Generator • Pen Tester, Coder, B33rHead • Snooker (Crazy Fan !!!)
    • 4. Port Scan • Nmap ??? • Firewall/IDS • NO GAIN
    • 5. SSRF • Web Apps • Scan/Attack • Enumerate/Attack Services
    • 6. SSRF • A class of attack • XXE, RFI, CRLF Injections • If opens socket, can be SSRFed
    • 7. Normal Attack
    • 8. SSRF Attack
    • 9. What makes it possible • HTTP Client -> No Protocol Check • Invalid packets -> Service doesn't close • Protocol that you can forge fits with the protocols.
    • 10. Let’s dive into Skanda • Port Scan • Network Discovery
    • 11. XSPA/SSRF • Error based XSPA • Blind XSPA • Closed Port
    • 12. DEMO • Port Scanning using Skanda
    • 13. Intranet
    • 14. Intranet Discovery • Router -> First IP • Checks whether any router is up • If(IP==found): enter subnet • Analyze every node’s response
    • 15. DEMO • Network Discovery using Skanda
    • 16. Q & A ? Got ‘em ? Ask ‘em ?
    • 17. Special Thanks to.. • Lavakumar Kuppan, @lavakumark • Riyaz Walikar, @riyazwalikar • Ajith Chandran, @r3dsm0k3 • ONsec Lab, @Onsec_lab
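The deck's scans work because the vulnerable application will open a socket to any host and port it is told to. The check below is an added example, not code from the deck or from Skanda: a server-side guard for a URL-fetching feature that refuses schemes other than HTTP(S), ports other than 80/443, and any hostname resolving to a loopback, link-local or RFC 1918 address, which covers the router and intranet targets the slides enumerate. `FAKE_DNS` and `check_outbound_target` are constructed names for this example; the real resolver is only used when no resolver argument is supplied.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed stand-in for DNS so the example runs offline; resolve_all()
# (the system resolver) is used when no resolver argument is given.
FAKE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "router.lan": ["192.168.1.1"],
    "mixed.example": ["93.184.216.34", "172.16.0.5"],  # public + private round-robin
}

def resolve_all(host):
    # Every A/AAAA address for host via the system resolver.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_outbound_target(url, resolver=resolve_all):
    """Return (allowed, pinned_ip_or_reason) for a server-side fetch of url.
    Callers should connect to the returned IP (keeping the original Host
    header) so a second DNS lookup cannot be rebound to an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    try:
        host, port = parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if not host:
        return False, "missing host"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    try:                       # literal IP (v4 or v6): no DNS lookup needed
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, KeyError):
            addrs = []
    if not addrs:
        return False, "host does not resolve"
    for a in addrs:            # every address must be public: the client may
        if not ipaddress.ip_address(a).is_global:   # pick any one of them
            return False, "resolves to non-public address %s" % a
    return True, addrs[0]
```

`is_global` is False for loopback, link-local, RFC 1918, shared address space and the documentation ranges, so one attribute check rejects the whole intranet without a hand-maintained list of prefixes.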