C0C0N 2013 - OWASP Skanda
Infiltrating the intranet using Skanda

Published in: Technology, Business
Speaker notes:
  • Port Scan – The first thing that comes to mind is Nmap, but the firewall prevents the scan and the IDS detects the attack. Overall, nothing is achieved.
  • SSRF – A vulnerability that allows an attacker to force the server interface into sending packets, initiated by the victim server, to the local interface or to another server behind the firewall.
  • SSRF is not a vulnerability; it’s rather a way of attack. XXE, RFI and CRLF injections are SSRF’s friends. Anything that opens a socket can be SSRFed.
  • In the case of nmap: request = TCP SYN packets; response = SYN+ACK or RST packet.
  • HTTP clients don’t check a protocol but send data immediately after connect.
  • Doing a port scan on the SSRF-vulnerable web server.
  • The first IP of the network is the router’s IP (excluding .0 & .255, they are broadcast IPs).

    1. HELLO
    2. SKANDA
       Jayesh Singh Chauhan, @jayeshsch
    3. ABOUT ME
       • Author/Project Leader – OWASP Skanda
       • Author of CSRF PoC Generator
       • Pen Tester, Coder, B33rHead
       • Snooker (Crazy Fan !!!)
    4. Port Scan
       • Nmap ???
       • Firewall/IDS
       • NO GAIN
    5. SSRF
       • Web Apps
       • Scan/Attack
       • Enumerate/Attack Services
    6. SSRF
       • A class of attack
       • XXE, RFI, CRLF Injections
       • If it opens a socket, it can be SSRFed
    7. Normal Attack
    8. SSRF Attack
    9. What makes it possible
       • HTTP Client -> No Protocol Check
       • Invalid packets -> Service doesn’t close
       • A protocol you can forge to fit the target service’s protocol
    10. Let’s dive into Skanda
       • Port Scan
       • Network Discovery
    11. XSPA/SSRF
       • Error based XSPA
       • Blind XSPA
       • Closed Port
    12. DEMO
       • Port Scanning using Skanda
    13. Intranet
    14. Intranet Discovery
       • Router -> First IP
       • Checks whether any router is up
       • If(IP==found): enter subnet
       • Analyze every node’s response
    15. DEMO
       • Network Discovery using Skanda
    16. Q & A ?
       Got ‘em ? Ask ‘em ?
    17. Special Thanks to..
       • Lavakumar Kuppan, @lavakumark
       • Riyaz Walikar, @riyazwalikar
       • Ajith Chandran, @r3dsm0k3
       • ONsec Lab, @Onsec_lab
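The guard below is an added example, not code from the Skanda project or this deck. It shows the defender's side of slides 9 and 11: a server-side fetcher that allowlists scheme and port (so the HTTP client cannot be pointed at arbitrary services), refuses targets that resolve to loopback, private, link-local or otherwise non-global addresses (the intranet that slide 14 enumerates), and collapses refused, reset and timed-out connects into one message so the response no longer works as an open/closed-port oracle for error-based XSPA. `check_outbound_url`, `guarded_fetch`, the `fetch` callback and the `resolver` hook are assumed names; the DNS answers used to exercise it are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Allowlist: the deck notes an HTTP client sends to any port after connect,
# so we only let it connect where an HTTP service is expected.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

class OutboundBlocked(ValueError):
    """Raised when a server-side fetch target fails the SSRF policy."""

def _system_resolve(host):
    # Default resolver (real DNS); every A/AAAA answer is returned and checked.
    return sorted({r[4][0] for r in socket.getaddrinfo(host, None)})

def check_outbound_url(url, resolver=_system_resolve):
    """Return (host, port, ip) for a permitted target or raise OutboundBlocked."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise OutboundBlocked("scheme not allowed or host missing")
    port = parts.port or (443 if scheme == "https" else 80)  # ValueError if malformed
    if port not in ALLOWED_PORTS:
        raise OutboundBlocked("port not allowed")
    try:  # literal IP (IPv6 in brackets included) needs no DNS lookup
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addrs = resolver(parts.hostname)  # constructed table in tests, real DNS otherwise
    if not addrs:
        raise OutboundBlocked("unresolvable host")
    for a in addrs:  # refuse loopback, RFC1918, link-local, reserved, multicast
        ip = ipaddress.ip_address(a)
        if not ip.is_global or ip.is_multicast:
            raise OutboundBlocked("non-public address")
    return parts.hostname, port, addrs[0]

def guarded_fetch(url, fetch, resolver=_system_resolve):
    """Validate, then call fetch(ip, port, host) with the checked IP pinned.
    Refused, reset and timed-out connects all yield one message, so the reply
    cannot serve as an open/closed-port oracle (error-based XSPA)."""
    try:
        host, port, ip = check_outbound_url(url, resolver)
    except ValueError:  # OutboundBlocked or a malformed port
        return None, "request rejected"
    try:
        return fetch(ip, port, host), None
    except OSError:  # ConnectionRefusedError, TimeoutError, ... all look the same
        return None, "upstream fetch failed"
```

Pass the checked IP, not the hostname, to the real connection so a DNS answer that changes between check and connect cannot redirect the request.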
