
Need an account to vote? Register to attend at gsec.hitb.org/sg2017/


SSRF - Port Scanning with Skenpot

Muhammad Fikri Ahmad Fadzil


Port scanning is one of the many methods used to identify open ports on a server. Such information is valuable, particularly during the reconnaissance phase, as it may assist in further attacks. In today's practice, the use of firewalls has become the de facto standard in many organisations. Furthermore, many organisations are willing to spend thousands of dollars to have an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) deployed in their IT environment.

For that reason, port scanning has become more challenging, as the attempt may be stopped at the deployed firewalls. Alternatively, the same activity can be performed through a Server-Side Request Forgery (SSRF) vulnerability. As defined by CWE-918, the vulnerability causes the server itself to make requests on behalf of the attacker. This makes SSRF an effective way to bypass firewall rules that disallow port scanning.

Skenpot is a Burp extender developed for scanning and exploiting SSRF vulnerabilities. It is equipped with various payloads used to identify the vulnerability. Skenpot can also perform port scanning based on the results gathered from the vulnerability scan. It is also worth mentioning that Skenpot's port scanning method includes a technique named Port Overflow, which bypasses port numbers that have been blacklisted in the backend code.
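The defensive counterpart to the abstract above, as an added example that is not part of the talk or of Skenpot: a server-side fetch feature stops being usable as a port scanner when the target it is handed is validated by allowlist rather than by a denylist of port strings. The constructed policy (the allowed schemes, the `cdn.example.com` and `img.example.com` hostnames, ports 80 and 443) and the `resolve` hook are assumptions for illustration; the strict 1..65535 integer check on the parsed port is included on the assumption that an overflow-style bypass relies on a port value that is not validated as a plain in-range integer.

```python
"""Hardened validation of user-supplied fetch targets so that an SSRF-prone
feature cannot be driven to arbitrary hosts and ports. Added example with a
constructed policy; not code from the talk or from Skenpot."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}                      # constructed policy
ALLOWED_HOSTS = {"cdn.example.com", "img.example.com"}   # constructed allowlist
ALLOWED_PORTS = {80, 443}
DEFAULT_PORTS = {"http": 80, "https": 443}


def denylist_is_allowed(url):
    """The weak, denylist-style check shown for contrast: it rejects a few
    port strings and lets everything else through, so the fetcher can still
    be pointed at any host and any port that is not literally listed."""
    blocked = (":22/", ":3306/", ":6379/")
    return not any(b in url for b in blocked)


def parse_target(url):
    """Parse a URL into (scheme, host, port). Raise ValueError for anything
    that is not a plain http(s) URL with an integer port in 1..65535."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    # .port raises ValueError for non-numeric or out-of-range values in
    # current CPython; the explicit range check below keeps that guarantee
    # independent of the library version (no wrap-around, no zero/negative).
    port = parts.port
    if port is None:
        port = DEFAULT_PORTS[scheme]
    if not isinstance(port, int) or not (1 <= port <= 65535):
        raise ValueError("port out of range: %r" % port)
    return scheme, host.lower(), port


def is_public_address(ip_text):
    """True only for addresses outside loopback, private, link-local,
    multicast, reserved and unspecified ranges (ipaddress' registry)."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolve(host):
    """Resolve a hostname to its address strings (live DNS; replaceable)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def allowlist_is_allowed(url, resolve=default_resolve):
    """Hardened check: parse strictly, require scheme, host and port to be on
    the allowlist, and require every resolved address to be public, so a
    listed name that later resolves to an internal address is still refused."""
    try:
        scheme, host, port = parse_target(url)
    except ValueError:
        return False
    if host not in ALLOWED_HOSTS or port not in ALLOWED_PORTS:
        return False
    try:
        addrs = resolve(host)
    except OSError:
        return False
    return bool(addrs) and all(is_public_address(a) for a in addrs)


if __name__ == "__main__":
    fake_resolve = lambda host: ["1.2.3.4"]   # constructed, non-internal answer
    for candidate in ("https://cdn.example.com/logo.png",
                      "http://10.0.0.5:8443/",
                      "http://cdn.example.com:70000/"):
        print(candidate, denylist_is_allowed(candidate),
              allowlist_is_allowed(candidate, resolve=fake_resolve))
```

The resolver is injected so the check can be exercised without network access and so that the resolved addresses, not only the name, are policed; in production `default_resolve` is used and the same addresses should be the ones the HTTP client actually connects to, otherwise a second lookup reopens the gap.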

About Fikri Fadzil

Fikri Fadzil is a Security Consultant at SEC Consult Malaysia. He has both local and international experience in Cyber Security, mainly in penetration testing. Throughout his career, he has performed penetration tests and source code reviews for numerous local and international agencies.