Archive for the 'Projects' Category

JSScanner

JavaScript Network Mapper (v1.0)
author: david.kierznowski_at_gmail.com
http://michaeldaw.org

I have been doing a lot of research into JavaScript port scanning lately. This tool is an initial attempt to bring my ideas together into a single project.

Download the latest version of jsscan.tar.gz here.

Synopsis:
function webPingScan() {
  var s = new jsscanner("192.168.1.1/30");
  s.jssWebPing();
}

Usage:
s = new jsscanner("IP/Range");
then one of:
s.jssWebPing();    // iframe-based web ping
s.jssWebScript();  // script src fingerprinting
s.jssWebImage();   // img src scanning

TODO:
+ Complete jssWebScript scanner (half done)
  - Add additional fingerprints, see: http://michaeldaw.org/projects/jsescanner/
+ Write jssWebImage scanner (DONE)
  - Add OS fingerprints, see: http://www.spidynamics.com/spilabs/js-port-scan/
+ Add port selection
  - Include browser port restrictions, see: http://michaeldaw.org/projects/web_browser_port_restrictions/
+ Add some validation

Credits:
pdp (http://gnucitizen.org)
I hope to incorporate this project into pdp’s AttackAPI at some point.
It currently uses AttackAPI’s IP Calculator script.
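The scanners above take an "IP/Range" string and need it turned into a list of hosts before any iframe, script or image probe is fired. The following is an added example written for this page, not AttackAPI's IP Calculator and not the jsscanner code itself: it expands a single address, a CIDR block such as 192.168.1.1/30, or a dashed range into the host list, and refuses ranges above a cap (the 4096 default is an assumption) so a stray /8 does not become millions of iframes in the victim's browser. Input validation along these lines is what the "Add some validation" TODO item asks for.

```javascript
// Added example (not AttackAPI's IP Calculator): expand jsscanner's
// "IP/Range" argument into the addresses a client-side scan would iterate.

// "a.b.c.d" -> 32-bit integer; throws on anything that is not a dotted quad.
function ipToInt(ip) {
  var parts = ip.split('.');
  if (parts.length !== 4) throw new Error('bad IPv4 address: ' + ip);
  return parts.reduce(function (acc, p) {
    if (!/^\d{1,3}$/.test(p) || +p > 255) throw new Error('bad octet in ' + ip);
    return acc * 256 + (+p);
  }, 0);
}

// 32-bit integer -> "a.b.c.d" (>>> keeps the value unsigned).
function intToIp(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Returns [first, last] as integers. For CIDR the network and broadcast
// addresses are included, so 192.168.1.1/30 covers .0 through .3.
function parseRange(spec) {
  var m;
  if ((m = /^([^/]+)\/(\d{1,2})$/.exec(spec))) {
    var bits = +m[2];
    if (bits > 32) throw new Error('bad prefix length in ' + spec);
    var base = ipToInt(m[1]);
    var size = Math.pow(2, 32 - bits);
    var first = base - (base % size);  // clear the host bits
    return [first, first + size - 1];
  }
  if ((m = /^([^-]+)-([^-]+)$/.exec(spec))) {
    var a = ipToInt(m[1]), b = ipToInt(m[2]);
    if (a > b) throw new Error('range start after end in ' + spec);
    return [a, b];
  }
  var one = ipToInt(spec);
  return [one, one];
}

// Expand to dotted-quad strings. maxHosts (default 4096, an arbitrary
// choice for this example) stops a typo like /8 from launching 16M probes.
function expandRange(spec, maxHosts) {
  var r = parseRange(spec);
  var count = r[1] - r[0] + 1;
  var cap = maxHosts || 4096;
  if (count > cap) throw new Error(spec + ' expands to ' + count + ' hosts, cap is ' + cap);
  var out = [];
  for (var n = r[0]; n <= r[1]; n++) out.push(intToIp(n));
  return out;
}
```

With this in place the constructor in the synopsis would call expandRange("192.168.1.1/30") and hand the four resulting addresses to whichever jss* probe was requested.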

Web Browser Port Restrictions

Some of my notes regarding Browser Port Restrictions.

Internet Explorer:

Anything goes. I need to look into this more.

Opera 9:

Restricts access to ports 22, 25, 53 and 110. All other services seem accessible; I need to do more work here. It was interesting to note that my CPU was cranked up to 100% when requesting a restricted port. A "-1" port will cause Opera to wrap to 65535 (although this could be the default). It's late and I'm going to bed.

Firefox (tested on 1.5.0.7):

Restricts common services such as Telnet and SSH. However, it allows most services. Some of the more interesting ports allowed include:

Service      | Port     | Note
bootps       | 67/tcp   |
snmp         | 161/tcp  |
netbios-ns   | 137/tcp  |
netbios-dgm  | 138/tcp  |
microsoft-ds | 445/tcp  |
ldaps        | 636/tcp  | Firefox blocks ldap (the unencrypted version)
imaps        | 993/tcp  | Firefox blocks imap (the unencrypted version)
pop3s        | 995/tcp  |
socks        | 1080/tcp |
nessusd      | 1241/tcp |
ms-sql-s     | 1433/tcp |
ms-sql-m     | 1434/tcp |
oracle TNS   | 1521/tcp |
mysql        | 3306/tcp |
RDP          | 3389/tcp |
postgresql   | 5432/tcp |

Client Side Port Scanning

Current JavaScript or other Client Side Scanning Techniques:

1. IMG Scanner - using <img src=...>
http://www.gnucitizen.org/projects/javascript-port-scanner/
http://www.spidynamics.com/spilabs/js-port-scan/

Limitations:
This is a nice technique for scanning, but it can be easily mitigated by disallowing external images. This effectively breaks both scanners (tested in Firefox), including SPI Dynamics' PING feature. You can turn off external images as follows (instructions for Firefox):
> Tools
> Options
> Click "for the originating Web Site only"

2. XML Port Scanning - I haven't looked into this too much
http://www.sift.com.au/36/172/xml-port-scanning-bypassing-restrictive-perimeter-firewalls.htm

3. JSEScanner - using <script src=...>
http://michaeldaw.org/projects/jsescanner/

4. JSWebPing - using iframes
http://michaeldaw.org/projects/jswebping/

JSWebPing - JavaScript Web Ping

JavaScript Web Ping
Author: david.kierznowski_at_gmail.com
http://michaeldaw.org

The Idea:
1. We set up an iframe.
2. We dynamically point it at the target address and start a timeout.
3. If the document loads before the timeout, we flag the host as up.
4. If the timeout is reached first, we flag the host as down.

This concept can also be extended to perform port scanning for open web services.

Also see:
http://michaeldaw.org/projects/jsescanner/
http://www.gnucitizen.org/projects/javascript-port-scanner/
http://www.spidynamics.com/spilabs/js-port-scan/

The source for the tool is available here
The full tool is available here

JSEScanner - JavaScript Port Scanner

Update: Removed JavaScript Example
Update: Removed tables due to cross browser issues.

JavaScript External File Scanner (JSEScanner)
Author: david.kierznowski_at_gmail.com
http://michaeldaw.org

JSEScanner is a simple idea:
1. Use <script src="..."> to request a JavaScript file from the target.
2. Use typeof to check whether a function that file is known to define now exists.
3. Use the result as a fingerprint.

This technique can be used to enumerate internal web servers and/or applications via a client's browser. It is limited in that it can only detect web servers, since it uses <script src="..."> for connections and relies on detecting JavaScript functions for the callback.

It is possible to add iframe timeouts to extend its port scanning capabilities. However, this is nothing new. I may add it later.

This tool was inspired by SPI Dynamics' recent IMG-based JavaScript port scanner (or was this Jeremiah Grossman's idea...?).

Due to the limitations of client-side scanning, additional techniques are required to produce more accurate results. I can see a JavaScript Scanning Suite on its way. I wouldn’t be surprised if it were named, “jmap”.

Please email fingerprints as you play around.

Fingerprinting Web Server Software:
Device                  | JavaScript File                   | Valid JavaScript Function
Linksys Wireless Router | Gozila.js                         | LogButton_check
IIS ASP.NET             | $JSVALDIR/$VER/WebUIValidation.js | ValidatorUpdateDisplay

Note: See http://michaeldaw.org/projects/asp-auditor-v2/ for more information regarding ASP.NET’s JS Validate directories.

Fingerprint Applications on Web Servers:
Device    | JavaScript File                        | Valid JavaScript Function
TWiki     | /pub/TWiki/TWikiJavascripts/twiki.js   | initForm
bblog     | /bblogg/bblog/script/index.js          | removeFocusBorders
wordpress | /wp-admin/xfn.js                       | GetElementsWithClassName
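The two probes described on this page, the JSWebPing iframe-with-timeout ping and the JSEScanner script-src plus typeof fingerprint, as one added example. This is illustration code written for this page, not the original jsscanner, JSWebPing or JSEScanner source. Browser access (creating elements, timers, the global object) goes through a small env object, so the same probe logic runs inside a page with real iframe and script elements and also offline in Node against the fakeEnv() stand-in. The fingerprint entries come from the tables above; the only addition is that Gozila.js is assumed to sit at the web root, since the table gives no directory. The hosts, ports and responses in demo() are constructed.

```javascript
// Added illustration for this page, not the original jsscanner/JSWebPing/
// JSEScanner code. Browser calls go through `env` so the logic also runs offline.

// Fingerprints from the tables above. Gozila.js at the web root is an ASSUMPTION.
var FINGERPRINTS = [
  { name: 'Linksys Wireless Router', path: '/Gozila.js', fn: 'LogButton_check' },
  { name: 'TWiki', path: '/pub/TWiki/TWikiJavascripts/twiki.js', fn: 'initForm' },
  { name: 'bblog', path: '/bblogg/bblog/script/index.js', fn: 'removeFocusBorders' },
  { name: 'wordpress', path: '/wp-admin/xfn.js', fn: 'GetElementsWithClassName' }
];

// Real browser environment; document is only touched when a probe runs.
var browserEnv = {
  global: typeof window !== 'undefined' ? window : {},
  create: function (tag) { return document.createElement(tag); },
  attach: function (el) { document.body.appendChild(el); },
  remove: function (el) { if (el.parentNode) el.parentNode.removeChild(el); },
  setTimeout: function (fn, ms) { return setTimeout(fn, ms); },
  clearTimeout: function (id) { clearTimeout(id); }
};

// Load one resource (iframe for the ping, script for the fingerprint) and race
// it against a timeout. cb() fires exactly once with 'load', 'error' or 'timeout'.
function probe(tag, url, timeoutMs, cb, env) {
  var el = env.create(tag), settled = false;
  function finish(result) {
    if (settled) return;
    settled = true;
    env.clearTimeout(timer);
    env.remove(el);
    cb(result);
  }
  var timer = env.setTimeout(function () { finish('timeout'); }, timeoutMs);
  el.onload = function () { finish('load'); };
  el.onerror = function () { finish('error'); };
  el.src = url;
  env.attach(el);
}

// JSWebPing: iframe to http://host:port/ ; onload before the timeout => 'up'.
function webPing(hostPort, timeoutMs, cb, env) {
  probe('iframe', 'http://' + hostPort + '/', timeoutMs, function (r) {
    cb(hostPort, r === 'load' ? 'up' : 'down');
  }, env || browserEnv);
}

// JSEScanner: <script src> each candidate file, then typeof the function it
// should define. A file that loads but defines nothing (e.g. an HTTP 200
// "not found" page) is not a match. cb(host, [matched names]) after all entries.
function fingerprintHost(host, entries, timeoutMs, cb, env) {
  env = env || browserEnv;
  var matches = [], pending = entries.length;
  entries.forEach(function (e) {
    probe('script', 'http://' + host + e.path, timeoutMs, function (r) {
      if (r === 'load' && typeof env.global[e.fn] === 'function') matches.push(e.name);
      if (--pending === 0) cb(host, matches);
    }, env);
  });
}

// Offline stand-in for the browser. `answers` maps URL -> 'load' | 'error'
// (unlisted URLs never answer and hit the timeout); `defines` maps URL -> the
// function name that "script" defines. Timers queue up and fire in runTimers().
function fakeEnv(answers, defines) {
  var timers = [];
  var env = {
    global: {},
    create: function (tag) { return { tag: tag }; },
    attach: function (el) {
      var r = answers[el.src];
      if (r === 'load' && defines[el.src]) env.global[defines[el.src]] = function () {};
      if (r === 'load') el.onload();
      else if (r === 'error') el.onerror();
    },
    remove: function () {},
    setTimeout: function (fn) { return timers.push(fn) - 1; },
    clearTimeout: function (id) { timers[id] = null; },
    runTimers: function () { timers.forEach(function (fn) { if (fn) fn(); }); }
  };
  return env;
}

// Constructed scenario: 192.168.1.1 answers on 80 and serves WordPress, the
// Linksys file 404s, 192.168.1.2 never answers (timeout path).
function demo() {
  var env = fakeEnv(
    { 'http://192.168.1.1:80/': 'load',
      'http://192.168.1.1/wp-admin/xfn.js': 'load',
      'http://192.168.1.1/Gozila.js': 'error' },
    { 'http://192.168.1.1/wp-admin/xfn.js': 'GetElementsWithClassName' });
  var results = { ping: {}, fp: {} };
  ['192.168.1.1:80', '192.168.1.2:80'].forEach(function (t) {
    webPing(t, 2000, function (h, state) { results.ping[h] = state; }, env);
  });
  fingerprintHost('192.168.1.1', FINGERPRINTS, 2000, function (h, m) { results.fp[h] = m; }, env);
  env.runTimers(); // unanswered probes reach their timeout here
  return results;
}
```

Two caveats a practitioner should keep in mind when reading the output. First, an iframe's onload also fires when the browser renders its own "connection refused" page, so 'up' means "something loaded before the timeout", not strictly "port open"; tuning the timeout and comparing against a known-closed port helps. Second, the typeof check is only as good as the function name being unique: a page that already defines a same-named function, or a target that serves a generic script, produces a false match, which is why the fingerprint should combine the path and the function rather than rely on either alone. The browser port restrictions listed earlier on this page apply to whatever port ends up in the URL.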

The source for the tool is available here
