JSEScanner - JavaScript Port Scanner

Update: Removed JavaScript Example
Update: Removed tables due to cross browser issues.

JavaScript External File Scanner (JSEScanner)
Author: david.kierznowski_at_gmail.com
http://michaeldaw.org

JSEScanner is a simple idea:
1. Use <script src=""> to request a JavaScript file from the target host.
2. Use typeof to verify that a function defined in that file now exists.
3. Use the result as a fingerprint.

This technique can be used to enumerate internal web servers and/or applications via a client's browser. It is limited to detecting web servers, because it connects with <script src=""> and relies on a function defined by the fetched file showing up in the global scope afterwards; a closed port or a non-HTTP service never defines anything and so looks the same as a 404.

It is possible to add iframe timeouts to extend its port scanning capabilities. However, this is nothing new. I may add it later.

This tool was inspired by SPI Dynamics' recent IMG-based JavaScript port scanner (or was this Jeremiah Grossman's idea...?).

Due to the limitations of client-side scanning, additional techniques are required to produce more accurate results. I can see a JavaScript Scanning Suite on its way. I wouldn’t be surprised if it were named, “jmap”.

Please email fingerprints as you play around.

Fingerprinting Web Server Software:
Device | JavaScript File | Valid JavaScript Function
Linksys Wireless Router | Gozila.js | LogButton_check
IIS ASP.NET | $JSVALDIR/$VER/WebUIValidation.js | ValidatorUpdateDisplay

Note: See http://michaeldaw.org/projects/asp-auditor-v2/ for more information regarding ASP.NET’s JS Validate directories.

Fingerprint Applications on Web Servers:
Device | JavaScript File | Valid JavaScript Function
TWiki | /pub/TWiki/TWikiJavascripts/twiki.js | initForm
bblog | /bblogg/bblog/script/index.js | removeFocusBorders
wordpress | /wp-admin/xfn.js | GetElementsWithClassName
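
The three steps above and the two fingerprint tables, as an added JavaScript example that is not the original JSEScanner code. The fingerprint entries are taken from the tables on this page; the leading path for Gozila.js, the concrete directory substituted for $JSVALDIR/$VER, the 5 second timeout and the 192.168.1.1 target are assumptions. The typeof check and the fingerprint mapping are kept as plain functions so they can be exercised outside a browser; scanHost is the browser-only <script src> injection driver.

```javascript
// Added example of the JSEScanner technique (not the original tool's code).
// Assumptions, not from the post: the leading path for Gozila.js, the value
// substituted for $JSVALDIR/$VER, the scan timeout and the 192.168.1.1 target.

// Fingerprint table from the post: a JavaScript file the target serves and a
// function that file defines. If the file loads, the function exists.
const FINGERPRINTS = [
  // Web server software / devices
  { device: 'Linksys wireless router', path: '/Gozila.js', fn: 'LogButton_check' },
  // $JSVALDIR/$VER is a placeholder in the post; the directory below is an
  // assumed ASP.NET 1.1 default and must be adjusted for the target's version.
  { device: 'IIS ASP.NET', path: '/aspnet_client/system_web/1_1_4322/WebUIValidation.js', fn: 'ValidatorUpdateDisplay' },
  // Applications
  { device: 'TWiki', path: '/pub/TWiki/TWikiJavascripts/twiki.js', fn: 'initForm' },
  { device: 'bblog', path: '/bblogg/bblog/script/index.js', fn: 'removeFocusBorders' },
  { device: 'wordpress', path: '/wp-admin/xfn.js', fn: 'GetElementsWithClassName' },
];

// Step 1: the URLs a scan of `host` (optionally 'host:port') will request.
function probeUrls(host) {
  return FINGERPRINTS.map(fp => 'http://' + host + fp.path);
}

// Step 2: the existence check. `scope` is `window` in a browser; a plain object
// works offline. Only a function counts: a string or object of the same name
// is not evidence that the file loaded.
function probeFunction(scope, fnName) {
  return typeof scope[fnName] === 'function';
}

// Names that already exist before anything is injected. All injected scripts
// share one global scope, so a function defined by an earlier probe (or by the
// hosting page itself) would otherwise be reported as a false positive.
function baseline(scope) {
  const seen = {};
  FINGERPRINTS.forEach(fp => { seen[fp.fn] = probeFunction(scope, fp.fn); });
  return seen;
}

// Step 3: map the functions that now exist to device names, ignoring any that
// were already present in the baseline.
function fingerprint(host, scope, before) {
  const hits = [];
  FINGERPRINTS.forEach(fp => {
    if (!before[fp.fn] && probeFunction(scope, fp.fn)) {
      hits.push({ host: host, device: fp.device, evidence: fp.fn });
    }
  });
  return hits;
}

// Browser driver: inject one <script> per fingerprint and report once every tag
// has fired onload/onerror or the timeout expires. The page never reads the
// response body, which is why this works cross-origin. Not run under Node.
function scanHost(host, scope, done, timeoutMs) {
  const doc = scope.document;
  const before = baseline(scope);
  let pending = FINGERPRINTS.length;
  let reported = false;
  function report() {
    if (reported) return;
    reported = true;
    done(fingerprint(host, scope, before));
  }
  function oneDone() { if (--pending === 0) report(); }
  FINGERPRINTS.forEach(fp => {
    const tag = doc.createElement('script');
    tag.src = 'http://' + host + fp.path;
    tag.onload = oneDone;
    tag.onerror = oneDone; // not every browser fires this; the timeout covers them
    doc.getElementsByTagName('head')[0].appendChild(tag);
  });
  scope.setTimeout(report, timeoutMs);
}

// Browser-only entry point. 192.168.1.1 is an assumed example target.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  scanHost('192.168.1.1', window, function (hits) {
    console.log(hits.length ? JSON.stringify(hits) : 'no fingerprint matched');
  }, 5000);
}
```

Drop the block into a page the target browser renders and watch the console. Because every injected script lands in the same global scope, scan one host per page or frame, or take a fresh baseline before each host; otherwise a function left behind by host A is reported again for host B. Two fingerprints that define the same function name are indistinguishable by this check and need a second, differently named function from the same file.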

The source for the tool is available here

4 Comments so far

  1. Jess L @ September 29th, 2006

The IP address and port used to test for Linksys wireless router are also valid for the wired (cable connected) Linksys broadband firewall router

  2. david.kierznowski @ September 29th, 2006

    Jess L,

It's always useful trying defaults first. Although, you could scan an internal IP range. There are a few ways to do this:
    1. Using Iframe Timeout Technique

    see: Spidynamics (or Jeremiah Grossman’s :) )
    http://www.spidynamics.com/spilabs/js-port-scan/
    OR
    PDP (architect)

    http://www.gnucitizen.org/projects/attackapi/build/inf/interfaces/PortScanner.htm

    2. Then of course, you could use my JSEScanner technique which uses typeof. There are also variations on typeof that can be used. However, this technique is limited to enumeration of web servers only.

Also, I would be interested in getting the Linksys Broadband Firewall's fingerprint. See post for details, or email me.

  3. nkumah @ January 15th, 2007

    how can this improve port efficiency

  4. […] This reminded me of my work done on my “JavaScript External Scanner” technique, where we use “script src=” and DHTML to request remote .js files for fingerprinting and port scanning. Anurag has taken this a step further. […]
