JavaScript/HTML Portscanning and HTTP Auth

Thursday, November 30. 2006

Thursday, November 30. 2006



Several people were researching HTML portscanning during the last days. Basically this is nothing more than requesting stuff through the link tag, because it halts page rendering and checking how long it took. A typical timing attack that people nowadays even use to break RSA keys. The funny thing about this new JavaScript-less portscanning is however that they do not mention how they want to get an IP range to scan in. A person that disables JavaScript will most probably not have Java activated and without Java there is no public method to get the victim's local IP. Considering the HTML scanning speed it might take months to scan all possible private IP addresses. If you can scan a Class-C subnet in 2 minutes then you will need more than 91 days to scan only the private IP addresses in the 10.x.x.x subnet. Have fun with that... (and especially if the interesting sites are not reachable by IP but only by hostname. So you might find out that a server is up, but you still cannot attack it.)


Well so far the current public development. I thought it would be time to show people a few JavaScript/HTML scanning tricks I was thinking about during the last weeks. The first trick I wanted to share is the easiest way I discovered to get around the HTTP auth popups that the current scanning methods throw. I have several totally different tricks to do that. Because browsers all behave different the first question that comes to mind is: Can you use the "attacked" server to get around the HTTP auth popups.


And yes you can. The trick is to make the server reject the request before it tries to decode it or before it realises that the ressource is HTTP auth protected. The easiest way to do this, is requesting an url like http://192.168.1.1/%. The broken URL encoding will result in a HTTP 400 Bad Request error on many servers (tested against Apache, IIS and some home routers). The only culprit is Internet Explorer 7 which is unwilling to send such requests. (Similiar results were made with requests like http://192.168.1.1/%2e%2e ).


However there are more tricks to make servers refuse requests that will work even in Internet Explorer. The simplest one is to request a very long URL. Something like http://192.168.1.1/AAA...LOTS_OF_AAAA..... (which even works against Google's homemade server).


So far so good... Now you know how you can use simple HTML to not even scan, but also scan without triggering HTTP auth popus.


To be continued...


Posted by Stefan Esser in Security, PHP at 20:55
Comments (5)
Link to this post


Comments
Display comments as (Linear | Threaded)

#1 Ants Aasma ()
[quote]... and especially if the interesting sites are not reachable by IP but only by hostname.[/quote]
I'm sorry but that is just not possible. If you're not using IPX or some similar archaic system, then hostnames *ALWAYS* get transformed to IP's. You cannot target an IP packet using a hostname, you can only address packets using an IP address.
posted on Thursday, November 30. 2006
#1.1 Stefan Esser wrote (Link) ()
You misunderstood me...

If the server at 192.168.1.1 is configured to only react on vhost 'internal1' then the information that 192.168.1.1 is up and running a webserver is worthless, because you cannot perform further attacks against the installed webapplications, because you don't know the hostname 'internal1'.
posted on Thursday, November 30. 2006
#2 Ilia Alshanetsky wrote (Link) ()
Most people use the 192.168.1.X and 192.168.0.X ranges for their local networks, so to find mask is not too hard. However, even 2 minutes is a long time, most people won't spend 2 minutes on a page unless watching a video or a flash animation.

The idea behind this attack is that you can make several local request without the use of JavaScript. So for example if you know of URL strings that would crash a router, usually sitting on a X.X.X.1 you could send it disconnecting the user. Same can be done if the router performs some administrative task via GET. Since for most users the browser remembers HTTP AUTH the settings are automatically applied and you transparently take over the user's account.

That said the same could be done with an image tag, however that means you need an image per-attack, the approach I've talked about on my blog allows you to execute the scan via a single URL.
posted on Thursday, November 30. 2006
#2.1 Stefan Esser wrote (Link) ()
Ilia, I am well aware of the risks of JavaScript/HTML scanning.

However the interesting targets are companies and not home users. All enterprise companies I worked with use the 10.x.x.x IP range. And in many of these companies Java was disabled.

And for home users. I log into my router maybe once a month when it died for whatever reason. HTTP Auth data is nearly never stored in my browser and therefore the JavaScript/HTML attacks will stop in the moment the router asks me for the password.

BTW: Silencing HTTP Auth is only step one for bruteforcing HTTP Auth passwords... And there is still the possibility that someone discloses a way to get the user's IP without the need of Java... Maybe... Maybe.. ;-)
posted on Thursday, November 30. 2006
#3 pi3ch wrote (Link) ()
Nice trick man!
I had discovered this trick sine 6 month.
notice that it's work for apache server v1.x.x not 2.
isn't it?
posted on Saturday, December 9. 2006

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
 

Submitted comments will be subject to moderation before being displayed.
 
Calendar
Back September '09
Mon Tue Wed Thu Fri Sat Sun
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30        
Archives
September 2009
August 2009
July 2009
Recent...
Older...
Categories

All categories
Syndicate This Blog
Protected By

Hardening-Patch for PHP