Javascript Network Scanner With Remote Logging

[DarrenRainey]

Hello everyone just though I would say my JavaScript network scanner project here : https://github.com/DarrenRainey/JavaScript-Network-Scanner

 

Currently I it will scan and fingerprint devices based upon what files exist or don't exist on the device and once it fingerprints or can connect to a device it sends a post request with the fingerprint such as the routers model, the internal ip address and the user-agent from the victims PC. This code could be embedded into any website and sent a victim for recon. Currently it only scans a few predefined ip address's in the test.html file but I plan to make it scan the local subnet automatically and report any found devices to the attacker web server.

 

The scanning code is based of lan-js with some custom code for identifying and sending the data to the attacker.

[DarrenRainey]

Sample data

[DarrenRainey]

https://imgur.com/a/rdBgb

[i8igmac]

This has been on my todo list. this is a nice poc. you could go far with something like this. From any device at any time you should always know what's on the network and if any services are exploitable. Automate the shit out of this!  

 

I have used meterpreter on my android to pivit exploit code from a remote machine onto a local network...  the exploit goes through the tunnel but the shell is directly reverse tcp back to remote desktop. I have also made a reverse proxy to pivot exploit code in the same manner. (Might have some videos)

 

With debian now running In my pocket (android) the possibilities are incredible. My networking kung fu is dangerously scary.

[DarrenRainey]

Just now, i8igmac said:

With debian now running In my pocket (android) the possibilities are incredible. My networking kung fu is dangerously scary.

I used to have nethunter with nexmon installed on my Nexus 5 so I could use monitor mode with aircrack but now I use a cheap android phone with no sim card and set it up as mobile hotspot for my netbook in my backpack that way I can use an SSH client like JuiceSSH on my phone to do stuff like metasploit, aircrack or other programs.

 

With the ability's of JavaScript and the insecurity's of some routers its even possible to attack internal devices for example a while ago there was a bug in some netgear routers that you could run any command simply by visiting a specific url so by expanding on this payload you could detect any devices vulnerable to a similar attack then run almost any command you would want on the internal network simply by getting someone to visit a site with the JavaScript embedded

[i8igmac]

25 minutes ago, DarrenRainey said:

I used to have nethunter with nexmon installed on my Nexus 5 so I could use monitor mode with aircrack but now I use a cheap android phone with no sim card and set it up as mobile hotspot for my netbook in my backpack that way I can use an SSH client like JuiceSSH on my phone to do stuff like metasploit, aircrack or other programs.

 

With the ability's of JavaScript and the insecurity's of some routers its even possible to attack internal devices for example a while ago there was a bug in some netgear routers that you could run any command simply by visiting a specific url so by expanding on this payload you could detect any devices vulnerable to a similar attack then run almost any command you would want on the internal network simply by getting someone to visit a site with the JavaScript embedded

there are so many directions you could go. my mind wonders down this path almost daily. Smb exploits, brute force defaults, autopwn stuff.

 

The idea of doing this all from the browser with web sockets I thought was undocumented until this post. I was going to do it from a ruby rails web application.

 

this is the first time I see someone think like me.

[DarrenRainey]

55 minutes ago, i8igmac said:

this is the first time I see someone think like me.

Good to know I'm not alone :)

 

I really like the idea for abusing some of the lesser known features of a modern web browser. I wrote a PHP script a while ago that could identify what device a user was visiting based upon the user-agent and then serve the appropriate exploit for example if it was a device running Android < 5.1 maybe serve a stagefright exploit otherwise act normal.

 

There are so many things that people tend to take for granted for example I built a wifi probe sniffer using a nodemcu for £3 with that I can see what the devices around me are looking for and combine that with airodump and strings on my laptop I can get a idea of who owns a device based upon the search history and by using the devices mac address and looking for unique wifi names such as BTHub5-XXXX I can plot the locations they have connected to before. Essentially passive tracking for really cheap using nothing but the public data you phone broadcasts when looking for networks. If you setup a few of the nodemcu's overtime you could see patterns of where the device has been and goes to.

 

Edit: Found the netgear vuln I was talking about - CVE-2016-6277 - https://www.kb.cert.org/vuls/id/582384 so basically you could use that code to check if its a netgear device and if it send a request to http://192.168.1.X/cgi-bin/;COMMAND

Edited March 28, 2018 by DarrenRainey

[i8igmac]

18 hours ago, DarrenRainey said:

Good to know I'm not alone :)

 

I really like the idea for abusing some of the lesser known features of a modern web browser. I wrote a PHP script a while ago that could identify what device a user was visiting based upon the user-agent and then serve the appropriate exploit for example if it was a device running Android < 5.1 maybe serve a stagefright exploit otherwise act normal.

 

There are so many things that people tend to take for granted for example I built a wifi probe sniffer using a nodemcu for £3 with that I can see what the devices around me are looking for and combine that with airodump and strings on my laptop I can get a idea of who owns a device based upon the search history and by using the devices mac address and looking for unique wifi names such as BTHub5-XXXX I can plot the locations they have connected to before. Essentially passive tracking for really cheap using nothing but the public data you phone broadcasts when looking for networks. If you setup a few of the nodemcu's overtime you could see patterns of where the device has been and goes to.

 

Edit: Found the netgear vuln I was talking about - CVE-2016-6277 - https://www.kb.cert.org/vuls/id/582384 so basically you could use that code to check if its a netgear device and if it send a request to http://192.168.1.X/cgi-bin/;COMMAND

Cve-2016-6277 metasploit module.

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb

I have used this before. if you search from msfconsole netgear, dlink, tp-link, linksys etc you can find more.

[DarrenRainey]

1 hour ago, i8igmac said:

Cve-2016-6277 metasploit module.

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb

I have used this before. if you search from msfconsole netgear, dlink, tp-link, linksys etc you can find more.

Yes but the thing I like about these kinds of exploit is that they only need a browser to execute so it can be easy to setup a malicious website to take over this devices using JavaScript or even plain HTML.

[i8igmac]

7 hours ago, DarrenRainey said:

Yes but the thing I like about these kinds of exploit is that they only need a browser to execute so it can be easy to setup a malicious website to take over this devices using JavaScript or even plain HTML.

I understand you 

I hope to have some free time. I have been doing things with live streaming by leaving the http/tcp connection between the client<-->server always in a open state. (3way hand shake)

 

This allows me to send data to the client, waiting for a response then send more data based on some ruby server side if expressions.

 

If response.include?('netgear exist  10.0.0.1')

  Send(payload.html)

 

this is not the simple way but I believe it will broaden the possibilities.

Edited March 30, 2018 by i8igmac

[i8igmac]

On 3/28/2018 at 1:07 AM, DarrenRainey said:

Hello everyone just though I would say my JavaScript network scanner project here : https://github.com/DarrenRainey/JavaScript-Network-Scanner

 

Currently I it will scan and fingerprint devices based upon what files exist or don't exist on the device and once it fingerprints or can connect to a device it sends a post request with the fingerprint such as the routers model, the internal ip address and the user-agent from the victims PC. This code could be embedded into any website and sent a victim for recon. Currently it only scans a few predefined ip address's in the test.html file but I plan to make it scan the local subnet automatically and report any found devices to the attacker web server.

 

The scanning code is based of lan-js with some custom code for identifying and sending the data to the attacker.

I forgot about this... I will test this tonight... it looks clean. I do hope to get some free time to produce some working examples related 

Edited August 8, 2018 by i8igmac