NATted IP Without an Applet
Jeremiah had a nice short post on how you can find an internal IP address without the use of an Applet. His example still requires that you have JavaScript and Java turned on, and it only works in Firefox. Others have pointed out that this issue has been around for a while, but still, it’s a neat and clean way, one that not a lot of people know about, to get the internal address of the target who visits your site.
This is particularly useful when combined with Intranet (RFC1918) port scanning, as you know what IP range to start scanning from. The last thing you want to do is start scanning 192.168.*.* when the IP range is 10.10.*.*. It’s a waste of time. Beyond that, this is interesting for fingerprinting users who may have a direct connection but are hiding behind proxies (Tor was mentioned, of course). Very cool stuff.



February 1st, 2007 at 1:30 pm
Does this method offer any advantages over using a straight applet? It seems like it might be a little faster, maybe, but aside from that, are there any distinct advantages?
February 1st, 2007 at 2:02 pm
It’s also easier to implement because you’re just writing additional JavaScript, and for the same reason it’s easier to integrate with the rest of your code.
February 1st, 2007 at 3:03 pm
Right. There is no real speed increase, just makes things easier and more self contained.
February 1st, 2007 at 4:51 pm
Funny to see that no one knew this before Jeremiah started about it.
I used something like it in my Tor Sniffer, it was a little snippet from PDP. Anyway, it certainly works.
For anyone who missed my Tor Sniffer:
http://www.jungsonnstudios.com/blog/?i=47&bin=101111
February 1st, 2007 at 5:02 pm
February 2nd, 2007 at 5:36 am
@jungsonn
Well, I can’t comment for other people, but I’ve seen it before in pdp’s code and Atom database: http://www.gnucitizen.org/projects/atom (scroll down to GETNETINFO)
February 2nd, 2007 at 6:47 am
Yeah indeed, and I don’t know who started it first; that isn’t the point I guess, because many did not know that it could be done (to my surprise). To my knowledge PDP was the first who came up with it; anyway, to find something on your own, like Jeremiah did, certainly is difficult enough.
Isn’t this a good call for a hacker Wiki, or a repository, guys? Where we can all place snippets of code and other pieces of software to share, so we never miss something crucial like such scripts.
February 5th, 2007 at 12:26 am
>Does this method offer any advantages over using a straight applet?
We can now use Java (especially Socket) in XSS attacks