web application security lab

Jikto Leaked

Update: Just to be clear this was not intentionally leaked. The source was in fact stolen by one of the audience participants. See the comments for details.

Well, I’m back! No, all that mess yesterday was not for real - I did not get an offer from Google, and I did not sell my site to a 13 year old girl. It might come as a surprise to some of you, but I do like to have fun once in a while. ;) Anyway, back to the webappsec stuff. This weekend the source of Jikto was officially leaked. How long did that take? Anyone time it? So much for this statement: “Although I will not be releasing the source code of Jikto….” There are a few things to note, although I haven’t gotten through all of it.

Firstly, it is only made up of a test HTML page, a single .JS file and a command and control file. Secondly, by the time I had received it, it had already been modified at least a few times, perhaps to test it, but nevertheless it is no longer the original function. Here are a few snippets from the modification (cleaned up, for readability if you can believe that):

var GUIURL = rot13("uggc://jjj.cragrfg.vg/wvxgb/pbageby.gkg"); //http://www.pentest.it/jikto/control.txt //http://localhost/JiktoControl/Collect.aspx?type= // uggc://ybpnyubfg/WvxgbPbageby/Pbyyrpg.nfck?glcr=

And…

//var startUrlString = rot13("uggc://mreb.jronccfrphevgl.pbz/");
var startUrlString = rot13("uggc://oynpxung-sbehzf.pbz/cucOO2/vaqrk.cuc"); //http://blackhat-forums.com/phpBB2/index.php uggc://oynpxung-sbehzf.pbz/cucOO2/vaqrk.cuc

If you don’t know what rot13 is, it’s just a really simple shifting cipher that rotates letters 13 places in the alphabet. Anyway, I’m not quite sure why the system uses rot13 at all, since that doesn’t actually stop anyone who can read even basic JavaScript from knowing what URLs it uses, and it just slows down the transmission of the code, but anyway, I am nowhere near combing through the code. The point being it’s on the loose. Oops!
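As an added example (not code from the Jikto source or from the original post), the rot13 helper below recovers the URLs from the snippets above, and a small scanner shows how a reviewer or proxy operator can surface rot13-hidden URLs in a script by decoding each quoted string literal and checking whether a URL scheme appears. The comments explain the encoding was meant to stop a proxy site from rewriting literal URLs; the same check defeats it on the defender's side. Assumptions: the literal regex handles only simple single- or double-quoted strings, and the sample source is constructed from the snippets quoted in the post.

```javascript
// Added example: rot13 helper plus a scanner for rot13-hidden URLs.
// rot13 is its own inverse, so one function both encodes and decodes.
function rot13(s) {
  return s.replace(/[A-Za-z]/g, function (c) {
    const base = c <= 'Z' ? 65 : 97;                 // 'A' or 'a'
    return String.fromCharCode((c.charCodeAt(0) - base + 13) % 26 + base);
  });
}

// Walk every quoted string literal in a piece of JavaScript source, rot13 it,
// and report those whose decoded form starts with a URL scheme. Plain (unencoded)
// URLs are not reported because rotating them yields "uggc://", not a scheme.
// Assumption: only simple single-/double-quoted literals, no template strings.
function findHiddenUrls(source) {
  const literal = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
  const hits = [];
  let m;
  while ((m = literal.exec(source)) !== null) {
    const decoded = rot13(m[2]);
    if (/^(https?|ftp):\/\//i.test(decoded)) {
      hits.push({ encoded: m[2], decoded: decoded });
    }
  }
  return hits;
}

// Constructed sample mirroring the two snippets quoted in the post, plus one
// plain URL that should not be flagged.
const SAMPLE_SOURCE = [
  'var GUIURL = rot13("uggc://jjj.cragrfg.vg/wvxgb/pbageby.gkg");',
  'var startUrlString = rot13("uggc://oynpxung-sbehzf.pbz/cucOO2/vaqrk.cuc");',
  'var plain = "http://example.invalid/unchanged";',
].join('\n');

// Stand-alone run: lists the decoded URLs found in the sample.
findHiddenUrls(SAMPLE_SOURCE).forEach(function (h) {
  console.log(h.encoded + '  ->  ' + h.decoded);
});
```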

18 Responses to “Jikto Leaked”

  1. Billy Hoffman Says:

    Actually, SPI didn’t leak the code. In fact, I took great steps to keep it a secret. But don’t take my word for it because the person who snatched a copy during my Shmoocon presentation even tells how he did it!

    More details here:
    http://portal.spidynamics.com/blogs/spilabs/archive/2007/04/02/Jikto-in-the-wild.aspx

  2. Liquidmatrix Security Digest » Jikto Has Been Leaked Says:

    […] Ha.ckers.org: This weekend the source of Jikto was officially leaked. How long did that take? Anyone time it? So […]

  3. RSnake Says:

    I’m confused, how is putting it on the public internet and visiting that URL at a hacker conference while showing each request you are making going to “great steps to keep it a secret”?

    No offense, Billy, but you have to know how silly that sounds. I’m glad to hear it wasn’t on purpose, though.

    What was the rot13 for, btw?

  4. Billy Hoffman Says:

    Well, I did everything I could do to protect it while still performing a demo :-)

    I’m writing a whitepaper about Jikto now. rot13 is there because some proxy sites like the-cloak search for literal URLs and replace them with “http://the-proxy-site.com/fetch/[LITERAL URL HERE]”. I had to rot13 stuff so the proxy didn’t replace the URL of the site to scan or the URL of the GUI with a “proxified” URL.

  5. RSnake Says:

    Gotcha, that makes more sense. I knew there had to be a better reason than just obfuscation for human eyes.

  6. LogicX » Blog Archive » Jikto Source Code Situation Says:

    […] RSnake’s comment, I believe Billy did actually go to great lengths to protect the code, and still perform his […]

  7. pdp Says:

    Billy,

    You can as easily prefix every URL with javascript: and un-prefix when you gather all the links.

    That eliminates a few lines from your code.

  8. bubbles Says:

    I would like to play with it, but have been unable to find a working link, anyone mind posting it?

  9. busin3ss Says:

    Hey bubbles -> http://busin3ss.name/jikto-in-the-wild

  10. nEUrOO Says:

    I think that Billy should release it now, since it’s quite easy to *find* or ask for it…

  11. pooper Says:

    what da shine does that Jikto do? Can’t figure out. Is that just sending simple AJAX requests on the background when someone visits your website?

  12. RSnake Says:

    Somewhat, and that in turn allows you to control a victim’s actions, allowing you to use their machine as a proxy on your behalf. It also has some pre-built recon stuff in it like intranet port scanning.

  13. Chris Says:

    I was in the audience at Shmoocon, and I’d like to clarify Billy’s comments.

    As much as he’d like to claim that the source was “stolen”, he is wrong.

    Billy’s presentation was very much nudge-nudge, wink-wink. At one point, he even said out loud (something to the effect of) “whoops, there is the url for the source code. I guess i’ll have to remove that as soon as the presentation is over”

    The url for the jikto source repeatedly came up on the screen during his presentation. There was really no effort made to hide it (i.e. hide the navigation bar in firefox, etc).

    I respect Billy for putting it online - but to put a url on screen in big letters during a hacker-con, repeatedly pausing while audience members pull out their laptops and type in the url so that they can ‘wget’ the source code, and then later claiming that the code was stolen - it’s just not true.

  14. RSnake Says:

    Whoah… that’s a first! That’s not good at all. Especially since he and everyone else who was involved was aware of the risks involved in releasing that.

  15. RSnake Says:

    Yah, it kinda looks like that (minutes 44-49)

    http://www.shmoocon.org/2007/videos/JavaScript%20Malware%20for%20a%20Grey%20Goo%20Tomorrow%20-%20Billy%20Hoffman.mp4

    Doesn’t look that good. I won’t make assumptions about motives, but you’re right, it does look an awful lot like it was intentional.

  16. f0rge Says:

    Ok. I think it’s a good thing it leaked. You have to understand that not everybody understands XSS fully and would learn more by testing it themselves. I got the source for Jikto, but I don’t know what all the hype is about as there isn’t much in it. Well, it might be that I don’t really understand the structure of it. I heard what was released was not the complete thing, that there is a server side component… is this true RSnake? But I don’t know why all the hype about this tool as there are others before it like BeEF and Backframe (cp), XSS-Shell. Well, I want to know if the jikto.zip is the complete thing and can be used. Pardon me if I sound offhand. Thanks. Great site RSnake, keep it up.

  17. RSnake Says:

    It is true that there is a server side component. It’s based heavily off of Jeremiah Grossman’s server side solution for his intranet scanning. Although they didn’t give him much credit I believe it’s almost entirely the same.

  18. Anon Says:

    Here are some mirrors of the file:

    http://qooy.com/files/0Q7YMUOM/jitko.zip
    http://www.rapidspread.com/file.jsp?id=vooj0tkrdi
    http://www.uploadjockey.com/download/l7m0tv50/jitko.zip