Enumerate Windows Users In JS
Sergey Vzloman is at it again… He sent over a really interesting piece of demo code (he tested it in IE6.0 and FF; I was only able to test it in Firefox) that enumerates users on Windows systems. Right now, as the code stands in his demo (with only minor tweaks from me), it only tries four accounts and is intentionally noisy to show what it’s doing, but it works pretty well. Click here to see the demo.
Dan Veditz has already commented on this, saying the resource:// issue is already fixed in the 2.0.0.4 and 1.5.0.12 versions of Firefox. But for now, and for previous versions, this will continue to work. It may be a little slow to enumerate users, but if you know it’s one of a few hundred combinations of a user’s name you can quickly enumerate through them.
Of course there are other ways to do this, like get them to connect to you through a file:///\\ URL as discussed before, but it’s good to have all of this documented since one or more of these may stop working. Nice work, Sergey!



May 18th, 2007 at 12:17 pm
This does not work for me in Firefox 2.0.0.3 or current IE6.
May 18th, 2007 at 12:32 pm
Weird, it works for me in 2.0.0.3. What OS are you using for Firefox? Did you make sure to have JS turned on?
May 18th, 2007 at 3:48 pm
I like the idea, pity it is very slow.
But isn’t this the same as enumerating with a small image like this:
[code]
<img src="file:///C:/DOCUME~1/RSnake/My Documents/My Pictures/Sample Pictures/Sunset.jpg" onLoad="alert('Yes! RSnake is alive…');">
[/code]
%3Cimg+src%3D%22file:///C:/DOCUME~1/RSnake/My+Documents/My+Pictures/Sample+Pictures/Sunset.jpg%22+onLoad%3D%22alert(’Yes!+RSnake+is+alive…’)%3B%22%3E
May 18th, 2007 at 3:53 pm
Didn’t work for me in IE6 on a Win2k machine, but worked fine in Firefox 2.0.0.3 on same machine.
May 19th, 2007 at 12:23 am
re: R/ van den H/
Yes, you can use images like file:///C:/…/Sample Pictures/Sunset.jpg
while “ntuser.ini” is located directly in C:\Docume~1\(..USER..)\
And handle on(load/error) events to find out the user profile. But I use Russian Windows, where this image is placed at C:\Docume~1\(..USER..)\Документы\Мои рисунки\Образцы рисунков\Закат.jpg
re: Mephisto Says
Probably you have a debugger or error-handling software installed on IE. If this code is bugged and you are able to find any positive fixes, please post them to me. After some tests I found that this source can be patched to work in IE7 and Opera (add timeout handlers for some cases).
By the way, if your account is not administrative on the local/network domain there is no chance to read a foreign ntuser.ini (owned by another profile). A restricted user has no access to other users’ profiles…
In the present state this code may not work…. Just testing… Only tricks
–
I think, to brute loooong account names (like “ANY ACCOUNT 317”), at first you can find its short name (ANYACC~1). First 6 letters known. Brute others… N
Accounts “Administrator” and “Administrator_From_Hell” are different at one byte: “Admini~1” and “Admini~2”. If “Admini~1” exists, why not try “Admini~2”?…
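The short-name trick in the comment above rests on how Windows builds 8.3 aliases for long directory names. The following is an added example, not code from the original post or from Sergey’s demo; it approximates that derivation so the “ANYACC~1” and “Admini~1”/“Admini~2” observations can be reproduced, and it models only the first four collisions (Windows switches to a hash-based form after that).

```javascript
// Added example (not from the original post): approximate Windows 8.3
// short-name generation for a long file or directory name.
// Only the ~1..~4 collision slots are modelled; the later hash form is not.

const LEGAL_83 = "A-Z0-9!#$%&'()\\-@^_`{}~";          // characters legal in an 8.3 name
const ILLEGAL_83 = new RegExp(`[^${LEGAL_83}]`, "g");
const VALID_83 = new RegExp(`^[${LEGAL_83}]{1,8}(\\.[${LEGAL_83}]{1,3})?$`);

// Splits a long name into 8.3 base and extension the way Windows does:
// spaces are removed, the split is at the last period, remaining periods
// in the base are dropped, and anything not legal in 8.3 becomes "_".
function shortNameParts(longName) {
  const noSpaces = longName.replace(/ /g, "").toUpperCase();
  const dot = noSpaces.lastIndexOf(".");
  const rawBase = dot === -1 ? noSpaces : noSpaces.slice(0, dot);
  const rawExt = dot === -1 ? "" : noSpaces.slice(dot + 1);
  return {
    base: rawBase.replace(/\./g, "").replace(ILLEGAL_83, "_"),
    ext: rawExt.replace(ILLEGAL_83, "_").slice(0, 3),
  };
}

// Returns the short name Windows would expose for longName, given the short
// names already assigned in the same directory (a Set of uppercase strings).
// A name that is already valid 8.3 is returned uppercased and unchanged;
// null means all four ~N slots are taken and the hash form would apply.
function shortName83(longName, taken = new Set()) {
  const upper = longName.toUpperCase();
  if (VALID_83.test(upper)) return upper;
  const { base, ext } = shortNameParts(longName);
  const suffix = ext ? `.${ext}` : "";
  for (let n = 1; n <= 4; n++) {
    const candidate = `${base.slice(0, 6)}~${n}${suffix}`;
    if (!taken.has(candidate)) return candidate;
  }
  return null;
}

// The profile root from the page, then the account names from the comment
// as if they were siblings in one directory so the ~N suffix advances.
console.log(`Documents and Settings -> ${shortName83("Documents and Settings")}`);
const profiles = new Set();
for (const name of ["Administrator", "Administrator_From_Hell", "ANY ACCOUNT 317", "RSnake"]) {
  const s = shortName83(name, profiles);
  profiles.add(s);
  console.log(`${name} -> ${s}`);
}
```

Note that a short name reveals only six characters of the long name plus its collision index, which is exactly why the comment treats the remaining characters as the part that still has to be guessed.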
May 19th, 2007 at 3:20 am
My Firefox disallowed remote access to file:///c:/… through an image tag. Therefore I used resource in Firefox and the file protocol in IE.
May 19th, 2007 at 8:01 am
@Sergey Vzloman Nice… very clever idea.
Well, I’m not so interested in bruteforcing users; I rather thought about making a list of possible names of people I know. But the most interesting thing, I guess, is to detect if the user is logged in as Administrator.
May 19th, 2007 at 9:52 pm
Look at my comment on this page,
http://www.gnucitizen.org/projects/pdf-strikes-back/
I think this will tell you the correct user name (and that it has been fixed).
May 20th, 2007 at 4:19 am
RSnake, web pages cannot load file:/// URLs in Firefox, I think this changed around Firefox 1.0 already. So anything involving file:/// URLs will not work there.
May 20th, 2007 at 4:50 am
This is the reason why I’ve always disabled JavaScript in Adobe.
May 20th, 2007 at 7:26 am
@Ronald van den Heetkamp
I can help you
1. If you detected a user with name “ANY” through ntuser.ini, try accessing ntuser.dat. If the file is loaded, the user is not currently logged in; if you do not have access to the file, it is open and the logged-in user name is “ANY”.
2. If you have access to “c:/Doc…/ANY/ntuser.ini”, try “\\127.0.0.1\c$\doc..\ANY\ntuser.ini”; if the file opens you are an administrator on the local system (domain).
Let’s collect user names! I need them too
May 20th, 2007 at 7:51 am
You can try file:///\\127.0.0.1\c$\boot.ini. In this case the user name is unknown, but administrator privileges can be detected…
May 21st, 2007 at 8:00 am
Hi!
Just wanted to add that my old IE keeps crashing after I confirm the JavaScript popup.
OS: WinXP, SP2, latest hotfixes
IE: 6.0.2900.2180 SP2
I thought that could be interesting …