Firefox 3.5+ JavaScript "Ping" Sweep

This is a demonstration of how you can abuse Firefox 3.5's new cross domain XMLHTTPRequest to perform "ping" sweeps across the Internet - or more interestingly, across the victim's own Intranet. Of course it's not a real ping using ICMP but instead using HTTP. There are several things missing from this demonstration. First is logging - normally you'd want to log this information. Second you might notice there aren't many IP's or hostnames checked - that's purely because this takes a while to run and I wanted to make a simple demo. Lastly, because of that last fact, I didn't adjust the timing at all, to account for the delays associated with the prior asyncronous tests which would normally be a requirement if you added too many more IPs to this. As it stands, you probably couldn't do more than 60 or so requests before you'd need to re-write this to take the lag into account.

This technique has a few nice side effects though. It doesn't care if the port is open or not - only that the server is reachable. If the IP exists, regardless if it's port is open or not, it'll report back immediately (difference between a RST/FIN and a browser thread TTL, I assume). If there's nothing there, it'll take a while (north of 20 seconds or 20,000 milliseconds - and I've seen it go as high as 75 seconds on certain networks) to tell you that it's unreachable. So normally what you'd do is search part of a class C in RFC1918 space, and once you found something you'd continue searching, rather than blindly searching all of the 10.* network and so on. So that part is also technically missing. But this is just a demo.

Please be patient - the demo can take more than 75 seconds to timeout the pages that aren't valid (this could probably be sped up in real life using timeouts). Click the button below to begin the "ping" sweep, if you have Firefox 3.5 or higher: