Wednesday, January 31, 2007

Goodbye Applet, Hello NAT'ed IP Address

To perform some Intranet Hacking we need the web browser's internal NAT'ed IP Address (ie: 192.168.xxx.xxx). While not the most elegant solution, Java Applets (MyAddress) are the only real way to go. It turns out JavaScript can invoke Java classes directly (Firefox), including java.net.Socket, and can achieve same results. No Applet required making the proof-of-concept code a lot easier.

Firefox Only! (1.5 – 2.0) tested on OS X and WinXP. Please me know if anyone knows a way to invoke Java classes from JavaScript in Internet Explorer.

function natIP() {
var w = window.location;
var host = w.host;
var port = w.port || 80;
var Socket = (new java.net.Socket(host,port)).getLocalAddress().getHostAddress();
return Socket;
}



I hot-wired a version into this oversized form button

17 comments:

Anonymous said...

Hi Jeremiah, I've got a script which does the same, and looks the same. Actually I used it in my Tor detection script. Is it the same thing you talk about?

function IP()
{
try {
/* modified snippet from http://www.gnucitizen.org */
var sock = new java.net.Socket();
sock.bind(new java.net.InetSocketAddress('0.0.0.0', 0));
sock.connect(new java.net.InetSocketAddress(document.domain, (!document.location.port)?80:document.location.port));
hostname = sock.getLocalAddress().getHostName();
address = sock.getLocalAddress().getHostAddress();
return address;
} catch(e) { address = "0.0.0.0"; }
}


-Jungsonn

Jeremiah Grossman said...

Wow, approach looks almost identical. Wished you made it available sooner. :)

This work in IE at all?

Anurag Agarwal said...

nice.

The only limitation is that the host is restricted by the same origin policy otherwise this could have caused havoc

Anonymous said...

this feature has been part of AttackAPI since I started it. There is also an Atom that does the same thing. Check it out:

http://www.gnucitizen.org/projects/atom#comment-2571

Anonymous said...

It works woth my Opera 9.10

Anonymous said...

Hi Jeremiah, I've been talking with a few people, isn't it a good idea to build a sort of repository or Wiki with such snippets for reference? I heard RSnake had some plans for such a thing, but nothing really real yet. Anyway, one would never miss such things. and it would be easier to go to such site instead of scavaging blogs for examples.

Still, it's a very good find if you did not know about it. :)

-Jungsonn

Rick (kingthorin) said...

1) Little typo in the red text on your latest article "Please met know if anyone knows a way to invoke Java classes from JavaScript in Internet Explorer."

This kind of thing happens to me all the time, when your fingers get ahead of your brain. "let me" becomes "met" ;)

2) As requested this page has a solution for IE (though it requires ActiveX and JavaScript).
Check this page:
http://www.devarticles.com/c/a/JavaScript/Advanced-JavaScript-with-Internet-Explorer-Retrieving-Networking-Configuration-Information/

Rick (kingthorin) said...

TinyURL for the link in my previous post this didn't wrap properly (at least not in FF).

http://tinyurl.com/2e9y7f

Jeremiah Grossman said...

Jungsonn, the short answer is yep, absolutely there should be. In the meantime, check this out.

http://attacklabs.com/

Jeremiah Grossman said...

thorin, thanks for the typo (fixed) and the link!

Jordan said...

Jungsonn, Jeremiah, I think I found somebody else who independently beat you both to it. Apparently this is a popular technique. ;-)

Here's a bugtraq post from 2003 talking about it!

http://www.derkeiler.com/Mailing-Lists/NT-Bugtraq/2003-04/0003.html

Jordan said...

Actually, now that I look at it, isn't:

alert(java.net.InetAddress.getLocalHost())

Enough all by itself? Just to make sure it wasn't because the socket code had already loaded I restarted my browser. But it looks like that's all you need to do to get the internal IP, right? I probably shouldn't be trying to do this at 2am, I'll likely regret it. ;-)

Jeremiah Grossman said...

Actually thats the old method that used to work back in the day. Now it requires a bit more effort.

Jordan said...

Why does it take more effort? That method appears to work just fine for me right now on my Mac running FF 2.0.2 without doing all the socket setup. Is there some advantage to making the actual socket call that I don't get? Some reason why it doesn't work on some platforms?

Jeremiah Grossman said...

I've had mixed results with all sorts of methods across the platforms. Nature of web development I guess. But if you got something working, and somewhat reliably, by all means use it! :)

Anonymous said...

Doesn't seem to work on 2.0.0.4 with JRE-Version 1.6.0_01 installed.
Maybe it's because of the new Firefox or of the new JRE update or both.

Charles said...

This won't work if java is disabled.