samyk/webscan samyk/webscan

  • Stars
    star
    411
  • Rank 101,917 (Top 3 %)
  • Language
    JavaScript
  • Created over 3 years ago
  • Updated about 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
samyk/webscan
github

samyk

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Browser-based network scanner & local-IP detection

webscan

webscan is a browser-based network IP scanner and local IP detector. It detects IPs bound to the user/victim by listening on an RTP data channel via WebRTC and looping back to the port across any live IPs, as well as discovering all live IP addresses on valid subnets by monitoring for immediate timeouts (TCP RST packets returned) from fetch() calls or hidden img tags pointed to valid subnets/IPs. Works on mobile and desktop across all major browsers and OS's. Beta version is extensible to allow the addition of multiple techniques.

webscan takes advantage of the fact that non-responsive img tag sockets can be closed to prevent browser & network-based rate limiting by altering the src attribute to a non-socket URI (removing from DOM ironically does not close the socket), or by using fetch()'s signal support of the AbortController() interface.

try webscan live here
beta version here

by @SamyKamkar
released 2020/11/07
more fun projects at samy.pl

webscan works like so

  1. webscan first iterates through a list of common gateway IP addresses
  2. for each IP, use fetch() to make fake HTTP connection to http://common.gateway.ip:1337
  3. if a TCP RST returns, the fetch() promise will be rejected or img tag onerror will trigger before a timeout, indicating a live IP
  4. to prevent browser or network rate limiting, non-responsive fetch() sockets are closed via AbortController() signal while img-tags have the src redirected to non-socket URI, closing the socket
  5. when live gateway detected, step 1-3 reran for every IP on the subnet (e.g. 192.168.0.[1-255])
  6. a WebRTC data channel is opened on the browser, opening a random port on the victim machine
  7. for any IPs that are found alive on the subnet, a WebRTC data channel connection is made to that host
  8. if the WebRTC data channel is successful, we know we just established a connection to our own local IP

implementation

// wait for scan to finish
let scanResults = await webScanAll()
 
// or get callbacks when ips are found with a promise
let ipsToScan = undefined // scans all pre-defined networks if null
let scanPromise = webScanAll(
  ipsToScan, // array. if undefined, scan major subnet gateways, then scan live subnets. supports wildcards
  {
    rtc: true,   // use webrtc to detect local ips
    logger: l => console.log(l),  // logger callback
    noRedirect: false, // if true, doesn't redirect from http to http - Chrome doesn't scan detect network IPs proprly on https atm
    localCallback:   function(ip) { console.log(`local ip callback: ${ip}`)   },
    subnetCallback:  function(ip) { console.log(`router ip callback: ${ip}`)  },
    networkCallback: function(ip) { console.log(`network ip callback: ${ip}`) },
  }
)

returns

scanResults = {
  "local": ["192.168.0.109"], // local ip address
  "network": { // other hosts on the network and how fast they respond
    "192.168.0.1": 97,
    "192.168.0.2": 82,
    "192.168.0.100": 46,
    "192.168.0.109": 0,
    "192.168.0.117": 74,
    "192.168.0.113": 17,
    "192.168.0.112": 21,
    "192.168.0.114": 25,
    "192.168.0.116": 25,
    "192.168.0.115": 25,
    "192.168.0.105": 57,
    "192.168.0.107": 63,
    "192.168.0.103": 64,
    "192.168.0.108": 31
  }
}

Todo

  • use iframe to perform scans in blocks
    • when the frame is torn down, i assume this helps guarantee the connections are torn down
    • how do multiple iframes scanning multiple blocks work? perhaps this allows us to bypass browser connection rate limiting
  • support both fetch() and img as scanner cores (completed in beta)
    • Safari
      • note: img tag works really well in some browsers like Safari
      • caveat: changing the .src doesn't seem to abort the connection
      • potential solution: see iframe note above
    • Chrome
      • caveat: chrome will not abort the connection if you remove the img from dom
      • solution: chrome will abort the connection of an img if you adjust the .src, this is great!
      • caveat: changing the img.src to '#' makes another request to the same parent page
      • caveat: changing the img.src to 'about:' produces a warning in console, is there something else to use that won't make a request?
  • use img timing as a local ip detection mechanism

Tested on

  • Chrome 87.0.4280.47 (macOS)
  • Edge 86.0.622.63 (Windows)
  • Firefox 82.0.2 (macOS)
  • Firefox 82.0.2 (Windows 10)
  • Safari 13.1.2 (macOS)
  • mobile Safari (iOS)
  • mobile Chrome (iOS)

More Repositories

1

poisontap

Exploits locked/password protected computers over USB, drops persistent WebSocket-based backdoor, exposes internal router, and siphons cookies using Raspberry Pi Zero & Node.js.
JavaScript
6,161
star
2

evercookie

Produces persistent, respawning "super" cookies in a browser, abusing over a dozen techniques. Its goal is to identify users after they've removed standard cookies and other privacy data such as Flash cookies (LSOs), HTML5 storage, SilverLight storage, and others.
JavaScript
4,320
star
3

magspoof

A portable device that can spoof/emulate any magnetic stripe, credit card or hotel card "wirelessly", even on standard magstripe (non-NFC/RFID) readers. It can disable Chip&PIN and predict AMEX card numbers with 100% accuracy.
C
3,787
star
4

pwnat

The only tool/technique to punch holes through firewalls/NATs where multiple clients & server can be behind separate NATs without any 3rd party involvement. Pwnat is a newly developed technique, exploiting a property of NAT translation tables, with no 3rd party, port forwarding, DMZ, DNS, router admin requirements, STUN/TURN/UPnP/ICE, or spoofing.
C
2,846
star
5

slipstream

NAT Slipstreaming allows an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victim’s NAT/firewall, just by anyone on the victim's network visiting a website
Perl
1,865
star
6

skyjack

A drone engineered to autonomously seek out, hack, and wirelessly take full control over any other Parrot or 3DR drones within wireless or flying distance, creating an army of zombie drones under your control.
JavaScript
1,636
star
7

usbdriveby

USBdriveby exploits the trust of USB devices by emulating an HID keyboard and mouse, installing a cross-platform firewall-evading backdoor, and rerouting DNS within seconds of plugging it in.
Arduino
1,230
star
8

keysweeper

KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.
Eagle
1,076
star
9

opensesame

OpenSesame attacks wireless garages and can open most fixed-code garages and gates in seconds using a Mattel toy
C
818
star
10

samytools

Simple tools to make reverse engineering and console cowboying easier, primarily by data translation and manipulation + file handle piping. Mostly *nix tools with an emphasis on macOS.
Perl
555
star
11

proxygambit

Anonymize and fracture network traffic/Internet access over a point-to-point wireless link or through TCP->GSM->wifi tunnel (advanced resurrection of ProxyHam)
Arduino
349
star
12

combobreaker

Motorized, portable, 3D printed, Arduino-based combination lock cracker
C++
232
star
13

dingdong

Digital Ding Dong Ditch -- RTL-SDR + Arduino + GSM/SMS/FONA + RF + GQRX to hack a wireless doorbell from a text message
C++
229
star
14

quickjack

Quickjack is a point-and-click tool for intuitively producing advanced clickjacking and frame slicing attacks.
JavaScript
227
star
15

frisky

Instruments to assist in binary application reversing and augmentation, geared towards walled gardens like iOS and macOS
C++
197
star
16

glitchsink

Voltage glitcher to bypass instructions/bootloader protections *without* target modification
C++
114
star
17

jiagra

Javascript/Website Performance Enhancement
JavaScript
107
star
18

easel-driver

Easel driver for Linux, Mac, Windows, ARM, Raspberry Pi, Intel, FTDI, CH340, CH341, CP210x, FTDI clones, local, and remote access to GRBL-based CNC controllers
Shell
93
star
19

myo-osc

OSC bridge for the Thalmic Myo gesture control armband (cross-platform)
C++
80
star
20

BPL

The Blind Public License is a restrictive license that does not allow any person to read, view, interpret, emulate, debug, disassemble, reverse engineer, or execute ("Observing") any included code, schematics or engineering diagrams (the "Technology").
57
star
21

sqlpp

feature-rich, multi-database interfacing, multi-connection, colorful console-based SQL client
Perl
53
star
22

samyk

50
star
23

bgrid

wireless balloon LED network w/ATtiny24 + nRF24L01+ (PCB + firmware + TouchDesigner)
C++
46
star
24

buspirate

Bus Pirate (cross-platform, cleaned up for OS X)
C
42
star
25

crak

Crash Royale Attack Kit
JavaScript
39
star
26

openrTMS

Open rTMS (Transcranial Magnetic Stimulation)
C++
26
star
27

NRF24-BTLE-Decoder

Sniff and decode NRF24L01+ and Bluetooth Low Energy using RTL-SDR
C
25
star
28

amazonshelper

TamperMonkey script (browser extension) for Amazon to add price by volume for materials and to hide useless UI elements
JavaScript
24
star
29

lcventilator

Low cost ventilator based on Dr. Jeffrey Ebin's design
C++
21
star
30

specs

Public specifications for easy accessibility
18
star
31

pinning

#PINNING is a browser extension (currently TamperMonkey script) to improve Pinterest's desktop browsing UX
JavaScript
15
star
32

glitchisnk

Voltage glitcher to bypass instructions/bootloader protections without target modification
14
star
33

microscopy

files for (ΞΌ)scope projects
11
star
34

motoaudio

Inspecting the Moto Audio application running on Motorola Android devices
9
star
35

testimg

chrome blocks downloading images from my github :(
9
star
36

openraman

Low cost, high performance open source Raman spectrometer
C++
5
star
37

mains-logs

log files for mains project
2
star
38

mains

monitoring mains line voltage
Perl
1
star