When I say 'Network Reconnaissance', most of you would immediately think Nmap! Some of the more hardcore geeks would also be thinking about Scapy. Both are awesome tools and are probably the best of their class, but what happens when you want to do a quick network recon from a machine where:
- no tools are installed
- you do not have administrative rights
- you cannot install or download any binaries or zip files due to proxy filtering
The above three points are a fairly accurate representation of the state of the internal network of a lot of companies. Along with these restrictions, if access to the command prompt is blocked then you cannot use ping/telnet for your recon either.
- Port Scans
- Network Scans
- Detecting private IP address
Figure 1 : Port Scans
Figure 2 : Network Scans
Figure 3 : Detecting Private IP
It is currently a Windows-only tool and works on modern browsers that support Cross Origin Requests or WebSockets. I have personally found Chrome to be the ideal browser to run this.
Using JS-Recon is very straightforward: it has a simple UI where the user selects the type of scan, enters the target IP addresses and port numbers, and hits 'Start'.
Cross domain XHR has five possible readyState values and WebSocket has four. When a new connection is made to any service, the value of the readyState property changes based on the state of the connection. The transition between these states can be used to determine whether the remote port to which the connection is being made is open, closed or filtered.
Figure 4: Port Status
When a WebSocket or COR connection is made to a specific port of an IP address in the internal network, the initial state of the WebSocket is readyState 0 and for COR it is readyState 1. Depending on the status of the remote port, these initial readyState values change sooner or later. The table below shows the relation between the status of the remote port and the duration of the initial readyState value. By observing how soon the initial readyState value changes, we can identify the status of the remote port.
The port scanning technique can be applied to perform horizontal network scans of internal networks. Since both an open port and a closed port can be accurately identified, horizontal scans can be made for specific ports that would be allowed through the personal firewalls of most corporate systems.
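The horizontal scan described above leaves a recognisable trace on the network side: one workstation touching the same port on many internal hosts within a short burst. The following Python snippet, added here as an example and not part of JS-Recon, flags that pattern in constructed connection-log lines; the log format, the addresses and the thresholds are assumptions.

```python
"""Flag a horizontal scan (one source, one port, many destination hosts in a
short window) in a simple connection log.  Log format is assumed:
"<ISO timestamp> <src_ip> <dst_ip> <dst_port>"."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: 10.1.1.50 sweeps port 80 across six hosts in three
# seconds; the other two sources show normal, low-fan-out traffic.
SAMPLE_LOG = """\
2011-04-01T10:00:00 10.1.1.50 10.1.1.1 80
2011-04-01T10:00:00 10.1.1.50 10.1.1.2 80
2011-04-01T10:00:01 10.1.1.50 10.1.1.3 80
2011-04-01T10:00:01 10.1.1.50 10.1.1.4 80
2011-04-01T10:00:02 10.1.1.50 10.1.1.5 80
2011-04-01T10:00:02 10.1.1.50 10.1.1.6 80
2011-04-01T10:00:03 10.1.1.51 10.1.1.200 80
2011-04-01T10:00:04 10.1.1.51 10.1.1.200 80
2011-04-01T10:00:05 10.1.1.52 10.1.1.10 443
2011-04-01T10:00:06 10.1.1.52 10.1.1.11 443
2011-04-01T10:00:09 10.1.1.52 10.1.1.12 443
"""


def parse(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_horizontal_scans(lines, window_s=10, min_hosts=5):
    """Return {(src, port): peak_host_count} for every source that reached at
    least min_hosts distinct destinations on one port within window_s seconds."""
    events = defaultdict(list)  # (src, port) -> [(timestamp, dst), ...]
    for line in lines:
        if line.strip():
            ts, src, dst, port = parse(line)
            events[(src, port)].append((ts, dst))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding time window over sorted events
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            hosts = {dst for _, dst in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[key] = max(hits.get(key, 0), len(hosts))
    return hits


if __name__ == "__main__":
    print(find_horizontal_scans(SAMPLE_LOG.splitlines()))
```

Tune window_s and min_hosts to the size of the subnet being watched; a browser-driven sweep is fast, so a short window with a modest host count keeps the false-positive rate low.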
As explained above, the port status determination depends mainly on timing, so the location of the destination server is very important. JS-Recon is tuned for targets located in the internal network; if the user wishes to scan targets across the internet then he has to retune it.
A more detailed description of how port scans, network scans and internal IP detection work can be found in the JS-Recon Manual [http://www.andlabs.org/tools/jsrecon/jsrecon.html].