JS-Recon : JavaScript Network Reconnaissance Tool

March 6, 2011, by | Start Discussion

When I say 'Network Reconnaissance' then most of you would immediately think Nmap! Some of the more hardcore geeks would also be thinking about Scapy. Both are awesome tools and are probably the best of their class but what happens when you want to do a quick network recon from a machine where

  1. no tools are installed
  2. you donot have administrative rights
  3. you cannot install or download any binaries or zip files due to proxy filtering

The above three points are a fair accurate representation of the status of the internal network of a lot of companies. Along with these restrictions if access to command prompt is blocked then you cannot use ping/telnet for your recon as well. 

Port Scans

Figure 1 : Port Scans


JS-Recon is a network reconnaissance tool written in JavaScript by making use of HTML5 features like Cross Origin Requests(CORs) and WebSockets.  JS-Recon can perform:

  • Port Scans
  • Network Scans
  • Detecting private IP address

Network Scans

Figure 2 : Network Scans

Detecting Private IP address

Figure 3 : Detecting Private IP

It is currently a windows only tool and works on modern browsers that support Cross Origin Requests or WebSockets. I have personally found Chrome to be the ideal browser to run this.

Using JS-Recon is very straight forward, it has a simple UI where the user selects the type of scan, enters the target IP addresses, port numbers and hits 'Start'.

The underlying base of any of thses scans is the ability to identify if a remote port is open or closed by using JavaScript. These are not socket-level scans like those done by Nmap but are application-level scans. To get the best out of the tool the user has to understand the underlying scanning technique employed by JS-Recon.

Cross domain XHR has five possible readystate statuses and WebSocket has four possible readystate statuses. When a new connection is made to any service the status of the readystate property changes based on the state of the connection. This transition between different states can be used to determine if the remote port to which the connection is being made is either open, closed or filtered.

Port Status

Figure 4: Port Status

When a WebSocket or COR connection is made to a specific port of an IP address in the internal network the initial state of WebSocket is readystate 0 and for COR its readystate 1. Depending on the status of the remote port, these initial readystate statuses change sooner or later. The below table shows the relation between the status of the remote port and the duration of the initial readystate status. By observing how soon the initial readystate status changes we can identify the status of the remote port.

The port scanning technique can be applied to perform horizontal network scans of internal networks. Since both an open port and a closed port can be accurately identified, horizontal scans can be made for specific ports that would be allowed through the personal firewalls of most corporate systems.

As explained above the port status determination is majorly dependent on timing, therefore the location of the destination server is very important. JS-Recon is tuned for targets that are located in the internal network, if the user wishes to scan targets across the internet then he has to retune it.

A more detailed description of how Port scans, Network scans and Internal IP Detection work is mentioned in the JS-Recon Manual [http://www.andlabs.org/tools/jsrecon/jsrecon.html]. 

Happy Scanning!

Lavakumar is the author of IronWASP, the advanced Web Security Testing Platform. He has also authored many other security tools like ‘Shell of the Future’, JS-Recon, Imposter and the HTLM5 based Distributed Computing System – Ravan. He has spoken at multiple conferences like BlackHat, OWASP AppSec Asia, ClubHack, Securitybyte, Nullcon, etc.

Leave a Reply