C S Shyam Sundar's Weblog

A pure JavaScript Exploiter

Posted by: Shyam Sundar on: August 6, 2006

No lies, it's a plain old “JavaScript” that can scan a network, fingerprint all the Web-enabled devices found and even work through firewalls.

How does it work ???

The scanner begins by scanning for targets. This is accomplished by implementing a “ping” feature using the JavaScript Image object. The source attribute of an Image points to the IP address the scanner wants to ping. Using a timer and the onload/onerror functions, the scanner can determine whether there is a host at that address. While the Image object probe will detect whether the host is there, it will not detect whether there is a Web server listening on the host. To confirm the presence of a Web server, the scanner uses an HTML IFrame tag with a timer and an onload function. If the onload event occurs before the timer does, the scanner knows it is receiving HTTP traffic from the host, confirming the existence of a Web server.

Once the scanner has detected a host and confirmed it has a Web server, the scanner tries to fingerprint the Web server to determine its type and version number. This is done using the Image object to retrieve graphics from well known locations on the device. For example, most Microsoft IIS Web servers have an image /pagerror.gif that is 36 by 48 pixels in size. Most installations of the Apache Web server have an image /icons/c.gif that is 20 by 22 pixels. More specific applications can also be detected. Linksys WRK54G wireless routers have an image /UI_Linksys.gif that is 165 by 57 pixels, while the Plone wiki application has an image /plone_powered.gif that is 80 by 15 pixels. By testing for several images and checking their respective sizes, the scanner can more accurately fingerprint an application and can even detect the version of the application.
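Those image fetches leave a trace on the target: a sweep shows up in the Web server's access log as requests for the well-known fingerprint images with a Referer from some other origin (or none at all), because a page on the site itself would normally send the site's own origin. As an added example, not from the post or the SPI Dynamics paper, here is a small Node.js script that flags that pattern in Apache combined-format log lines; the internal origin and the log lines are constructed assumptions.

```javascript
// Added example (not from the post or the SPI Dynamics paper): flag access-log
// entries that look like the image-based fingerprinting the post describes.
// Log lines below are constructed; the probe paths are the ones named in the post.
const FINGERPRINT_PATHS = new Set([
  "/pagerror.gif", "/icons/c.gif", "/UI_Linksys.gif", "/plone_powered.gif",
]);
const INTERNAL_ORIGIN = "http://intranet.example"; // assumed: our own site's origin

// Apache "combined" format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[6] };
}

// A single request is suspicious when a fingerprint image is fetched with a
// Referer that is absent or from another origin: a page on our own site
// embedding the image would normally send our origin as the Referer.
function isProbe(req) {
  if (!FINGERPRINT_PATHS.has(req.path)) return false;
  return req.referer === "-" || !req.referer.startsWith(INTERNAL_ORIGIN);
}

// Group probes by client IP; report clients that tried two or more distinct
// fingerprint paths, which is the sweep pattern rather than a stray hotlink.
function findFingerprintSweeps(logText) {
  const byIp = new Map();
  for (const line of logText.split("\n")) {
    const req = parseLine(line.trim());
    if (!req || !isProbe(req)) continue;
    if (!byIp.has(req.ip)) byIp.set(req.ip, new Set());
    byIp.get(req.ip).add(req.path);
  }
  return [...byIp].filter(([, paths]) => paths.size >= 2)
                  .map(([ip, paths]) => ({ ip, paths: [...paths].sort() }));
}

// Constructed sample: 10.0.0.5 sweeps three fingerprint images from an external
// page; 10.0.0.9 loads one icon from our own directory listing (benign).
const SAMPLE_LOG = `
10.0.0.5 - - [06/Aug/2006:10:00:01 +0000] "GET /pagerror.gif HTTP/1.1" 404 210 "http://evil.example/scan.html" "Mozilla/5.0"
10.0.0.5 - - [06/Aug/2006:10:00:01 +0000] "GET /icons/c.gif HTTP/1.1" 200 242 "http://evil.example/scan.html" "Mozilla/5.0"
10.0.0.5 - - [06/Aug/2006:10:00:02 +0000] "GET /UI_Linksys.gif HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Aug/2006:10:00:03 +0000] "GET /icons/c.gif HTTP/1.1" 200 242 "http://intranet.example/icons/" "Mozilla/5.0"
10.0.0.9 - - [06/Aug/2006:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
`;
console.log(JSON.stringify(findFingerprintSweeps(SAMPLE_LOG)));
```

The same grouping works on a real log once INTERNAL_ORIGIN is set to the site's actual origin; clients that never send a Referer at all will still need a second signal, such as the 404 burst across several probe paths.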

And then …

Fingerprinting the application lets us know what type and version number we are dealing with. The scanner can look for applications it knows are vulnerable to different attacks. By dynamically building HTML forms and automatically submitting them, the scanner can send attacks using either GET or POST against the application. At the very least, the information collected from scanning and fingerprinting can be sent to the attacker to assist in planning another attack.

Demo

As we all want to witness it: a demo can be found here.

Is it something like XSS ???

The code can be part of a Cross-site scripting (XSS) attack payload, thereby increasing the damage XSS can do.

Who did it ???

SPI Dynamics Research, in their paper Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript.
