Your Clocks Have Ears — Timing-Based Browser-Based Local Network Port Scanner

Presented at DEF CON 31 (2023), Aug. 12, 2023, 4:30 p.m. (20 minutes)

What can a website do? So many things these days. But, have you ever considered that it can port scan your LAN? It will fingerprint you with pinpoint precision and uncover hidden internal devices. Surely, a browser wouldn't allow that? With this presentation, I will introduce a short primer on timing-based, browser-based port scanning using Fetch. Based on this primer, I will discuss three techniques that can scan open ports on the localhost, a NAT router’s presence on the LAN, and open ports of the clients on the LAN. A demo of the proof of concept exploit will be provided, with closing remarks on possible mitigation strategies.

REFERENCES:

[1] https://blog.nem.ec/2020/05/24/ebay-port-scanning/
[2] https://www.bleepingcomputer.com/news/security/list-of-well-known-web-sites-that-port-scan-their-visitors/
[3] https://www.crunchbase.com/organization/threatmetrix
[4] https://coveryourtracks.eff.org/learn
[5] https://web.archive.org/web/20060813034434/http://www.spidynamics.com/assets/documents/JSportscan.pdf
[6] https://github.com/Flu1dTeam/PortScanner
[7] https://medium.com/tenable-techblog/using-webrtc-ice-servers-for-port-scanning-in-chrome-ce17b19dd474
[8] https://www.incolumitas.com/2021/01/10/browser-based-port-scanning/
[9] https://docs.google.com/document/d/1a8sUFQsbN5uve7ziW61ATkrFr3o9A-Tiyw8ig6T3puA/edit
[10] https://developer.chrome.com/articles/cors-rfc1918-feedback/
[11] https://wicg.github.io/local-network-access/

Presenters:

  • Dongsung “Donny” Kim - IT-Security Expert at Security Office part of Truesec
    Dongsung (Donny) Kim is an IT-Security expert at Security Office part of Truesec. Their software interests vary widely from frontend to DevSecOps, with research interests spanning from reverse engineering to web security. Equipped with both professional and academic experience, they want to reconcile two seemingly opposite ideas: understanding user-facing software problems without compromising security. Bluesky: @kidi.ng Discord: kiding
