Dormant DOMination

Presented at BSidesSF 2017, Feb. 13, 2017, 4:50 p.m. (30 minutes).

Traditional attacks on air-gapped networks have looked at vectors such as USB memory sticks (thanks Stuxnet), audio signals (thanks BadBIOS) and even cellular frequencies (thanks GSMem). But it's not entirely uncommon for portable devices (laptops, smart phones) to go from network to network, even connecting to potentially sensitive corporate networks. In fact, every day many corporate devices connect to the local coffee shop wifi on the way into the office. And it's here where things get interesting. Advanced mitigations to these vectors include things like host-health checks upon re-connecting to 'secure' networks. But what's the chance that these scans will pick up on JavaScript that may be running in the DOM?

Leveraging a number of existing browser technologies, such as WebRTC, Web Workers and good old fashioned XMLHttpRequest objects, we have everything we need to plant a JavaScript hook and monitor the local network interface for changes in connectivity. From here, we can start scanning different local subnets looking for available hosts. Once identified, we can even determine if they have any listening ports.

This presentation will discuss existing methods of subnet discovery & scanning, persistence methods and ways in which dormant JavaScript objects can periodically scan the local browser's network to discover new attack surfaces, even those that may be air-gapped. (Bloody JavaScript...)
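The abstract describes a dormant page's JavaScript reaching internal hosts over XMLHttpRequest once the device is back on the corporate network. From the defender's side, one tell lands in the internal services' own access logs: a browser-issued request to an internal host carries an Origin header (and usually a Referer) naming the site whose script made it, and that site is not an internal one. The script below is an added example, not code from the talk or its author: it parses constructed access-log lines (combined log format with the Origin header appended as a final quoted field, an assumed logging configuration), flags requests whose Origin or Referer falls outside an assumed internal-domain allowlist, and groups them by client address so a single client touching many paths with an outside origin stands out. The internal suffixes, the log format and every sample line are assumptions.

```javascript
// Added example (not from the talk): find browser-originated probes of an
// internal service by looking for requests whose Origin/Referer names a host
// outside the internal allowlist. All sample data below is constructed.

// Assumed allowlist of internal hostnames / suffixes.
const INTERNAL_SUFFIXES = ['.corp.example', 'localhost'];

// Assumed log format: combined log format plus the Origin header as a final
// quoted field:
//   ip - - [time] "METHOD path PROTO" status size "referer" "user-agent" "origin"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)" "([^"]*)"$/;

// Constructed sample: an intranet visit, two requests issued from a page on a
// coffee-shop portal still open in the same browser, a curl health check, and
// one request with an opaque (null) origin.
const SAMPLE_LOG = [
  '10.0.5.23 - - [13/Feb/2017:16:50:01 -0800] "GET /login HTTP/1.1" 200 1523 "https://intranet.corp.example/" "Mozilla/5.0" "https://intranet.corp.example"',
  '10.0.5.23 - - [13/Feb/2017:16:50:02 -0800] "GET / HTTP/1.1" 200 612 "https://coffee-shop-portal.example/" "Mozilla/5.0" "https://coffee-shop-portal.example"',
  '10.0.5.23 - - [13/Feb/2017:16:50:02 -0800] "GET /favicon.ico HTTP/1.1" 404 209 "https://coffee-shop-portal.example/" "Mozilla/5.0" "https://coffee-shop-portal.example"',
  '10.0.5.99 - - [13/Feb/2017:16:51:10 -0800] "GET /api/health HTTP/1.1" 200 20 "-" "curl/7.51" "-"',
  '10.0.5.42 - - [13/Feb/2017:16:52:30 -0800] "GET /admin HTTP/1.1" 403 150 "-" "Mozilla/5.0" "null"',
];

// Parse one line into a record, or return null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    client: m[1], time: m[2], method: m[3], path: m[4],
    status: Number(m[5]), referer: m[6], userAgent: m[7], origin: m[8],
  };
}

// Hostname of a header value, or null when the header is absent ("-"),
// opaque ("null") or not a URL.
function hostOf(value) {
  if (!value || value === '-' || value === 'null') return null;
  try { return new URL(value).hostname; } catch (e) { return null; }
}

function isInternalHost(host) {
  return INTERNAL_SUFFIXES.some((s) => host === s || host.endsWith(s));
}

// A request is suspicious when the browser-supplied Origin or Referer names a
// host outside the allowlist, or when Origin is the opaque value "null".
// A missing Origin (direct navigation, curl) is left alone.
function classify(entry) {
  const external = new Set();
  if (entry.origin === 'null') external.add('null (opaque origin)');
  for (const h of [hostOf(entry.origin), hostOf(entry.referer)]) {
    if (h && !isInternalHost(h)) external.add(h);
  }
  return { suspicious: external.size > 0, externalHosts: [...external] };
}

// Group suspicious requests by (client, external hosts) so one client probing
// several paths from one outside origin shows up as a single finding.
function findProbes(lines) {
  const byKey = new Map();
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;
    const verdict = classify(entry);
    if (!verdict.suspicious) continue;
    const key = `${entry.client} <- ${verdict.externalHosts.join(',')}`;
    if (!byKey.has(key)) {
      byKey.set(key, {
        client: entry.client, externalHosts: verdict.externalHosts,
        paths: new Set(), first: entry.time, last: entry.time,
      });
    }
    const rec = byKey.get(key);
    rec.paths.add(entry.path);
    rec.last = entry.time;
  }
  return [...byKey.values()].map((r) => ({ ...r, paths: [...r.paths].sort() }));
}

console.log(JSON.stringify(findProbes(SAMPLE_LOG), null, 2));
```

Run it with node; it prints the grouped findings for the embedded sample. A plain cross-origin GET is sent by the browser even when CORS later denies the script the response, so the request still reaches the log; that is why the server-side view is useful. The opaque `Origin: null` is flagged as well, since a sandboxed or redirected context sends that rather than a named site.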

Presenters:

  • xntrik
    Christian is an app sec nerd who currently works at , previously at LinkedIn. Originally from Australia, Christian helped start an awesome, Perth-based security consulting firm, Asterisk Information Security. Christian has a deep love/hate relationship with JavaScript, and his involvement with BeEF resulted in him toiling away in the salt-mines as a co-author of the Browser Hacker's Handbook (by Wiley). When not hacking apps, Christian spends his time either ranting about appsec or pining to get behind his drumkit.
