Lazy Authorization Forcer http://www.gnucitizen.org/projects/javascript-authorization-forcer/ This is an idea I am still developing but here you go POC is available and it works. The malicious JavaScript presented here will try to guess URLs that contain credentials. It is sort of Basic Authentication/FTP Authentication bruteforcer. The POC works well in IE6, IE7, Firefox and Opera. I wasn't able to suppress the Basic Authentication dialog when trying to create Basic Authentication Bruteforcer. However, I came up with this lazyForce implementation. A typical attack vector will be as the following: 1. The attacker discovers your internal IP 2. Based on your IP a class C range is enumerated using the Port Scanning or Visited Link Scanning technique. 3. Once a target is discovered a large enough dictionary is used to find valid credentials associated with each IP. In order to make IE work a style sheet that is embeded inside the current document needs to be reused. Read the provided source code for more information. Visited Link Scanner http://www.gnucitizen.org/projects/javascript-visited-link-scanner/ This is a technique that I've learned from Jeremiah Grossman (http://jeremiahgrossman.blogspot.com/) and his presentation on JavaScript malware. Please, keep all the credits for this finding to Jeremiah. http://www.gnucitizen.org/projects/javascript-visited-link-scanner/visitedlinkscanner.js The POC presented here is my improved version of the POC presented in BlackHat. I made it work well in IE6, IE7, Firefox and Opera. IE6 has very nasty disabilities when dealing with dynamically generated style sheets. However, these can be easy sorted out by reusing the current style sheet. If you are interested how it works just read the provided source code. Well, this is it. -- pdp (architect) http://www.gnucitizen.org
