Local network scanner with JavaScript

Some days ago I played around with HTML images and the JavaScript onload and onerror functions. The onload event triggers when the image has loaded, the onerror event triggers if the image cannot be loaded. Furthermore, I noticed the following:

  • If the image exists, the onload event triggers (obviously).
  • If the image does not exist on the remote server, the onerror event triggers (after a very short time).
  • If the server does not exist, the onerror event triggers after a longer period of time.

This behaviour can be used to ‘ping’ hosts on the local network of the user:

  1. Create an image with its src attribute pointing to a local IP address.
  2. Set a timeout for the image (~ 1000ms).
    1. The onerror event fires after a short period of time -> the local host exists (onerror fires because the image is not present).
    2. The onerror event fires after a long period of time -> the timeout gets triggered first -> there is no local host with this IP address.
    3. The onload event fires -> the host exists, and the image is present.

Note that only hosts with an open port 80 can be detected this way. In combination with AJAX I made a short PoC, which provides astonishingly good results. You can run the live demo here.

Besides the fact that a local network scanner with JavaScript is quite interesting, I think that this offers lots of new possibilities for attackers and trackers. It’s possible to exploit local devices, for example routers and IoT gadgetry. It’s also possible to fingerprint the local devices, finding software versions of routers, IP cams, etc. This offers the opportunity for trackers and the advertisement industry to fingerprint users based on their local network. Browsers should restrict the “access” to local devices, and no information should be leaked by timeouts and error events.
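
Seen from the defender's side, the sweep described above leaves a recognisable pattern in request logs: one public page requesting many different private addresses within a short time. The following is an added example, not part of the original post, that flags that pattern; the log record shape, the names `isPrivateHost` and `findSweeps`, and the thresholds are assumptions, and only IPv4 literals are handled.

```javascript
// Added example; log format, names and thresholds are assumptions.
// True for IPv4 literals in loopback, RFC 1918 or link-local ranges.
function isPrivateHost(hostname) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return hostname === 'localhost';
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((o) => o > 255)) return false;
  return a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// requests: [{ page, url, time }] as a proxy or extension might record them.
// Returns one finding per public page origin that requested at least
// minHosts distinct private hosts within windowMs.
function findSweeps(requests, { minHosts = 5, windowMs = 10000 } = {}) {
  const byOrigin = new Map();
  for (const r of requests) {
    const page = new URL(r.page);
    const target = new URL(r.url);
    // An intranet page loading intranet images is normal, so skip it.
    if (isPrivateHost(page.hostname) || !isPrivateHost(target.hostname)) continue;
    if (!byOrigin.has(page.origin)) byOrigin.set(page.origin, []);
    byOrigin.get(page.origin).push({ host: target.hostname, time: r.time });
  }
  const findings = [];
  for (const [origin, hits] of byOrigin) {
    hits.sort((x, y) => x.time - y.time);
    for (let end = 0, start = 0; end < hits.length; end++) {
      while (hits[end].time - hits[start].time > windowMs) start++;
      const hosts = new Set(hits.slice(start, end + 1).map((h) => h.host));
      if (hosts.size >= minHosts) {
        findings.push({ origin, hosts: [...hosts].sort() });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample log: a public page requesting 192.168.1.1-6, plus an intranet page.
const sampleLog = [1, 2, 3, 4, 5, 6].map((n, i) => ({
  page: 'https://example.test/article',
  url: `http://192.168.1.${n}/img.png`,
  time: i * 50,
})).concat([
  { page: 'http://192.168.1.10/admin', url: 'http://192.168.1.1/logo.png', time: 100 },
]);
console.log(findSweeps(sampleLog));
```

The intranet page in the sample is ignored because both ends of the request are private; only the public origin is reported.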
