Traditional attacks on air-gapped networks have looked at vectors such as USB memory sticks (thanks, Stuxnet), audio signals (thanks, BadBIOS) and even cellular frequencies (thanks, GSMem). But it's not entirely uncommon for portable devices (laptops, smartphones) to move from network to network, even connecting to potentially sensitive corporate networks. In fact, every day many corporate devices connect to the local coffee shop Wi-Fi on the way into the office, and this is where things get interesting. Advanced mitigations for these vectors include things like host health checks upon reconnecting to 'secure' networks. But what's the chance that these checks will pick up on JavaScript that may be running in the DOM?
Leveraging a number of existing browser technologies, such as WebRTC, Web Workers and good old-fashioned XMLHttpRequest objects, we have everything we need to plant a JavaScript hook and monitor the local network interface for changes in connectivity. From there, we can start scanning different local subnets for available hosts. Once hosts are identified, we can even determine whether they have any listening ports.
This presentation will discuss existing methods of subnet discovery and scanning, persistence methods, and ways in which dormant JavaScript objects can periodically scan the browser's local network to discover new attack surfaces, even ones that may be air-gapped. (Bloody JavaScript...)