Post Exploitation with PhantomJS

Sunday, June 17, 2012

Rob Fuller


If you have never heard of PhantomJS ( http://phantomjs.org/ ) before, it's a "Full Web Stack with No Browser Required"; basically, it is a GUI-less browser.

One of the magical "example" files that ships with it is called "rasterize.js".

Rasterize.js essentially renders a URL, screenshots it and gives it to you in a number of different formats. Here's its usage:

Usage: rasterize.js URL filename [paperwidth*paperheight|paperformat]
paper (pdf output) examples: "5in*7.5in", "10cm*20cm", "A4", "Letter"

PhantomJS is sweet for sweeping a ton of IPs and suspected HTTP/S sites, then looking through a gallery of them to start figuring out which looks the most interesting... and we are going to do essentially just that, except from a victim machine.

First, download the Win32 static bins for PhantomJS from: http://code.google.com/p/phantomjs/downloads/list

Pull out phantomjs.exe and rasterize.js from the zip, and upload them to your victim.

Make a special directory for your renderings (I use imgs). This also makes it easy for Meterpreter to download them, since Meterpreter supports directories as download targets.

Now make a BAT file with the following in it:

FOR /F "skip=3 delims=\ " %%A IN ('NET VIEW') DO start /b phantomjs.exe examples\rasterize.js http://%%A imgs\%%A.png
FOR /F "skip=3 delims=\ " %%A IN ('NET VIEW') DO start /b phantomjs.exe examples\rasterize.js https://%%A imgs\%%A.png

There are some cool tricks in here. First, we are using 'net view' as our target list. Second, we are using the 'start /b' command to throw everything into the background so we don't have to wait for each run to finish (a crude way to thread actions in BAT files).

And finally, we are checking for both HTTP and HTTPS. What we are not doing, however, is any logging, so if you want to catch errors it's all you; just remember that when trying to redirect output from a command started with 'start' you have to prefix the > with a ^, so it looks like:

start echo blah ^> blah.txt

You are ALMOST ready to rock. There is a slight bug in rasterize.js: if it can't resolve the address or otherwise can't contact the web server (which is going to be the majority of cases for us) it hangs in an open state.

This is bad; we don't want to have a thousand hung phantomjs.exe processes running. Simply make a new line after LINE 20 and add 'phantom.exit();' so it knows to exit if it encounters a failed connection.

That's it, happy hunting from both inside and outside.
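Added here for the defensive side (this is not code from the original post or from PhantomJS): the batch loop above leaves a distinctive trace, one cmd.exe parent spawning phantomjs.exe with rasterize.js against many different hosts within a few seconds. This Python check looks for that fan-out in process-creation records; the record layout and hostnames in SAMPLE_EVENTS are constructed for the example, and the host threshold and time window are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation records (not real logs), shaped like a
# Sysmon Event ID 1 export: (UtcTime, ParentProcessId, ParentImage, CommandLine).
SAMPLE_EVENTS = [
    ("2012-06-17 10:00:01", 4120, r"C:\Windows\System32\cmd.exe",
     r"phantomjs.exe examples\rasterize.js http://FILESRV01 imgs\FILESRV01.png"),
    ("2012-06-17 10:00:01", 4120, r"C:\Windows\System32\cmd.exe",
     r"phantomjs.exe examples\rasterize.js https://FILESRV01 imgs\FILESRV01.png"),
    ("2012-06-17 10:00:02", 4120, r"C:\Windows\System32\cmd.exe",
     r"phantomjs.exe examples\rasterize.js http://PRINT02 imgs\PRINT02.png"),
    ("2012-06-17 10:00:02", 4120, r"C:\Windows\System32\cmd.exe",
     r"phantomjs.exe examples\rasterize.js http://WS-ACCT-07 imgs\WS-ACCT-07.png"),
    ("2012-06-17 10:00:03", 4120, r"C:\Windows\System32\cmd.exe",
     r"phantomjs.exe examples\rasterize.js http://DC01 imgs\DC01.png"),
    ("2012-06-17 10:00:03", 4120, r"C:\Windows\System32\cmd.exe",
     r"phantomjs.exe examples\rasterize.js http://INTRANET imgs\INTRANET.png"),
    # A lone render of one page by a developer: should not be flagged.
    ("2012-06-17 10:05:00", 6001, r"C:\Windows\explorer.exe",
     r"phantomjs.exe rasterize.js http://localhost:8000/report report.pdf"),
]

# phantomjs.exe driving rasterize.js at an http(s) URL; capture the host part.
RASTERIZE_RE = re.compile(r"phantomjs\.exe\s+\S*rasterize\.js\s+https?://([^\s/]+)", re.I)

def find_screenshot_bursts(events, min_hosts=4, window=timedelta(seconds=30)):
    """Return {parent_pid: sorted hosts} for each parent whose rasterize.js
    children hit >= min_hosts distinct hosts inside `window`. http and https
    runs against the same host count once, so the double loop in the batch
    file above does not inflate the count."""
    spawns = defaultdict(list)
    for ts, ppid, _parent_image, cmdline in events:
        m = RASTERIZE_RE.search(cmdline)
        if m:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            spawns[ppid].append((when, m.group(1).upper()))
    hits = {}
    for ppid, runs in spawns.items():
        runs.sort()
        start = 0
        for end in range(len(runs)):  # sliding time window over spawn times
            while runs[end][0] - runs[start][0] > window:
                start += 1
            hosts = {host for _, host in runs[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[ppid] = sorted(hosts)
    return hits
```

On the constructed sample, parent pid 4120 is flagged with five distinct hosts while the single developer render from pid 6001 is not.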

P.S. PhantomJS supports SOCKS and HTTP proxies, so if you use them (Tor) or run into them internally, support is there. A quick mod to your batch file and you're golden:

--proxy=address:port Sets the network proxy (e.g. "--proxy=192.168.1.42:8080")
--proxy-auth=username:password Sets authentication details for the proxy (basic auth)
--proxy-type=[http|socks5] Sets the proxy type, either "http" (default) or "socks5"

Cross-posted from Room 362
