Intranet port forwarding
It has been known for a month or so now that proxy bypass is an effective way of breaking DNS pinning on Java applets.
It's been known since forever that Java applets can interact with scripts on the parent page (same-origin restrictions apply, IIRC).
It's been known for a few years now that it's really easy to do nice async data transfer to a remote server with fancy AJAXy stuff; there's even Comet to keep latencies down on the upstream.
So here's what you can do:
- Write an AJAX service on 'attacker' that lets you forward the data from a connection on a local port to JS on a page in the victim's browser.
- Load an applet in the victim's browser from 'attacker', and change the DNS entry for 'attacker' as soon as the connection to download the applet jar is established. Don't break pinning in the browser.
- Have the applet attempt a connection to 'attacker'; this will now resolve to 'target'.
- On connection, the applet phones home via the browser; since the browser's pinning isn't broken, the AJAX call goes to the original server, which results in the port being opened.
- Voilà! Browser-based intranet port forwarding. This could work for TCP or UDP; the possibilities are endless...
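The whole chain hinges on one thing: a name that first resolved to the attacker's server later resolving to an internal address, while one side of the page still believes the old answer. Two checks that break that step, written here as an added illustration (not code from the original post): a resolver-side rule that refuses to hand back private, loopback or link-local addresses for external names (the policy behind options such as dnsmasq's `--stop-dns-rebind`), and a small pin cache of the kind browsers use, which keeps using the first address seen for a name and reports when a fresh answer disagrees. The blocked ranges, the `corp.example.` internal zone and the sample names and addresses are all constructed for the example.

```python
"""Added example, not part of the original post: defender-side checks against
the DNS-rebinding step described above.

1. rebind_filter(): resolver-side policy that rejects answers mapping an
   external name to a private/loopback/link-local address.
2. PinCache: client-side DNS pinning that sticks to the first answer for a
   name and flags later answers that differ (a rebinding signal worth logging).

All sample data (zones, names, addresses) is constructed for the example.
"""
import ipaddress
import time

# Ranges an external name should never resolve to on this network (assumption:
# names in INTERNAL_ZONES are the only ones allowed to point inside).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed internal zone whose names legitimately resolve to internal hosts.
INTERNAL_ZONES = ("corp.example.",)


def is_internal_name(name):
    """True if `name` is in (or under) one of the configured internal zones."""
    name = name.rstrip(".").lower() + "."
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)


def rebind_filter(name, answer):
    """Return (allowed, reason) for a single A/AAAA answer.

    IPv4-mapped IPv6 answers (::ffff:a.b.c.d) are unwrapped first so a private
    IPv4 address cannot slip past the IPv4 range checks in IPv6 clothing.
    """
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False, "unparseable answer"
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if is_internal_name(name):
        return True, "internal zone"
    for net in BLOCKED_NETS:
        if addr in net:
            return False, f"external name {name} answered with {addr} in {net}"
    return True, "ok"


class PinCache:
    """Pins the first address seen for a name for `ttl` seconds.

    `clock` is injectable so the expiry behaviour can be exercised without
    sleeping; by default it is time.monotonic.
    """

    def __init__(self, ttl=3600, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._pins = {}  # name -> (pinned address, expiry timestamp)

    def resolve(self, name, fresh_answer):
        """Return (address to connect to, fresh answer disagreed with the pin)."""
        now = self.clock()
        key = name.rstrip(".").lower()
        pinned = self._pins.get(key)
        if pinned is not None and pinned[1] > now:
            return pinned[0], pinned[0] != fresh_answer
        # No live pin: adopt the fresh answer and pin it.
        self._pins[key] = (fresh_answer, now + self.ttl)
        return fresh_answer, False


if __name__ == "__main__":
    # Constructed walk-through: an external name first answers with a public
    # address, then is re-pointed at an internal one.
    for host, ip in (("attacker.example", "203.0.113.10"),
                     ("attacker.example", "10.1.2.3"),
                     ("files.corp.example", "10.1.2.3")):
        print(host, ip, rebind_filter(host, ip))
    pins = PinCache(ttl=60)
    print(pins.resolve("attacker.example", "203.0.113.10"))
    print(pins.resolve("attacker.example", "10.1.2.3"))  # pinned address wins, change flagged
```

The two checks cover different trust boundaries: the filter belongs on the recursive resolver the intranet uses, so it protects every client behind it, while the pin cache models what the browser (or any client that caches names itself) must do; the post's point is that the applet's pin and the browser's pin were not the same pin, so a filter at the resolver is the check that does not depend on every client agreeing.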
There's nothing new here but it's interesting to see the combination. Let me know what you think.