[Dshield] IP addresses from little experiment....

Johannes B. Ullrich jullrich at euclidian.com
Thu Mar 3 13:58:06 GMT 2005


Richard Golodner wrote:
> 	I think what people are wondering is how does the NMap scan cull the
> ip address from hosts behind the firewall. For example host address is
> 192.168.1.70 behind Pix 6.3 or something like that. I am wondering anyway.
> 							Richard Golodner
> 

Not sure if I already responded to this...

nmap didn't play a role in getting your "behind the firewall IP".

The IP was extracted using a small Java applet. Essentially, the Java 
applet instructed your system to reload the page and add the local IP 
address to the URL. If you look closely, you may see that first you hit
http://www.amihacked.com/index.html
then the page will reload and the URL will change to
http://www.amihacked.com/index.html?IP=10.10.10.10

I am not sure if this is even considered a bug in Java. I could probably 
extract more about your system using that method. For example, some OS 
details or, as another reader pointed out, information about other 
Java programs running on your system.

However, I should not be able to access any files unless you permit the 
applet to do so. But past Java bugs allowed applets to "break out" of 
the Java virtual machine and bypass these restrictions.
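
A defensive counterpart to the behaviour described in the message above, as an added example that is not part of the original post: a scan of outbound web proxy logs for requests whose query string carries a private address, such as the `?IP=10.10.10.10` reload. The log format, client names and sample lines are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log lines in an assumed "<client> <method> <url>" format.
SAMPLE_LOG = """\
ws-041 GET http://www.amihacked.com/index.html
ws-041 GET http://www.amihacked.com/index.html?IP=10.10.10.10
ws-017 GET http://example.org/search?q=192.168.1.70&lang=en
ws-017 GET http://example.org/geo?addr=8.8.8.8
ws-017 GET http://example.org/item?id=10.5
"""

def private_ip(value):
    """Return the parsed address if value is a private IP literal, else None."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None  # not an IP literal at all (e.g. "10.5", "en")
    return addr if addr.is_private else None

def find_internal_ip_leaks(log_text):
    """Flag outbound requests whose query string carries a private address.

    'reload' is True when the same client fetched the same page without a
    query string earlier, the two-step pattern described in the message.
    """
    seen_plain = set()  # (client, scheme://host/path) fetched with no query
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _method, url = parts
        u = urlsplit(url)
        page = f"{u.scheme}://{u.netloc}{u.path}"
        if not u.query:
            seen_plain.add((client, page))
            continue
        for name, value in parse_qsl(u.query, keep_blank_values=True):
            addr = private_ip(value)
            if addr is not None:
                findings.append({"client": client, "page": page, "param": name,
                                 "ip": str(addr),
                                 "reload": (client, page) in seen_plain})
    return findings

if __name__ == "__main__":
    for f in find_internal_ip_leaks(SAMPLE_LOG):
        print(f)
```

The parameter name is not matched on purpose: any parameter whose value parses as a private address is reported, so a page using a name other than `IP` is still caught.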
