Sonar.js is a framework for identifying and launching exploits against internal network hosts. It works via WebRTC IP enumeration, WebSocket host scanning, and external resource fingerprinting.

sonar.js will use WebRTC to enumerate the internal IP addresses of the user loading the payload.

sonar.js then attempts to find live hosts on the internal network via WebSockets.

If a live host is found, sonar.js begins to attempt to fingerprint the host by linking to it via <img src="x"> and <link rel="stylesheet" type="text/css" href="x"> and hooking the onload event. If the expected resources load successfully it will trigger the pre-set JavaScript callback to start the user-supplied exploit.

It works off of a database of fingerprints. A fingerprint is simply a list of known resources on a device that can be linked to and detected via onload. Examples of this include images, CSS stylesheets, and even external JavaScript.

An example fingerprint database can be seen below:

```javascript
var fingerprints = [
    {
        // Device name reported when every listed resource loads
        'name': "ASUS RT-N66U",
        // Resources that must all load (img / stylesheet onload) for a match
        'resources': ["/images/New_ui/asustitle.png", "/images/loading.gif",
                      "/images/alertImg.png", "/images/New_ui/networkmap/line_one.png",
                      "/images/New_ui/networkmap/lock.png", "/images/New_ui/networkmap/line_two.png",
                      "/index_style.css", "/form_style.css", "/NM_style.css", "/other.css"],
        // Called with the matched host's IP once the fingerprint matches
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
    {
        'name': "Linksys WRT54G",
        'resources': ["/UILinksys.gif", "/UI_10.gif", "/UI_07.gif", "/UI_06.gif",
                      "/UI_03.gif", "/UI_02.gif", "/UI_Cisco.gif", "/style.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
];
```
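The fingerprint database above is just as useful on the defending side: the same resource lists tell a device owner which requests to watch for, and which responses to protect. The following is an added example written for this page, not code from sonar.js or its author. It is plain Node.js with no dependencies and assumes the device (or a reverse proxy in front of it) writes a Combined Log Format access log and can set response headers; the fingerprint list, hosts (192.168.1.1 as the router, 192.168.1.50 as a LAN client) and the foreign page `evil.example` are constructed sample data. Detection flags a client that requests most of one fingerprint's resources within a few seconds while an external page is the referer; mitigation uses Fetch Metadata to refuse cross-site subresource loads and sends `Cross-Origin-Resource-Policy` so that compliant browsers fire `onerror` rather than `onload` for an embedded probe.

```javascript
// Added example, not part of sonar.js: defender-side handling of the
// <img>/<link> onload fingerprinting described above. Plain Node.js, no deps.

// Constructed sample database in the same shape as the fingerprint list above
// (callbacks omitted; only the resource paths matter here).
const fingerprints = [
  { name: 'ASUS RT-N66U',
    resources: ['/images/New_ui/asustitle.png', '/images/loading.gif',
                '/images/alertImg.png', '/index_style.css', '/form_style.css'] },
  { name: 'Linksys WRT54G',
    resources: ['/UILinksys.gif', '/UI_10.gif', '/UI_07.gif', '/UI_06.gif', '/style.css'] },
];

// --- 1. Detection over the device's access log (Combined Log Format) --------

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "14/Aug/2015:10:00:01 +0000" -> epoch milliseconds (UTC)
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return NaN;
  const utc = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMs = (+m[8] * 60 + +m[9]) * 60000;
  return m[7] === '-' ? utc + offsetMs : utc - offsetMs;
}

const CLF_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

function parseLogLine(line) {
  const m = CLF_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: parseClfTime(m[2]), method: m[3],
           path: m[4], status: +m[5], referer: m[6] };
}

// A referer is "external" when it names an origin other than the device's own.
function isExternalReferer(referer, ownOrigins) {
  if (!referer || referer === '-') return false;        // direct navigation, not embedded
  try { return !ownOrigins.has(new URL(referer).origin); }
  catch (e) { return true; }                            // unparseable: treat as foreign
}

// Flag a client that, within windowMs, requested at least minFraction of one
// fingerprint's resources while an external page was the referer.
function detectFingerprintScans(lines, { ownOrigins, windowMs = 10000, minFraction = 0.8 }) {
  const byClient = new Map();
  for (const line of lines) {
    const e = parseLogLine(line);
    if (e && !Number.isNaN(e.time)) {
      if (!byClient.has(e.client)) byClient.set(e.client, []);
      byClient.get(e.client).push(e);
    }
  }
  const alerts = [];
  for (const [client, entries] of byClient) {
    entries.sort((a, b) => a.time - b.time);
    for (const fp of fingerprints) {
      const needed = Math.ceil(fp.resources.length * minFraction);
      for (let i = 0; i < entries.length; i++) {
        const hits = new Set(); let referer = null;
        for (let j = i; j < entries.length && entries[j].time - entries[i].time <= windowMs; j++) {
          const e = entries[j];
          if (fp.resources.includes(e.path) && isExternalReferer(e.referer, ownOrigins)) {
            hits.add(e.path); referer = e.referer;
          }
        }
        if (hits.size >= needed) {
          alerts.push({ client, device: fp.name, matched: hits.size, referer });
          break;                                        // one alert per client/device pair
        }
      }
    }
  }
  return alerts;
}

// --- 2. Mitigation at the device (or a reverse proxy in front of it) --------

// Fetch Metadata: a browser marks <img>/<link> loads triggered from another
// site with Sec-Fetch-Site: cross-site; refuse those for subresource destinations.
function shouldServeSubresource(reqHeaders) {
  const site = (reqHeaders['sec-fetch-site'] || '').toLowerCase();
  const dest = (reqHeaders['sec-fetch-dest'] || '').toLowerCase();
  const subresource = ['image', 'style', 'script', 'font'].includes(dest);
  if (site === 'cross-site' && subresource) return false;   // the probe pattern
  return true;   // same-origin, same-site, direct navigation, or an older client
}

// Cross-Origin-Resource-Policy makes compliant browsers block cross-origin
// no-cors responses, so an embedded probe sees onerror instead of onload.
function defensiveHeaders() {
  return { 'Cross-Origin-Resource-Policy': 'same-origin', 'Vary': 'Sec-Fetch-Site' };
}

// Constructed sample log: 192.168.1.50 has loaded a foreign page (evil.example)
// that probes the router at 192.168.1.1; 192.168.1.20 is a normal admin visit.
const sampleLog = [
  '192.168.1.50 - - [14/Aug/2015:10:00:01 +0000] "GET /images/New_ui/asustitle.png HTTP/1.1" 200 1432 "http://evil.example/" "Mozilla/5.0"',
  '192.168.1.50 - - [14/Aug/2015:10:00:01 +0000] "GET /images/loading.gif HTTP/1.1" 200 921 "http://evil.example/" "Mozilla/5.0"',
  '192.168.1.50 - - [14/Aug/2015:10:00:02 +0000] "GET /images/alertImg.png HTTP/1.1" 200 640 "http://evil.example/" "Mozilla/5.0"',
  '192.168.1.50 - - [14/Aug/2015:10:00:02 +0000] "GET /index_style.css HTTP/1.1" 200 3100 "http://evil.example/" "Mozilla/5.0"',
  '192.168.1.50 - - [14/Aug/2015:10:00:03 +0000] "GET /UILinksys.gif HTTP/1.1" 404 210 "http://evil.example/" "Mozilla/5.0"',
  '192.168.1.20 - - [14/Aug/2015:10:05:00 +0000] "GET /index_style.css HTTP/1.1" 200 3100 "http://192.168.1.1/" "Mozilla/5.0"',
];

console.log(detectFingerprintScans(sampleLog, { ownOrigins: new Set(['http://192.168.1.1']) }));
```

Run against the sample log, the detector reports a single alert for 192.168.1.50 matching four of the five ASUS paths with `http://evil.example/` as referer; the 404 for a Linksys path is part of the same probe burst but does not reach the threshold for that device, and the admin visit from 192.168.1.20 is ignored because its referer is the router's own origin. The status code is deliberately not used in matching, since a probe against the wrong device produces 404s in exactly the same burst pattern. The header check relies on the browser sending Fetch Metadata, which clients without it will bypass, so the `Cross-Origin-Resource-Policy` header is the stronger of the two controls.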

Upon loading the sonar.js payload in a modern web browser the following will happen: