Looking for creative uses for everyday things can be a lot of fun.
Anybody who has learnt to use Nmap proficiently knows about Idle Scans (or Zombie Scans, which is a way cooler name). Leaving aside the technical details of its inner workings, this kind of scan can be very handy in situations where stealth is a must. The problem, of course, is that this ancient scan technique is very well known and very well thwarted on most machines you are going to find out there. But worry not, my friend: Web 2.0 apps come to the rescue.
Lots of services like Reddit, Imgur, Facebook, Digg, Tinypic, Tineye et cetera allow users to submit content by URL. These apps then fetch the resource themselves, usually with an HTTP GET request on the submitted URL, before trying to process its contents. So we basically have public, remote scripts that we can direct to open connections to arbitrary resources of our choice. Interesting.
At first thought one might expect these scripts to filter bogus URLs that do not look like the kind of submissions everybody else is making. But guess what, they don't. Let's then try submitting URLs that point to interesting ports and see how the service responds. The case in hand is Imgur, but any other service of this kind would do.
Apparently, regardless of whether the remote service is a web server or some other daemon, Imgur tries to retrieve the resource. Obviously the operation fails, but we can infer the status of the remote port from how long Imgur takes to respond to our submission, and we can do it particularly well when a firewall is in play. Since filtered ports usually "hang" connection attempts, Imgur responds later when we send a URL pointing at a filtered port. This way we can slowly map which ports the firewall filters and which are open or closed.
Our scan results are similar to those of a classic ACK scan used to map firewall rulesets (kicking the ball past the goalie!). They are not perfect, but considering our target will be completely blind to us after performing it, the trade-off seems reasonable. As always, automation is bliss, so I wrote a little Python script as a proof of concept.
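Seen from the side of a service that fetches user-supplied URLs, the fix is to refuse anything that is not a plain web resource before ever opening a connection. The following is an added example, not the author's proof of concept nor any code from Imgur or the other services named above: a Python validator for a "submit by URL" feature that allows only http/https on ports 80/443 and rejects hostnames that resolve to non-public addresses. The hostnames and the DNS table it uses are constructed so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy for a "submit by URL" feature: web schemes only, web ports only,
# and only hosts that resolve exclusively to public addresses.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

class UnsafeURL(ValueError):
    """Raised when a submitted URL must not be fetched server-side."""

def real_resolver(host):
    """Real DNS lookup: every address (A and AAAA) the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def validate_fetch_url(url, resolver=real_resolver):
    """Return (host, port, addresses) if safe to fetch, else raise UnsafeURL.
    Connect to a returned address, not a re-resolved name (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname or parts.username or parts.password:
        raise UnsafeURL("missing host or embedded credentials")
    try:
        port = parts.port  # raises ValueError on a non-numeric/out-of-range port
    except ValueError as exc:
        raise UnsafeURL("malformed port") from exc
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port {port} not allowed")
    try:
        addresses = {ipaddress.ip_address(a) for a in resolver(parts.hostname)}
    except (socket.gaierror, KeyError) as exc:
        raise UnsafeURL(f"cannot resolve {parts.hostname!r}") from exc
    for addr in addresses:
        if not addr.is_global:  # loopback, RFC 1918, link-local, reserved...
            raise UnsafeURL(f"{parts.hostname} resolves to non-public {addr}")
    return parts.hostname, port, sorted(str(a) for a in addresses)

# Constructed DNS table so the example runs offline; these are not real hosts.
FAKE_DNS = {"img.example.com": ["8.8.8.8"], "intranet.example.com": ["10.1.2.3"],
            "rebind.example.com": ["8.8.8.8", "127.0.0.1"]}
fake_resolver = FAKE_DNS.__getitem__  # unknown host -> KeyError -> UnsafeURL

def verdict(url, resolver=fake_resolver):
    """'ok host:port' or 'rejected: <reason>', for demonstration and tests."""
    try:
        host, port, _ = validate_fetch_url(url, resolver)
        return f"ok {host}:{port}"
    except UnsafeURL as exc:
        return f"rejected: {exc}"
```

The fetch that follows validation should also use one fixed, short connect timeout and return the same error regardless of why the fetch failed, since the post's port mapping depends entirely on the response-time difference between filtered and unfiltered ports.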