Okay, I know we’ve talked about intranet port scanning to death, but I’ve been toying with an idea for around three years now regarding how I might be able to turn off JavaScript and still perform intranet port scanning. Jer had some good ideas around delayed CSS timing (I even got that working at one point). But I still wanted to get the CSS history hack working with forced browsing and see if I could possibly turn that into a crude port scanner. Yeah, I have a few items on my plate, so it took me this long to finally sit down and hack it out. It turns out it was trivial once I got started, because CSS history testing is instant: you don’t have to force a reload of your test page to see if it was successful.
That’s the good news. Here’s the bad news. 1) It only works in Firefox so far in my testing. It didn’t work in IE8 (false negatives), Opera (false positives) or Safari (false negatives). 2) It’s slow. Since it has to wait for all the HTTP requests to fire, it’s pretty unwieldy once you get over a few dozen requests. 3) It’s noisy. If you’re dealing with NTLM, basic or digest auth, not to mention any other popups or sounds or what-have-you, you’re talking about a pretty noisy port scanner. But all that said, it seems to work fairly well. You can check out the demo here.
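Because the scan is noisy from the intranet side, the forced-browsing half of it leaves a distinctive trace: one client, driven by a single external page, hitting many distinct internal host:port targets with that page as the Referer. The following detection logic is an added example, not code from the original post; it assumes a constructed tab-separated proxy-style log (client IP, requested URL, Referer) and a hypothetical `.corp.local` internal DNS suffix.

```python
import csv
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

INTERNAL_SUFFIXES = (".corp.local",)  # assumed internal DNS suffix (hypothetical)


def is_internal(host):
    """True for private/loopback IP literals or hosts under an internal suffix."""
    try:
        return ip_address(host).is_private
    except ValueError:  # not an IP literal, fall back to the DNS suffix check
        return host.endswith(INTERNAL_SUFFIXES)


def target_key(url):
    """Reduce a URL to the (host, port) pair a forced-browsing probe is aimed at."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def find_forced_browsing(lines, min_targets=3):
    """Return {(client, referer_origin): sorted targets} for each external page
    that drove one client to at least `min_targets` distinct internal host:port pairs."""
    seen = defaultdict(set)
    for client, url, referer in csv.reader(lines, delimiter="\t"):
        host, port = target_key(url)
        if host is None or not is_internal(host):
            continue  # only requests into the intranet matter here
        ref = urlsplit(referer)
        if not ref.hostname or is_internal(ref.hostname):
            continue  # same-site navigation, not a cross-origin force
        origin = f"{ref.scheme}://{ref.hostname}"
        seen[(client, origin)].add((host, port))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_targets}


# Constructed sample log (not real traffic): one client swept by an external page,
# plus two benign lines that must not be flagged.
SAMPLE_LOG = ["\t".join(r) for r in [
    ("10.0.0.5", "http://10.0.0.1/",            "http://external.example/scan.html"),
    ("10.0.0.5", "http://10.0.0.1:8080/",       "http://external.example/scan.html"),
    ("10.0.0.5", "http://10.0.0.2:22/",         "http://external.example/scan.html"),
    ("10.0.0.5", "http://wiki.corp.local/",     "http://external.example/scan.html"),
    ("10.0.0.5", "http://wiki.corp.local/page", "http://wiki.corp.local/"),
    ("10.0.0.9", "http://wiki.corp.local/",     "http://news.example/"),
]]

if __name__ == "__main__":
    for (client, origin), targets in find_forced_browsing(SAMPLE_LOG).items():
        print(f"{client} forced by {origin}: {targets}")
```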