A question about obtaining user browser information

[Track404]

I was wondering out of curiosity if it was possible to obtain user browser information
by an IP address alone. I've tried to google for websites that offer a whois/browser info. option without success. I'm thinking if indeed a user is surfing the Internet looking at what ever it is there looking at then there is evidence of their activity.

If it is possible to know that a user is correctly browsing the Internet, then I'm thinking it must be possible to get this information passed some how through without their knowledge. It is well known that visiting certain sites record this information, some others allow the user to examine this information for themselves.

I really don't know much about how the Internet works behind the scenes but I assume that a port would have to open momentarily to allow the information to pass through each time a user browses to a new page.

Which is why I thought that maybe someway this browser information stealing idea is possible in perhaps other ways. I would appreciate anyones feedback whether this is possible or not.

Thank you

[streaker69]

Quote:

Originally Posted by Track404

I really don't know much about how the Internet works behind the scenes but I assume that a port would have to open momentarily to allow the information to pass through each time a user browses to a new page.

Thank you

I think you should study up on how the intertubes work before you venture onto anything more complicated like MiTM.

[lupin]

I can think of three different methods by which user browser information can be obtained:

• By the User-Agent HTTP header that is included, by default, by the browser in every web page request it makes. This can be recorded in the web server logs or accessed by server side scripting languages.
• By client side scripting commands (e.g. Javascripts navigator.userAgent and navigator.appVersion), which can then be accessed by the web server via GET or POST requests.
• By directly accessing files or configuration databases on the client system which include browser details (e.g. the Windows registry). Getting at this type of information requires file reading or code execution privilges on the target system - this should generally not be possible using a HTTP connection unless a software exploit is used.

It may also be possible to fingerprint a browser by analysis of its communication methods even if the User-Agent strig is missing or modified, by looking at header order and any peculiarities in the way that it responds to certain stimulus. I know that certain web servers even modify TCP segments that they use for communication - Im not sure if clients do this as well. Keep in mind that this point is just an untested theory of mine.

So how do you get at this browser information? You could sniff a HTTP session, hack a client or access a webserver to obtain the browser details of clients that have connected to that web server (by checking the http access logs for example).

EDIT: Also gave thread a better title than "A general question"

[Track404]

Thank you both for your quick responses and input:

Streaker69: Your right I really should learn how each connection to the Internet
starts at it's beginning. But you know how curiosity blinds you. So now I'm more eager to
learn how to perform a MiTM attack from one state to another than to start from the
beginning of how the Internet works.

Lupin: I was under the impression that it was possible to do a where is command sort of
which will return forums.remote-exploit.org in my case. To add to that a script to ask the
user's computer to freely give this information out as it does when visiting a site, if
setup in it's default state.

So basically you would have to have a user visit your site, or use other methods to gain this
information from other sites, if the user has not been compromised. Thankyou for clearing
that up for me.

Thank you both for your time.

[lupin]

Quote:

Originally Posted by Track404

Lupin: I was under the impression that it was possible to do a where is command sort of which will return forums.remote-exploit.org in my case. To add to that a script to ask the
user's computer to freely give this information out as it does when visiting a site, if setup in it's default state.

You could do something like a netstat command to show an active connection to forums.remote-exploit.org if you are in the process of making a request to the site (unless the request was being proxied in which case the connection would go to the proxy). Something like Ettercap would also show the connection. You could then sniff that connection to get the User-Agent string when its passed over the wire or you could perform a MiTM attack on that connection and insert an appropriate script into a HTTP response to the client so it runs that script.

Quote:

Originally Posted by Track404

So basically you would have to have a user visit your site, or use other methods to gain this information from other sites, if the user has not been compromised. Thankyou for clearing that up for me.

Or you could sniff or MiTM attack an appropriate connection between a user and a server to get the information that way, as mentioned above.

[Track404]

Thank you once Lupin for your responses:

Just to clarify to everyone, I'm not looking to do any mischief essentially this is purely for educational purposes. As it does apply to everyone that is connected in some way to the internet.

So taking everything into account it is possible than to perform a trace-route on a victims IP address and some how get between them and there Internet provider or a popular website they might be visiting and perform a MiTM attack from 1000's of miles away rather than to be within wireless range.

I find this topic very interesting because unlike BeEF's (browser exploitation framework) where you lure a user to
your evil.domain: Here a slew of users might be vulnerable to this type of attack.

Since Metasploit has demonstrated it's power to exploit some of these very additions that users have installed which basically admits it when ever asked, provided the user has not blocked it. I would think twice before allowing this information to be collected.

Who ever coined the phrase "The Internet is evil" is absolutely right. Most people think that as long as you don't click that link or visit that site everything will be alright. It wouldn't be long until viruses come looking for you.

[hhmatt81]

Quote:

Originally Posted by Track404

It wouldn't be long until viruses come looking for you.

This is nothing new. There have been many viruses that probe and spread across networks using well-known exploits.

[lupin]

Quote:

Originally Posted by Track404

So taking everything into account it is possible than to perform a trace-route on a victims IP address and some how get between them and there Internet provider or a popular website they might be visiting and perform a MiTM attack from 1000's of miles away rather than to be within wireless range.

OK I missed this the last time I read your post. No, what you mentioned (quoted above) is not possible. To perform a man in the middle attack you actually need to be "in the middle" - so the traffic going between the two parties has to actually go past/through a system that you have control over. So you need to either control one of these systems already, or you need to redirect the traffic via some sort of routing attack so that it does go through a system you control.

Routing attacks are an advanced subject, so I'd suggest that if you actually want to try a MiTM attack, that you have a presence between the two hosts (and of course you need to have permission, which goes without saying.)

[Track404]

Thank you Lupin for clearing things up for me. I can assure you that I have no malicious intent. It was more out of curiosity for my own sake that I brought this topic up. If I were to ever perform a MiTM attack outside of my own network I would by all means get approval before anything.

Hhmatt81: I really didn't think that it was possible for a virus to find and attack a flaw on a users computer that was just idling on Google. Without having been compromised to begin with.

[lupin]

Quote:

Originally Posted by Track404

I really didn't think that it was possible for a virus to find and attack a flaw on a users computer that was just idling on Google. Without having been compromised to begin with.

Yes its possible. Read up on Worms.

And of course there are always drive by downloads, where legitimate sites get compromised to spread malware. I haven't heard of Google getting caught by this yet, but I have personally seen the website of a major Australian bank as well as the website of a major Australian magazine spreading malware to visitors. The bank caught and resolved the issue very quickly (between the time a users PC got infected and I investigated 30 minutes later), I only know the banks website was the source because a cached copy of the page was left in the browser cache, with malicious inserted javascript included.