I was wondering out of curiosity if it was possible to obtain user browser information by an IP address alone. I've tried to google for websites that offer a whois/browser info. option without success. I'm thinking if indeed a user is surfing the Internet looking at whatever it is they're looking at then there is evidence of their activity.
If it is possible to know that a user is correctly browsing the Internet, then I'm thinking it must be possible to get this information passed somehow through without their knowledge. It is well known that visiting certain sites record this information, some others allow the user to examine this information for themselves.
I really don't know much about how the Internet works behind the scenes but I assume that a port would have to open momentarily to allow the information to pass through each time a user browses to a new page.
Which is why I thought that maybe some way this browser information stealing idea is possible in perhaps other ways. I would appreciate anyone's feedback whether this is possible or not.
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
I can think of three different methods by which user browser information can be obtained:
- By the User-Agent HTTP header that is included, by default, by the browser in every web page request it makes. This can be recorded in the web server logs or accessed by server side scripting languages.
- By directly accessing files or configuration databases on the client system which include browser details (e.g. the Windows registry). Getting at this type of information requires file reading or code execution privileges on the target system - this should generally not be possible using a HTTP connection unless a software exploit is used.
It may also be possible to fingerprint a browser by analysis of its communication methods even if the User-Agent string is missing or modified, by looking at header order and any peculiarities in the way that it responds to certain stimulus. I know that certain web servers even modify TCP segments that they use for communication - I'm not sure if clients do this as well. Keep in mind that this point is just an untested theory of mine.
So how do you get at this browser information? You could sniff a HTTP session, hack a client or access a webserver to obtain the browser details of clients that have connected to that web server (by checking the http access logs for example).
EDIT: Also gave thread a better title than "A general question"
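Added example, not part of the original post: what the server side of the first method looks like, reading the User-Agent out of access logs in the Apache/nginx "combined" format. The log lines, IP addresses and the `agents_by_ip` helper are constructed for illustration; note that one IP can map to several browsers (e.g. behind NAT), which is why an address alone does not identify a browser.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: the last two quoted fields are the
# Referer and User-Agent headers exactly as the client sent them.
# Quoted fields may contain backslash-escaped quotes, so allow \" inside.
QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"$'
)

# Constructed sample lines (documentation IP ranges, made-up requests).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2010:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
192.0.2.10 - - [12/Mar/2010:10:01:09 +0000] "GET /forum HTTP/1.1" 200 9912 "http://example.test/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.7 - - [12/Mar/2010:10:02:30 +0000] "GET /robots.txt HTTP/1.0" 200 68 "-" "-"
this line is not in combined format
"""

def agents_by_ip(log_text):
    """Return ({ip: set of User-Agent strings}, number of unparsed lines)."""
    seen = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        m = COMBINED.match(line.strip())
        if not m:
            skipped += 1  # malformed line or a different log format
            continue
        agent = m.group("agent")
        # "-" is what the server writes when the header was absent.
        seen[m.group("ip")].add(agent if agent != "-" else "<no User-Agent sent>")
    return dict(seen), skipped

if __name__ == "__main__":
    report, skipped = agents_by_ip(SAMPLE_LOG)
    for ip, agents in sorted(report.items()):
        print(ip)
        for a in sorted(agents):
            print("   ", a)
    print("unparsed lines:", skipped)
```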
Thank you both for your quick responses and input:
Streaker69: You're right, I really should learn how each connection to the Internet starts at its beginning. But you know how curiosity blinds you. So now I'm more eager to learn how to perform a MiTM attack from one state to another than to start from the beginning of how the Internet works.
Lupin: I was under the impression that it was possible to do a where is command sort of which will return forums.remote-exploit.org in my case. To add to that a script to ask the user's computer to freely give this information out as it does when visiting a site, if set up in its default state.
So basically you would have to have a user visit your site, or use other methods to gain this information from other sites, if the user has not been compromised. Thank you for clearing that up for me.
Thank you both for your time.
Thank you once Lupin for your responses:
Just to clarify to everyone, I'm not looking to do any mischief; essentially this is purely for educational purposes. As it does apply to everyone that is connected in some way to the internet.
So taking everything into account it is possible then to perform a trace-route on a victim's IP address and somehow get between them and their Internet provider or a popular website they might be visiting and perform a MiTM attack from 1000's of miles away rather than to be within wireless range.
I find this topic very interesting because unlike BeEF's (browser exploitation framework) where you lure a user to your evil.domain: Here a slew of users might be vulnerable to this type of attack.
Since Metasploit has demonstrated its power to exploit some of these very additions that users have installed which basically admits it whenever asked, provided the user has not blocked it. I would think twice before allowing this information to be collected.
Whoever coined the phrase "The Internet is evil" is absolutely right. Most people think that as long as you don't click that link or visit that site everything will be alright. It wouldn't be long until viruses come looking for you.
Routing attacks are an advanced subject, so I'd suggest that if you actually want to try a MiTM attack, that you have a presence between the two hosts (and of course you need to have permission, which goes without saying.)
Thank you Lupin for clearing things up for me. I can assure you that I have no malicious intent. It was more out of curiosity for my own sake that I brought this topic up. If I were to ever perform a MiTM attack outside of my own network I would by all means get approval before anything.
Hhmatt81: I really didn't think that it was possible for a virus to find and attack a flaw on a user's computer that was just idling on Google. Without having been compromised to begin with.