Jikto Leaked
Update: Just to be clear this was not intentionally leaked. The source was in fact stolen by one of the audience participants. See the comments for details.
Well, I’m back! No, all that mess yesterday was not for real - I did not get an offer from Google, and I did not sell my site to a 13 year old girl. It might come as a surprise to some of you, but I do like to have fun once in a while. Anyway, back to the webappsec stuff. This weekend the source of Jikto was officially leaked. How long did that take? Anyone time it? So much for this statement: “Although I will not be releasing the source code of Jikto…” There are a few things to note, although I haven’t gotten through all of it.
Firstly, it is only made up of a test HTML page, a single .JS file and a command and control file. Secondly, by the time I had received it, it had already been modified at least a few times, perhaps to test it, but nevertheless it is no longer the original code. Here are a few snippets from the modified version (cleaned up for readability, if you can believe that):
var GUIURL = rot13("uggc://jjj.cragrfg.vg/wvxgb/pbageby.gkg"); //http://www.pentest.it/jikto/control.txt //http://localhost/JiktoControl/Collect.aspx?type= // uggc://ybpnyubfg/WvxgbPbageby/Pbyyrpg.nfck?glcr=
And…
//var startUrlString = rot13("uggc://mreb.jronccfrphevgl.pbz/");
var startUrlString = rot13("uggc://oynpxung-sbehzf.pbz/cucOO2/vaqrk.cuc"); //http://blackhat-forums.com/phpBB2/index.php uggc://oynpxung-sbehzf.pbz/cucOO2/vaqrk.cuc
If you don’t know what rot13 is, it’s just a really simple shifting cipher that rotates each letter 13 places in the alphabet. Anyway, I’m not quite sure why the system uses rot13 at all, since it doesn’t actually stop anyone who can read even basic JavaScript from knowing what URLs it uses, and it just slows down the transmission of the code. But anyway, I am nowhere near done combing through the code. The point being, it’s on the loose. Oops!
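As an added illustration (not code from the Jikto source or from SPI), here is rot13 applied to the URL quoted above, alongside a constructed stand-in for the literal-URL rewriting that anonymizing proxy sites perform (the reason given for the rot13 in the comments below) and a reviewer-side check that decodes string literals so an obfuscated endpoint still shows up. The proxy prefix and the sample script fragment are assumptions constructed for this example.

```javascript
// rot13: rotate each ASCII letter 13 places; digits, punctuation and '/' are untouched,
// so a URL's structure survives while the literal "http://" disappears.
function rot13(s) {
  return s.replace(/[A-Za-z]/g, function (c) {
    var base = c <= "Z" ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Constructed model of a proxy site that rewrites every literal http(s):// URL it
// finds in page content into a "proxified" URL. The prefix is an assumption.
var PROXY_PREFIX = "http://the-proxy-site.com/fetch/";
function proxyRewrite(pageText) {
  return pageText.replace(/https?:\/\/[^\s"']+/g, function (url) {
    return PROXY_PREFIX + url;
  });
}

// Reviewer-side check: decode every quoted string literal with rot13 and flag any
// that turn into a URL, so obfuscated endpoints are visible during script review.
function findRot13Urls(scriptText) {
  var hits = [];
  var lit = /["']([^"']+)["']/g;
  var m;
  while ((m = lit.exec(scriptText)) !== null) {
    var decoded = rot13(m[1]);
    if (/^https?:\/\//.test(decoded)) hits.push(decoded);
  }
  return hits;
}

// Constructed script fragment modelled on the snippet quoted in the post: one
// rot13-encoded URL and one plain URL for comparison.
var SAMPLE = 'var GUIURL = rot13("uggc://jjj.cragrfg.vg/wvxgb/pbageby.gkg");\n' +
             'var plain = "http://www.pentest.it/jikto/control.txt";';
```

Running proxyRewrite over SAMPLE rewrites only the plain URL and leaves the rot13 one intact, which is exactly the behaviour the encoding relies on; findRot13Urls recovers the hidden endpoint anyway.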
April 2nd, 2007 at 9:48 am
Actually, SPI didn’t leak the code. In fact, I took great steps to keep it a secret. But don’t take my word for it because the person who snatched a copy during my Shmoocon presentation even tells how he did it!
More details here:
http://portal.spidynamics.com/blogs/spilabs/archive/2007/04/02/Jikto-in-the-wild.aspx
April 2nd, 2007 at 9:53 am
[…] Ha.ckers.org: This weekend the source of Jikto was officially leaked. How long did that take? Anyone time it? So […]
April 2nd, 2007 at 9:58 am
I’m confused, how is putting it on the public internet and visiting that URL at a hacker conference while showing each request you are making going to “great steps to keep it a secret”?
No offense, Billy, but you have to know how silly that sounds. I’m glad to hear it wasn’t on purpose, though.
What was the rot13 for, btw?
April 2nd, 2007 at 10:11 am
Well, I did everything I could do to protect it while still performing a demo.
I’m writing a whitepaper about Jikto now. rot13 is there because some proxy sites like the-cloak search for literal URLs and replace them with “http://the-proxy-site.com/fetch/[LITERAL URL HERE]”. I had to rot13 stuff so the proxy didn’t replace the URL of the site to scan or the URL of the GUI with a “proxified” URL.
April 2nd, 2007 at 10:14 am
Gotcha, that makes more sense. I knew there had to be a better reason than just obfuscation for human eyes.
April 2nd, 2007 at 12:49 pm
[…] RSnake’s comment, I believe Billy did actually go to great lengths to protect the code, and still perform his […]
April 2nd, 2007 at 1:55 pm
Billy,
You can just as easily prefix every URL with javascript: and un-prefix when you gather all the links.
That eliminates a few lines from your code.
April 2nd, 2007 at 2:29 pm
I would like to play with it, but have been unable to find a working link, anyone mind posting it?
April 2nd, 2007 at 8:04 pm
Hey bubbles -> http://busin3ss.name/jikto-in-the-wild
April 2nd, 2007 at 9:30 pm
I think that Billy should release it now, since it’s quite easy to *find* or ask for it…
April 4th, 2007 at 6:42 am
what da shine does that Jikto do? Can’t figure out. Is that just sending simple AJAX requests on the background when someone visits your website?
April 4th, 2007 at 7:31 am
Somewhat, and that in turn allows you to control a victim’s actions, allowing you to use their machine as a proxy on your behalf. It also has some pre-built recon stuff in it like intranet port scanning.
April 8th, 2007 at 12:36 am
I was in the audience at Shmoocon, and I’d like to clarify Billy’s comments.
As much as he’d like to claim that the source was “stolen”, he is wrong.
Billy’s presentation was very much nudge-nudge, wink-wink. At one point, he even said out loud (something to the effect of) “whoops, there is the URL for the source code. I guess I’ll have to remove that as soon as the presentation is over.”
The URL for the Jikto source repeatedly came up on the screen during his presentation. There was really no effort made to hide it (i.e. hide the navigation bar in Firefox, etc.).
I respect Billy for putting it online - but to put a URL on screen in big letters during a hacker con, repeatedly pausing while audience members pull out their laptops and type in the URL so that they can ‘wget’ the source code, and then later claiming that the code was stolen - it’s just not true.
April 8th, 2007 at 10:37 am
Whoah… that’s a first! That’s not good at all. Especially since he and everyone else who was involved was aware of the risks involved in releasing that.
April 9th, 2007 at 10:15 am
Yah, it kinda looks like that (minutes 44-49)
http://www.shmoocon.org/2007/videos/JavaScript%20Malware%20for%20a%20Grey%20Goo%20Tomorrow%20-%20Billy%20Hoffman.mp4
Doesn’t look that good. I won’t make assumptions about motives, but you’re right, it does look an awful lot like it was intentional.
April 9th, 2007 at 4:01 pm
OK.. I think it’s a good thing it leaked.. you have to understand that not everybody understands XSS fully and would learn more by testing it themselves. I got the source for Jikto.. but I don’t know what all the hype is about as there isn’t much in it.. well it might be that I don’t really understand the structure of it.. I heard what was released was not the complete thing, that there is a server side component… is this true RSnake? But I don’t know why all the hype about this tool as there are others before it like BeEF and BackFrame (cp), XSS Shell.. well I want to know if the jikto.zip is the complete thing and can be used. Pardon me if I sound offhand. Thanks.. Great site RSnake, keep it up.
April 10th, 2007 at 10:00 am
It is true that there is a server side component. It’s based heavily on Jeremiah Grossman’s server side solution for his intranet scanning. Although they didn’t give him much credit, I believe it’s almost entirely the same.
March 27th, 2009 at 2:37 am
Here are some mirrors of the file:
http://qooy.com/files/0Q7YMUOM/jitko.zip
http://www.rapidspread.com/file.jsp?id=vooj0tkrdi
http://www.uploadjockey.com/download/l7m0tv50/jitko.zip