Post Exploitation with PhantomJS


If you have never heard of PhantomJS ( ) before, it’s a “Full Web Stack with No Browser Required”, basically it a GUI-less browser. One of the magical “example” files that it has is called “rasterize.js”

Rasterize.JS essentially renders a URL, screen shots it and give it to you in a number of different formats, here’s it’s usage:

Usage: rasterize.js URL filename [paperwidth*paperheight|paperformat]
 paper (pdf output) examples: "5in*7.5in", "10cm*20cm", "A4", "Letter"

PhantomJS is sweet for sweeping a ton of IPs and suspected HTTP/S sites, and look through a gallery of them to start figuring out which looks the most interesting… and we are going to essentially just that, except from a Victim machine.

First, download the Win32 static bins for PhantomJS from:

Pull out phantomJS.exe and rasterize.js from the zip, and upload it to your victim.

Make a special directory for your renderings (I use imgs), this also makes it easy for meterpreter to download it since meterpreter supports directories and download targets.

Now make a BAT file with the following in it:

FOR /F "skip=3 delims= " %%A IN ('NET VIEW') DO start /b phantomjs.exe examplesrasterize.js http://%%A imgshttp_%%A.png
FOR /F "skip=3 delims= " %%A IN ('NET VIEW') DO start /b phantomjs.exe --ignore-ssl-errors=yes examplesrasterize.js https://%%A imgshttps_%%A.png

There are some cool tricks in here. First we are using ’net view’ as our target list, we are using the ‘start /b’ command to throw everything into the background to run so we don’t have to wait for each to finish (a crude way to thread actions in BAT files). And finally we are checking for both HTTP and HTTPS. We we are not doing however is doing any logging, so if you want to catch errors it’s all you, just remember that when trying to pipe output from a command started with ‘start’ you have to prefix the > with a ^ so it looks like:

start echo blah ^> blah.txt

You are ALMOST ready to rock. There is a slight bug in Rasterize.js, if it can’t resolve the address or otherwise can’t contact the web server (which is going to be the majority of the case for us) it hangs in an open state. This is bad, we don’t want to have a thousand phantomjs.exe processes running hanged. Simply make a new line after LINE 20, and add ‘phantom.exit();’ so it knows to exit if it encounters a failed connection.

Thats it, happy hunting from both inside and outside.

P.S. PhantomJS supports SOCKS and HTTP proxies, so if you use them (Tor) or run into them internally, support is there. A quick mod to your batch file and you’re golden:

--proxy=address:port Sets the network proxy (e.g. "--proxy=")  
--proxy-auth=username:password Sets authentication details for the proxy (basic auth)  
--proxy-type=[http|socks5] Sets the proxy type, either "http" (default) or "socks5"