TeamSpeak 3 AJAX XMLHttpRequest

[Asphyxia]

I came across a neat PoC (Proof-of-Concept) for a TCP/AJAX connection script. This creates a button and allows stopping/starting a server assuming the server id is 1.

Here is a demonstration video:

If anyone finds anything cool with this, please reply here. This works best in FireFox from my testing.

 

[rofl cake]

Interesting work, I'm liking the PoC (Proof-of-Concept).

 

[EscuderoKevin]

I came across a neat PoC (Proof-of-Concept) for a TCP/AJAX connection script. This creates a button and allows stopping/starting a server assuming the server id is 1.

Here is a demonstration video:

If anyone finds anything cool with this, please reply here. This works best in FireFox from my testing.

Amazing ♥

 

[Asphyxia]

As I mentioned on the YouTube comments, one would not just do this because the credentials are right there of course. You would want to apply a JavaScript encryption library for the auth information and use a master password to auth.

 

[MyNamee]

Hello,
Super tutorial, but the security is unfortunately not at the rendezvous since the password serveradmin is written in raw.

Do you have a way for this?

Regards,

 

[bobddk]

Hello,
Super tutorial, but the security is unfortunately not at the rendezvous since the password serveradmin is written in raw.

Do you have a way for this?

Regards,

literally read above your post

 

[SimoleS]

If you want Portect your serveradmin password use www.javascriptobfuscator.com

 

[Derp]

If you want Portect your serveradmin password use www.javascriptobfuscator.com

Just....don't x)

 

[Jackbox]

Obfuscation is inappropriate in this case, we do not want to obfuscate or obscure the password, but rather secure the password with modern cryptography and a master password or encryption key.

I would link directly to a JavaScript cryptography library, but there are multiple ones and I believe people should research them and if they'd like, post results in response to this thread:

https://www.google.com/search?q=best javascript cryptography library&rct=j&safe=active&ssui=on

 

[ehthe]

Why would you want to protect the password when it is then sent in clear on the wire (HTTP prot)

 

[Jackbox]

Why would you want to protect the password when it is then sent in clear on the wire (HTTP prot)

That is a great question really. My best guess is that so someone couldn't just read the info right from the hard drive if you were storing it that way. Beyond that, the server query should use SSL/TLS in my opinion.

 

[Asphyxia]

Is anyone interested in starting up a Github repository for this PoC? I think over a period of time, together everyone could build upon this and turn it into somewhat of an administration utility that uses AJAX. The goal is to not use PHP, because this is something that could be downloaded to the client machine and used locally, without requiring a web server. This is portable, simple, and useful. If we could figure out a way to secure this, that would be awesome.

This will work on Android and iOS devices, I do believe. With further research, this could be a really powerful and lightweight tool for managing TS3 servers.

 

[Denis_Minin]

Nice work, but you can create script which will send command to cmd and its easy

 

[Asphyxia]

Nice work, but you can create script which will send command to cmd and its easy

I did not want to create this in cmd, because distributing that looks like this:
1. User loads page.
2. User downloads .bat file (assuming Windows Command Prompt)
3. User must now right click file, edit.
4. User must save edits.
5. User must execute the batch.
I mean.. you could generate the files for the user, but in my opinion using AJAX is much cooler.
I suppose you could make the batch inquire for the user's server/credential info too. It should be noted though, if you just make a batch file or bash script, you must worry about platform. Then you have to assume Telnet is enabled which is rarely the case by default in Windows anymore. You may have to instruct the user to launch the script as an admin, etc. It's just hell. AJAX simply works for all browsers, all platforms.. because it uses the browser. The browser worries about being compatible, instead of us using system scripts.

With AJAX:
1. User navigates to link.
2. Enters credentials.
3. It works

 

[Asphyxia]

After doing further research I have come up with a few helpful links:

http://stackoverflow.com/questions/12407778/connecting-to-tcp-socket-from-browser-using-javascript
and
https://www.w3.org/TR/raw-sockets/

So, right now.. to lay out some options there is XHR (XMLHttpRequest) which is essentially what is demonstrated in the video. There is also Websockets ( https://www.html5rocks.com/en/tutorials/websockets/basics/ ) which I did not try. For us to accomplish what I am trying, browsers need more support for TCP connections. What is most cool about the idea of browsers having better protocol support is one could potentially launch a bot connection to a TeamSpeak 3 server, then use something like WebRTC ( https://webrtc.github.io/samples/src/content/getusermedia/audio/ ) to access TeamSpeak 3 servers via the web. That is quite further into the future though. Support for Mumble would likely be much easier since both the client and server are open-source.

It is worth mentioning there are security controls in place which make things slightly challenging to setup. An example is with XHR, there is a cross-domain policy which disables you from just grabbing the response because this could potentially allow someone to grab information from a client and pass it on to a server. I am going to continue researching the technologies behind the possibilites of this, but as of right now it just looks like we can push the commands to the server query via AJAX which is fine and allows for useful admin commands being easily passed by simply clicking a button. Getting the responses from the commands would be very useful, but seems like a challenge.

If anyone is researching this, feel free to report your findings back to this thread.