The attack requires a victim on the target network to simply follow a link, or be shown an HTML ad containing a malicious iframe. From there, the victim's web browser is used like a proxy to directly access other hosts connected to their home network. These target machines and services would otherwise be unavailable to the attacker from the Internet. The remote attacker may not know what these services are, or what IP addresses they occupy on the victim's network, but DNS Rebind Toolkit handles this by brute forcing hundreds of likely IP addresses.
payloads/ directory. These payloads include information exfiltration (and rickroll tom-foolery) attacks against a few popular IoT devices, including Google Home and Roku products.
This toolkit is the product of independent security research into DNS Rebinding attacks. You can read about that original research here.
```bash
# clone the repo
git clone https://github.com/brannondorsey/dns-rebind-toolkit.git
cd dns-rebind-toolkit

# install dependencies
npm install

# run the server using root to provide access to privileged port 80
# this script serves files from the www/, /examples, /share, and /payloads directories
sudo node server
```
server.js serves payloads targeting Google Home, Roku, Sonos speakers, Phillips Hue light bulbs and Radio Thermostat devices running their services on ports 8008, 8060, 1400, 80 and 80 respectively. If you've got one of these devices on your home network, navigate to http://rebind.network for a nice surprise ;). Open the developer's console and watch as these services are harmlessly exploited, causing data to be stolen from them and exfiltrated to
API and Usage
- DNSRebindAttack: This object is used to launch an attack against a vulnerable service running on a known port. It spawns one payload for each IP address you choose to target. DNSRebindAttack objects are used to create, manage, and communicate with multiple DNSRebindNode objects. Each payload launched by DNSRebindAttack should contain a
- DNSRebindNode: This static class object should be included in each HTML payload file. It is used to target one service running on one host. It can communicate with the DNSRebindAttack object that spawned it, and it has helper functions to execute the DNS rebinding attack (using DNSRebindNode.rebind(...)) as well as to exfiltrate data discovered during the attack to
These two scripts are used together to execute an attack against unknown hosts on a firewall-protected LAN. A basic attack looks like this:
- Attacker sends victim a link to a malicious HTML page that launches the attack: e.g.
launcher.html contains an instance of
- The victim follows the attacker's link, or visits a page where http://example.com/launcher.html is embedded as an iframe. This causes the
launcher.html to begin the attack.
- DNSRebindAttack uses a WebRTC leak to discover the local IP address of the victim machine (e.g. 192.168.10.84). The attacker uses this information to choose a range of IP addresses to target on the victim's LAN (e.g.
- launcher.html launches the DNS rebinding attack (using DNSRebindAttack.attack(...)) against a range of IP addresses on the victim's subnet, targeting a single service (e.g. the undocumented Google Home REST API accessible on port
- At an interval defined by the user (200 milliseconds by default), DNSRebindAttack embeds one iframe containing
launcher.html page. Each iframe contains one DNSRebindNode object that executes an attack against port 8008 of a single host defined in the range of IP addresses being attacked. This injection process continues until an iframe has been injected for each IP address that's being targeted by the attack.
- Each injected payload.html file uses DNSRebindNode to attempt a rebind attack by communicating with a whonow DNS server. If it succeeds, same-origin policy is violated and payload.html can communicate with the Google Home product directly. Usually payload.html will be written in such a way that it makes a few API calls to the target device and exfiltrates the results to example.com before ending the attack and destroying itself.
Note, if a user has one Google Home device on their network with an unknown IP address and an attack is launched against the entire 192.168.1.0/24 subnet, then one DNSRebindNode's rebind attack will be successful and 254 will fail.
An attack consists of three coordinated scripts and files:
- An HTML file containing an instance of
- An HTML file containing the attack payload (e.g. payload.html). This file is embedded into
DNSRebindAttack for each IP address being targeted.
- A DNS Rebinding Toolkit server (server.js) to deliver the above files and exfiltrate data if need be.
Here is an example HTML launcher file. You can find the complete document in
Here is an example HTML payload file. You can find the complete document in
This script is used to deliver the
payload.html files, as well as receive and save exfiltrated data from the DNSRebindNode to the data/ folder. For development, I usually run this server on localhost and point DNSRebindAttack.attack(...) towards 127.0.0.1. For production, I run the server on a VPS cloud server and point DNSRebindAttack.attack(...) to its public IP address.
```bash
# run with admin privileges so that it can open port 80.
sudo node server
```

```
usage: server [-h] [-v] [-p PORT]

DNS Rebind Toolkit server

Optional arguments:
  -h, --help            Show this help message and exit.
  -v, --version         Show program's version number and exit.
  -p PORT, --port PORT  Which ports to bind the servers on. May include
                        multiple like: --port 80 --port 1337
                        (default: -p 80 -p 8008 -p 8060 -p 1337)
```
I've included an example vulnerable server in examples/vulnerable-server.js. This vulnerable service MUST be run from another machine on your network, as its port MUST match the same port as server.js. To run this example attack yourself, do the following:
```bash
# clone the repo
git clone https://github.com/brannondorsey/dns-rebind-toolkit
cd dns-rebind-toolkit

# launch the vulnerable server
node examples/vulnerable-server
# ...
# vulnerable server is listening on 3000
```

```bash
node server --port 3000
```
Now, navigate your browser to http://localhost:3000/launcher.html and open a dev console. Wait a minute or two; if the attack worked you should see some dumped credz from the vulnerable server running on the secondary computer.
Check out the
payloads/ directories for more examples.
Files and Directories
- server.js: The DNS Rebind Toolkit server
- payloads/: Several HTML payload files hand-crafted to target a few vulnerable IoT devices. Includes attacks against Google Home, Roku, and Radio Thermostat for now. I'd love to see more payloads added to this repo in the future (PRs welcome!)
- examples/: Example usage files.
- data/: Directory where data exfiltrated by
This toolkit was developed to be a useful tool for researchers and penetration testers. If you'd like to see some of the research that led to its creation, check out this post. If you write a payload for another service, consider making a PR to this repository so that others can benefit from your work!