Networking / Payloads

DNS Rebinding

Posted by

DNS rebinding is a technique used by attackers to gain unauthorized access to a target device or network by manipulating Domain Name System (DNS) resolution. The attacker tricks the target device into connecting to a malicious website by redirecting the DNS resolution to a different IP address than the intended one. Once the target device connects to the malicious website, the attacker can use it to exploit vulnerabilities and gain access to the device or network. To prevent DNS rebinding attacks, it is recommended to use a firewall or other security measures to block incoming traffic from untrusted sources and to keep software and operating systems up to date.

Tools for DNS Rebinding

There are a few tools that can be used to test for and prevent DNS rebinding attacks. These include:

  1. dnsrebind.py: This is a python script that can be used to test whether a device or network is vulnerable to DNS rebinding attacks.
  2. mitmproxy: This is a free and open-source tool that can be used to intercept and modify network traffic, making it a useful tool for testing and mitigating DNS rebinding attacks.
  3. Fiddler: This is a web debugging tool that can be used to intercept and modify network traffic. It is useful for testing and mitigating DNS rebinding attacks, as well as for other types of security testing.
  4. OWASP-ZAP: This is a free and open-source web application security scanner that can be used to find vulnerabilities in web applications, including those that could be exploited through DNS rebinding.
  5. Browser extension: Some browser extension can be used to protect the user from DNS rebinding attacks by blocking the malicious requests.

It’s worth noting that DNS rebinding is a complex attack, and that no single tool is a complete solution. It’s important to use a combination of tools and techniques to protect against these attacks.

Exploit for DNS Rebinding

There are several ways to exploit DNS rebinding vulnerabilities, but the basic steps of an attack typically involve the following:

  1. The attacker registers a domain name that they control and configures it to resolve to a specific IP address.
  2. The attacker then sends a link or a malicious advertisement to the target, tricking them into visiting the attacker-controlled domain.
  3. The target’s device or network sends a DNS request to resolve the attacker-controlled domain to an IP address. The attacker-controlled DNS server responds with the IP address of the attacker’s server.
  4. The target’s device or network connects to the attacker’s server, which serves a web page that contains JavaScript code that can exploit vulnerabilities in the target’s device or network.
  5. The JavaScript code can change the DNS resolution of the attacker-controlled domain to point to a different IP address, such as the target’s internal network.
  6. The JavaScript code can then use this new connection to exploit vulnerabilities in the target’s internal network, potentially giving the attacker access to sensitive information or control of the target’s device or network.

It’s important to note that DNS rebinding attacks can be difficult to detect, since they appear as legitimate network traffic. To protect against these attacks, it is recommended to use a firewall or other security measures to block incoming traffic from untrusted sources, and to keep software and operating systems up to date.

Exploitation

First, we need to make sure that the targeted service is vulnerable to DNS rebinding. It can be done with a simple curl request:

curl --header 'Host: <arbitrary-hostname>' http://<vulnerable-service>:8080

If the server returns the expected result (e.g. the regular web page) then the service is vulnerable. If the server returns an error message (e.g. 404 or similar), the server has most likely protections implemented which prevent DNS rebinding attacks.

Then, if the service is vulnerable, we can abuse DNS rebinding by following these steps:

  1. Register a domain.
  2. Setup Singularity of Origin.
  3. Edit the autoattack HTML page for your needs.
  4. Browse to “http://rebinder.your.domain:8080/autoattack.html&#8221;.
  5. Wait for the attack to finish (it can take few seconds/minutes).

Protection Bypasses for DNS Rebinding

There are several ways that attackers may attempt to bypass protections against DNS rebinding attacks. Some of these include:

  1. Using multiple domains: Attackers may register multiple domains and use them in a coordinated attack to bypass protections that only block a single domain.
  2. Using subdomains: Attackers may use subdomains to bypass protections that only block the main domain.
  3. Using SSL: Attackers may use SSL encryption to hide the traffic and make it difficult for protections to detect and block the attack.
  4. Using IP addresses: Attackers may use IP addresses directly instead of domain names to bypass protections that only block domain names.
  5. Using Tor: Attackers may use the Tor network to hide their IP addresses and make it difficult to trace the attack back to its source.
  6. Using Server-side attacks: Attackers can use a server-side attack, where they control a server that is trusted by the target, to bypass client-side protections.
  7. Using local network: Attackers may use a local network to bypass protections that only block external traffic.

It’s important to note that DNS rebinding attacks are a complex attack that may involve multiple techniques, so it’s important to use multiple layers of protection to defend against them. This can include using a firewall or other security measures to block incoming traffic from untrusted sources, keeping software and operating systems up to date, and using browser extensions that protect against these attacks.

Most DNS protections are implemented in the form of blocking DNS responses containing unwanted IP addresses at the perimeter, when DNS responses enter the internal network. The most common form of protection is to block private IP addresses as defined in RFC 1918 (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Some tools allow to additionally block localhost (127.0.0.0/8), local (internal) networks, or 0.0.0.0/0 network ranges.

In the case where DNS protection are enabled (generally disabled by default), NCC Group has documented multiple DNS protection bypasses that can be used.

0.0.0.0

We can use the IP address 0.0.0.0 to access the localhost (127.0.0.1) to bypass filters blocking DNS responses containing 127.0.0.1 or 127.0.0.0/8.

CNAME

We can use DNS CNAME records to bypass a DNS protection solution that blocks all internal IP addresses. Since our response will only return a CNAME of an internal server, the rule filtering internal IP addresses will not be applied. Then, the local, internal DNS server will resolve the CNAME.

$ dig cname.example.com +noall +answer
; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> example.com +noall +answer
;; global options: +cmd
cname.example.com.            381     IN      CNAME   target.local.

localhost

We can use “localhost” as a DNS CNAME record to bypass filters blocking DNS responses containing 127.0.0.1.

$ dig www.example.com +noall +answer
; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> example.com +noall +answer
;; global options: +cmd
localhost.example.com.            381     IN      CNAME   localhost.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.