What is DNS Rebinding?
With DNS Rebind Toolkit, an attacker can bypass a firewall and directly interact with devices on the victim's home network. Once past the firewall, the attacker can leak private information and even gain full control over vulnerable devices. Target devices:
- Google Home, Roku, Sonos WiFi speakers, WiFi routers, “smart” thermostats, and other IoT devices.
If you follow the wrong link or click on a malicious banner, your browser will "become" a proxy that the attacker uses to reach other hosts connected to your network.
DNS Rebind Toolkit can be used to develop and deploy your own DNS rebinding attacks.
The /payloads directory contains several real-world attack payloads.
Clone it from the github repo:
$ git clone https://github.com/brannondorsey/dns-rebind-toolkit.git
$ cd dns-rebind-toolkit
To install dependencies, run:
$ npm install
Run the server as root so it can bind the privileged port 80:
$ sudo node server
This script serves files from the following directories:
server.js serves payloads targeting Google Home, Roku, Sonos speakers, Philips Hue light bulbs and Radio Thermostat devices, on these ports:
Server usage options:
usage: server [-h] [-v] [-p PORT]

DNS Rebind Toolkit server

Optional arguments:
  -h, --help            Show this help message and exit.
  -v, --version         Show program's version number and exit.
  -p PORT, --port PORT  Which ports to bind the servers on. May include
                        multiple like: --port 80 --port 1337
                        (default: -p 80 -p 8008 -p 8060 -p 1337)
DNS Rebind Toolkit provides two JS objects that you can use together to create DNS rebinding attacks:
- DNSRebindAttack: use this object to launch an attack against a vulnerable service running on a known port (it spawns one payload for each IP address you choose to target). DNSRebindAttack objects create, manage, and communicate with multiple
- DNSRebindNode: this static class object can target one service running on one host (it should be included in each HTML payload file). It communicates with the DNSRebindAttack object that spawned it. It also has helper functions to execute the DNS rebinding attack (DNSRebindNode.rebind(...)) and the ability to exfiltrate data discovered during the attack to
An attack against unknown hosts on a firewall-protected LAN looks something like this:
- The attacker sends the victim a link to a malicious HTML page that launches the attack, e.g.
launcher.html contains an instance of
- The victim follows the attacker's link, or visits a page where http://example.com/launcher.html is embedded as an iframe. This causes launcher.html to begin the attack.
- DNSRebindAttack uses a WebRTC leak to discover the local IP address of the victim machine (e.g. 192.168.10.84). The attacker uses this information to choose a range of IP addresses to target on the victim's LAN (e.g.
- launcher.html launches the DNS rebinding attack (using DNSRebindAttack.attack(...)) against a range of IP addresses on the victim's subnet, targeting a single service (e.g. the undocumented Google Home REST API available on port
- At an interval defined by the user (200 milliseconds by default), DNSRebindAttack embeds one iframe containing
launcher.html page. Each iframe contains one DNSRebindNode object that executes an attack against port 8008 of a single host defined in the range of IP addresses being attacked.
- Each injected
DNSRebindNode to attempt a rebind attack by communicating with a whonow DNS server. If it succeeds, same-origin policy is violated and payload.html can communicate with the Google Home product directly. Usually payload.html will be written in such a way that it makes a few API calls to the target device and exfiltrates the results to example.com before finishing the attack and destroying itself.
DNSRebindNode's rebind attack will fail. Only one will be successful.
An attack consists of three coordinated scripts and files:
- An HTML file containing an instance of
- An HTML file containing the attack payload (e.g. payload.html), embedded into launcher.html for each IP address being targeted.
- A DNS Rebinding Toolkit server (server.js) to deliver the above files and exfiltrate data if need be.
You can download those examples below: