DNS Rebinding Attacks with DNS Rebind Toolkit

Last Commit: 06/12/2018

DNS Rebinding Attacks with DNS Rebind Toolkit

Introduction

DNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network (LAN).

What is DNS Rebinding?

DNS rebinding is a form of computer attack in which malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network.  In other words, DNS rebinding is an exploit in which the attacker uses JavaScript in a malicious Web page to gain control of the victim’s router.

DNS Rebind Toolkit: Front-End JavaScript Framework For Creating DNS Rebinding Attacks

With DNS Rebind Toolkit attacker can bypass s firewall and directly interact with devices on the victim’s home network. After bypassing, attacker will be able to leak private information, even to gain full control over vulnerable devices.  Target devices:

  • Google Home, Roku, Sonos WiFi speakers, WiFi routers, “smart” thermostats, and other IoT devices.

If you follow the wrong link or click on a malicious banner, your browser will “become” proxy, which attacker will directly use to access other hosts connected to your network.

This tool makes use of a public whonow DNS server running on rebind.network:53 to execute the DNS rebinding attack and fool the victim’s web browser into violating the Same-origin policy. From their, it uses WebRTC to leak the victim’s private IP address, say 192.168.1.36. It uses the first three octets of this local IP address to guess the network’s subnet. Then inject 256 iframes, from 192.168.1.0-255 delivering a payload to each host that could possibly be on the network subnet.

DNS Rebind Toolkit

DNS Rebind Toolkit can be used develop and deploy your own DNS rebinding attacks. /payloads directory contains several real-world attack payloads.

Install

Clone it from the github repo:

$ git clone https://github.com/brannondorsey/dns-rebind-toolkit.git
$ cd dns-rebind-toolkit

To install dependencies, run:

$ npm install

Run the server using root to provide access to privileged port 80 :

$ sudo node server

This script serves files from the following directories:

  • www/
  • /examples
  • /share
  • /payloads 

server.js serves payloads targeting Google Home, Roku, Sonos speakers, Phillips Hue light bulbs and Radio Thermostat devices ports: 8008, 8060, 1400, and 80 respectively.

Server usage options:

usage: server [-h] [-v] [-p PORT]

DNS Rebind Toolkit server

Optional arguments:
  -h, --help            Show this help message and exit.
  -v, --version         Show program's version number and exit.
  -p PORT, --port PORT  Which ports to bind the servers on. May include 
                        multiple like: --port 80 --port 1337 (default: -p 80 
                        -p 8008 -p 8060 -p 1337)

API/Usage

DNS Rebind Toolkit provides two JS objects that you can use together to create DNS rebinding attacks:

  • DNSRebindAttack: use this object to launch an attack against a vulnerable service running on a known port  (it spawns one payload for each IP address you choose to target). DNSRebindAttack objects: create, manage, and communicate with multiple DNSRebindNode objects.
  • DNSRebindNode: this static class object can target one service running on one host (it should be included in each HTML payload file). It communicates with DNSRebindAttack object that spawned it. It also has helper functions to execute the DNS rebinding attack (DNSRebindNode.rebind(...)) and the ability to exfiltrate data discovered during the attack to server.js (DNSRebindNode.exfiltrate(...)).

Attack against unknown hosts on a firewall protected LAN looks something like this:

  1. Attacker sends victim a link to a malicious HTML page that launches the attack: e.g. http://example.com/launcher.htmllauncher.html contains an instance of DNSRebindAttack.
  2. The victim follows the attacker’s link, or visits a page where http://example.com/launcher.html is embedded as an iframe. This causes the DNSRebindAttack on launcher.html to begin the attack.
  3. DNSRebindAttack uses a WebRTC leak to discover the local IP address of the victim machine (e.g. 192.168.10.84). The attacker uses this information to choose a range of IP addresses to target on the victim’s LAN (e.g. 192.168.10.0-255).
  4. launcher.html launches the DNS rebinding attack (using DNSRebindAttack.attack(...)) against a range of IP addresses on the victim’s subnet, targeting a single service (e.g. the undocumented Google Home REST API available on port 8008).
  5. At an interval defined by the user (200 milliseconds by default), DNSRebindAttack embeds one iframe containing payload.html into the launcher.html page. Each iframe contains one DNSRebindNode object that executes an attack against port 8008 of a single host defined in the range of IP addresses being attacked.
  6. Each injected payload.html file uses DNSRebindNode to attempt a rebind attack by communicating with a whonow DNS server. If it succeeds, same-origin policy is violated and payload.html can communicate with the Google Home product directly. Usually payload.html will be written in such a way that it makes a few API calls to the target device and exfiltrates the results to server.js running on example.com before finishing the attack and destroying itself.
Note: If user has one Google Home device on their network with an unknown IP address, and you launch the against the entire 192.168.1.0/24 subnet, 254 DNSRebindNode‘s rebind attack will fail. Only one will be successful.

Examples

An attack consists of three coordinated scripts and files:

  • An HTML file containing an instance of DNSRebindAttack (e.g. launcher.html)
  • An HTML file containing the attack payload (e.g. payload.html), embedded into launcher.html for each IP address being targetted.
  • A DNS Rebinding Toolkit server (server.js) to deliver the above files and exfiltrate data if need be.

You can download those examples bellow:

Documentation Box
Download Box