
So Tomer and Nimrod will be talking about ReDTunnel: exploring internal networks via a DNS rebinding tunnel. This is a really interesting talk that we really wanted to have at this conference, so this is for you guys. Thank you.

Okay, my name is Tomer Zait. I'm a security researcher at F5 Networks, I'm also a CTF competitor and creator, and I'm an open source developer, and that's it. Nimrod?

So my name is Nimrod Levy. I am the CTO and co-founder at Scorpiones. I'm playing with CTFs too and giving back to the community by developing open source tools.

So today we will talk about ReDTunnel. First of all we will explain to you how DNS rebinding works. Note that this presentation was at Black Hat last year and will be in the United States also. So before we explain what DNS rebinding is, we will talk a little bit about browser restrictions, so we will talk a little bit about the same-origin policy.

What is the same-origin policy? The same-origin policy is a security level that validates your hostname, scheme and port, and if something in this part is not correct, is failed, you will be blocked due to the same-origin policy. And then if you have, for example, a domain that appears in the CORS header, you will not be blocked. So in this example, a domain that doesn't appear in the CORS header will be blocked, and if you have the same domain you will be approved and you will get the response on the same origin; by the same origin you will get a response on the site.

So we need to talk a little bit about DNS. You can see that you have a DNS response packet that contains the direction to the host. DNS translates names to hosts in order to direct you to the specific host that you need, and you can see here in the DNS response that you are directed to the localhost and you have a TTL time of 150.

So how does DNS caching work? When you send a request, the TTL tells your DNS cache server how long you need to store the information that you cached. So you can see that we start by initially going to the DNS record and getting the information, and after that you can see that in our DNS cache server we have 140 seconds to be alive. Then you can see that we change the IP value to another IP and make a DNS cache request again, and you can see that the DNS time to live still remains, 24 seconds. Time to live is the time that your information will be stored in the DNS cache. We will have time for questions, so we will explain it later. Well, when the TTL is gone, you can see that the DNS cache is empty, and when we recall the same domain we will update the DNS information about our record, and the IP address will be changed to 1.3.3.7.

So let's illustrate the process and we will explain how it works. First of all we send a request to the evil.com domain and get our server IP. When we get the server IP, we will send a GET request that fetches our malicious JavaScript code, and you can see that this code just calls itself every one second until the title has been changed. When the title has been changed, the DNS rebinding process will work, because when the DNS changes the IP again and the DNS cache is gone, the address will be changed to 192.168.1.1 and you will get access to this internal host.

Okay, so now we'll talk about what happened before ReDTunnel. Before ReDTunnel we had a DNS tools process; all DNS tools work almost the same. You needed to gain information about your victim, because if you don't know your victim, you won't know that those automatic scripts will work. Then you needed to scan the internal network; you needed to find hosts and ports, and without it you have nothing, you have just the localhost. Now you need to choose a specific payload, a JavaScript file that will attack the web application, but it's a specific JavaScript file that attacks a specific web application. You can change it, but you have only one way to win, just with this JavaScript file, and just if it worked correctly.

So what are the disadvantages? Disadvantages, disadvantages, thank you. Yeah, so we need the information about the victim's assets, and it's hard to get. We need to configure the application in the DNS rebinding tool, but it's hard, or it's not available; yes, there is no configuration you can configure. Now we have the scanners. The scanners are mostly slow because they use only timeout attacks, and they are inaccurate because they use only timeout attacks, because timeout is inaccurate. And there is no victim management; you need to manage the victims, we need to know where the victims are and their assets, we need to use the victims' web applications, and you just can't. So the payloads are limited; as I said, the payloads use only one web application, and one web application is not what we want, we want quantity. Okay, okay, I thought something was going to blow.

Okay, so after the panel I will say what ReDTunnel does, the process of ReDTunnel. ReDTunnel will get the internal IP address for you. Oh, romantic. Okay. And it will scan for the internal hosts, it will scan for open HTTP ports, so if you have internal hosts it's not enough; you want to know that the hosts behind it have HTTP ports with HTTP applications, so it will scan for it automatically. It will bypass browser limitations, because we had so many problems with browsers, and Chrome is the best with problems, and it will bypass those limitations for you, because we've done the work for you. It will automate the DNS rebinding process, and that's what you want, it's a DNS rebinding tool. Now, it will tunnel through the victims to the internal network, but not automatically: you will be able to just surf the web like you surf any other web application, just google.com or any other web application, and you will be able to manage all the victims in one single page. You will see the GUI, it's great, thanks Dima.

So, ReDTunnel architecture, and this is how ReDTunnel looks. We have the core application; the core application is actually the management, and the victim side, and the client side that protects the victim. So we have the client browser, and behind the client browser we have a network with many servers and desktops, and we know that the client browser, the client, actually clicks the link, and this link contains the ReDTunnel exploit. It's not a real exploit, it just uses the browser capabilities, but exploits them. And he surfs the web with our solitaire game, and he likes to play solitaire, he has fun playing solitaire, but now ReDTunnel is starting to get the internal IP address, scanning the hosts, scanning the ports, and rebinding all the ports and the hosts to different domains. And actually, how it works: when it started scanning, when we found the ports, we create an iframe, and this iframe tells the DNS server, "Oh, someone opened this URL", and we have specific URLs that will tell the DNS to change the IP address, and our JavaScript code will do the same as you saw in the DNS rebinding process. But the difference is that now the victim is the server by itself. The attacker can send commands to the victim; it's not real commands, just surfing URLs from the management, and he can get all the information and actually surf the web applications from his own computer at home. It's like you had an internal network but you just put it in the DMZ without asking anybody. You'll see it, it's nice. So of course it's open source software, because we are open source developers, so you can download the source.

And now I will pray to the demo gods and I will try to make this demo work. I will just open... okay, so now we will see the web application. This is the attacker. The attacker has an admin controller, a command and control. Okay, you can see it. So I will just set it to duplicate, do it, one sec... I know, okay, don't worry. Now we can see it. Okay, you could see it? Okay, great. So this is the admin panel. You can manage all the victims here; here are the targets and here is their configuration. It's a really simple configuration: you can just set the timeout, set the pool size, set whether you want it to be loopback only or you want it to shuffle the IP addresses, do as you want. You can add ports to the scanner, just have fun with it. Now that we saw the panel, let's see the tool. So here is the web application. I will just... okay, what, what happened?
Okay, I need to kill all of it.
Okay, I can see the processes. Okay, let's see if it works somehow. I will just start it. Okay, it works. So I open Solitaire, and now the client thinks he's playing Solitaire. Now, why did I choose Solitaire? I will tell you while it's scanning. I chose Solitaire because I can't lose with Solitaire. If I chose Pac-Man I could lose here and everyone would make fun of me for losing the game, so that way I can't lose; it's too slow to lose. And you can see the logs, but I am scanning the ports, and we'll see it here in ReDTunnel. So we see someone connected to ReDTunnel. I see other people trying to connect to the panel; it's not a good idea, guys. Like, if you want me to see your assets, just ask.

So now we scan for the ports. We have all the ports here, and we have logging, and it's dark so you can see it. And now we automated the process of the scanner, so now it's rebinding all the... so now we automated the rebinding process, and we should see it in a few seconds. DNS rebinding could take time, it's not me.
Let's see if there is something. No, just one webpage so far. Let's look, it could take time. So in the time that we're waiting for it to work, it will get us all the hosts. And now we get it, so it's okay. So now that we got the hosts, we can just explore those hosts; you can just surf the webpages. So I will click on one host, and you can see every host contains the IP address with dashes, not dots, and we have the port, I hope you can see it. Okay, you can see it. And the ID of the victim. So now when we want to just explore the applications some more, we can just click on authentication, with basic authentication. I already clicked it, so I will need to do it from another browser; I should have thought about it before. So let's go to a tunnel. We have the login, and we have the hosts. Now we'll choose this host with Tomcat, and we can click the management app. You can see the basic authentication popped up. We can just... no, the dark mode, what, why is it dark? Where do I find the dark one? Now let's see, night light, now, okay. Where's the video? Okay, the video won't work either, it's the same thing. So we can just use the web application and... get your spot back, please help me, what happened?
Let's see if you can see the demo video, maybe. So the video works? Like, the video works. Okay, you can see the video. Thank you, demo gods. No. Now we've done this, so the victim surfs the web application. You can see it scanned for the hosts, and now it will scan for the ports, and you can see the ports right there, and now after it scans for the ports you will see that it started the rebinding process. I will just fast-forward it, and you see the rebinding process finished, and we have an internal DNS, the domain names for every one of their applications, and now we just go to the application and we can surf the application. We can download binary files if you have binary files in this web application, and you can see the IP address as I mentioned earlier.

Now we'll go to another web application, actually a vulnerable web application, because if it's not vulnerable, what's there to show? And now we surf to Apache; we have a basic authentication popup, we can just insert the credentials and get into the web application with the basic authentication. But it's not enough. We'll show you how you can exploit a web application using other methods, other than POST or GET; we will use PUT. So you can send every method to those web applications, even though all the other tools are limited. We'll just do whoami, because who am I to undo it. So you'll see it work; now whoami, and it's magic without hands. So we send whoami, and now we'll go again to the web application, to ReDTunnel, and we'll choose another victim, or another host; it's the same victim but another host in the internal network. We can explore this web application, and the nicest thing in ReDTunnel is that you can use your own tools, your own automatic tools like sqlmap or other tools, with ReDTunnel. All you need to do is just save the session, so you have the ReDTunnel session, and without this session you will not be able to surf those web pages, because there were security people, so it will be secure. So now we copy the request file; we'll save it because we want the session, and it's the easiest thing to do in sqlmap. We'll choose PowerShell because it's the default, and I didn't have time to click on CMD. And now we use sqlmap to search for the users, so we're doing the SQL injection attack through sqlmap, through the victim, to its internal network, to a specific host in the internal network. So it sounds hard, but everything is easy with ReDTunnel. So now it's just asking questions and we say no, no, no, no, no, hell no. I'm fast-forwarding, almost, yes, and now we have the users and password hashes, see, no directory, and that's it.

And I want to thank Dima Belski for the awesome UI and Max Rank for the perfect logo. And now for your questions; we have 10 minutes, maybe a little bit less, but you can ask questions. We know that it happened in the wild with, I think, the servers of the World of Warcraft company, Blizzard. So on the Blizzard servers there were some DNS rebinding attacks in the wild.
Yes.
Yes, the best one is just to create HTTPS certificates and not allow HTTP. You can also check for the hostname, and if you check for the hostname we can just manipulate it in the browser so it will work. And there are a few ways to protect yourself, by disallowing the DNS server to... but still, I think the best solution is just to use HTTPS.

I have to say something: when you think about the ReDTunnel concept, you should know and understand that it's the same concept as a CDN, because if you, for example, open Facebook in Israel and fly to the United States and just refresh the page, the IP will be different and change, because the CDN gives you the nearest, the closest IP address that it has in order to make it fast. So the operation of DNS rebinding is very close to the CDN operation, so the only way to close this vulnerability is to harden your application and not your network, because it's not a cool way to close internal IPs from domains.

Another question? Yes. Oh, it's a nice question. Okay, so he asked how the communication works between the client and the server, because the client needs to be a server and the server returns the webpage like anything, like it's a regular web application. So we used WebSocket, and by using WebSocket you actually connect to the server, but you have push notifications, sending pushes to the application. Now, the thing about Node.js, and it's really good for this example, is that you can just take the response object, store it in another dictionary and use it later, like it's an object that's still in memory. So we could store it in a global object and then use it when we call the webpage. So when we call the webpage, we wait for the response, but the response will be achieved by getting the information we needed from the WebSocket connection, and the WebSocket connection will just send a response with all the headers and the information we need. We created some techniques to make the browser understand that a redirection occurred, using JavaScript, but without it, it's just how it works. It was good enough for a desert. I know it's hard to understand, but okay. Another question? So, thank you.
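The two defenses touched on in the Q&A, the resolver refusing to hand out the rebound answer and the application checking its Host header, as an added Python example; this is not ReDTunnel's code or the speakers' code. The internal zone `corp.example`, the name `evil.example` and the sample addresses are constructed; the TTL expiry and the switch to 192.168.1.1 replay the sequence the talk describes.

```python
import ipaddress
import time

# Constructed: DNS zones that legitimately resolve to internal addresses.
INTERNAL_ZONES = ("corp.example",)


def is_internal(ip):
    """True for private, loopback or link-local addresses (the rebinding targets)."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local


def name_may_be_internal(name):
    n = name.rstrip(".").lower()
    return any(n == z or n.endswith("." + z) for z in INTERNAL_ZONES)


class RebindGuardCache:
    """TTL cache that refuses to (re)bind an external name to an internal IP.

    upstream(name) -> (ip, ttl_seconds); clock() is injectable so the TTL
    expiry shown in the talk can be replayed without waiting.
    """

    def __init__(self, upstream, clock=time.monotonic):
        self.upstream, self.clock = upstream, clock
        self.cache = {}      # name -> (ip, expires_at)
        self.blocked = []    # dropped (name, ip) answers: a detection signal

    def resolve(self, name):
        now = self.clock()
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0]                   # within TTL, no upstream query
        ip, ttl = self.upstream(name)
        if is_internal(ip) and not name_may_be_internal(name):
            self.blocked.append((name, ip))   # evil.example -> 192.168.x.x: refuse
            return None
        self.cache[name] = (ip, now + ttl)
        return ip


def host_header_allowed(host_header, served_names):
    """Application-side check: a rebound request still carries the attacker's Host."""
    h = host_header.strip().lower()
    if h.startswith("["):                     # IPv6 literal such as [::1]:8080
        h = h[1:h.index("]")]
    else:
        h = h.split(":", 1)[0]
    return h in {n.lower() for n in served_names}
```

The `blocked` list is what a resolver operator would log and alert on: a public name flipping to an internal address after its short TTL is the rebinding step itself.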