-
Notifications
You must be signed in to change notification settings - Fork 70
Payloads
The web-discover
payload will fetch the browser's local IP address using WebRTC, and from there derive a /24
subnet.
It will proceed to use netmap.js
to scan the subnet for live web services on ports 80
and 8080
.
When the scan is complete it will open rebind iFrames for each web service found, configure the DNS records to point to the local services, and then fetch the services' index page.
It will POST the HTML responses back to dref, effectively exfiltrating data across origins.
The payload will take several minutes to run to completion.
dref/scripts/src/payloads/web-discover.js
To configure the payload, edit dref-config.yml
:
targets:
- target: "demo"
script: "web-discover"
The payload can be triggered by visiting http://demo.attacker.com/
.
This payload does not use DNS rebinding. It simply exfiltrates information about the browser that may be of use to an attacker, such as version information, configuration etc.
dref/scripts/src/payloads/sysinfo.js
To configure the payload, edit dref-config.yml
:
targets:
- target: "sysinfo"
script: "sysinfo"
The payload can be triggered by visiting http://sysinfo.attacker.com/
.
The Fast Rebind payload showcases the fastRebind
configuration key, which enables near-instant DNS rebinding. This sample payload will simply rebind to the target host
and port
and exfiltrate the supplied path
.
fastRebind
does not work all the time, and is inconsistent between browsers/OSs. This attack currently works 50% of the time on Chrome on MacOS (other platforms not tested). The attack can be improved to 100% success rate and this is on the roadmap.
The advantage of fastRebind
is that victims need only stay a couple of seconds on the website to run the full attack, instead of the 60 seconds required for the universal, stable, DNS rebinding attack.
Note that fastRebind
is set to true
in the targets
configuration below.
dref/scripts/src/payloads/fast-rebind.js
To configure the payload, edit dref-config.yml
:
targets:
- target: "fast-rebind"
script: "fast-rebind"
fastRebind: true
args:
host: "192.168.1.1"
port: 80
path: "/index.html"
The payload can be triggered by visiting http://fast-rebind.attacker.com/
.