Skip to content

Payloads

alxk edited this page Sep 1, 2018 · 9 revisions

Web Discover

Description

The web-discover payload will fetch the browser's local IP address using WebRTC, and from there derive a /24 subnet.

It will proceed to use netmap.js to scan the subnet for live web services on ports 80 and 8080.

When the scan is complete it will open rebind iFrames for each web service found, configure the DNS records to point to the local services, and then fetch the services' index pages.

It will POST the HTML responses back to dref, effectively exfiltrating data across origins.

The payload will take several minutes to run to completion.

Source

dref/scripts/src/payloads/web-discover.js

Usage

To configure the payload, edit dref-config.yml:

targets:
  - target: "demo"
    script: "web-discover"

The payload can be triggered by visiting http://demo.attacker.com/.

Sysinfo

Description

This payload does not use DNS rebinding. It simply exfiltrates information about the browser that may be of use to an attacker, such as version information, configuration etc.

Source

dref/scripts/src/payloads/sysinfo.js

Usage

To configure the payload, edit dref-config.yml:

targets:
  - target: "sysinfo"
    script: "sysinfo"

The payload can be triggered by visiting http://sysinfo.attacker.com/.

Fast Rebind

Description

The Fast Rebind payload showcases the fastRebind configuration key, which enables near-instant DNS rebinding. This does not work all the time, and is inconsistent between browsers/OSs. This attack will work 50% of the time on Chrome on MacOS (can and will be improved to 100%).

The advantage of fastRebind is that victims need only stay a couple of seconds on the website to run the full attack, instead of the 60 seconds required for the universal, stable, DNS rebinding attack.

Source

dref/scripts/src/payloads/fast-rebind.js

Usage

To configure the payload, edit dref-config.yml:

targets:
  - target: "fast-rebind"
    script: "fast-rebind"
    fastRebind: true
    args:
      host: "192.168.1.1"
      port: 80
      path: "/index.html"

The payload can be triggered by visiting http://fast-rebind.attacker.com/.

Help

If you encounter any issues with the payloads, come chat on gitter

Clone this wiki locally