Scorpiones Group

ReDTunnel - Explore Internal Networks With DNS Rebinding

A new tool combines the DNS rebinding attack with JavaScript reconnaissance concepts to tunnel into an internal network without any prior information about the victim.

The internal network is where we connect our phones, laptops, and “smart” devices to each other and to the Internet, and in turn improve our lives. From smart TVs and media players to home assistants, security cameras, refrigerators, door locks, and thermostats, our home network is full of devices.

Many of these devices offer limited or non-existent authentication to access and control their services. They use protocols like HTTP to communicate freely between one another but are inherently protected from inbound connections from the Internet by means of their router’s firewall.

But those networks are not protected, and a new tool actually shows how easy it is to attack a target, even without knowing anything about it.
Imagine that you could have a one-click setup that will provide you a magic tunnel from the outside world.
That's when we came up with the "ReD Tunnel" idea.

The design goal was to use tools that exist on the victim's device, like the browser,
rather than rely on 0days to stay below the radar of the most advanced AV.
To create this new capability, we decided to combine two concepts: JavaScript reconnaissance techniques and the DNS rebinding attack.
DNS rebinding is a class of exploit in which the attacker initiates repeated DNS queries to a domain under their control:
the first query returns a valid response that passes security checks,
and the subsequent queries return a malicious response that targets the internal network.
The DNS rebinding attack technique normally requires detailed knowledge of a target network,
but a new tool by security researchers Tomer Zait (Principal security researcher at F5 Networks) and Nimrod Levy (CTO, co-founder at Scorpiones) – dubbed ReDTunnel – means a hacker would need “zero knowledge about the target” in order to run an attack.
ReDTunnel uses JavaScript in a malicious web page to gain control over HTTP resources on the user’s internal network. The attack can bypass security controls such as cross-origin resource sharing (CORS).

The result is that you open your browser, wait until the victim visits your website, and then start browsing the internal websites in their network. It’s a great tool especially if you’re part of a red team.
Zait and Levy unveiled ReDTunnel during a presentation in the Arsenal stream at the Black Hat Asia security conference in Singapore last week.

Tomer Zait (left) and Nimrod Levy (right) present ReDTunnel at Black Hat Asia

How to protect your Internal Network?


  1. Install an SSL certificate on each of your web assets (i.e. your router, web repositories, storage that is managed over HTTP, etc.)
  2. Disallow HTTP communication (e.g. redirect HTTP to HTTPS)
  3. Isolate your network via VLANs and block access to critical assets for employees who don’t need it.
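
The rebinding pattern described earlier (a first answer that passes security checks, then an answer that points into the internal network) can also be looked for in DNS resolver logs. The following is an added example, not part of ReDTunnel or of the original article; the log format, the 60-second window, the function names and every sample value are assumptions constructed for illustration.

```python
import ipaddress

# Ranges treated as "internal": RFC 1918, loopback, link-local (IPv4 and IPv6).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample log, one answer per line (assumed format):
# "<epoch seconds> <client> <query name> <answer IP>"
SAMPLE_LOG = """\
1000 10.0.0.23 www.example.org 192.0.2.34
1001 10.0.0.23 a1.rebind.example.net 192.0.2.10
1003 10.0.0.23 a1.rebind.example.net 192.168.1.1
1004 10.0.0.40 intranet.corp.example 10.0.5.20
1005 10.0.0.40 intranet.corp.example 10.0.5.20
1010 10.0.0.41 mail.corp.example 198.51.100.7
9000 10.0.0.41 mail.corp.example 10.0.5.25
this line is malformed and is skipped
"""

def is_internal(ip_text):
    addr = ipaddress.ip_address(ip_text)  # raises ValueError on a bad address
    return any(addr in net for net in INTERNAL_NETS)

def find_rebinds(log_text, window=60):
    """Return (client, name, external_ip, internal_ip, seconds) for every name a
    client saw answered externally and then internally within `window` seconds."""
    last_external = {}  # (client, name) -> (timestamp, ip) of latest external answer
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts_text, client, name, ip = parts
        try:
            ts, internal = int(ts_text), is_internal(ip)
        except ValueError:
            continue  # bad timestamp or address
        key = (client, name.lower().rstrip("."))
        if not internal:
            last_external[key] = (ts, ip)
        elif key in last_external and ts - last_external[key][0] <= window:
            prev_ts, prev_ip = last_external[key]
            findings.append((*key, prev_ip, ip, ts - prev_ts))
    return findings

if __name__ == "__main__":
    for f in find_rebinds(SAMPLE_LOG):
        print("possible DNS rebinding: client=%s name=%s %s -> %s after %ds" % f)
```

Names that only ever resolve to internal addresses are not flagged, and the window keeps a split-horizon name that changes answer hours apart from raising an alert; widening it trades fewer misses for more false positives.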


Still not sure if your internal network is secure enough? Check out our Network Penetration Testing service for your business or contact us!
