taviso / Rbndr

Licence: gpl-3.0
Simple DNS Rebinding Service

Programming Languages

c

rbndr

Simple DNS Rebinding Service

rbndr is a very simple, non-conforming name server for testing software against DNS rebinding vulnerabilities. The server responds to queries by randomly selecting one of the addresses specified in the hostname and returning it as the answer with a very low TTL.

https://en.wikipedia.org/wiki/DNS_rebinding

DNS rebinding is a form of TOCTOU (time of check, time of use) vulnerability. You would use it if you have a service that uses "preflight" checks incorrectly to modify security properties. For example, consider a (fictional) browser plugin that has an API like this:

AllowUntrustedAccess("foobar.com");
SendArbitraryRequests("foobar.com");

And AllowUntrustedAccess() simply sends a preflight HTTP request to the host:

GET /CanIDisableSecurity HTTP/1.1

If the service returns 200, then the plugin allows the host page complete access to that hostname. This might be a security vulnerability, because you can specify an rbndr hostname that will switch between a host you control and a host you don't. The plugin might allow complete access to an arbitrary IP address (e.g. an internal service, or localhost) even if that service would not normally permit the preflight check.

This might sound unrealistic, but that's exactly how Adobe Flash, Oracle Java and lots of other products worked in the past, and many other products still work.

Read about how Adobe tried to resolve this problem in Flash here: https://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html

For software that is vulnerable to this class of attack, rbndr is an easy way to test without having to modify /etc/hosts or set up your own nameserver. If the software associates the result with just the hostname and not the hostname and IP address, then you can grant yourself access to any IP address.

The format for hostnames is simply

<ipv4 in base-16>.<ipv4 in base-16>.rbndr.us

But you can use this website to convert from dotted quads if you prefer:

https://lock.cmpxchg8b.com/rebinder.html

For example, to switch between 127.0.0.1 and 192.168.0.1 you would encode them as dwords, and then use:

7f000001.c0a80001.rbndr.us
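
The hostname format above, as an added C example that is not taken from the rbndr source: it builds a name from two dotted quads, decodes one back (for instance a query name seen in resolver logs) and reports whether an embedded address is loopback, RFC 1918 or link-local. The function names are hypothetical, and the decoder assumes exactly eight hex digits per label, as in the example hostname.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RBNDR_SUFFIX ".rbndr.us"   /* zone name taken from the page */

/* Build "<hex8>.<hex8>.rbndr.us" from two dotted quads; 0 on success. */
int rbndr_encode(const char *ip_a, const char *ip_b, char *out, size_t n)
{
    const char *ips[2] = { ip_a, ip_b };
    unsigned v[2], o[4];
    char tail;
    for (int i = 0; i < 2; i++) {
        if (sscanf(ips[i], "%3u.%3u.%3u.%3u%c", &o[0], &o[1], &o[2], &o[3], &tail) != 4)
            return -1;
        if (o[0] > 255 || o[1] > 255 || o[2] > 255 || o[3] > 255)
            return -1;
        v[i] = o[0] << 24 | o[1] << 16 | o[2] << 8 | o[3];
    }
    int w = snprintf(out, n, "%08x.%08x" RBNDR_SUFFIX, v[0], v[1]);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* Decode the two embedded addresses (host byte order); 0 on success.
 * Assumes exactly eight hex digits per label, as in the page's example. */
int rbndr_decode(const char *host, uint32_t addr[2])
{
    unsigned a, b;
    if (strlen(host) != 17 + strlen(RBNDR_SUFFIX) || host[8] != '.')
        return -1;
    for (int i = 0; i < 17; i++)
        if (i != 8 && !isxdigit((unsigned char)host[i]))
            return -1;
    for (size_t i = 0; i < strlen(RBNDR_SUFFIX); i++)  /* DNS names are case-insensitive */
        if (tolower((unsigned char)host[17 + i]) != RBNDR_SUFFIX[i])
            return -1;
    if (sscanf(host, "%8x.%8x", &a, &b) != 2)
        return -1;
    addr[0] = a; addr[1] = b;
    return 0;
}

/* True for loopback, RFC 1918 and link-local targets. */
int is_internal(uint32_t a)
{
    return (a >> 24) == 127 || (a >> 24) == 10 || (a >> 20) == 0xac1 ||
           (a >> 16) == 0xc0a8 || (a >> 16) == 0xa9fe;
}
```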

Let's test it out:

$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 127.0.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 127.0.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 127.0.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 127.0.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1

As you can see, the server randomly returns one of the addresses. You might do something like this (in pseudo-code):

// Keep calling api until it resolves to the address you control and you get granted access
while (AllowUntrustedAccess("7f000001.c0a80001.rbndr.us") != true)
    ;

// Access granted, now wait for it to re-bind
while (ConnectToPort("7f000001.c0a80001.rbndr.us", 123) != true)
    ;

// Now you have access to localhost:123 even though localhost did not opt-in to reduced security.
SomethingEvil();
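
The difference between associating a grant with the hostname alone and with the hostname and IP address, as an added C model that is not code from rbndr or from any real plugin. The resolver is a constructed stub that answers 192.168.0.1 once and 127.0.0.1 afterwards, and `preflight_ok`, `connect_by_name` and `connect_pinned` are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

/* Constructed resolver stub: 192.168.0.1 on the first lookup, 127.0.0.1 on
 * every later one, mimicking a rebinding name with a very low TTL. */
static const uint32_t answers[] = { 0xc0a80001, 0x7f000001 };
static size_t next_answer;
static uint32_t resolve(const char *host)
{
    (void)host;
    size_t i = next_answer < 1 ? next_answer++ : 1;
    return answers[i];
}

/* Hypothetical policy: only this address answers the preflight with 200. */
static int preflight_ok(uint32_t ip) { return ip == 0xc0a80001; }

struct grant { char host[64]; uint32_t ip; int valid; };
static struct grant g;

/* Preflight: record the hostname AND the address that passed the check. */
int allow_untrusted_access(const char *host)
{
    uint32_t ip = resolve(host);
    if (strlen(host) >= sizeof g.host || !preflight_ok(ip))
        return 0;
    strcpy(g.host, host);
    g.ip = ip;
    g.valid = 1;
    return 1;
}

/* Vulnerable: the grant is matched by hostname only, so whatever the name
 * resolves to at connect time inherits it. Returns the address used. */
uint32_t connect_by_name(const char *host)
{
    if (!g.valid || strcmp(g.host, host) != 0)
        return 0;
    return resolve(host);
}

/* Hardened: never re-resolve; connect to the address that was checked. */
uint32_t connect_pinned(const char *host)
{
    if (!g.valid || strcmp(g.host, host) != 0)
        return 0;
    return g.ip;
}
```

With the stub's answers, `connect_by_name` ends up at 127.0.0.1 after a grant issued for 192.168.0.1, while `connect_pinned` stays on the address that passed the preflight.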