DNS Rebind Toolkit
DISCLAIMER: This software is for educational purposes only. This software should not be used for illegal activity. The author is not responsible for its use. Don't be a dick.
The attack requires a victim on the target network to simply follow a link, or be shown an HTML ad containing a malicious iframe. From there, the victim's web browser is used like a proxy to directly access other hosts connected to their home network. These target machines and services would otherwise be unavailable to the attacker from the Internet. The remote attacker may not know what those services are, or what IP addresses they occupy on the victim's network, but DNS Rebind Toolkit handles this by brute forcing hundreds of likely IP addresses.
Under the hood, this tool makes use of a public whonow DNS server running on rebind.network:53 to execute the DNS rebinding attack and fool the victim's web browser into violating the same-origin policy. From there, it uses WebRTC to leak the victim's private IP address, say 192.168.1.36. It uses the first three octets of this local IP address to guess the network's subnet and then injects 256 iframes, one for each address from 192.168.1.0 to 192.168.1.255, delivering a payload to each host that could possibly be on the network subnet.
This toolkit can be used to develop and deploy your own DNS rebinding attacks. Several real-world attack payloads are included with this toolkit in the payloads/ directory. These payloads include information exfiltration (and rickroll tomfoolery) attacks against a few popular IoT devices, including Google Home and Roku products.
This toolkit is the product of independent security research into DNS Rebinding attacks. You can read about that original research here.
```bash
# clone the repo
git clone https://github.com/brannondorsey/dns-rebind-toolkit.git
cd dns-rebind-toolkit

# install dependencies
npm install

# run the server using root to provide access to privileged port 80
# this script serves files from the www/, /examples, /share, and /payloads directories
sudo node server
```
server.js serves payloads targeting Google Home, Roku, Sonos speakers, Philips Hue light bulbs and Radio Thermostat devices running their services on ports 8008, 8060, 1400, 80 and 80 respectively. If you've got one of these devices on your home network, navigate to http://rebind.network for a nice surprise ;). Open the developer console and watch as these services are harmlessly exploited, causing data to be stolen from them and exfiltrated to
API and Usage
`DNSRebindAttack`: This object is used to launch an attack against a vulnerable service running on a known port. It spawns one payload for each IP address you choose to target. `DNSRebindAttack` objects are used to create, manage, and communicate with multiple `DNSRebindNode` objects. Each payload launched by `DNSRebindAttack` must contain a `DNSRebindNode`.
`DNSRebindNode`: This static class object should be included in each HTML payload file. It is used to target one service running on one host. It can communicate with the `DNSRebindAttack` object that spawned it, and it has helper functions to execute the DNS rebinding attack (using `DNSRebindNode.rebind(...)`) as well as to exfiltrate data discovered during the attack to the DNS Rebind Toolkit server.
These two scripts are used together to execute an attack against unknown hosts on a firewall-protected LAN. A basic attack looks like this:
- The attacker sends the victim a link to a malicious HTML page that launches the attack (e.g. `launcher.html`), which contains an instance of `DNSRebindAttack`.
- The victim follows the attacker's link, or visits a page where http://example.com/launcher.html is embedded as an iframe. This causes `launcher.html` to begin the attack.
- `DNSRebindAttack` uses a WebRTC leak to discover the local IP address of the victim machine (e.g. 192.168.10.84). The attacker uses this information to choose a range of IP addresses to target on the victim's LAN (e.g. the victim's /24 subnet).
- `launcher.html` launches the DNS rebinding attack (using `DNSRebindAttack.attack(...)`) against a range of IP addresses on the victim's subnet, targeting a single service (e.g. the undocumented Google Home REST API available on port 8008).
- At an interval defined by the user (200 milliseconds by default), `DNSRebindAttack` embeds one iframe containing `payload.html` into the `launcher.html` page. Each iframe contains one `DNSRebindNode` object that executes an attack against port 8008 of a single host defined in the range of IP addresses being attacked. This injection process continues until an iframe has been injected for each IP address that is being targeted by the attack.
- Each injected `payload.html` uses its `DNSRebindNode` to attempt a rebind attack by communicating with a whonow DNS server. If it succeeds, the same-origin policy is violated and `payload.html` can communicate with the Google Home product directly. Usually `payload.html` will be written in such a way that it makes a few API calls to the target device and exfiltrates the results to example.com before finishing the attack and destroying itself.
Note: if a user has one Google Home device on their network with an unknown IP address and an attack is launched against the entire 192.168.1.0/24 subnet, then one `DNSRebindNode`'s rebind attack will be successful and 254 will fail.
An attack consists of three coordinated scripts and files:
- An HTML file containing an instance of `DNSRebindAttack` (e.g. `launcher.html`).
- An HTML file containing the attack payload (e.g. `payload.html`). This file is embedded into `launcher.html` by `DNSRebindAttack` for each IP address being targeted.
- A DNS Rebind Toolkit server (`server.js`) to deliver the above files and exfiltrate data if need be.
Here is an example HTML launcher file. You can find the complete document in
Here is an example HTML payload file. You can find the complete document in
This script is used to deliver the `launcher.html` and `payload.html` files, as well as receive and save exfiltrated data from the `DNSRebindNode` to the `data/` folder. For development, I usually run this server on localhost and point `DNSRebindAttack.attack(...)` to 127.0.0.1. For production, I run the server on a VPS cloud server and point `DNSRebindAttack.attack(...)` to its public IP address.
```bash
# run with admin privileges so that it can open port 80.
sudo node server
```

```
usage: server [-h] [-v] [-p PORT]

DNS Rebind Toolkit server

Optional arguments:
  -h, --help            Show this help message and exit.
  -v, --version         Show program's version number and exit.
  -p PORT, --port PORT  Which ports to bind the servers on. May include
                        multiple like: --port 80 --port 1337
                        (default: -p 80 -p 8008 -p 8060 -p 1337)
```
I've included an example vulnerable server in `examples/vulnerable-server.js`. This vulnerable service MUST be run from another machine on your network, and its port MUST match the port that `server.js` listens on. To run this example attack yourself, do the following:
```bash
# on the victim-side machine: clone the repo and launch the vulnerable server
git clone https://github.com/brannondorsey/dns-rebind-toolkit
cd dns-rebind-toolkit
node examples/vulnerable-server
# ...
# vulnerable server is listening on 3000
```

```bash
# on the other machine: run the toolkit server on the same port
node server --port 3000
```
Now, navigate your browser to http://localhost:3000/launcher.html and open a dev console. Wait a minute or two; if the attack worked you should see some dumped credz from the vulnerable server running on the secondary computer.
Check out the examples/ and payloads/ directories for more examples.
Files and Directories
server.js: The DNS Rebind Toolkit server.
payloads/: Several HTML payload files hand-crafted to target a few vulnerable IoT devices. Includes attacks against Google Home, Roku, and Radio Thermostat for now. I would love to see more payloads added to this repo in the future (PRs welcome!)
examples/: Example usage files.
data/: Directory where data exfiltrated by `DNSRebindNode` is saved by `server.js`.
This toolkit was developed to be a useful tool for researchers and penetration testers. If you'd like to see some of the research that led to its creation, check out this post. If you write a payload for another service, consider making a PR to this repository so that others can benefit from your work!