Setup and Installation

Requirements

• A DNS domain name from a domain registrar such as gandi or namecheap. You need be able to add and edit your own DNS records for your domain.
• A Linux server instance from a hosting provider such as Linode, Amazon AWS, Google Cloud, Microsoft Azure etc.
• Golang version 1.20 or newer

Setup

Let's say that we want to retrieve the homepage of a tool listening on localhost, port 8080, of a victim desktop machine from domain "dynamic.your.domain." You personally own/manage domain "your.domain." You will mount attacks from a server with IP address "ip.ad.dr.ss". This server will run the Singularity DNS and HTTP servers.

On the DNS Registrar Web Management Interface

Configure appropriate DNS records to delegate the management of a test subdomain ("dynamic.your.domain.") of a domain you own ("your.domain.") to the Singularity's DNS server that we will deploy shortly:

• A Name: "rebinder", IPv4: "ip.ad.dr.ss".
• NS Name: "dynamic", Hostname: "rebinder.your.domain.". Note that the ending dot "." in the hostname is required.

This sample setup informs DNS clients, including browsers, that "ip.ad.dr.ss" answers queries for any subdomains under ".dynamic.your.domain.", e.g. "foo.dynamic.your.domain.". This also permits one to access the Singularity management console using the "rebinder.your.domain" DNS name with a web browser.

If you would like to use the Hook and Control attack payload, you also need to setup a wildcard DNS record for your domain e.g. A Name: "*", IPv4: "ip.ad.dr.ss".

On the Attacker Host

Install Golang

Follow the instructions from the official Go Programming Language web site.

Obtain Singularity

Open a terminal and type the following commands:

git clone https://github.com/nccgroup/singularity

Compile

$ cd singularity/cmd/singularity-server
$ go build

Deploy

• Deploy the "html" directory in let's say "~/singularity".
• Deploy the singularity-server binary in "~/singularity".

$ mkdir -p ~/singularity/html
$ cp singularity-server ~/singularity/
$ cp -r ../../html/* ~/singularity/html/

Run

Change to the newly created directory (e.g. cd ~/singularity/) and start singularity-server with sudo ./singularity-server --HTTPServerPort 8080. This will use a DNS rebinding strategy based on the content of the DNS query by default e.g. s-ip.ad.dr.ss-127.0.0.1-<random_number>-fs-e.dynamic.your.domain will return first "ip.ad.dr.ss", the attacker host IP address, then "127.0.0.1" for subsequent queries for a limited period of time.

Note: You will need to verify that other services do not listen on ports required by Singularity.

Minimum required ports:

• UDP 53 (DNS)
• TCP 8080 (configurable default port for the manager web interface)
• The port where the vulnerable application is running (e.g. port 3000 for the Ruby on Rails Web Console or port 9333 for VS Code Chrome DevTools)

On Ubuntu 18.04 LTS, by default, systemd-resolved is listening on the localhost UDP port 53. This will prevent Singularity from starting. Disable systemd-resolved with this command: sudo systemctl disable --now systemd-resolved.service. Next, update the file /etc/resolv.conf to make sure it does not contain nameserver 127.0.0.53 but something like nameserver 8.8.8.8. Replace 8.8.8.8 with the IP address of the DNS server of your choosing (e.g. nameserver 169.254.169.254 on GCP).

Firewalls

Singularity requires multiple ports exposed to the Internet (or at least to the network from which you access the tool via your browser). The minimum required ports are UDP 53 for DNS and the port where the Singularity manager web interface is running. The default port for the manager web interface is TCP port 8080. Additionally, Singularity requires that the payload is served from the same port where the vulnerable/exploited application is running on to not violate the same-origin policy.

Minimum required ports are listed above.

Please check with your hosting provider to configure allowed inbound ports:

• AWS: Authorizing Inbound Traffic for Your Linux Instances
• GCP: Using Firewall Rules

Testing the Setup

On the Victim Host

• Deploy a local test service with python -c 'import BaseHTTPServer as bhs, SimpleHTTPServer as shs; bhs.HTTPServer(("127.0.0.1", 8080), shs.SimpleHTTPRequestHandler).serve_forever()' from a directory containing some test data files, on your client machine.
• Browse to "http://rebinder.your.domain:8080/manager.html".
• Ensure that the following fields contain the correct information:
  • "Attack Host Domain" e.g. "dynamic.your.domain"
  • "Attack Host" e.g. "ip.ad.dr.ss"
  • "Target Port" e.g. 8080
  • "Attack Payload", "payload-simple-fetch-get.html".
• Click on "Start Attack".
• The content of your victim host directory should be displayed within a few seconds/minutes in an alert box.