Jaqen

Dead simple reliable DNS rebinding for IPv4 and IPv6.

Usage

Jaqen abstracts away the complex steps required to perform a DNS rebind and exposes an HTML5 Fetch interface which transparently triggers a DNS rebind:

<script type="text/javascript" src="http://$JAQEN_HOST/v1.js"></script>
<script type="text/javascript">
let r = new DNSRebind();
const target = "http://internal.corp.acme.com/users";
r.fetch(target).then((resp) => resp.json()).then((users) => {
	alert("Extracted the following users:\n" + users.join("\n"));
}, (e) => console.error(e));
</script>
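The interface above only pays off if the internal service answers a request whose Host header carries the rebinding hostname (the uuid.jaqen.local name the browser actually resolved) rather than the service's own name. Checking that header is the standard service-side mitigation. The following is an added example, not Jaqen code and not from the Jaqen project: a small WSGI middleware that answers 421 Misdirected Request unless the Host header is on an allowlist. The allowlist values, the `users_app` stand-in and the `simulate` helper are constructed for the example.

```python
import ipaddress


def normalise_host(host_header):
    """Return the lower-cased host from a Host header with any :port removed,
    or None if the value is malformed. Accepts 'svc.example', 'svc.example:8080',
    bare IPv4 literals and bracketed IPv6 literals such as '[::1]:8080'."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        end = host.find("]")
        if end == -1:
            return None
        inner = host[1:end]
        try:
            ipaddress.IPv6Address(inner)
        except ValueError:
            return None
        return inner
    if host.count(":") > 1:                  # unbracketed IPv6 is not a valid Host value
        return None
    host = host.split(":", 1)[0]
    return host.rstrip(".") or None          # tolerate a trailing dot, reject empty


def host_allowed(host_header, allowed):
    """True only when the Host header names this service; 'allowed' holds the
    hostnames and IP literals the service is legitimately reached by."""
    host = normalise_host(host_header)
    if host is None:
        return False
    return host in {a.lower().rstrip(".") for a in allowed}


class HostAllowlist:
    """WSGI middleware that answers 421 Misdirected Request when the Host header
    is not in the allowlist, so a rebound request never reaches the handlers."""

    def __init__(self, app, allowed):
        self.app = app
        self.allowed = list(allowed)

    def __call__(self, environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST", ""), self.allowed):
            start_response("421 Misdirected Request",
                           [("Content-Type", "text/plain")])
            return [b"Host header does not name this service\n"]
        return self.app(environ, start_response)


def users_app(environ, start_response):
    """Stand-in for the internal /users endpoint (constructed)."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'["alice", "bob"]']


# Hostnames/addresses the service is reachable by (constructed values).
GUARDED_APP = HostAllowlist(users_app, ["internal.corp.acme.com", "10.0.0.5", "::1"])


def simulate(app, host_header):
    """Drive a WSGI app with a minimal constructed request; return (status, body)."""
    result = {}

    def start_response(status, headers):
        result["status"] = status

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/users",
                         "HTTP_HOST": host_header}, start_response))
    return result["status"], body


if __name__ == "__main__":
    for hdr in ("internal.corp.acme.com", "[::1]:8080",
                "00000000-0000-0000-0000-000000000000.jaqen.local"):
        print(hdr, "->", simulate(GUARDED_APP, hdr)[0])
```

The check is deliberately strict: an absent, empty or malformed Host value is rejected rather than passed through, and matching is done on the normalised host so a port suffix or differing case cannot be used to slip past the allowlist.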

How it works

DNS Rebinding is notoriously unreliable and hard to debug. Jaqen offers a new approach by attempting multiple DNS Rebinding methods at the same time, selecting the first method to succeed, then remembering that preferred method for future rebinds.

This is accomplished by maintaining a pool of IP addresses which can be used when executing rebind attacks. When a request is received, resources are selected from the pool based on current utilization and reserved for the duration of the attack. Because Jaqen allocates these binds on demand and releases them when they are no longer in use, it can be run with extremely minimal hardware requirements.

Depending on the target of the attack and the runtime configuration, Jaqen will select one or more of the following methods:

Rebinding Methods: TTLRebind

A TTL rebind is the most basic DNS rebinding attack and works by relying on the TTL expiration of DNS records. When the first request is received, a response is sent with a short TTL (1, 2, 4, 8 or 16 seconds) pointing to the Jaqen host (ex. 203.0.113.1):

;; QUESTION SECTION:
;00000000-0000-0000-0000-000000000000.jaqen.local.			IN	A

;; ANSWER SECTION:
00000000-0000-0000-0000-000000000000.jaqen.local.		2	IN	A	203.0.113.1

After the first request is answered, all future responses point to the target of the rebind (192.168.1.1), relying on the automatic TTL expiration on the client:

;; QUESTION SECTION:
;00000000-0000-0000-0000-000000000000.jaqen.local.			IN	A

;; ANSWER SECTION:
00000000-0000-0000-0000-000000000000.jaqen.local.		2	IN	A	192.168.1.1

Rebinding Methods: ThresholdRebind

A Threshold rebind is designed to target systems which trigger multiple DNS requests (common with server misconfigurations or when an IDS is in use) or where unknown minimum TTLs are enforced. When a request is received, a response is sent with a short TTL (1, 2, 4, 8 or 16 seconds) pointing to the Jaqen host (ex. 203.0.113.1):

;; QUESTION SECTION:
;00000000-0000-0000-0000-000000000000.jaqen.local.			IN	A

;; ANSWER SECTION:
00000000-0000-0000-0000-000000000000.jaqen.local.		2	IN	A	203.0.113.1

All requests are answered with the same Jaqen host response until a threshold of requests (1, 2, 3, 4, etc.) is received, after which all future responses point to the target of the rebind (192.168.1.1):

;; QUESTION SECTION:
;00000000-0000-0000-0000-000000000000.jaqen.local.			IN	A

;; ANSWER SECTION:
00000000-0000-0000-0000-000000000000.jaqen.local.		2	IN	A	192.168.1.1

Rebinding Methods: MultiRecordRebind

A multiple record rebind is one of the most complex DNS rebinding attacks and is only selected when all other methods have failed. It can be expensive, as each simultaneous request requires a unique public IP address on the Jaqen host, and can be noisy, as requests are not guaranteed to succeed because the method relies on undefined behavior. When a request is received, a response is sent containing both the Jaqen host (ex. 203.0.113.1) and the target of the rebind (192.168.1.1):

;; QUESTION SECTION:
;00000000-0000-0000-0000-000000000000.jaqen.local.			IN	A

;; ANSWER SECTION:
00000000-0000-0000-0000-000000000000.jaqen.local.		2	IN	A	203.0.113.1
00000000-0000-0000-0000-000000000000.jaqen.local.		2	IN	A	192.168.1.1

The rebind relies on the DNS answers remaining in the same order: when the browser makes the initial HTTP request, a response is generated by Jaqen, then the client IP address is blacklisted at the TCP layer. All future requests fail, falling through to the second DNS answer, the target of the rebind. This block remains in place until the attack completes, after which it is removed. In order to target users behind a NAT, each multiple record rebind is allocated a unique public IP address.
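All three methods described above leave the same fingerprint at the resolver: a name outside the organisation's own zones answers with an internal address, either after an earlier external answer (TTL and Threshold rebinds) or alongside one in the same answer set (MultiRecord rebind). The following is an added example, not part of Jaqen and not from the Jaqen project, of the filtering a recursive resolver or DNS log pipeline can apply. It parses dig-style answer lines in the format shown in the sections above, flags answers that point a public name at RFC 1918, loopback, link-local or IPv6 ULA space, and keeps per-name state so the external-to-internal flip is reported. The allowlisted zone `corp.acme.com.` and the sample responses are constructed for the example; they reuse the README's documentation addresses.

```python
import ipaddress
import re

# Answer-section lines as dig prints them: name, ttl, class, type, rdata.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)$")

# Address space a public name should never resolve to. Listed explicitly rather than
# via ipaddress.is_private, which would also flag documentation ranges such as
# 203.0.113.0/24 and so misclassify the Jaqen host in the sample responses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # CGNAT shared space
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local, "this" net
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 loopback, ULA, link-local
)]

# Zones that legitimately resolve to internal space (constructed allowlist; an
# organisation would fill this from its own split-horizon configuration).
ALLOWED_INTERNAL_ZONES = ("corp.acme.com.",)


def is_internal_ip(text):
    """True if the address (or the IPv4 inside an IPv4-mapped IPv6) is internal."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS if net.version == ip.version)


def parse_answers(dig_output):
    """Extract (name, ttl, type, rdata) tuples; ';' comment/question lines are skipped."""
    answers = []
    for line in dig_output.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            answers.append((name.lower(), int(ttl), rtype, rdata))
    return answers


def classify_response(dig_output):
    """Classify one response as 'empty', 'clean', 'allowed-internal',
    'multi-record-rebind' or 'internal-for-public-name'.
    Returns (verdict, list of internal addresses found)."""
    answers = parse_answers(dig_output)
    if not answers:
        return ("empty", [])
    internal = [rdata for (_, _, _, rdata) in answers if is_internal_ip(rdata)]
    if not internal:
        return ("clean", [])
    name = answers[0][0]
    if name.endswith(ALLOWED_INTERNAL_ZONES):
        return ("allowed-internal", internal)
    if len(internal) < len(answers):
        # External and internal addresses mixed in one answer set.
        return ("multi-record-rebind", internal)
    return ("internal-for-public-name", internal)


class RebindTracker:
    """Remembers what each name last resolved to, so a flip from an external
    address to an internal one is reported as 'rebind-flip' even though the
    second response, taken alone, only shows an internal address."""

    def __init__(self):
        self.last_external = {}

    def observe(self, dig_output):
        verdict, _ = classify_response(dig_output)
        answers = parse_answers(dig_output)
        if not answers:
            return verdict
        name = answers[0][0]
        if verdict == "clean":
            self.last_external[name] = [a[3] for a in answers]
            return verdict
        if verdict == "internal-for-public-name" and name in self.last_external:
            return "rebind-flip"
        return verdict


# Constructed responses following the three patterns in the README.
NAME = "00000000-0000-0000-0000-000000000000.jaqen.local."
FIRST = f";; ANSWER SECTION:\n{NAME}\t\t2\tIN\tA\t203.0.113.1\n"
FLIPPED = f";; ANSWER SECTION:\n{NAME}\t\t2\tIN\tA\t192.168.1.1\n"
MULTI = (f";; ANSWER SECTION:\n{NAME}\t\t2\tIN\tA\t203.0.113.1\n"
         f"{NAME}\t\t2\tIN\tA\t192.168.1.1\n")
SPLIT_HORIZON = "internal.corp.acme.com.\t300\tIN\tA\t10.0.0.5\n"


def demo():
    """Run the four sample responses through one tracker; returns the verdicts."""
    tracker = RebindTracker()
    return [tracker.observe(r) for r in (FIRST, FLIPPED, MULTI, SPLIT_HORIZON)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Resolvers such as dnsmasq and Unbound ship equivalent filtering as a configuration option; the value of writing it out is seeing that the MultiRecord case needs a per-response check (mixed answer set) while the TTL and Threshold cases need per-name history, and that the IPv4-mapped IPv6 form and a split-horizon allowlist both have to be handled or the filter either misses rebinds or breaks legitimate internal names.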

jaqen's Issues

Not replying to DNS queries

I'm running jaqen on VPS of mine like so:

# using fake IPs for GitHub
EXTERNAL_IP=54.173.189.125
INTERNAL_IP=172.30.0.10

# start jaqen
sudo ./jaqen \
    --base-uri mydomainna.me \
    --dns-bind "0.0.0.0:53" \
    --http-bind "$EXTERNAL_IP" \
    --http-pool "$INTERNAL_IP" \
    --http-bind-map "$INTERNAL_IP/$EXTERNAL_IP" -vvv

I've configured mydomainna.me to use a $EXTERNAL_IP as a custom nameserver and have disabled the firewall to allow traffic on port 53. When I run jaqen and request http://mydomainna.me in the browser I get the following output in the console.

INFO[0000] Found 1 eligible addresses meeting criteria: [54.173.189.125\172.30.0.10:80] 
INFO[0000] Leasing 54.173.189.125\172.30.0.10:80       
INFO[0000] Created HTTPServer bound to "54.173.189.125\172.30.0.10:80" as a result of request "00000000-0000-0000-0000-000000000000" on socket "00000000-0000-0000-0000-000000000000" 
INFO[0000] Created new DNSServer bound to "0.0.0.0:53" (tcp) 
INFO[0000] Created new DNSServer bound to "0.0.0.0:53" (udp) 
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       AAAA   

However, jaqen doesn't actually return DNS responses. A simple nslookup shows:

> mydomainna.me
Server:		127.0.1.1
Address:	127.0.1.1#53

** server can't find mydomainna.me: SERVFAIL

And monitoring DNS queries via tcpdump also shows the DNS server is failing:

$ sudo tcpdump udp port 53
23:11:28.099524 IP brannon.47992 > router.asus.com.domain: 45422+ A? mydomainna.me. (32)
23:11:28.099538 IP brannon.47992 > router.asus.com.domain: 11880+ AAAA? mydomainna.me. (32)
23:11:28.177006 IP router.asus.com.domain > brannon.47992: 45422 ServFail 0/0/0 (32)
23:11:28.281190 IP router.asus.com.domain > brannon.47992: 11880 ServFail 0/0/0 (32)
23:11:28.281539 IP brannon.47992 > router.asus.com.domain: 23679+ A? mydomainna.me. (32)
23:11:28.281583 IP brannon.47992 > router.asus.com.domain: 63510+ AAAA? mydomainna.me. (32)
23:11:28.358193 IP router.asus.com.domain > brannon.47992: 23679 ServFail 0/0/0 (32)
23:11:28.860719 IP router.asus.com.domain > brannon.47992: 63510 ServFail 0/0/0 (32)
23:11:28.861286 IP brannon.47992 > router.asus.com.domain: 29708+ A? mydomainna.me. (32)
23:11:28.861339 IP brannon.47992 > router.asus.com.domain: 42729+ AAAA? mydomainna.me. (32)
23:11:28.939490 IP router.asus.com.domain > brannon.47992: 29708 ServFail 0/0/0 (32)
23:11:28.944913 IP router.asus.com.domain > brannon.47992: 42729 ServFail 0/0/0 (32)
# ...etc

@li-lyoung, any ideas what this might be? I have a hunch that I'm using the CLI args wrong but I figured you might have a better idea. Great research and DEFCON 25 talk btw 👍.

Build error due to dependency API change: multiple-value uuid.NewV4() in single-value context

While building Jaqen, I got the errors:

offers.go:92: multiple-value uuid.NewV4() in single-value context
socket.go:93: multiple-value uuid.NewV4() in single-value context

This appears to be due to an API change in the dependency: https://github.com/satori/go.uuid
NewV4() now returns an additional error value, changed in commit satori/go.uuid@0ef6afb

Build works when you change those two lines to accept a second value, for example: id, _ := uuid.NewV4()

Build instructions

What are the instructions for building this tool?

I've downloaded Go 1.9 and tried:

git clone https://github.com/linkedin/jaqen
cd jaqen
go get

But I get this go path error:

o get: no install location for directory /home/brannon/Documents/code/jaqen outside GOPATH
	For more details see: 'go help gopath'

My $GOPATH is ~/go. Are there additional instructions for installing?

usage examples

Hey again! I just spent a couple of hours trying to set up jaqen to simulate an attack on servers and domains that I own, and I'm sad to report that I couldn't get it working. Steps to reproduce:

  1. Point attacker.domain nameserver to the host running jaqen
  2. Build and run jaqen
    $ sudo ./jaqen --base-uri=http://attacker.domain --dns-bind=XXX.XX.XX.XX:53 --http-bind=XXX.XX.XX.XX --http-pool=XXX.XX.XX.XX -v
  3. Set up a virtual machine with host-only networking. Run a webserver on this virtual machine.
  4. From the VM host machine, make a request to http://attacker.domain and cross my fingers?

Every request simply returns an html page with the word "Index", except for requests for pages in manager.go, which return either 404 or something like:

ERRO[0009] websocket: not a websocket handshake: 'upgrade' token not found in 'Connection' header
2017/08/24 16:27:41 http: multiple response.WriteHeader calls

Did I make an error with my setup?
