Using DNS Rebinding To Hack Routers

What you need

    • Webserver
    • Register a nameserver on a domain
    • Rebind (apt-get install rebind, or download it)

So what is DNS Rebinding?

DNS rebinding occurs when the nameserver for a site answers with an IP address that is different from the web server’s own, mainly for malicious reasons. The attack vector is returning the client’s own IP address in order to perform a Cross-Site Request Forgery (CSRF) attack. We will be using this to ‘hack’ routers. This works because a significant number of consumer-grade routers are configured in such a way that, when you type the external IP address of the router from within the local LAN, it takes you to the router configuration page. The reason this works is that the router checks only where the packet is going, not the interface through which it came in. This means that an internal host can reach the router by either the router’s INTERNAL or its EXTERNAL IP, whereas an external device cannot reach the router at all (without DNS rebinding or some other attack).

So how does it work?

Home User: 6.6.6.6
Web Server: 5.5.5.5 (example.com)
RealNameServer: 9.9.9.9
FakeNameServer: 5.5.5.5 (same as web server)
When a browser asks a DNS server for the IP address of a host name, the DNS server sends back all the address records it has for that name.

6.6.6.6 Me -> RealNameServer ::: A Record for example.com
6.6.6.6 Me <- RealNameServer ::: IPs For example.com: 5.5.5.5

Then the well-known TCP handshake:

6.6.6.6 Me --SYN--> WebServer 5.5.5.5
6.6.6.6 Me <--SYN/ACK-- WebServer 5.5.5.5
6.6.6.6 Me --ACK--> WebServer 5.5.5.5
6.6.6.6 Me <--HTML/JS-- WebServer 5.5.5.5
6.6.6.6 Me --FIN--> WebServer 5.5.5.5
6.6.6.6 Me <--FIN/ACK-- WebServer 5.5.5.5
6.6.6.6 Me --ACK--> WebServer 5.5.5.5

So DNS rebinding simply works like this:
Registered Nameserver: ns1.example.com [NS]

When we request an A record for the website, it provides two IP addresses:
example.com [A] -~-~-~-> 5.5.5.5 (web server), 6.6.6.6 (home)

Set your nameserver to ns1.example.com in your registrar.
Now that you have that set up, we’re ready to begin. When the client requests your website, it will be provided with two different IP addresses: that of your web server, and that of their router. When they connect to you, you provide them with malicious HTML/JavaScript to automatically create requests to log into their router and perform your desired configuration changes.

6.6.6.6 Me --> FakeNameServer ::: A Record for example.com
6.6.6.6 Me <-- FakeNameServer ::: IPs for example.com: 5.5.5.5 and 6.6.6.6

As you can see, the fake nameserver adds whatever source address the request is coming from and says “use this as an IP too”.

6.6.6.6 Me --SYN--> WebServer 5.5.5.5
6.6.6.6 Me <--SYN/ACK-- WebServer 5.5.5.5
6.6.6.6 Me --ACK--> WebServer 5.5.5.5
6.6.6.6 Me <--HTML/JS-- WebServer 5.5.5.5 ** This is MALICIOUS JAVASCRIPT
6.6.6.6 Me --FIN--> WebServer 5.5.5.5
6.6.6.6 Me <--RST-- WebServer 5.5.5.5
6.6.6.6 Me NEW IP ADDRESS FOR example.com: 6.6.6.6
6.6.6.6 Me --SYN--> Router 6.6.6.6
6.6.6.6 Me <--SYN/ACK-- Router 6.6.6.6
6.6.6.6 Me --ACK--> Router 6.6.6.6
6.6.6.6 Me <--HTML/JS-- Router 6.6.6.6 *** This is the Router Login Page
6.6.6.6 Me --FIN--> Router 6.6.6.6
6.6.6.6 Me <--FIN/ACK-- Router 6.6.6.6
6.6.6.6 Me --ACK--> Router 6.6.6.6
5.5.5.5 Malicious Webserver >>> Proxy via the Malicious JavaScript >>> Router 6.6.6.6

Now the owner of the malicious web server has access to the router login page for as long as the browser is open. The key to the effectiveness of DNS rebinding is that many routers have default passwords that users never change (e.g. admin/admin, admin/password, root/, admin/, etc.). Once you’re in the router, enable remote administration (if available) and set a password (that you know), and you will be able to remote into the router. From there, you can run the same attack over and over, sniff the network, poison the DNS cache, or carry out other network attacks.

Actually Running the Attack

Alright, as I said earlier, you must have the nameserver configured in your DNS manager and set your website’s nameserver to itself.

Note: If you are behind a NAT or Firewall, you must have ports 53, 80 and 81 “forwarded” and allowed.

The command:
./rebind -i eth0 -d example.com

-i = the interface through which incoming connections travel
-d example.com = the domain you have registered

[+] Starting DNS server on port 53
[+] Starting attack Web server on port 80
[+] Starting callback Web server on port 81
[+] Starting proxy server on 5.5.5.5:664

Now open your web browser and set its proxy settings to point at your web server, using the address and port that rebind prints for its proxy server.

Proxy Settings:
Type: HTTP Proxy
IP: 5.5.5.5 (example.com server)
Port: 664

Now go into your browser and type:

http://rebind/

You will be redirected to the Rebind web interface. Once you’ve done that, just wait for someone to browse to example.com and hope their router is vulnerable. Click the box that pops up and you’re in! I recommend that once you get into the router, you enable some form of remote access.

Blocking the attack

Router Config:
This attack has largely been stopped or prevented by more secure router configurations. What allows it to work is that services (like the HTTP server on your router) are bound to all interfaces and are therefore reachable on every IP the router has. The router drops anything arriving on the external interface, but that does not matter here, because the victim’s browser reaches the external IP from inside the internal LAN.
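Besides binding the admin service to the LAN interface only, a router’s web server can refuse rebound requests by checking the Host header: after the rebind the browser still sends the attacker’s domain (example.com) as Host, because that is the name it navigated to; only the resolved address changed. The following is an added example written for this article, not code from any router firmware or from the rebind tool; the LAN address 192.168.1.1, the hostname router.local, port 8080 and the handler class AdminHandler are constructed assumptions.

```python
import http.server
import sys

# Constructed example values: the router's LAN address and the hostname it
# advertises to LAN clients. A real device would take these from its config.
LAN_ADDRESS = "192.168.1.1"
LAN_HOSTNAME = "router.local"
ALLOWED_HOSTS = {LAN_ADDRESS, LAN_HOSTNAME}


def host_is_allowed(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if the Host header names the router itself.

    After a rebind the browser still sends the attacker's domain
    (example.com) as Host; only the resolved IP changed. Rejecting foreign
    Host values therefore blocks the rebound request even though it
    arrived on the LAN-side socket.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                # bracketed IPv6 literal, e.g. [::1]:80
        end = host.find("]")
        if end < 0:
            return False
        host = host[1:end]
    elif ":" in host:                       # hostname:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host in {h.lower() for h in allowed_hosts}


class AdminHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for a router admin page that enforces the check."""

    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host")):
            # 421 Misdirected Request: the request was not meant for this host.
            self.send_error(421, "Misdirected Request")
            return
        body = b"<html><body>Router admin (constructed demo page)</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to the LAN address only (the other half of the mitigation): the
    # service then does not exist on the WAN-side address at all. Pass another
    # address on the command line to try it on a workstation.
    bind = sys.argv[1] if len(sys.argv) > 1 else LAN_ADDRESS
    http.server.HTTPServer((bind, 8080), AdminHandler).serve_forever()
```

Running it as `python3 host_check.py 127.0.0.1`, a request such as `curl -H 'Host: router.local' http://127.0.0.1:8080/` gets the page, while `curl -H 'Host: example.com' http://127.0.0.1:8080/` (what a rebound browser would send) gets 421. A plain `curl http://127.0.0.1:8080/` is also refused, since 127.0.0.1 is not in the allowed set; add it only for local testing.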
DNS Pinning:
DNS pinning basically takes the first DNS response for a site and keeps it; it does not allow updates. This approach is deprecated because DNS load balancing, which is vitally important to major sites, depends on answers changing, and pinning interferes with that. However, some sort of verification could be implemented to ensure that each address within a multi-answer DNS response is actually part of that domain.
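To show what the verification suggested above can look like, and to make the multi-answer mechanism described at the top of the article concrete, here is an added example (not part of the original article or of the rebind tool) that parses a DNS response and rejects A answers that point back into the querying network: private, loopback and link-local ranges, and the client’s own public address, the 6.6.6.6 of the walk-through. The response bytes are constructed by build_response for the example; the function names and CLIENT_PUBLIC_IP are assumptions.

```python
import ipaddress
import struct

# Constructed values from the walk-through above: the victim's public address
# (the router's WAN side) is 6.6.6.6; the attacker's web server is 5.5.5.5.
CLIENT_PUBLIC_IP = "6.6.6.6"


def build_response(name, addresses, txid=0x1234, ttl=0):
    """Build a minimal DNS response with one A record per address.

    Constructed test data for the example, not a captured packet.
    """
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    # Flags 0x8180: standard response, recursion desired and available.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    answers = b""
    for addr in addresses:
        # 0xC00C is a compression pointer to the name at offset 12 (the question).
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers


def read_name(msg, offset):
    """Return (dotted name, offset after the name), following compression pointers."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:                                  # root label ends the name
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_a_records(msg):
    """Return [(name, ipv4)] for every A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4                                      # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            records.append((name, str(ipaddress.IPv4Address(rdata))))
    return records


def filter_rebinding(msg, client_public_ip=CLIENT_PUBLIC_IP):
    """Split the A answers into (kept, rejected) lists.

    An answer is rejected when it points back into the querying network:
    a private, loopback or link-local range, or the public address the
    query itself came from. A legitimate public site never resolves to its
    visitor's own address, so such an answer is the rebinding signature.
    """
    kept, rejected = [], []
    for name, ip in parse_a_records(msg):
        addr = ipaddress.IPv4Address(ip)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            rejected.append((name, ip, "non-routable address"))
        elif ip == client_public_ip:
            rejected.append((name, ip, "answer is the client's own public address"))
        else:
            kept.append((name, ip))
    return kept, rejected


if __name__ == "__main__":
    # Rebound answer as in the walk-through, plus a LAN address for contrast.
    response = build_response("example.com", ["5.5.5.5", "6.6.6.6", "192.168.1.1"])
    kept, rejected = filter_rebinding(response)
    print("kept:", kept)
    print("rejected:", rejected)
```

The same check is what a filtering resolver on the LAN would apply before handing answers to clients; it leaves ordinary load-balanced answers alone, since those only ever contain the site’s own public addresses.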

Simple Security Measures:
Change your router’s password.
Prioritize HTTPS. Certificates let you verify that a secure connection to the genuine site actually exists.
