Bindingly simple

A new tool allows pen testers to explore targeted internal networks using DNS rebinding vulnerabilities to create tunnels.

DNS rebinding is a class of exploit in which the attacker initiates repeated DNS queries to a domain under their control.

The first query would return a valid response that passes security checks, while subsequent queries return a malicious response that targets the internal network.

Attackers can exploit this by using JavaScript in a malicious web page to gain control over a user’s internal network’s HTTP resources. The attack can bypass security controls such as cross-origin resource sharing (CORS).

The DNS rebinding attack technique normally requires detailed knowledge of a target network, but a new tool by security researchers Tomer Zait and Nimrod Levy – dubbed ReDTunnel – means a hacker would need “zero knowledge about the target” in order to run an attack.

Zait told The Daily Swig: “The IP Address will be automatically revealed; the ports will be scanned and even the DNS rebinding will be automatic for every host and port.”

“But it’s not all… the really nice part is the tunnel itself! The tunnel lets you surf the victim’s internal network like a regular website, and lets you manage the victims,” he added.

Zait and Levy unveiled ReDTunnel during a presentation in the Arsenal stream at the Black Hat Asia security conference in Singapore earlier today.

The Domain Name System (DNS) is the distributed naming service for the internet. Web surfing and email delivery, among many other web services, rely on the internet’s ‘phone book’ to translate domain names – such as Google.com – to IP addresses.