nccgroup/singularity

dynamic.your.domain issue

Closed this issue · 11 comments

I registered a domain with Gandi and configured DNS as follows:

dynamic 1800 IN NS rebinder.MY_DOMAIN.COM
rebinder 1800 IN A MY_VPS_IP

And set up a VM instance on GCP with the appropriate UDP and TCP firewall rules.

The problem is, if I use my own address (a.k.a. dynamic.MY_DOMAIN.COM) as the Attack Host Domain, the attack fails because dynamic.MY_DOMAIN.COM can't be resolved. If I look at the traffic in Wireshark I see server failure responses to the DNS queries for dynamic.MY_DOMAIN.COM.

If I set d.rebind.it as the Attack Host Domain everything works fine. The HTTP port scanner works flawlessly too.

I have tried with both Debian 9 and Ubuntu 18.04LTS instances.

I am running singularity-server with the default DNS bind settings (0.0.0.0).

How can i solve this?

gdncc commented

When you launch an attack, do you see a Singularity server log entry such as:

2019/09/06 16:44:54 DNS: Received A query: s-MY_VPS_IP-127.0.0.1-123456789-fs-e.dynamic.MY_DOMAIN.COM. from: MY_VICTIM_IP.

Thanks for the quick reply. No, I do not see that in the server log, I do see it in wireshark. This is a log from a fresh successful simple request to 192.168.0.1:80 attack using d.rebind.it as attack host domain:

XXXX@XXXXX:~/singularity$ sudo ./singularity-server --HTTPServerPort 80 
Temporary secret: 8426123c10ed7XXXXXXXXXXX00fd2c5bd7c5ff00
2019/09/06 15:53:11 Main: Starting DNS Server at 53
2019/09/06 15:53:11 HTTP: starting HTTP Server on :80
2019/09/06 15:53:11 HTTP: starting HTTP Websockets/Proxy Server on :3129
2019/09/06 15:53:15 HTTP: GET /manager.html from VICTIM_IP:50818
2019/09/06 15:53:15 HTTP: GET /manager.js from VICTIM_IP:50820
2019/09/06 15:53:15 HTTP: GET /servers from VICTIM_IP:50824
{"ServerInformation":[{"Port":"80"}],"AllowDynamicHTTPServers":false}
2019/09/06 15:53:15 HTTP: GET /manager-config.json from VICTIM_IP:50826
2019/09/06 15:53:19 HTTP: GET /soopayload.html?rnd=0.1640308773659963 from VICTIM_IP:50828
2019/09/06 15:53:19 HTTP: concatenating html/payloads/aws-metadata-exfil.js ...
2019/09/06 15:53:19 HTTP: concatenating html/payloads/docker-api.js ...
2019/09/06 15:53:19 HTTP: concatenating html/payloads/duplicati-rce.js ...
2019/09/06 15:53:19 HTTP: concatenating html/payloads/etcd.js ...
2019/09/06 15:53:19 HTTP: concatenating html/payloads/exposed-chrome-devtools.js ...
2019/09/06 15:53:19 HTTP: concatenating html/payloads/hook-and-control.js ...
2019/09/06 15:53:19 HTTP: concatenating html/payloads/jenkins-script-console.js ...
2019/09/06 15:53:19 HTTP: concatenating html/payloads/pyethapp.js ...
2019/09/06 15:53:19 HTTP: concatenating html/payloads/rails-console-rce.js ...
2019/09/06 15:53:19 HTTP: concatenating html/payloads/simple-fetch-get.js ...
2019/09/06 15:53:19 HTTP: concatenating html/payloads/webpdb.js ...
2019/09/06 15:53:19 HTTP: GET /payload.js from VICTIM_IP:50830
2019/09/06 15:53:19 HTTP: matching DNS session exists: false
2019/09/06 15:53:39 HTTP: GET / from VICTIM_IP:50832
2019/09/06 15:53:39 HTTP: matching DNS session exists: false
2019/09/06 15:53:59 HTTP: GET / from VICTIM_IP:50868

This is the kind of request I see in Wireshark:

DNS 130 Standard query response 0x90f1 A s-VPS_IP-192.168.0.1-4190562356-fs-e.d.rebind.it A 192.168.0.1

The request format is the same when using my domain as attack host domain but the response is a server failure as described before. The server log looks like:

Temporary secret: 641e6c075da650XXXXXXec2f2d8a361960e
2019/09/06 16:05:01 Main: Starting DNS Server at 53
2019/09/06 16:05:01 HTTP: starting HTTP Server on :80
2019/09/06 16:05:01 HTTP: starting HTTP Websockets/Proxy Server on :3129
2019/09/06 16:05:05 HTTP: GET /manager.html from VICTIM_IP:50954
2019/09/06 16:05:06 HTTP: GET /manager.js from VICTIM_IP:50956
2019/09/06 16:05:06 HTTP: GET /manager-config.json from VICTIM_IP:50960
2019/09/06 16:05:06 HTTP: GET /servers from VICTIM_IP:50962
{"ServerInformation":[{"Port":"80"}],"AllowDynamicHTTPServers":false}
**ATTACK HAS FAILED AT THIS POINT BECAUSE THE BROWSER CAN'T REACH dynamic.DOMAIN.COM**

gdncc commented

So it seems that the DNS queries are not reaching Singularity.

Are you observing the failed DNS requests in Wireshark on the server or the client? In the former case, do you have another process listening on port UDP/53 (although I would hope that Singularity would warn you if it was the case).

Running the following command on the Singularity server, with Singularity running, may assist in diagnosing the problem:

dig @localhost s-MY_VPS_IP-127.0.0.1-123456789-fs-e.dynamic.MY_DOMAIN.COM

The DNS records are maybe not adequately setup:

Try dig +trace s-MY_VPS_IP-127.0.0.1-123456789-fs-e.dynamic.MY_DOMAIN.COM
Compare with dig +trace s-35.185.206.165-127.0.0.1-123456789-fs-e.d.rebind.it

The latter outputs something like:

(snip)
d.rebind.it.		1800	IN	NS	rebind.it.
;; Received 109 bytes from 213.167.230.187#53(ns-186-b.gandi.net) in 144 ms

s-35.185.206.165-127.0.0.1-123456-fs-e.d.rebind.it. 0 IN A 127.0.0.1
;; Received 134 bytes from 35.185.206.165#53(rebind.it) in 26 ms

A firewall may be interfering. Running the following command from your client machine may help:

dig @MY_VPS_IP s-MY_VPS_IP-127.0.0.1-123456789-fs-e.dynamic.MY_DOMAIN.COM.

CLIENT request gives the server failure.

dig @MY_VPS_IP s-MY_VPS_IP-127.0.0.1-123456789-fs-e.dynamic.MY_DOMAIN.COM

; <<>> DiG 9.11.2-5-Debian <<>> @MY_VPS_IP s-MY_VPS_IP-127.0.0.1-123456789-fs-e.dynamic.DOMAIN.COM
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30804
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;s-MY_VPS_IP-127.0.0.1-123456789-fs-e.dynamic.DOMAIN.COM. IN	A

;; Query time: 119 msec
;; SERVER: MY_VPS_IP#53(MY_VPS_IP)
;; WHEN: Fri Sep 06 18:47:24 CEST 2019
;; MSG SIZE  rcvd: 88

I am pretty confident that a firewall on the client side is not the issue.

SERVER

dig +trace s-MY_VPS_IP-127.0.0.1-123456789-fs-e.dynamic.MY_DOMAIN.COM

(snip)


;; Received 656 bytes from 195.66.241.178#53(uk.dns.eu) in 3 ms
dynamic.DOMAIN.COM.    1800    IN      NS      rebinder.DOMAIN.COM.DOMAIN.COM.
couldn't get address for 'rebinder.DOMAIN.COM.DOMAIN.COM': not found
dig: couldn't get address for 'rebinder.DOMAIN.COM.DOMAIN.COM': no more

Note that the domain name appears twice.

gdncc commented

Do you have a dot appended to "rebinder.domain.com." for your dynamic NS record, e.g.:

dynamic | NS | 1800 | rebinder.domain.com.

I do not, the DNS table is exactly as follows:

@ 86400 IN SOA ns1.gandi.net. hostmaster.gandi.net. 1567779583 10800 3600 604800 10800
dynamic 1800 IN NS rebinder.DOMAIN.COM
rebinder 1800 IN A VPS_IP

The first line is automatically added by gandi.

I noted that rebind.it is registered with Gandi and the DNS configuration seems a little more advanced than the one proposed in the wiki. Could you please post your DNS configuration for the PoC site?

gdncc commented

I think this is the cause of the issue you are experiencing; you need to add the dot. It will take a bit of time to replicate before you can test again.

Below is an extract of our config in Gandi.

@ 10800 IN SOA ns1.gandi.net. hostmaster.gandi.net. 1554761168 10800 3600 604800 10800
@ 3600 IN A 35.185.206.165
d 1800 IN NS rebind.it.
* 1800 IN A 35.185.206.165

Problem solved, that was the problem. Thanks.
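The trailing-dot rule behind the doubled name in the dig +trace output above, as an added example (this is not Singularity's or Gandi's code; the zone origin DOMAIN.COM., the record lines and the address 203.0.113.10 are constructed placeholders). In zone-file syntax a name that does not end in a dot is relative to the zone origin, so an NS target written as `rebinder.DOMAIN.COM` becomes `rebinder.DOMAIN.COM.DOMAIN.COM.`, which has no address and makes the delegation fail with SERVFAIL. The script qualifies names the way a zone parser does and flags delegations whose target got the origin appended twice or has no address record in the zone:

```python
# Added example, not part of the Singularity project. Models the RFC 1035
# zone-file rule that caused the doubled name in this thread: a name without
# a trailing dot is relative and gets the zone origin appended.

ORIGIN = "DOMAIN.COM."  # assumed zone origin (the "@" of the Gandi zone)

# Constructed sample zones: the reporter's original records (no trailing dot
# on the NS target) and the corrected version. 203.0.113.10 is a placeholder.
BROKEN_ZONE = [
    "@ 86400 IN SOA ns1.gandi.net. hostmaster.gandi.net. 1 10800 3600 604800 10800",
    "dynamic 1800 IN NS rebinder.DOMAIN.COM",
    "rebinder 1800 IN A 203.0.113.10",
]
FIXED_ZONE = [
    "@ 86400 IN SOA ns1.gandi.net. hostmaster.gandi.net. 1 10800 3600 604800 10800",
    "dynamic 1800 IN NS rebinder.DOMAIN.COM.",
    "rebinder 1800 IN A 203.0.113.10",
]


def qualify(name: str, origin: str) -> str:
    """Return the absolute form of a zone-file name.

    '@' is the origin, a name ending in '.' is already absolute, anything
    else is relative and gets the origin appended (this is the rule that
    bites when the trailing dot is forgotten).
    """
    if not origin.endswith("."):
        raise ValueError("origin must be absolute (end with '.')")
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_record(line: str, origin: str) -> dict:
    """Parse one 'owner ttl class type rdata' line into absolute names."""
    owner, ttl, cls, rtype, rdata = line.split(maxsplit=4)
    rec = {"owner": qualify(owner, origin), "ttl": int(ttl),
           "class": cls, "type": rtype, "rdata": rdata}
    # NS and CNAME targets are domain names and follow the same rule.
    if rtype in ("NS", "CNAME"):
        rec["rdata"] = qualify(rdata, origin)
    return rec


def check_zone(lines: list, origin: str) -> list:
    """Return a list of problems with the zone's NS delegations.

    Two checks: the target ends with the origin twice (trailing dot missing
    on an in-zone target), or the target is in-zone but has no A/AAAA record.
    An empty list means the delegations look consistent.
    """
    records = [parse_record(l, origin) for l in lines]
    have_address = {r["owner"].lower() for r in records
                    if r["type"] in ("A", "AAAA")}
    doubled = "." + (origin.rstrip(".") + "." + origin).lower()
    problems = []
    for r in records:
        if r["type"] != "NS":
            continue
        target = r["rdata"].lower()
        if target.endswith(doubled):
            problems.append(
                f"{r['owner']} NS {r['rdata']}: origin appended twice; "
                "the NS target in the zone file is missing its trailing dot")
        elif target.endswith("." + origin.lower()) and target not in have_address:
            problems.append(
                f"{r['owner']} NS {r['rdata']}: in-zone target has no A/AAAA record")
    return problems


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_zone(zone, ORIGIN) or "OK")
```

Running it prints the doubled-origin problem for the broken zone and OK for the fixed one. The same logic is what `dig +trace` exposes once the zone is live: the NS line in the trace shows the fully qualified target the authoritative server actually serves, so a target that ends in the zone name twice is the symptom to look for.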

I have the same problem ... and I added the dot but it's not successful.
root@kali:~/singularity# ./singularity-server --HTTPServerPort 80 --ResponseIPAddr 192.168.1.5 --ResponseReboundIPAddr 192.168.1.6
Temporary secret: d4c7b6ea906748c73d054dab7de931b304250dda
2020/01/05 23:50:12 Main: Starting DNS Server at 53
2020/01/05 23:50:12 HTTP: starting HTTP Server on :80
2020/01/05 23:50:12 HTTP: starting HTTP Websockets/Proxy Server on :3129
2020/01/05 23:50:39 HTTP: GET / from [::1]:52888
2020/01/05 23:50:41 HTTP: GET /manager.html from [::1]:52890
2020/01/05 23:50:41 HTTP: GET /manager.js from [::1]:52892
2020/01/05 23:50:41 HTTP: GET /servers from [::1]:52894
{"ServerInformation":[{"Port":"80"}],"AllowDynamicHTTPServers":false}
2020/01/05 23:50:41 HTTP: GET /manager-config.json from [::1]:52896

Hello again

I have the following problem when compiling.

[image]

Thanks very much!

@blogNetting As described on our wiki (https://github.com/nccgroup/singularity/wiki/Setup-and-Installation) you need Golang version 1.11 or newer. According to your screenshot you have Golang version 1.10.4 installed.