Using Singularity
When Singularity is run without arguments, the manager web interface listens on TCP port 8080. Browse to that port to configure and launch the DNS rebinding attack.
Singularity comes with a default configuration file in `html/manager-config.json`.
You can modify this file to change the default parameters, such as `attackHostDomain`, `attackHostIPAddress`, `attackPayloads`, `rebindingStrategy` and `interval`.
Valid DNS rebinding strategy (`"rebindingStrategy"` setting) configuration file values and their corresponding Singularity manager web interface values are as follows:
- `"fs"`: "First then second (default, conservative)"
- `"ma"`: "Multiple answers (fast)"
- `"rr"`: "Round robin (IPS/filters evasion)"
- `"rd"`: "Random (IPS/filters evasion)"
These DNS rebinding strategies are explained in the Manager UI section below.
You need to edit this file if you add your own payloads. You do not need to edit the configuration file if you want to use existing payloads as you can change the parameters in the web interface.
Launch the Singularity binary (`singularity-server`) with the `-h` parameter to see its parameters.
- `-HTTPServerPort value`: Specify the attacker HTTP Server port that will serve HTML/JavaScript files. Repeat this flag to listen on more than one HTTP port.
- `-ResponseIPAddr string`: Specify the attacker host IP address that will be rebound to the victim host address (default value is 192.168.0.1).
- `-ResponseReboundIPAddr string`: Specify the victim host IP address that is rebound from the attacker host address (default value is 127.0.0.1).
- `-dangerousAllowDynamicHTTPServers`: Specify if any target can dynamically request Singularity to allocate an HTTP Server on a new port. This convenience feature may be dangerous as it allows opening new ports via the unauthenticated web interface. See `-enableLinuxTProxySupport` for an alternative.
- `-responseReboundIPAddrtimeOut int`: Specify a delay in seconds for which we will keep responding with Rebound IP Address after the last query. After the delay, we will respond with `ResponseReboundIPAddr`. The default is 300 seconds.
- `-httpProxyServerPort int`: Specify the attacker HTTP Proxy Server port that lets you browse hijacked client services. The default is 3129.
- `-enableLinuxTProxySupport`: Specify whether to enable Linux TProxy support or not. Useful to listen on many ports with an appropriate `iptables` configuration. The default is None.
The manager web interface is where you configure and launch the DNS rebinding attack. It listens on port 8080 by default. The following table describes all form fields and buttons in the manager interface:
Field Name | Description |
---|---|
Attack Host Domain | This is the (sub-)domain where the Singularity web server is running. Default value: dynamic.rebind.it |
Attack Host | This is the IP address where the manager and the attack payloads are hosted. Default value: xxx.xxx.xxx.xxx |
Target Host | This is the IP address or FQDN (e.g. jenkins.internal.target.com) of the target system where the victim (target) application is running. Default value: 127.0.0.1 |
Target Port | This is the port on which the victim (target) application is listening. Default value: 8080 |
Request New Port | This will request Singularity to listen on a new port. This feature is only available when Singularity has been started with the `-dangerouslyAllowDynamicHTTPServers` command line option. |
Attack Payload | This is where you select the payload, i.e. which application you are trying to exploit. |
Start Attack | Start the DNS rebinding attack. Be patient and wait for at least one minute. Open the browser web console to see debugging logs. |
Toggle Advanced Options | This button will enable the advanced fields described below. |
Rebinding Strategy | Specify how to respond to DNS queries from a victim client. The following options are available: * First then second (default, conservative): This is the default value. It should work on most if not all platforms in 40 to 60 seconds. * Multiple answers: Near instant DNS rebinding attack! Make sure to set the interval option described below to 1 second and, if attacking the local host, the target address to "0.0.0.0" for Unix-like platforms (e.g. Linux, macOS) and to "127.0.0.1" (or any other valid local host address) for Microsoft Windows. * Round robin (IPS/filters evasion): Alternate DNS responses between the attack and target host IP addresses. * Random (IPS/filters evasion): Randomly alternate DNS responses between the attack and target host IP addresses. |
Attack Method | Fetch API works with most browsers, but is blocked by Chrome for most (but not all) target configurations. Inline Frame should work with most browsers, unless the target application does not allow rendering in an iframe. Default value: Fetch API |
Interval | How long to wait between connection attempts to the target application in seconds. Use 1 for the Multiple answers DNS rebinding strategy. Default value: 20 |
Flood DNS Cache | Perform ~1000 DNS queries to evict cached DNS entries in Google Chrome and to improve DNS rebind attack speed from ~60s down to ~20s. Useful with the following DNS rebinding strategies: First then second, Round robin, Random. Default value: unset |
Index Token | The index token is used by Singularity to detect if the rebinding has happened yet. Default value: thisismytesttoken. |
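
The rebinding strategies described above all make one hostname resolve to both an external address and an internal one (including `0.0.0.0` and `127.0.0.1`), either in a single response or across successive responses to the same client. The following check over resolver logs is an added example, not part of Singularity; the log format, hostnames, addresses and the 600-second window are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Address space a public hostname should never resolve to (includes 0.0.0.0 and loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed resolver log: (epoch seconds, client, query name, answer IPs).
# Names and addresses are made up for this example (documentation ranges).
SAMPLE_LOG = [
    (1000, "10.0.0.5", "s-a.rebind.example", ["203.0.113.10"]),
    (1045, "10.0.0.5", "s-a.rebind.example", ["127.0.0.1"]),
    (1100, "10.0.0.7", "s-b.rebind.example", ["203.0.113.10", "0.0.0.0"]),
    (1200, "10.0.0.9", "www.example.org", ["198.51.100.20"]),
    (1260, "10.0.0.9", "www.example.org", ["198.51.100.21"]),
    (1300, "10.0.0.9", "intranet.corp.example", ["10.1.2.3"]),
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rebinding(log, window=600):
    """Map query name -> reason for names whose answers cross the
    external/internal boundary. `window` (seconds) is an assumed tuning value."""
    findings = {}
    last_seen = defaultdict(dict)  # (client, name) -> {"internal": ts, "external": ts}
    for ts, client, name, answers in sorted(log, key=lambda rec: rec[0]):
        kinds = {"internal" if is_internal(ip) else "external" for ip in answers}
        if not kinds:
            continue  # empty answer: nothing to classify
        if len(kinds) == 2:
            # One response mixing both sides: the "multiple answers" pattern.
            findings[name] = "mixed-answer"
            continue
        kind = kinds.pop()
        other = "external" if kind == "internal" else "internal"
        seen = last_seen[(client, name)]
        if other in seen and ts - seen[other] <= window:
            # Same client saw this name on the other side recently: covers
            # first-then-second, round robin and random.
            findings.setdefault(name, "flip")
        seen[kind] = ts
    return findings

if __name__ == "__main__":
    for name, reason in find_rebinding(SAMPLE_LOG).items():
        print(f"{name}: {reason}")
```

The same boundary check is what resolver-side rebinding protection such as dnsmasq's `--stop-dns-rebind` or Unbound's `private-address` enforces at query time.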