Setting up the environment for security scanner
Can you please add to the README an example on how to use:
- fake_dns.py
- fake_git.py
How did you create the certificates?
Sure! I used the following setup when I was testing this:
- A server with a public IPv4 address (e.g., 1.2.3.4) to host fake_{dns,git}.py on.
- A domain whose DNS entries I control (e.g., evil.host).
- A subdomain of evil.host with an NS record pointing to 1.2.3.4 (e.g., fakegit.evil.host).
- A wildcard TLS certificate for *.evil.host, which can be obtained from Let's Encrypt or a similar provider.
(Note that having a subdomain is not mandatory; it's just the way I set things up.)
Once you have this, fake_dns.py should be run like this (the trailing dot is important):
python3 fake_dns.py --mode static_zero fakegit.evil.host.
This will always return two A entries for fakegit.evil.host, as described in the writeup. The "real" IP in one of the records is obtained by resolving evil.host because I didn't want to hardcode 1.2.3.4. As I also mentioned in the writeup, if you only use --mode static_zero, you're probably better off adding the A records at your DNS provider directly instead of using fake_dns.py.
However, there's also --mode rebinding if you want a traditional DNS rebinding setup. It's essentially equivalent to what rbndr does, except the probabilities are tweaked slightly (it returns 127.0.0.1 with p = 0.25, not p = 0.5).
fake_git.py is supposed to be run like this:
python3 fake_git.py /etc/ssl/evil.host.{key,crt}
/etc/ssl/evil.host.key is your private key (a base64-encoded file starting with -----BEGIN RSA PRIVATE KEY-----), /etc/ssl/evil.host.crt is the certificate using this key (a base64-encoded file starting with -----BEGIN CERTIFICATE-----). I used getssl to obtain these from Let's Encrypt. Your mileage may vary.
fake_git.py will listen on TCP port 11211 by default (because we're exploiting memcached), but this can be overridden with --port PORT.
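The reply above describes two DNS answer patterns a hostile resolver can produce: a mixed answer set (a public address alongside a non-routable one) and classic rebinding (answers that flip to 127.0.0.1 on later lookups). The following is an added example of the client-side mitigation for both, written here for illustration and not part of fake_dns.py, fake_git.py or their README. It assumes nothing about the tools' internals: it takes answer lists as plain strings, rejects any non-public address, and pins a hostname to the first address set it saw so a later, different answer is refused instead of silently followed. The sample answer sets are constructed for the demo.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical helpers (added example, not project code) showing how a client
# that fetches from user-supplied hostnames can defend against DNS answers
# like the ones discussed in this thread.


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    Loopback (127.0.0.1), unspecified (0.0.0.0), RFC 1918, link-local,
    multicast and reserved ranges are all refused, so an answer set that
    smuggles in a local target is never connected to.
    """
    ip = ipaddress.ip_address(addr)
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def filter_dns_answers(answers: Iterable[str]) -> List[str]:
    """Keep only the public addresses from a resolver's answer set."""
    return [a for a in answers if is_public_address(a)]


def rebinding_suspected(answers: Iterable[str]) -> bool:
    """Flag an answer set that mixes public and non-public addresses.

    A legitimate public service does not normally advertise an internal or
    unspecified address next to its real one; treating the mix as hostile
    (and logging it) is a cheap detection signal.
    """
    answers = list(answers)
    public = filter_dns_answers(answers)
    return 0 < len(public) < len(answers)


class PinnedResolver:
    """Pin each hostname to the first validated address set it resolved to.

    Rebinding relies on the second lookup returning something different from
    the first; refusing to honour a changed answer closes that window.
    """

    def __init__(self) -> None:
        self._pins: Dict[str, Tuple[str, ...]] = {}

    def resolve(self, host: str, answers: Iterable[str]) -> Optional[List[str]]:
        """Return usable addresses for host, or None if the answer is refused.

        `answers` stands in for the raw resolver result so the example runs
        offline; a real client would pass what getaddrinfo() returned.
        """
        public = tuple(sorted(filter_dns_answers(answers)))
        if not public:
            return None  # nothing routable to connect to
        pinned = self._pins.setdefault(host, public)
        if pinned != public:
            return None  # answer changed after first lookup: refuse
        return list(pinned)


# Constructed sample answer sets (not captured from any real resolver).
SAMPLE_ANSWERS = {
    "legit.example": ["93.184.216.34"],
    "mixed.example": ["0.0.0.0", "1.2.3.4"],
    "local.example": ["127.0.0.1"],
}


if __name__ == "__main__":
    for host, answers in SAMPLE_ANSWERS.items():
        print(host, filter_dns_answers(answers), rebinding_suspected(answers))
    r = PinnedResolver()
    print(r.resolve("flip.example", ["1.2.3.4"]))    # pinned on first lookup
    print(r.resolve("flip.example", ["127.0.0.1"]))  # refused: not public
    print(r.resolve("flip.example", ["5.6.7.8"]))    # refused: pin mismatch
```

The pin is keyed on the validated public addresses, so a hostile resolver cannot get a loopback address accepted by first returning a public one; it also means a legitimate host that changes IP mid-session is refused, which is the intended trade-off for a short-lived fetch.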