How to Create Manual DNS Requests to Singularity?
Singularity of Origin comes with a custom DNS server to enable easy DNS rebinding. This is useful for manual testing or attack scenarios where the Manager UI does not provide enough flexibility.
A DNS request has the following properties:

s-<IPaddressAttacker>-<IPaddressTarget>-<SessionID>-<RebindingStrategy>-e.d.rebind.it

- `s`: Start
- `<IPaddressAttacker>`: Attacker host IP address (e.g. 35.185.206.165)
- `<IPaddressTarget>`: Target service IP address or name (e.g. 127.0.0.1)
- `<SessionID>`: Session identifier (e.g. 1234567890)
- `<RebindingStrategy>`: DNS rebinding strategy
  - `fs`: First then always second
  - `ma`: Multiple answers
  - `rr`: Round robin
  - `rd`: Random
- `e`: End
- `d.rebind.it`: Attacker subdomain
Resolve to 35.185.206.165 in the first request and then always 127.0.0.1 starting with the second request (first then second rebinding strategy):
s-35.185.206.165-127.0.0.1-1234567890-fs-e.d.rebind.it
Always return both IP addresses, 35.185.206.165 and 127.0.0.1 (multiple answers rebinding strategy) unless you use the Singularity web interface (manager UI), in which case things are slightly more complicated:
s-35.185.206.165-127.0.0.1-1234567890-ma-e.d.rebind.it
Alternate between 35.185.206.165 and 127.0.0.1 (round robin rebinding strategy):
s-35.185.206.165-127.0.0.1-1234567890-rr-e.d.rebind.it
Randomly alternate DNS responses between 35.185.206.165 and 127.0.0.1 (random rebinding strategy):
s-35.185.206.165-127.0.0.1-1234567890-rd-e.d.rebind.it
Resolve to 35.185.206.165 in the first request and then always return a CNAME pointing to localhost starting with the second request (first then second rebinding strategy):
s-35.185.206.165-localhost-1234567890-fs-e.d.rebind.it
To resolve to a CNAME that contains a dash (`-`) you have to double-encode the dash as `--`, as Singularity uses the dash as a field delimiter.
Resolve to 35.185.206.165 in the first request and then always return a CNAME pointing to test-host.example.com starting with the second request (first then second rebinding strategy):
dig s-35.185.206.165-test--host.example.com-1234567890-fs-e.d.rebind.it
The idea behind the session ID is to make each request unique so that they don't interfere with each other and to support concurrent users in Singularity of Origin.
For this to work, you have to choose a unique session ID for each attack.
When you reuse the same session ID, or use a simple one such as 123 that another user is also using at the same time, you may get undesired results because these requests interfere with each other.
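The following is an added example, not Singularity's own code, that ties together the name format, the dash escaping and the session-ID rule described above. It builds and parses query names in the documented `s-...-e.d.rebind.it` layout, flags queries whose second answer points at a loopback or private address (the check a defender reviewing DNS logs would want), and simulates what each of the four documented strategies answers on the n-th query of a session. The simulator is a model of the documented behaviour only: it keys its counter on the session ID alone (which is why a shared session ID causes interference) and does not reproduce the Manager UI special case mentioned for the `ma` strategy. The `RebindRequest` class, the function names and the seeded simulator are assumptions of this example.

```python
"""Parse, build and model Singularity-style DNS rebinding query names.

Added example, not Singularity's own code: it follows the name format
documented on this page and simulates the four documented strategies
(the Manager UI special case for 'ma' is not modelled).
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STRATEGIES = {"fs", "ma", "rr", "rd"}   # strategy codes documented on the page
DEFAULT_BASE = "d.rebind.it"            # attacker subdomain from the page
_DASH = "\x00"                          # placeholder; a hostname never contains NUL

Record = Tuple[str, str]                # (record type, value), e.g. ("A", "127.0.0.1")


@dataclass(frozen=True)
class RebindRequest:
    attacker: str   # served first: the attacker host
    target: str     # served second: an IP address, or a name answered as a CNAME
    session: str
    strategy: str


def build_rebind_name(attacker: str, target: str, session: str,
                      strategy: str, base: str = DEFAULT_BASE) -> str:
    """Build a query name; a literal '-' in the target is written as '--'."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy {strategy!r}")
    return f"s-{attacker}-{target.replace('-', '--')}-{session}-{strategy}-e.{base}"


def parse_rebind_name(name: str, base: str = DEFAULT_BASE) -> Optional[RebindRequest]:
    """Return the fields of a well-formed rebinding name, or None if it is not one."""
    name = name.rstrip(".").lower()
    suffix = "." + base.lower()
    if not name.endswith(suffix):
        return None
    label = name[:-len(suffix)]
    # '--' is an escaped dash: hide it before splitting on the field delimiter
    fields = [f.replace(_DASH, "-") for f in label.replace("--", _DASH).split("-")]
    if len(fields) != 6 or fields[0] != "s" or fields[5] != "e":
        return None
    _, attacker, target, session, strategy, _ = fields
    if not (attacker and target and session) or strategy not in STRATEGIES:
        return None
    return RebindRequest(attacker, target, session, strategy)


def _record(value: str) -> Record:
    """An IP literal is answered as an A record, anything else as a CNAME."""
    try:
        ipaddress.ip_address(value)
        return ("A", value)
    except ValueError:
        return ("CNAME", value)


def rebinds_to_internal_host(req: RebindRequest) -> bool:
    """Defender check: does the second answer point inside the victim's network?"""
    if req.target == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(req.target)
    except ValueError:
        return False            # external name: cannot tell from the query alone
    return ip.is_loopback or ip.is_private or ip.is_link_local


class RebindSimulator:
    """Model of the answer each strategy gives on the n-th query of a session.

    The counter is keyed on the session ID alone, which is exactly why two
    users sharing a session ID interfere with each other.
    """

    def __init__(self, seed: int = 0) -> None:
        self._seen: Dict[str, int] = {}
        self._rng = random.Random(seed)     # seeded so 'rd' runs are reproducible

    def answer(self, req: RebindRequest) -> List[Record]:
        n = self._seen.get(req.session, 0)
        self._seen[req.session] = n + 1
        first, second = _record(req.attacker), _record(req.target)
        if req.strategy == "fs":
            return [first] if n == 0 else [second]
        if req.strategy == "ma":
            return [first, second]
        if req.strategy == "rr":
            return [first] if n % 2 == 0 else [second]
        return [self._rng.choice((first, second))]     # "rd"


if __name__ == "__main__":
    # Constructed query names mirroring the page's examples; both reuse the
    # same session ID, so the second name starts past the first answer.
    sim = RebindSimulator()
    for name in ("s-35.185.206.165-127.0.0.1-1234567890-fs-e.d.rebind.it",
                 "s-35.185.206.165-test--host.example.com-1234567890-fs-e.d.rebind.it",
                 "www.example.com"):
        req = parse_rebind_name(name)
        if req is None:
            print(f"{name}: not a rebinding query")
            continue
        print(f"{name}: target={req.target} internal={rebinds_to_internal_host(req)} "
              f"answers={[sim.answer(req) for _ in range(3)]}")
```

Running the module prints three answers per name; because both constructed names share session `1234567890`, the second name never receives the attacker's address first, which is the interference the page warns about.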