dref

DNS Rebinding Exploitation Framework

Modern browsers usually prevent pages from reading responses across different origins, a concept called the Same-Origin Policy. DNS rebinding is a technique that uses a malicious website and a complicit DNS server to bypass this policy, allowing an attacker to read and exfiltrate responses from origins accessible to a victim's browsers.

Applications for DNS rebinding range from internal network enumeration to launching attacks on internal network services. These attacks are usually conducted by coercing victims to browse a website under an attacker's control, for example through phishing or waterholes.

While DNS rebinding was first described nearly two decades ago, it has only recently caught traction as a legitimate attack vector. This is partly driven by the proliferation of relatively insecure IoT devices combined with increasing user awareness to more traditional phishing vectors, making these less likely to succeed.

As DNS rebinding is a relatively complex attack, MWR has released its dref tool which does the heavy-lifting. dref is designed to be used for both research and offensive simulation purposes.

dref is open source software maintained by MWR InfoSecurity, and is available on Github.

For instructions please refer to the Project Wiki