mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 09:27:32 +00:00
GitBook: [master] one page modified
This commit is contained in:
parent
fd99e2065f
commit
458d0ed3ed
1 changed files with 21 additions and 0 deletions
|
@ -203,6 +203,27 @@ If the web page is automatically creating a PDF with some information you have p
|
|||
|
||||
Create several sessions and try to download heavy files exploiting the SSRF from the sessions.
|
||||
|
||||
### Abusing DNS Rebidding + TLS Session ID/Session ticket
|
||||
|
||||
Requirements:
|
||||
|
||||
* **SSRF**
|
||||
* **Outbound TLS sessions**
|
||||
* **Stuff on local ports**
|
||||
|
||||
Attack:
|
||||
|
||||
1. Ask the user/bot **access** a **domain** controlled by the **attacker**
|
||||
2. The **TTL** of the **DNS** is **0** sec \(so the victim will check the IP of the domain again soon\)
|
||||
3. A **TLS connection** is created between the victim and the domain of the attacker. The attacker introduces the **payload inside** the **Session ID or Session Ticket**.
|
||||
4. The **domain** will start an **infinite loop** of redirects against **himself**. The goal of this is to make the user/bot access the domain until it perform **again** a **DNS request** of the domain.
|
||||
5. In the DNS request a **private IP** address is given **now** \(127.0.0.1 for example\)
|
||||
6. The user/bot will try to **reestablish the TLS connection** and in order to do so it will **send** the **Session** ID/Ticket ID \(where the **payload** of the attacker was contained\). So congratulations you managed to ask the **user/bot attack himself**.
|
||||
|
||||
Note that during this attack, if you want to attack localhost:11211 \(_memcache_\) you need to make the victim establish the initial connection with www.attacker.com:11211 \(the **port must always be the same**\).
|
||||
To **perform this attack you can use the tool**: [https://github.com/jmdx/TLS-poison/](https://github.com/jmdx/TLS-poison/)
|
||||
For **more information** take a look to the talk where this attack is explained: [https://www.youtube.com/watch?v=qGpAJxfADjo&ab\_channel=DEFCONConference](https://www.youtube.com/watch?v=qGpAJxfADjo&ab_channel=DEFCONConference)
|
||||
|
||||
## Exploitation in Cloud
|
||||
|
||||
### Abusing SSRF in AWS EC2 environment
|
||||
|
|
Loading…
Reference in a new issue