# CVE-2022-4096
> Amine TITROFINE | January 21, 2023
--------------
This experiment is intended to demonstrate how the DNS rebinding attack works on an emulated IoT device.
In the setup, we have a simulated IoT device, which can be controlled through a web interface (this is typical
for many IoT devices). Many IoT devices do not have a strong protection mechanism; if attackers can
directly interact with them, they can easily compromise these devices.
# Environment
Host machine:
- This exploit was tested on **Linux kali 6.0.0-kali5-amd64**; it can also be tested on **Ubuntu** distributions.
# Exploit
## Containers commands and setup
First, clone this project to your local machine:
```
$ git clone https://gitlab.com/grenoble-inp-ensimag/Secu3A/Devoir2/CVE_2022_4096_amine_titrofine_farah_ben_youssef_walid_lanjri.git
```
Then change into the directory that contains the files of the repository:
```
$ cd CVE_2022_4096_amine_titrofine_farah_ben_youssef_walid_lanjri
```
Build all the services defined in the **docker-compose.yml** file:
```
$ docker-compose build
```
Then run the following command to start the different services:
```
$ docker-compose up
```
## Configure the User VM
**Step 1. Reduce Firefox's DNS caching time:**
```
network.dnsCacheExpiration: change its value to 0 (default is 60)
```
**Step 2. Change /etc/hosts:**
```
192.168.60.80 www.seedIoT32.com
```
**Step 3. Local DNS Server:**
Add the nameserver entry to the resolver configuration file (/etc/resolv.conf):
```
nameserver 10.9.0.53
```
## Testing the Lab Setup
After configuring the User VM, use the dig command to get the IP address of www.attacker32.com. You should get 10.9.0.180. If you do not get this, your lab environment is not set up correctly.
```
$ dig www.attacker32.com
```
## Launch the Attack on the IoT Device
This part is well documented in the report; please refer to it starting from page **17**.
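On the device side, rebinding can be refused because the browser keeps sending the attacker's hostname in the `Host` header even after the name resolves to the IoT device. The sketch below is an added example, not code from this repository: a standard-library WSGI middleware with hypothetical names (`HostAllowList`, `demo_device`, `status_for`) and an allow-list assumed from the `/etc/hosts` entry in Step 2.

```python
# Added example: Host-header allow-list as WSGI middleware (standard library only).
from wsgiref.util import setup_testing_defaults

# Names the device is legitimately reached by; both values come from the
# /etc/hosts entry in Step 2. Treating them as the complete list is an assumption.
ALLOWED_HOSTS = {"www.seediot32.com", "192.168.60.80"}


def normalize_host(header):
    """Lower-case the Host value and strip an optional port and trailing dot."""
    host = (header or "").strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:8080
        return host[1:].split("]", 1)[0]
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


class HostAllowList:
    """Reject any request whose Host header is not one of the device's names."""

    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app = app
        self.allowed = {h.lower() for h in allowed}

    def __call__(self, environ, start_response):
        if normalize_host(environ.get("HTTP_HOST")) not in self.allowed:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"unexpected Host header\n"]
        return self.app(environ, start_response)


def demo_device(environ, start_response):
    """Hypothetical stand-in for the simulated IoT web interface."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"device ok\n"]


def status_for(host_header):
    """Send one constructed request through the middleware; return its status."""
    environ, seen = {}, []
    setup_testing_defaults(environ)
    if host_header is None:
        environ.pop("HTTP_HOST", None)
    else:
        environ["HTTP_HOST"] = host_header
    app = HostAllowList(demo_device)
    b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0]
```

Any WSGI application can be wrapped the same way; a request that reaches the device under a rebound name is answered with 403 before the device logic runs.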
```
[4.0K] /data/pocs/534c76f442e43d6a7d9e25e480a59a9a4aeb48ac
├── [2.3K] docker-compose.yml
├── [4.0K] image_attacker_ns
│   ├── [ 192] Dockerfile
│   ├── [ 648] named.conf
│   ├── [ 352] zone_attacker32.com
│   └── [ 337] zone_example.com
├── [4.0K] image_local_dns_server
│   ├── [ 215] Dockerfile
│   ├── [ 556] named.conf
│   └── [1.2K] named.conf.options
├── [5.4M] Rapport_devoir_SSI_II.pdf
├── [1.9K] README.md
└── [4.0K] volumes
    ├── [4.0K] rebind_iot
    │   ├── [ 114] config.py
    │   ├── [ 782] __init__.py
    │   ├── [1.8K] iot.py
    │   └── [4.0K] templates
    │       ├── [ 692] change.html
    │       ├── [4.0K] css
    │       │   ├── [5.8K] style.css
    │       │   └── [8.1K] style.scss
    │       ├── [ 764] index.html
    │       └── [4.0K] js
    │           ├── [ 446] change.js
    │           ├── [ 84K] jquery-2.2.4.min.js
    │           └── [1.8K] main.js
    └── [4.0K] rebind_server
        ├── [   0] config.py
        ├── [ 861] __init__.py
        ├── [4.0K] __pycache__
        │   └── [1.3K] __init__.cpython-38.pyc
        └── [4.0K] templates
            ├── [ 692] change.html
            ├── [4.0K] css
            │   ├── [152K] bootstrap.min.css
            │   └── [5.8K] style.css
            ├── [1.2K] index.html
            └── [4.0K] js
                ├── [ 446] change.js
                ├── [ 84K] jquery-2.2.4.min.js
                └── [1.0K] main.js

12 directories, 30 files
```