A Noob Guide to setup your Own OOB DNS Server
After a few research about on how to set up my own Out-Of-Band DNS Server, I found out that it is too much complicated to set it up. But since I am Creating Automated Scanner for the recon process, I realized that it is worth a try.
What is Out-of-Band (OOB) Vulnerability?
idk, better to google it, because I don’t know either (mind the title). :)
- https://portswigger.net/blog/oast-out-of-band-application-security-testing
- https://www.acunetix.com/blog/articles/band-xml-external-entity-oob-xxe/
What you need
- Domain Name
- VPS
- This tool
Virtual Private Server (VPS)
Since Digitalocean is very popular when it comes to VPS or them so-called Droplet because it’s cheaper and User-friendly UI.
Once you buy a droplet from Digitalocean, They should give you SSH Access Credential via email, and they provide a Public IP address (ipv4 and ipv6), which you can use in the next steps. BTW, my VPS is Debian, but you can choose Ubuntu as well if you want.
DOMAIN NAME
For this purpose, I bought my domain in Njalla. Because they care about privacy. We always want privacy. So if you want privacy for your domain, I highly recommend Njalla for better privacy and cheaper domain names.
Once you buy domain names in Njalla, here’s what you need to do:
- Log in
- Go to your domains
- Click Manage
- Go to “Glue records”
- Name: ns1
- IPV4: VPS Public IP Address
- IPV6: VPS IPV6 Address
- Click the “+” Icon
- Setup another, the Name is different, and it should be ns2. IPV4 and IPV6 are just the same from ns1.
- Now Go to “DNS Settings”
- In Custom Nameservers, just put ns1.YOUR_DOMAIN and ns2.YOUR_DOMAIN
- Done!
The TOOL
After obtaining your credentials for your SSH Server in your Digitalocean server, You should be able to access it and clone this repository.
$ git clone https://github.com/JuxhinDB/OOB-Server.git$ cd OOB-Server
Take note: that this tool needs root access. You can adjust the permission if you want or if it’s necessary.
Run it but make sure you are root!
$ ./setup <YOUR_DOMAIN> <VPS_PUBLIC_IP>
example:
$ ./setup domain.com 123.123.123.123
Upon running this command the bind9 package will install in your VPS machine.
At the end of the installation script, It should be like this:
[+] setup: [12–31–2019 10:34:18] INFO Setting up paths and permissions for Bind9 logs[+] setup: [12–31–2019 10:34:18] INFO Updating all Bind9 configurations[?] setup: [12–31–2019 10:34:18] DEBUG Adding db.local to /etc/bind/db.local[?] setup: [12–31–2019 10:34:18] DEBUG Adding named.conf.options to /etc/bind/named.conf.options[?] setup: [12–31–2019 10:34:18] DEBUG Creating named.conf.log and including it in named.conf[?] setup: [12–31–2019 10:34:18] DEBUG Setting up lograte for bind[+] setup: [12–31–2019 10:34:18] INFO Reloading logrotate to take effect on new Bind9 logs
Once done, test it by running a dig command in your DNS Server
$ dig A +short google.com @ns1.YOUR_DOMAIN
check logs
$ tail -f /var/log/named/named.log
You should see some results in your logs in real-time if you do it again.
HOW TO USE IT
Now, like a burp collaborator, you can use this as a payload for your SSRF and XXE.
$ dig +short A ssrf-xxe.testpayload.YOUR_DOMAIN123.123.123.123$ tail -f /var/log/named/named.log31-Dec-2019 11:31:36.929 queries: info: client @0x7f5ba0016280 156.154.180.143#39840 (ssrf-xxe.testpayload.YOUR_DOMAIN): query: ssrf-xxe.testpayload.YOUR_DOMAIN IN A -E(0)DC (<VPS_PUBLIC_IP>)
If you want to track your XXE payload. You can list it on your excel sheet on when, where, and what payload you use and grep it in.
If you see this STÖK’s video, he mentioned that not all SSRF or XXE payloads are triggering in real-time. Sometimes it takes some time or an hour, days, weeks, or a month.
Or if you want, you can make your notification via Slack or Telegram and run it via cronjob. The choice is yours :)
*flies away*