Merge pull request #57 from nccgroup/feature/IPv6

IPv6 support and additional PNA bypasses

Author: gdncc

cmd/singularity-server/main.go

@@ -4,6 +4,7 @@ import (
 	"flag"
 	"fmt"
 	"log"
+	"net"
 	"net/http"
 	"strconv"
 	"time"
@@ -28,10 +29,26 @@ func (a *arrayPortFlags) Set(value string) error {
 	return nil
 }
 
+type ArrIpAddressFlags []net.IP
+
+func (a *ArrIpAddressFlags) String() string {
+	return fmt.Sprintf("%T", a)
+}
+
+func (a *ArrIpAddressFlags) Set(value string) error {
+	addr := net.ParseIP(value)
+	if addr == nil {
+		log.Fatal("Could not parse IP address")
+	}
+	*a = append(*a, addr)
+	return nil
+}
+
 // Parse command line arguments and capture these into a runtime structure
 func initFromCmdLine() *singularity.AppConfig {
 	var appConfig = singularity.AppConfig{}
 	var myArrayPortFlags arrayPortFlags
+	var myArrIpAddressesFlags ArrIpAddressFlags
 
 	var responseIPAddr = flag.String("ResponseIPAddr", "unconfigured",
 		"Specify the attacker host external IP address that will be used for default DNS responses. Useful for handling QNAME Minimization.")
@@ -44,6 +61,7 @@ func initFromCmdLine() *singularity.AppConfig {
 		"Specify the attacker HTTP Proxy Server and Websockets port that permits to browse hijacked client services.")
 	var enableLinuxTProxySupport = flag.Bool("enableLinuxTProxySupport", false, "Specify whether to enable Linux TProxy support or not. Useful to listen on many ports with an appropriate iptables configuration.")
 	flag.Var(&myArrayPortFlags, "HTTPServerPort", "Specify the attacker HTTP Server port that will serve HTML/JavaScript files. Repeat this flag to listen on more than one HTTP port.")
+	flag.Var(&myArrIpAddressesFlags, "ignoreDNSRequestFrom", "Specify a source IP address to ignore DNS requests from. Repeat this flag to ignore more than one IP address. Useful for reliable DNS rebinding sessions, where third-parties may repeat DNS requests from targets.")
 	var dnsServerBindAddr = flag.String("DNSServerBindAddr", "0.0.0.0", "Specify the IP address the DNS server will bind to, defaults to 0.0.0.0")
 
 	flag.Parse()
@@ -65,6 +83,7 @@ func initFromCmdLine() *singularity.AppConfig {
 	appConfig.DNSServerBindAddr = *dnsServerBindAddr
 	appConfig.WsHTTPProxyServerPort = *WsHttpProxyServerPort
 	appConfig.EnableLinuxTProxySupport = *enableLinuxTProxySupport
+	appConfig.IgnoreDNSRequestFrom = myArrIpAddressesFlags
 
 	return &appConfig
 }

commandcontrol.go

@@ -396,7 +396,7 @@ func (c *WSClient) keepAlive(wscss *WebsocketClientStateStore, sessionID string)
 	}
 }
 
-//RoundTrip is a custom RoundTrip implementation for reverse proxy to websocket
+// RoundTrip is a custom RoundTrip implementation for reverse proxy to websocket
 func (t *ProxytoWebsocketTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	headers := make(map[string]string)
 
@@ -608,7 +608,7 @@ func (ws *WebsocketHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 	defer c.Close()
 
-	name, err := NewDNSQuery(r.Header.Get("origin"))
+	name, err := NewDNSQueryFromOrigin(r.Header.Get("origin"))
 
 	if err != nil {
 		log.Printf("websockets: could not parse origin hostname: %v\n", err)

firewall.go

@@ -7,20 +7,21 @@ import (
 	"strconv"
 )
 
-//IPTablesRule is a struct representing a linux iptable firewall rule
+// IPTablesRule is a struct representing a linux iptable firewall rule
 type IPTablesRule struct {
 	srcAddr      string
 	srcPort      string
 	dstAddr      string
 	dstPort      string
 	srcPortRange string
+	v6           bool
 }
 
-//NewIPTableRule populate an iptables rule
+// NewIPTableRule populate an iptables rule
 func NewIPTableRule(srcAddr string, srcPort string,
-	dstAddr string, dstPort string) *IPTablesRule {
+	dstAddr string, dstPort string, v6 bool) *IPTablesRule {
 	p := IPTablesRule{srcAddr: srcAddr, srcPort: srcPort,
-		dstAddr: dstAddr, dstPort: dstPort}
+		dstAddr: dstAddr, dstPort: dstPort, v6: v6}
 	p.generateSourcePortRange(10)
 	return &p
 }
@@ -48,20 +49,24 @@ func (ipt *IPTablesRule) generateSourcePortRange(max int) {
 }
 
 func (ipt *IPTablesRule) makeAndRunRule(command string) {
-	rule := exec.Command("/sbin/iptables",
+	iptables := "/sbin/iptables"
+	if ipt.v6 {
+		iptables = "/usr/sbin/ip6tables"
+	}
+	rule := exec.Command(iptables,
 		command, "INPUT", "-p", "tcp", "-j", "REJECT", "--reject-with", "tcp-reset",
 		"--source", ipt.srcAddr, //"--sport" srcPortRange,
 		"--destination", ipt.dstAddr, "--destination-port", ipt.dstPort)
 	err := rule.Run()
 	log.Printf("Firewall: `iptables` finished with return code: %v", err)
 }
 
-//AddRule adds an iptables rule in Linux iptable
+// AddRule adds an iptables rule in Linux iptable
 func (ipt *IPTablesRule) AddRule() {
 	ipt.makeAndRunRule("-A")
 }
 
-//RemoveRule removes an iptables rule in Linux iptable
+// RemoveRule removes an iptables rule in Linux iptable
 func (ipt *IPTablesRule) RemoveRule() {
 	ipt.makeAndRunRule("-D")
 }

html/manager.js

@@ -340,7 +340,7 @@ function putData(url, data) {
 const App = () => {
     let configuration = null;
     let fm = null;
-    let hosturl = "http://s-%1-%2-%3-%4-e.%5:%6/%7";
+    let hosturl = "http://s-%1.%2-%3-%4-e.%5:%6/%7";
 
     // Push settings from configuration object (obtained from manager-config.json) to UI.
     function populateManagerConfig() {
@@ -367,10 +367,140 @@ const App = () => {
         document.getElementById('flushdns').checked = configuration.getFlushDns();
     };
 
+
+// Helper functions to allow users inputting common IP addresses instead of hexstrings, and CNAMEs
+
+function ipToHexOrOriginal(input) {
+    let ipv4Bytes = parseIPv4(input);
+    if (ipv4Bytes !== null) {
+      return bytesToHex(ipv4Bytes);
+    }
+    
+    let ipv6Bytes = parseIPv6(input);
+    if (ipv6Bytes !== null) {
+      return bytesToHex(ipv6Bytes);
+    }
+    
+    // Not an IPv4 or IPv6, return original string, typically a CNAME record
+    return input;
+  }
+
+  function parseIPv4(str) {
+    const parts = str.split('.');
+    if (parts.length !== 4) {
+      return null;
+    }
+    
+    let bytes = new Uint8Array(4);
+    for (let i = 0; i < 4; i++) {
+      const num = Number(parts[i]);
+      // Each part must be an integer within [0..255]
+      if (
+        !Number.isInteger(num) ||
+        num < 0 ||
+        num > 255 
+      ) {
+        return null;
+      }
+      bytes[i] = num;
+    }
+    return bytes;
+  }
+
+  function parseIPv6(str) {
+    // Split on '::' first - only one such sequence is allowed
+    let parts = str.split('::');
+    
+    if (parts.length > 2) {
+      return null; // invalid: more than one '::'
+    }
+    
+    let head = [];
+    let tail = [];
+    
+    // Split the head by ':'
+    if (parts[0] !== '') {
+      head = parts[0].split(':');
+    } else {
+      // If parts[0] is empty, it means the address starts with '::'
+      head = [];
+    }
+    
+    // Split the tail by ':'
+    if (parts.length === 2 && parts[1] !== '') {
+      tail = parts[1].split(':');
+    } else if (parts.length === 2 && parts[1] === '') {
+      // If parts[1] is empty, it means the address ends with '::'
+      tail = [];
+    }
+    
+    // Now we know the total number of blocks we have
+    // The full IPv6 must have 8 groups (16 bytes total)
+    let missingGroups = 8 - (head.length + tail.length);
+    if (missingGroups < 0) {
+      // Means we have more than 8 groups in total
+      return null;
+    }
+    
+    // Build the full array of groups in hex
+    let groups = [];
+    
+    // Validate and push the head
+    for (let h of head) {
+      if (!isValidHextet(h)) {
+        return null;
+      }
+      groups.push(h);
+    }
+    
+    // Insert the zero-groups for '::'
+    for (let i = 0; i < missingGroups; i++) {
+      groups.push('0');
+    }
+    
+    // Validate and push the tail
+    for (let t of tail) {
+      if (!isValidHextet(t)) {
+        return null;
+      }
+      groups.push(t);
+    }
+    
+    if (groups.length !== 8) {
+      return null; // sanity check
+    }
+    
+    // Convert each group from hex into two bytes
+    let bytes = new Uint8Array(16);
+    for (let i = 0; i < 8; i++) {
+      let val = parseInt(groups[i], 16);
+      // High byte
+      bytes[i * 2] = (val >> 8) & 0xff;
+      // Low byte
+      bytes[i * 2 + 1] = val & 0xff;
+    }
+    
+    return bytes;
+  }
+
+  function isValidHextet(str) {
+    if (str.length === 0 || str.length > 4) {
+      return false;
+    }
+    // Check valid hex
+    return /^[0-9A-Fa-f]+$/.test(str);
+  }
+
+  function bytesToHex(bytes) {
+    return Array.from(bytes)
+      .map(b => b.toString(16).padStart(2, '0'))
+      .join('');
+  }
+
     function generateAttackUrl(targetHostIPAddress, targetPort, forceDnsRebindingStrategyName) {
         return hosturl
-            .replace("%1", configuration.getAttackHostIPAddress())
-            .replace("%2", targetHostIPAddress) // replace(/-/g, '--'))
+            .replace("%1", ipToHexOrOriginal(configuration.getAttackHostIPAddress()))
+            .replace("%2", ipToHexOrOriginal(targetHostIPAddress)) // replace(/-/g, '--'))
             .replace("%3", Math.floor(Math.random() * 2 ** 32))
             .replace("%4", forceDnsRebindingStrategyName === null ?
                 configuration.getRebindingStrategy() : forceDnsRebindingStrategyName)
@@ -568,8 +698,8 @@ const App = () => {
 
 
             let fid = fm.addFrame(hosturl
-                .replace("%1", document.getElementById('attackhostipaddress').value)
-                .replace("%2", document.getElementById('targethostipaddress').value.replace(/-/g, '--'))
+                .replace("%1", ipToHexOrOriginal(document.getElementById('attackhostipaddress').value))
+                .replace("%2", ipToHexOrOriginal(document.getElementById('targethostipaddress').value.replace(/-/g, '--')))
                 .replace("%3", Math.floor(Math.random() * 2 ** 32))
                 .replace("%4", document.getElementById('rebindingStrategy').value)
                 .replace("%5", document.getElementById('attackhostdomain').value)