## https://sploitus.com/exploit?id=PACKETSTORM:217657
==================================================================================================================================
| # Title : Starlink DNS Rebinding Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : indoushka |
==================================================================================================================================
[+] Summary : This Python script implements a lightweight DNS rebinding detection system designed to monitor suspicious domain-to-IP resolution changes in real time.
It behaves like a mini EDR sensor focused specifically on identifying DNS rebinding and IP-flapping patterns.
The tool continuously resolves a list of domains and tracks their historical IP resolutions. It analyzes changes over time to detect potentially malicious behavior, especially transitions from public to private IP ranges.
[+] Key detection capabilities:
Public โ Private IP transition detection: Flags when a domain resolves from a public IP to a private/internal IP space, a common DNS rebinding indicator
Rapid IP flapping detection: Identifies domains that resolve to multiple different IPs within a short window
Time-windowed history tracking: Uses bounded deques to store recent DNS resolution history efficiently
Thread-safe alert logging (lightweight): Stores and prints security events with severity and metadata
Private IP classification: Uses ipaddress module to correctly identify RFC1918 internal ranges
[+] Operational behavior:
Continuously monitors configured target domains in a loop
Performs periodic DNS resolution every few seconds
Maintains historical resolution state per domain
Triggers high-severity alerts when suspicious patterns are detected
Overall, this script provides a simple but effective DNS rebinding monitoring mechanism suitable for lab environments, security research, or integration into larger threat detection pipelines.
[+] POC :
#!/usr/bin/env python3
import socket
import time
import threading
import ipaddress
from collections import defaultdict, deque
class DNSRebindingDetector:
def __init__(self, window=60):
self.domain_history = defaultdict(lambda: deque(maxlen=20))
self.alerts = deque(maxlen=100)
self.window = window
def is_private_ip(self, ip):
try:
return ipaddress.ip_address(ip).is_private
except:
return False
def resolve_domain(self, domain):
try:
return socket.gethostbyname(domain)
except:
return None
def analyze(self, domain):
ip = self.resolve_domain(domain)
if not ip:
return
now = time.time()
self.domain_history[domain].append((ip, now))
history = list(self.domain_history[domain])
if len(history) < 2:
return
old_ip = history[-2][0]
new_ip = history[-1][0]
if (not self.is_private_ip(old_ip)) and self.is_private_ip(new_ip):
self.alert(domain, old_ip, new_ip, "PUBLIC_TO_PRIVATE_REBINDING")
unique_ips = set([h[0] for h in history])
if len(unique_ips) >= 3:
self.alert(domain, old_ip, new_ip, "RAPID_IP_FLAPPING")
def alert(self, domain, old_ip, new_ip, reason):
event = {
"domain": domain,
"old_ip": old_ip,
"new_ip": new_ip,
"reason": reason,
"severity": "HIGH",
"timestamp": time.time()
}
self.alerts.append(event)
print("\n[ DNS REBINDING ALERT]")
print(event)
def monitor(self, domains):
while True:
for d in domains:
self.analyze(d)
time.sleep(2)
if __name__ == "__main__":
targets = [
"example.com",
"test.local"
]
detector = DNSRebindingDetector()
detector.monitor(targets)
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================