Share
## https://sploitus.com/exploit?id=PACKETSTORM:217657
==================================================================================================================================
    | # Title     : Starlink DNS Rebinding Exploit                                                                                   |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : indoushka                                                                                                        |
    ==================================================================================================================================
    
    [+] Summary    : This Python script implements a lightweight DNS rebinding detection system designed to monitor suspicious domain-to-IP resolution changes in real time. 
                     It behaves like a mini EDR sensor focused specifically on identifying DNS rebinding and IP-flapping patterns.
                     The tool continuously resolves a list of domains and tracks their historical IP resolutions. It analyzes changes over time to detect potentially malicious behavior, especially transitions from public to private IP ranges.
    
    [+] Key detection capabilities:
    
    Public โ†’ Private IP transition detection: Flags when a domain resolves from a public IP to a private/internal IP space, a common DNS rebinding indicator
    Rapid IP flapping detection: Identifies domains that resolve to multiple different IPs within a short window
    Time-windowed history tracking: Uses bounded deques to store recent DNS resolution history efficiently
    Thread-safe alert logging (lightweight): Stores and prints security events with severity and metadata
    Private IP classification: Uses ipaddress module to correctly identify RFC1918 internal ranges
    
    [+] Operational behavior:
    
    Continuously monitors configured target domains in a loop
    Performs periodic DNS resolution every few seconds
    Maintains historical resolution state per domain
    Triggers high-severity alerts when suspicious patterns are detected
    
    Overall, this script provides a simple but effective DNS rebinding monitoring mechanism suitable for lab environments, security research, or integration into larger threat detection pipelines.
    
    [+] POC   :  
    
    #!/usr/bin/env python3
    
    import socket
    import time
    import threading
    import ipaddress
    from collections import defaultdict, deque
    
    class DNSRebindingDetector:
        def __init__(self, window=60):
            self.domain_history = defaultdict(lambda: deque(maxlen=20))
            self.alerts = deque(maxlen=100)
            self.window = window
    
        def is_private_ip(self, ip):
            try:
                return ipaddress.ip_address(ip).is_private
            except:
                return False
    
        def resolve_domain(self, domain):
            try:
                return socket.gethostbyname(domain)
            except:
                return None
    
        def analyze(self, domain):
            ip = self.resolve_domain(domain)
            if not ip:
                return
    
            now = time.time()
            self.domain_history[domain].append((ip, now))
    
            history = list(self.domain_history[domain])
    
            if len(history) < 2:
                return
    
            old_ip = history[-2][0]
            new_ip = history[-1][0]
    
            if (not self.is_private_ip(old_ip)) and self.is_private_ip(new_ip):
                self.alert(domain, old_ip, new_ip, "PUBLIC_TO_PRIVATE_REBINDING")
    
            unique_ips = set([h[0] for h in history])
            if len(unique_ips) >= 3:
                self.alert(domain, old_ip, new_ip, "RAPID_IP_FLAPPING")
    
        def alert(self, domain, old_ip, new_ip, reason):
            event = {
                "domain": domain,
                "old_ip": old_ip,
                "new_ip": new_ip,
                "reason": reason,
                "severity": "HIGH",
                "timestamp": time.time()
            }
            self.alerts.append(event)
    
            print("\n[ DNS REBINDING ALERT]")
            print(event)
    
        def monitor(self, domains):
            while True:
                for d in domains:
                    self.analyze(d)
                time.sleep(2)
    
    
    if __name__ == "__main__":
        targets = [
            "example.com",
            "test.local"
        ]
    
        detector = DNSRebindingDetector()
        detector.monitor(targets)
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================