$ cat /opt/ReDTunnel/TomerZait
• Principal Security Researcher at F5 Networks
• Practical Software Engineer, OSCP, OSCE
• 8-Time Winner Of Israeli CTFs
• Open Source Developer: x64dbgpy, PyMultitor, ReDTunnel and more
• Twitter: @realgam3
• LinkedIn: https://linkedin.com/in/realgam3
• GitHub: https://github.com/realgam3
$ cat /opt/ReDTunnel/NimrodLevy
• CTO and Co-founder at Scorpiones
• Practical Software Engineer, OSCP, OSCE
• 5-Time Winner Of Israeli CTFs
• Open Source Developer: AutoBrowser, Subdomain-Analyzer, ReDTunnel and more
• Twitter: @El3ct71k
• LinkedIn: https://www.linkedin.com/in/nimrodlevy
• GitHub: https://github.com/El3ct71k
Architecture
Source
Functionality
• Get Internal IP
• Scan For Hosts
• Scan For Open HTTP Ports
• Bypass Browser Limitations
• Automate the DNS Rebinding Process
• Manage All Victims In A Single Page
• Tunnel Through Victims To Their Internal Network
ReDTunnel Setup
$ docker-compose up --build -d
Creating redtunnel_dns_1 ... done
Creating redtunnel_core_1 ... done
Creating redtunnel_database_1 ... done
ReDTunnel Setup (Register Domain)
ReDTunnel Setup (Set Name Server)
ReDTunnel Setup (Set Glue Record)
ReDTunnel Setup (Set Admin Credentials)
Demo
Future Work
• Test Other Browsers (Tested On Chrome Only)
• Bypass More Browser Limitations (Like Basic Authentication PopUps)
• Faster Scan
• Eliminate Scan False Positives
• Improve Stability
• IPv6 support
• TTL manipulation
• Threshold rebind (2 IPs from DNS response)
Thanks
• Dima Belski (For The Awesome UI)
• Max Rynke aka muhaack (For The Perfect Logo)
Questions?