$ cat /opt/ReDTunnel/TomerZait · 2019. 8. 22. · Functionality •Get Internal IP •Scan For...


$ cat /opt/ReDTunnel/TomerZait

• Principal Security Researcher at F5 Networks

• Practical Software Engineer, OSCP, OSCE

• 8 Times Winner Of Israeli CTFs

• Open Source Developer: x64dbgpy, PyMultitor, ReDTunnel and more

• Twitter: @realgam3

• LinkedIn: https://linkedin.com/in/realgam3

• GitHub: https://github.com/realgam3


$ cat /opt/ReDTunnel/NimrodLevy

• CTO and Co-founder at Scorpiones

• Practical Software Engineer, OSCP, OSCE

• 5 Times Winner Of Israeli CTFs

• Open Source Developer: AutoBrowser, Subdomain-Analyzer, ReDTunnel and more

• Twitter: @El3ct71k

• LinkedIn: https://www.linkedin.com/in/nimrodlevy

• GitHub: https://github.com/El3ct71k


Architecture


Source


Functionality

• Get Internal IP

• Scan For Hosts

• Scan For Open HTTP Ports

• Bypass Browser Limitations

• Automate the DNS Rebinding Process

• Manage All Victims In Single Page

• Tunnel Through Victims To Their Internal Network


ReDTunnel Setup

$ docker-compose up --build -d

Creating redtunnel_dns_1 ... done

Creating redtunnel_core_1 ... done

Creating redtunnel_database_1 ... done


ReDTunnel Setup (Register Domain)


ReDTunnel Setup (Set Name Server)


ReDTunnel Setup (Set Glue Record)


ReDTunnel Setup (Set Admin Credentials)


Demo


Future Work

• Test Other Browsers (Tested On Chrome Only)

• Bypass More Browser Limitations (Like Basic Authentication PopUps)

• Faster Scan

• Eliminate Scan False Positives

• Improve Stability

• IPv6 Support

• TTL manipulation

• Threshold rebind (2 IPs from DNS response)


Thanks

• Dima Belski (For The Awesome UI)

• Max Rynke aka muhaack (For The Perfect Logo)


Questions?