PingBack

Overview

DNS pingback is a method that can be used to reveal the IP address of backend services. For example, some websites process and resolve hostnames found in certain HTTP headers, which lets an attacker receive DNS queries at their authoritative DNS server. Likewise, some websites issue HTTP requests back to Referer URLs logged from incoming traffic, for reasons ranging from marketing to threat analytics.

Some email gateways also process links or domain names inside emails for security purposes. When they do, an attacker may receive DNS queries from that organization, revealing parts of its infrastructure.
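A defender-side check that follows from the behaviour described above, as an added example (not code from the page or from PortSwigger): correlate hostnames that arrived in inbound HTTP headers with the server's own outbound DNS queries, and flag lookups for names that an outside client supplied. It goes slightly beyond the text by also matching subdomains of a supplied name. The header list, the resolver log format, and all sample values are constructed assumptions.

```python
"""Detect DNS pingbacks: outbound DNS lookups for hostnames that arrived in
untrusted inbound HTTP headers. The requests, DNS log lines and the header
list below are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Headers that backends are commonly observed to resolve or fetch (assumed list).
CANDIDATE_HEADERS = ("referer", "host", "x-forwarded-host", "x-wap-profile",
                     "origin", "x-original-url")
HOST_RE = re.compile(r"^[a-z0-9.-]+$")

def _under(name, suffix):
    """True if name equals suffix or is a subdomain of it."""
    return name == suffix or name.endswith("." + suffix)

def header_hostnames(headers):
    """Map hostname -> header it came from, for every header holding a URL or host."""
    found = {}
    for name, value in headers.items():
        if name.lower() not in CANDIDATE_HEADERS:
            continue
        host = urlsplit(value).hostname if "://" in value else value.split(":")[0]
        host = (host or "").lower().rstrip(".")
        if host and HOST_RE.match(host):
            found.setdefault(host, name)
    return found

def find_pingbacks(requests, dns_log, trusted_suffixes):
    """Return (qname, header, client_ip) for each DNS query whose name was supplied
    by an inbound request and does not belong to one of our own domains."""
    supplied = {}
    for req in requests:
        for host, hdr in header_hostnames(req["headers"]).items():
            supplied.setdefault(host, (hdr, req["client"]))
    hits = []
    for line in dns_log:  # assumed resolver log format: "<time> <client> <qname>"
        qname = line.split()[-1].lower().rstrip(".")
        if any(_under(qname, s) for s in trusted_suffixes):
            continue
        for host, (hdr, client) in supplied.items():
            if _under(qname, host):
                hits.append((qname, hdr, client))
                break
    return hits

SAMPLE_REQUESTS = [  # constructed inbound requests (headers as the server saw them)
    {"client": "203.0.113.7", "headers": {"Host": "shop.example.com",
        "Referer": "https://x9q.oast.example.net/t", "User-Agent": "curl/8"}},
    {"client": "198.51.100.2", "headers": {"Host": "shop.example.com",
        "X-Forwarded-Host": "k2z.oast.example.net"}},
]
SAMPLE_DNS_LOG = [  # constructed resolver log lines
    "12:00:01 10.0.0.5 cdn.example.com.",
    "12:00:02 10.0.0.5 x9q.oast.example.net.",
    "12:00:03 10.0.0.8 api.partner.example.org.",
]
```

Running `find_pingbacks(SAMPLE_REQUESTS, SAMPLE_DNS_LOG, ("example.com",))` reports the Referer-supplied name resolved by the server; in production the DNS log would come from the resolver serving the web tier.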

Real case abuse

This method has been used to decloak backend systems behind a Tor hidden service.

Using Burp Suite's Collaborator to Find the True IP Address for a .Onion Hidden Service

Tools

In many cases, submitting a hostname that you control to the target system is enough to trigger the PingBack, provided the service is configured to resolve it.

  • PortSwigger's Burp Suite Pro extension augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator.
