What starting position does this attack require?

The first step is Phish / drive-by visit (T1566) — a initial access primitive. Assumed environment: victim runs an unpatched home / SMB router with default credentials reachable on its internal IP.

What is the final impact of this kill-chain?

The final step lands on DNS A flips to internal IP (DNS-REBINDING), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

DNS rebinding → access internal router admin from a browser

Victim visits attacker page. JS opens a connection to attacker.com, which after the first request flips its DNS A record to 192.168.1.1 — subsequent requests now go to the victim's router under the attacker's origin.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Phish / drive-by visit

T1566 · Phishing

Credential Access

Hit router with default creds

W-AUTH-DEFAULT · Default Credentials

Resource Development

Host JS page on attacker.com

T1583 · Acquire Infrastructure

Resource Development

Stand up rebinding DNS server (whonow)

T1583 · Acquire Infrastructure

Initial Access

Reconfigure DNS / port forward / firmware

IOT-OTA-MITM · OTA Update MITM

Lateral Movement

DNS A flips to internal IP

DNS-REBINDING · DNS Rebinding

§ Context

Assumed environment: victim runs an unpatched home / SMB router with default credentials reachable on its internal IP. Modern browsers honour short TTLs the attacker controls.

§ Steps

01
Phish / drive-by visitInitial Access
T1566— Phishing
02
Hit router with default credsCredential Access
W-AUTH-DEFAULT— Default Credentials
03
Host JS page on attacker.comResource Development
T1583— Acquire Infrastructure
04
Stand up rebinding DNS server (whonow)Resource Development
T1583— Acquire Infrastructure
05
Reconfigure DNS / port forward / firmwareInitial Access
IOT-OTA-MITM— OTA Update MITM
06
DNS A flips to internal IPLateral Movement
DNS-REBINDING— DNS Rebinding

§ References

T1566Phishing
T1583Acquire Infrastructure

§ Frequently asked

What is the "DNS rebinding → access internal router admin from a browser" attack path?: Victim visits attacker page. JS opens a connection to attacker.com, which after the first request flips its DNS A record to 192.168.1.1 — subsequent requests now go to the victim's router under the attacker's origin. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Phish / drive-by visit (T1566) — a initial access primitive. Assumed environment: victim runs an unpatched home / SMB router with default credentials reachable on its internal IP.
What is the final impact of this kill-chain?: The final step lands on DNS A flips to internal IP (DNS-REBINDING), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

DNS rebinding → access internal router admin from a browser

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Malicious MCP server → silent supply chain for agent tools

Squiblydoo: regsvr32 → remote SCT execution

Permissive SPF / DMARC p=none → CEO impersonation BEC

Reconfigure MFP LDAP → harvest service-account credentials