DNS-REBINDINGLateral Movement

DNS Rebinding

Attacker-controlled DNS responds with short-TTL A records that flip from attacker IP to internal RFC1918 IPs — victim browser then talks to internal services via the attacker page.

§ Where this technique fits

DNS-REBINDING is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 4 on average.

§ Dossiers chaining this technique

DNS rebinding → access internal router admin from a browser
Victim visits attacker page. JS opens a connection to attacker.com, which after the first request flips its DNS A record to 192.168.1.1 — subsequent requests now go to the victim's router under the attacker's origin.
step 4 / 6

§ What commonly comes next

01
Default Credentials
W-AUTH-DEFAULT · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

DNS rebinding → access internal router admin from a browser

§ What commonly comes next