Host your own Interactsh-server and integrate it with Discord to get notifications while testing for out-of-band interaction
Welcome to my 2nd blog, about hosting your own private Interactsh-server (developed by Project Discovery) and integrating it with your Discord server, so that all the interaction output goes straight to your Discord server through Discord webhooks and you don't need to continuously watch interactsh-client. So let's start.
I have tried my best to give a tutorial on how to host a private Interactsh-server on a VPS.
Prerequisites
- A domain name like example.com from any provider like Freenom, Namecheap, GoDaddy, Name.com etc.
- A VPS (virtual private server); I prefer DigitalOcean, it's cheap and you get $100 free credit if you use my referral link.
- A Discord server; you can create your own at Discord.com. And that's all.
What is OAST
OAST (out-of-band application security testing) is used when we have to confirm SSRF, blind SQL injection, data exfiltration, or HTTP, SMTP, LDAP and DNS interactions coming from the vulnerable server, to verify whether our payload was actually executed by the server. Burp Collaborator is the same kind of tool and is used by pentesters, bug hunters and security researchers to test out-of-band interaction. You can learn more about it by Googling.
Now we can start configuring and hosting Interactsh-server.
Step 1: Buy a domain
You can use any domain name provider/seller like Name.com, namecheap.com, godaddy.com etc., but in your DNS settings configure the domain to use DigitalOcean's custom nameservers, i.e. ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com.
Here I have configured custom nameservers pointing to DigitalOcean's nameservers.
Step 2: Create a droplet and configure it
- Go to https://cloud.digitalocean.com/ and first create a droplet; the basic plan at $5/month is more than enough.
- Create the droplet with Ubuntu or Debian; I created one with Ubuntu 20.0 LTS, 1 shared CPU core, 1 GB memory, 25 GB storage and 1000 GB network transfer.
- Configure it with an SSH key or a password, whatever you want, but for better security use SSH keys for login.
- It takes some time to create the VM and assign an IP to it. Then log in to your VPS using SSH, create a user with sudo privileges and disable root login to the server, as a security best practice. You can Google how to create a user, assign a sudo role, and disable root login via SSH.
Step 3: Install Go 1.17+
- Update the system and install the Go language. I have made a script to install and configure Go on Debian-based systems:
wget https://dl.google.com/go/go1.17.8.linux-amd64.tar.gz
sudo tar -xvf go1.17.8.linux-amd64.tar.gz
sudo mv -f go /usr/local/
Then open ~/.bashrc and add the environment variables like this:
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
Now install interactsh-server from Project Discovery's GitHub (note: this installs the server binary; the client is installed separately on your own machine in Step 6):
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-server@latest
Now we need to get an SSL certificate so we can also receive interactions on the HTTPS port. You can use a self-signed certificate if you don't want to spend money on it; I have also used a self-signed certificate. Here we are using Certbot, which does it automatically, but you need to provide a DigitalOcean API key with read and write permissions so it can create a TXT record for your domain and verify it.
Install Certbot using Snapcraft
- install snap
sudo apt install snapd
# now install certbot
sudo snap install --classic certbot
sudo snap install certbot-dns-digitalocean
# trust the dns-digitalocean plugin for certbot using this command
sudo snap set certbot trust-plugin-with-root=ok
Now get a DigitalOcean API key from your account at cloud.digitalocean.com (under API).
Put the API key in a file called digi.ini like this:
# DigitalOcean API credentials used by Certbot
dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff
Set the permissions of digi.ini to 600 by running chmod 600 digi.ini.
Now run certbot with sudo, put your own domain name in place of example.com, and make sure the digi.ini file is in the same directory:
sudo certbot certonly --dns-digitalocean --dns-digitalocean-credentials ./digi.ini --dns-digitalocean-propagation-seconds 60 -d oast.example.com -d "*.oast.example.com"
If all goes well it will create the certificate in the /etc/letsencrypt/live/oast.example.com/ directory.
Now let's change the DNS for our domain.
- Add the domain to your DigitalOcean project by going to the Networking tab.
- Add an A record for ns1.oast.example.com pointing to the droplet's IP, as in the picture.
- Add an NS record for oast.example.com pointing to ns1.oast.example.com, as in the picture above.
Now the DNS records are configured properly, so let's start interactsh-server. But before starting the server, stop DNS resolution on the VPS so it releases port 53 and we can bind it to interactsh-server:
sudo systemctl stop systemd-resolved.service
sudo systemctl disable systemd-resolved.service
Step 4: Configuration file for interactsh-server
# interactsh-server config file
# generated by https://github.com/projectdiscovery/goflags
# flag configuration file
#config: /home/user/.config/interactsh-server/config.yaml
# configured domain to use with interactsh server
domain: oast.example.com
# public ip address to use for interactsh server
ip: <your-server-public-ip>
# public ip address to listen on
listen-ip: 0.0.0.0
# number of days to persist interaction data in memory
eviction: 50
# enable authentication to server using random generated token
#auth: false
# enable authentication to server using given token
token: some-random-most-secure-string-for-authentication-with-interactsh-server-by-interactsh-client
# origin url to send in acao header (required to use web-client)
#acao-url: https://app.interactsh.com
# skip acme registration (certificate checks/handshake + tls protocols will be disabled)
#skip-acme: false
# scan canary token everywhere
#scan-everywhere: false
# length of the correlation id preamble
#correlation-id-length: 20
# length of the correlation id nonce
#correlation-id-nonce-length: 13
# custom certificate path
cert: /etc/letsencrypt/live/oast.example.com/cert.pem
# custom private key path (Let's Encrypt stores it as privkey.pem under /etc/letsencrypt/live/<domain>/)
privkey: /etc/letsencrypt/live/oast.example.com/privkey.pem
# port to use for dns service
dns-port: 53
# port to use for http service
http-port: 80
# port to use for https service
https-port: 443
# port to use for smtp service
smtp-port: 25
# port to use for smtps service
smtps-port: 587
# port to use for smtps autotls service
smtp-autotls-port: 465
# port to use for ldap service
ldap-port: 389
# enable ldap server with full logging (authenticated)
ldap: true
# enable wildcard interaction for interactsh domain (authenticated)
wildcard: true
# start smb agent - impacket and python 3 must be installed (authenticated)
#smb: false
# start responder agent - docker must be installed (authenticated)
#responder: false
# start ftp agent (authenticated)
#ftp: false
# port to use for smb service
#smb-port: 445
# port to use for ftp service
#ftp-port: 21
# ftp directory - temporary if not specified
#ftp-dir:
# show version of the project
#version: false
# start interactsh server in debug mode
#debug: false
You can tweak the config file according to your values and needs, and save it as config.yaml.
Step 5: Run interactsh-server in tmux
Since we will close the SSH window but the server must keep running, we run it inside tmux. Run this set of commands in the directory where config.yaml is stored:
tmux
sudo /home/youruser/go/bin/interactsh-server -config ./config.yaml
# if everything is set up properly you will see output like this
Step 6: Create the config file for interactsh-client
Install interactsh-client on your laptop/PC using Go; make sure Go is installed and the version is 1.17 or newer.
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
# the config file is stored in ~/.config/interactsh-client/config.yaml; edit this file
config.yaml file:
# interactsh-client config file
# generated by https://github.com/projectdiscovery/goflags
# interactsh server(s) to use
server: oast.example.com
#number: 1
# authentication token to connect protected interactsh server
token: your-secret-token-for-authentication-with-server-so-other-can-not-use-your-private-server-and-connect-with-your-server
# poll interval in seconds to pull interaction data
poll-interval: 10
# disable http fallback registration
#no-http-fallback: false
# enables persistent interactsh sessions
#persist: true
# display only dns interaction in cli output
#dns-only: false
# display only http interaction in cli output
#http-only: false
# display only smtp interactions in cli output
#smtp-only: false
# output file to write interaction data
#o:
# write output in jsonl(ines) format
#json: false
# display verbose interaction
v: false
# uncomment a line to apply that setting
Just run interactsh-client:
interactsh-client
You will see output like this: [INF] Listing payload ...
Now run a normal nslookup payload.oast.yourdomain.com
and check whether you got an interaction, like the output in the previous image: "Received DNS interaction from <IP> at <time>". If so, you have successfully hosted your server in the cloud.
Now some advanced stuff: getting notifications in a Discord channel
For this you need another VPS: spin up another droplet with the same configuration as the one we created previously.
Once the droplet is ready, let's install the necessary tools on it:
sudo apt-get update
# install the Go language, the same way as on the previous droplet
# install interactsh-client and notify
go install -v github.com/projectdiscovery/notify/cmd/notify@latest
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
Create a Discord webhook; you can check Discord's documentation on how to create one.
You can use Slack and Telegram as well.
Let's create the configuration file for notify; create a file called notify.yaml:
discord:
  - id: "dns"
    discord_channel: "dns-interaction"
    discord_username: "Interact-Bot"
    discord_format: "{{data}}"
    discord_webhook_url: "your discord webhook url"
  - id: "http"
    discord_channel: "http-https-interaction"
    discord_username: "Interact-Bot"
    discord_format: "{{data}}"
    discord_webhook_url: "your discord webhook url"
  - id: "smtp"
    discord_channel: "smtp-smtps-interaction"
    discord_username: "Interact-Bot"
    discord_format: "{{data}}"
    discord_webhook_url: "your discord webhook url"
Create separate Discord channels for the different interaction types, like I did in the image below, and use the corresponding channel's webhook for each purpose: DNS interaction, HTTP interaction, SMTP interaction, etc.
Now save your config file (mine was notify.yaml) and check whether it works with the following command:
echo "testing DNS" | notify -pc ~/notify.yaml -id dns
Test the others as well:
echo testing http | notify -pc ~/notify.yaml -id http
echo testing smtp | notify -pc ~/notify.yaml -id smtp
We need a config file for interactsh-client, the same as above, but with two lines changed so that interactsh-client only polls the server for DNS interactions. persist: true means that once you have generated payloads they last longer, and interactions with those payloads keep being displayed in the client.
persist: true
dns-only: true
# save this file as dns.yaml in your home directory
Now open tmux in the shell and start interactsh-client; I guess 25 payloads are enough, you can tweak the config yourself as needed.
interactsh-client -config ~/dns.yaml | notify -pc ~/notify.yaml -id dns
This will send DNS interactions to the Discord channel we configured. Make sure you copy the payload list that interactsh-client generated and store it in a file, or make a Discord channel like I did and store the payloads in that channel.
Now log in again over SSH to the same VPS and create a new config file for HTTP interaction; I saved it as http.yaml.
# for this just change the following lines; everything else stays the same as dns.yaml
http-only: true
v: true
o: output-filename
dns-only: false
persist: true
# generate 10 payloads
number: 10
Now open tmux and run the following:
interactsh-client -config http.yaml | tee -a http-file
This writes the output to http-file as well as to output-filename; we need http-file for our Discord notification. The -a flag makes tee append, so the monitor script below can empty the file while tee is still writing to it without leaving a hole of NUL bytes at the start of the file.
Open a new SSH session and make a config file for SMTP interaction and save it; I saved it as smtp.yaml.
# for this also change the following lines; everything else stays the same as dns.yaml
http-only: false
dns-only: false
smtp-only: true
persist: true
number: 5
o: smtp-output-file
v: true
Now open tmux and run the following in it:
interactsh-client -config smtp.yaml | tee -a smtp-file
Since these output files keep changing and we only want to send the interactions added since the last check to Discord (not the whole file, which grows large because it stores every interaction), I created a bash script that runs in tmux in the directory where the output files are stored. Every 10 seconds it checks whether a file has changed; if it has, it sends the file's content to Discord and empties the file, so the next interaction is stored in a fresh file. I saved it as monitor.sh.
#!/bin/bash
# Run this in the directory where `tee -a http-file` and `tee -a smtp-file` write.
# Every 10 seconds both files are hashed; if a hash changed, the new content is
# sent to the matching Discord channel through notify and the file is emptied.
cp /dev/null http-file
cp /dev/null smtp-file
temp1=$(md5sum http-file)
temp3=$(md5sum smtp-file)
while true
do
    sleep 10
    temp2=$(md5sum http-file)
    temp4=$(md5sum smtp-file)
    if [[ "$temp1" != "$temp2" ]]
    then
        cat http-file | notify -pc ~/notify.yaml -id http -rl 2 -char-limit 10000 -bulk
        cp /dev/null http-file
    fi
    if [[ "$temp3" != "$temp4" ]]
    then
        cat smtp-file | notify -pc ~/notify.yaml -id smtp -rl 2 -char-limit 10000 -bulk
        cp /dev/null smtp-file
    fi
done
Now run this script in tmux:
./monitor.sh
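The md5sum-and-truncate loop above has one weak spot: any interaction that tee writes between the cat and the cp /dev/null is lost, and if the same payload is hit again in the same poll window it is only ever reported as part of a blob. As an added example (my own code, not from the original post or from Project Discovery), here is a Python alternative that instead tails the JSONL file interactsh-client writes when you set json: true and o: <file> in its config, reads only the bytes appended since the last poll, deduplicates on the interaction id, and posts each new interaction straight to the Discord webhook for its protocol. The field names protocol, unique-id, full-id, remote-address, timestamp and raw-request follow interactsh-client's JSON output but are assumptions here, the webhook URLs are placeholders, and the sample lines are constructed.

```python
"""Forward interactsh-client JSONL output to per-protocol Discord webhooks.
Added example, not from the original post or Project Discovery. Assumes
interactsh-client runs with `json: true` and `o: <file>`; the field names used
(protocol, unique-id, full-id, remote-address, timestamp, raw-request) follow its
JSON output but are assumptions here, and the webhook URLs are placeholders."""
import json
import sys
import time
import urllib.request

# Protocol name -> Discord webhook URL (placeholders; use your channels' URLs).
WEBHOOKS = {
    "dns": "https://discord.com/api/webhooks/PLACEHOLDER-dns",
    "http": "https://discord.com/api/webhooks/PLACEHOLDER-http",
    "smtp": "https://discord.com/api/webhooks/PLACEHOLDER-smtp",
}
DISCORD_CHAR_LIMIT = 2000  # Discord rejects "content" longer than 2000 chars

def parse_interaction(line):
    """Parse one JSONL line; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None

def format_message(event, limit=DISCORD_CHAR_LIMIT):
    """Build the Discord message, trimming raw-request so it fits the limit."""
    proto = str(event.get("protocol", "unknown")).upper()
    header = (f"**{proto}** interaction `{event.get('full-id', '?')}` "
              f"from {event.get('remote-address', '?')} at {event.get('timestamp', '?')}")
    raw = event.get("raw-request") or ""
    if not raw:
        return header
    open_fence, close_fence, marker = "\n```\n", "\n```", " [truncated]"
    room = max(limit - len(header) - len(open_fence) - len(close_fence) - len(marker), 0)
    if len(raw) > room:
        raw = raw[:room] + marker
    return header + open_fence + raw + close_fence

def post_webhook(url, content):
    """POST a message to a Discord webhook and return the HTTP status code."""
    body = json.dumps({"content": content}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def process_lines(lines, seen, sender):
    """Call sender(url, message) for each new routable interaction; return count."""
    sent = 0
    for line in lines:
        event = parse_interaction(line)
        if event is None:
            continue
        uid = event.get("unique-id") or line.strip()
        if uid in seen:  # the client re-prints known interactions on some polls
            continue
        url = WEBHOOKS.get(event.get("protocol"))
        if url is None:  # no channel mapped for this protocol (e.g. ldap): skip
            continue
        seen.add(uid)
        sender(url, format_message(event))
        sent += 1
    return sent

def follow(path, sender, interval=10):
    """Tail `path` forever, reading only the bytes appended since the last poll."""
    seen, offset = set(), 0
    while True:
        with open(path, "rb") as fh:
            fh.seek(offset)
            data = fh.read()
        cut = data.rfind(b"\n") + 1  # keep a half-written last line for next time
        offset += cut
        process_lines(data[:cut].decode("utf-8", "replace").splitlines(), seen, sender)
        time.sleep(interval)

# Constructed sample lines: a DNS hit, an HTTP hit, the DNS hit repeated,
# an LDAP hit with no mapped channel, and one garbage line.
_DNS = ('{"protocol":"dns","unique-id":"c1a","full-id":"c1a.oast.example.com",'
        '"q-type":"A","raw-request":";; c1a.oast.example.com. IN A",'
        '"remote-address":"203.0.113.10","timestamp":"2022-03-20T10:00:00Z"}')
_HTTP = ('{"protocol":"http","unique-id":"c1b","full-id":"c1b.oast.example.com",'
         '"raw-request":"GET / HTTP/1.1\\nHost: c1b.oast.example.com",'
         '"remote-address":"203.0.113.11","timestamp":"2022-03-20T10:00:05Z"}')
_LDAP = ('{"protocol":"ldap","unique-id":"c1c","full-id":"c1c.oast.example.com",'
         '"remote-address":"203.0.113.12","timestamp":"2022-03-20T10:00:09Z"}')
SAMPLE_LINES = [_DNS, _HTTP, _DNS, _LDAP, "this line is not JSON"]

def demo():
    """Run the dispatcher over SAMPLE_LINES with a recording sender (no network)."""
    sent = []
    count = process_lines(SAMPLE_LINES, set(), lambda url, msg: sent.append((url, msg)))
    return count, sent

if __name__ == "__main__":
    follow(sys.argv[1], post_webhook)  # usage: python3 forward.py ~/http-output.jsonl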
That's it. Close all SSH sessions by clicking the close button; since we ran everything in tmux, it keeps running on the server after the SSH session is closed (otherwise, when the SSH session closes, the shell closes too and every running process with it). But make sure you have copied the HTTP and SMTP payloads from the previous tmux sessions and stored them, otherwise you need to re-run that interactsh-client with its specific configuration in tmux.
NOTE: the payloads generated by the HTTP interactsh-client session will only report HTTP interactions; if you use them for SMTP it will not work, and vice versa for the SMTP session.
If everything is set up correctly, you get a notification when an HTTP request is sent to a generated payload, as in the image below.
That's it, thank you for reading, and feel free to contact me on Twitter: DK_9510. I apologize for any mistakes and welcome you to correct them by contacting me.
THANK YOU.