Introduction
Out-of-band interaction testing is useful technique for identifying potential security flaws. Interactsh, developed by ProjectDiscovery, is a powerful open-source tool designed to detect vulnerabilities causing external interactions. While the public Interactsh servers provide a robust platform for this purpose, there are scenarios where privacy and control over the data are important. Another case is that public Interactsh domains can be blacklisted. This article provides a short guide on configuring your own private Interactsh server, giving you the autonomy to tailor the environment to your specific needs. It will focus on configuring the Interactsh server on a subdomain instead to give you an ability to run it aside of other services such as website.
TL;DR
You can find a shorter cheat sheet version of this article here.
Table of contents
Open Table of contents
Prerequisites
- Domain name or subdomain for your Interactsh server.
- VPS or dedicated server with Nginx installed.
DNS configuration
First we will need to configure a DNS zone for our domain. In this example we will use a ping.example.com
subdomain to host our Interactsh server.
Below is an example of the DNS records you need to configure:
NS ping.example.com. ns1.ping.example.com
A ns2.ping.example.com. 10.1.2.3
A ns1.ping.example.com. 10.1.2.3
A ping.example.com. 10.1.2.3
A example.com. 10.1.2.3
Generating SSL certificates
Interactsh requires SSL certificates. You can use Let’s Encrypt to generate them. Install Certbot, the Let’s Encrypt client:
sudo apt-get install -y certbot
Then, generate the SSL certificates:
sudo certbot certonly --standalone -d ping.example.com -d *.ping.example.com
Replace example.com
with your actual domain name. The certificates will be located at /etc/letsencrypt/live/example.com/
.
Nginx configuration
Since we plan to run other services (such as a web page) on the same server, we do not want Interactsh to bind to the default TCP/UDP ports used by DNS, SMTP, LDAP, etc. Instead, we will configure Nginx to act as a proxy for our Interactsh server. To achieve this, add a stream
section to the Nginx configuration file located at /etc/nginx/nginx.conf
. Below is an example configuration:
stream {
# smtp
server {
listen 25;
proxy_pass localhost:10025;
}
# dns
server {
listen 53;
proxy_pass localhost:10053;
}
server {
listen 53 udp;
proxy_pass localhost:10053;
}
#ldap
server {
listen 389;
proxy_pass localhost:10389;
}
#smtps
server {
listen 587;
proxy_pass localhost:10587;
}
}
In this example, Nginx will forward all traffic from the DNS, SMTP, LDAP, and SMTPS ports to higher port numbers such as 10025
, 10053
, etc.
Next, we need to configure an HTTP(S) site in Nginx to redirect traffic to our Interactsh server.
Create an Nginx site configuration file, for example, /etc/nginx/sites-available/interactsh
, and paste the content below, making sure to update it with your own domain name and the path to your SSL certificates.
# http
server {
listen 80;
server_name interact.example.com ~^(.*)\.interact.example\.com$;
location / {
proxy_pass http://localhost:10080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 443 ssl;
server_name interact.example.com ~^(.*)\.interact.example\.com$;
ssl_certificate /path/to/certfile.crt;
ssl_certificate_key /path/to/keyfile.key;
location / {
proxy_pass https://localhost:10443/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
This configuration file will tell Nginx to redirect all HTTP and HTTPS traffic to 10080
and 10443
ports. It will also add HTTP proxy headers, so the Interactsh server will be able to display origin IP address of the request instead of the localhost.
Interactsh server setup
The final configuration file needed is for the Interactsh server. This file will include settings for server listening addresses (in our case, 10xxx
), domain name configuration, authentication tokens, and other operational parameters. Below is a breakdown of our configuration file in YAML format, with comments explaining each parameter:
# single/multiple configured domain to use for server
domain: [<YOUR-DOMAIN>]
# public ip address to use for interactsh server
ip: <YOUR-VPS-PUBLIC-IP-ADDRESS>
# public ip address to listen on
listen-ip: 127.0.0.1
# enable authentication to server using given token
token: <YOUR-AUTH-TOKEN>
# http header containing origin ip (interactsh behind a reverse proxy)
origin-ip-header: X-Real-Ip
# custom index file for http server
http-index: /var/www/interactsh/index.html
# directory with files to serve with http server
http-directory: /var/www/interactsh/
# disable automatic interactsh-server update check
disable-update-check: true
# port to use for dns service
dns-port: 10053
# port to use for http service
http-port: 10080
# port to use for https service
https-port: 10443
# port to use for smtp service
smtp-port: 10025
# port to use for smtps service
smtps-port: 10587
# port to use for smtps autotls service
smtp-autotls-port: 10465
# port to use for ldap service
ldap-port: 10389
# enable ldap server with full logging (authenticated)
ldap: false
# enable wildcard interaction for interactsh domain (authenticated)
wildcard: false
# start smb agent - impacket and python 3 must be installed (authenticated)
smb: false
# start responder agent - docker must be installed (authenticated)
responder: false
# start ftp agent (authenticated)
ftp: false
# show version of the project
version: false
# display verbose interaction
verbose: true
Starting private Interactsh server
Start the Interactsh server using the configuration file:
./interactsh-server -config config.yaml
As we are not using the default low port numbers, you can run this command as a regular user. It’s also a good idea to execute it in a screen or tmux session to keep it running in the background.
Connecting Interactsh client to private server
To connect to your own Interactsh server, you need to specify its address and the authentication token from the configuration file:
interactsh-client -t <TOKEN> -s <SERVER-ADDRESS>
Conclusion
Configuring a private Interactsh server is a strategic move for bug bounty hunters who care about privacy and control in their vulnerability discovery processes. You can also avoid being blocked while using public Interactsh domains. By following the steps outlined in this guide, you can set up an environment tailored to your specific needs.