Interactsh is an open-source tool developed by ProjectDiscovery for detecting out-of-band (OOB) vulnerabilities. These are vulnerabilities that may not be identified using conventional tools or methods. Interactsh operates by generating dynamic URLs. When these URLs are requested by a target, they trigger a callback. This callback can then be monitored and analyzed to identify potential vulnerabilities in the target.

Check out our blog introducing Interactsh and view the repo here.

Features

  • DNS/HTTP(S)/SMTP(S)/LDAP Interaction
  • CLI / Web / Burp / ZAP / Docker client
  • AES encryption with zero logging
  • Automatic ACME based Wildcard TLS w/ Auto Renewal
  • DNS Entries for Cloud Metadata service
  • Dynamic HTTP Response control
  • Self-Hosted Interactsh Server
  • Multiple domain support (self-hosted)
  • NTLM/SMB/FTP/RESPONDER Listener (self-hosted)
  • Wildcard / Protected Interactions (self-hosted)
  • Customizable Index / File hosting (self-hosted)
  • Customizable Payload Length (self-hosted)
  • Custom SSL Certificate (self-hosted)

Client & Server

The Interactsh tool comprises two main components: interactsh-client and interactsh-server. Both are needed to detect out-of-band vulnerabilities, but they operate differently and serve different purposes.

Interactsh Server

  • Function: Captures and records callbacks from interaction URLs.
  • Deployment: Hosted publicly to receive requests from tested systems.
  • Use Case: Ideal for those hosting their own instance for privacy or control.

ProjectDiscovery maintains a number of publicly accessible Interactsh servers, so you only need to run the client for your specific use case. Alternatively, you can self-host your own Interactsh server if you want it to run on a custom domain or need more control over server-side interactions.

Interactsh Client

  • Function: Generates URLs for testing, retrieves interaction logs from the server.
  • Deployment: Runs locally for managing URLs and analyzing captured data.
  • Use Case: Used by testers to create and analyze tests for out-of-band vulnerabilities.
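
The client/server split described above comes down to correlation: each generated hostname carries a unique ID, and every callback the server records is mapped back to the test that issued it. The sketch below is an added example, not Interactsh's own code; the base domain `oob.example`, the ID scheme, the record fields (`protocol`, `host`, `remote`) and all function names are assumptions made for illustration.

```python
import json
import secrets

BASE_DOMAIN = "oob.example"  # placeholder domain, not a real Interactsh server


def new_test_host(registry, test_name):
    """Create a unique hostname for one test case and remember which test owns it."""
    label = secrets.token_hex(10)  # constructed ID scheme, not Interactsh's
    registry[label] = test_name
    return f"{label}.{BASE_DOMAIN}"


def correlate(registry, log_lines):
    """Map each recorded callback back to the test that issued its hostname."""
    hits, unmatched = [], []
    suffix = "." + BASE_DOMAIN
    for line in log_lines:
        rec = json.loads(line)
        # DNS names are case-insensitive and resolvers may randomise case or
        # append a trailing dot, so normalise before comparing.
        host = rec["host"].rstrip(".").lower()
        if not host.endswith(suffix):
            unmatched.append(rec)
            continue
        # A target may prepend its own labels (e.g. "www."), so the ID is the
        # label directly left of the base domain, not necessarily the first one.
        label = host[: -len(suffix)].split(".")[-1]
        test = registry.get(label)
        if test is None:
            unmatched.append(rec)  # background noise or an ID we never issued
        else:
            hits.append((test, rec["protocol"], rec["remote"]))
    return hits, unmatched


def demo():
    registry = {}
    h1 = new_test_host(registry, "pdf-export url param")
    new_test_host(registry, "webhook field")  # issued, but never called back
    # Constructed sample records (simplified; not Interactsh's log format).
    logs = [
        json.dumps({"protocol": "dns", "host": h1.upper() + ".", "remote": "192.0.2.10"}),
        json.dumps({"protocol": "http", "host": "www." + h1, "remote": "192.0.2.10"}),
        json.dumps({"protocol": "dns", "host": "deadbeef." + BASE_DOMAIN, "remote": "198.51.100.7"}),
    ]
    return correlate(registry, logs)
```

Callbacks whose ID was never issued are kept separately rather than dropped, since a publicly reachable server will also receive unrelated traffic.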

Support

Questions about using Interactsh? Issues working through installation? Cool story or use case you want to share? Get in touch!

Check out the Help section of the docs or reach out to us on Discord.