It is well known that scammers and other criminals hide their identity and their infrastructure behind online services that were originally built to protect against abuse, Cloudflare among them.
When researching organizations operating in the fraud industry, correlating the websites they spin up under various domains and company names is crucial to mapping out their infrastructure and understanding the scale of the operation.
Most of these websites conceal their origin IPs behind Cloudflare's reverse proxy, hiding the server location, hosting provider and other details that would otherwise help track them down.
Because of the way Cloudflare provisions accounts, a new account is assigned a pair of name servers from Cloudflare's pool, for example jake.ns.cloudflare.com and buck.ns.cloudflare.com. That pair stays the same for every website added to the account, so domains delegated to the same pair may belong to the same account, which helps when an organization owns many websites. The pool is small, however, and many unrelated accounts are assigned the same pair, so a match narrows the search but does not by itself prove common ownership; it should be combined with other indicators such as shared registrant data, content or hosting history.
One way to do so is to use Rapid7's Project Sonar forward DNS dataset, which Rapid7 describes as follows: “This dataset contains the responses to DNS requests for all forward DNS names known by Rapid7’s Project Sonar. Until early November 2017, all of these were for the ‘ANY’ record with a fallback A and AAAA request if necessary. After that, the ANY study represents only the responses to ANY requests, and dedicated studies were created for the A, AAAA, CNAME, and TXT record lookups with appropriately named files. The file is a GZIP compressed file containing the name, type, value, and timestamp of any returned records for a given name in JSON format.”
Daniel S., Head of Red Team at Artefaktum, suggests a smarter way to solve this with the following bash script, which is simple yet effective at finding Cloudflare-protected websites that share the same name server pair:
#!/bin/bash
# Map out websites that appear to sit under the same Cloudflare account by
# searching the Project Sonar (opendata.rapid7.com) forward DNS "ns" dataset
# for two Cloudflare name servers and intersecting the two result sets.

echo
echo "This script attempts to map out websites used under the same Cloudflare account"
echo "by searching the DNS dataset provided by Project Sonar/opendata.rapid7"
echo "and then comparing the results of 2 searches for websites in common"
echo
echo
echo "Fetching newest fdns dataset version:"
echo

# Scrape the current fdns_ns file name from the dataset index page.
FILE=$(curl -s https://opendata.rapid7.com/sonar.fdns_v2/ | grep href | grep fdns_ns | grep -Po 'v2/\K.*?(?=")' | head -n 1)

if ! command -v pigz &> /dev/null
then
    echo "pigz not found, please install it before running the script"
    exit 1
elif ! [ -f "$FILE" ]
then
    echo "You're missing the Open Sonar fdns_ns database > $FILE"
    echo "Please download it here: https://opendata.rapid7.com/sonar.fdns_v2/"
    exit 1
fi

read -r -p "Enter the cloudflare nameserver 1 (example josh, anna, rodney): " NS1
read -r -p "Enter the cloudflare nameserver 2 (example steve, irvin, dave): " NS2

# Each dataset line is JSON of the form
# {"timestamp":"...","name":"example.com","type":"ns","value":"jake.ns.cloudflare.com"}
# so field 8 when splitting on double quotes is the domain name. Anchoring the
# match on the opening quote of the value avoids partial hits on look-alike
# server names that merely contain the label.
pigz -dc "$FILE" | grep -F "\"$NS1.ns.cloudflare.com" | cut -d\" -f8 | sort -u | tee NS1
pigz -dc "$FILE" | grep -F "\"$NS2.ns.cloudflare.com" | cut -d\" -f8 | sort -u | tee NS2

# Domains present in both lists are delegated to both name servers.
comm -12 NS1 NS2 | tee cloudflare-result
rm NS1 NS2
From there on, the results can be investigated further and the relevant websites added to the infrastructure map of the organization.
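As an added example, not part of the original post or of Daniel S.'s script, the same correlation done in Python over the fdns_ns data. It parses the gzip-compressed JSON lines properly instead of cutting on quote characters, keys each domain by the full set of *.ns.cloudflare.com servers it delegates to, and reports only domains whose set is exactly the queried pair, which drops half-delegated zones and look-alike server names. It also goes one step beyond the script by listing every pair that more than one domain in the file shares. All sample records, the domain names and the "mjake" server are constructed for this example; the script name in the usage comment is hypothetical.

```python
#!/usr/bin/env python3
"""Correlate Cloudflare-proxied domains by their assigned name server pair.

Reads Rapid7 Sonar fdns_v2 "ns" records (gzip-compressed JSON lines) and groups
domain names by the set of *.ns.cloudflare.com name servers they delegate to.
"""
import gzip
import io
import json
import sys
from collections import defaultdict

CF_SUFFIX = ".ns.cloudflare.com"

# Constructed sample in the fdns_v2 line format; every domain and the
# "mjake" name server below are made up for this example.
SAMPLE_RECORDS = [
    {"timestamp": "1600000000", "name": "shop-a.example", "type": "ns", "value": "jake.ns.cloudflare.com"},
    {"timestamp": "1600000000", "name": "shop-a.example", "type": "ns", "value": "buck.ns.cloudflare.com"},
    {"timestamp": "1600000001", "name": "pay-b.example", "type": "ns", "value": "buck.ns.cloudflare.com"},
    {"timestamp": "1600000001", "name": "pay-b.example", "type": "ns", "value": "jake.ns.cloudflare.com"},
    # Delegated to only one of the pair: must not be reported as a match.
    {"timestamp": "1600000002", "name": "half-c.example", "type": "ns", "value": "jake.ns.cloudflare.com"},
    # Substring trap for a naive grep on "jake.ns.cloudflare.com".
    {"timestamp": "1600000003", "name": "other-d.example", "type": "ns", "value": "mjake.ns.cloudflare.com"},
    {"timestamp": "1600000003", "name": "other-d.example", "type": "ns", "value": "buck.ns.cloudflare.com"},
    # Not on Cloudflare at all, plus an A record to show non-ns lines are skipped.
    {"timestamp": "1600000004", "name": "corp-e.example", "type": "ns", "value": "ns1.corp-e.example"},
    {"timestamp": "1600000004", "name": "corp-e.example", "type": "a", "value": "192.0.2.10"},
]


def sample_stream():
    """The constructed records, gzip-compressed like a real fdns_ns file."""
    raw = "".join(json.dumps(r) + "\n" for r in SAMPLE_RECORDS).encode()
    return io.BytesIO(gzip.compress(raw))


def cloudflare_ns_by_name(source):
    """Map each domain to the set of Cloudflare name servers in its NS records.

    `source` is a path or a binary file object holding gzip-compressed JSON
    lines. Names and values are lower-cased and stripped of a trailing dot so
    that records written in different forms still compare equal.
    """
    ns_by_name = defaultdict(set)
    with gzip.open(source, "rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line:
                continue
            rec = json.loads(line)
            if rec.get("type") != "ns":
                continue
            value = rec["value"].lower().rstrip(".")
            if value.endswith(CF_SUFFIX):
                ns_by_name[rec["name"].lower().rstrip(".")].add(value)
    return ns_by_name


def names_with_pair(ns_by_name, ns1, ns2):
    """Domains whose Cloudflare name server set is exactly {ns1, ns2}.

    ns1/ns2 are the short labels the bash script asks for ("jake", "buck").
    Requiring an exact set match, rather than intersecting two substring
    greps, drops half-delegated zones and look-alike server names.
    """
    wanted = frozenset({ns1.lower() + CF_SUFFIX, ns2.lower() + CF_SUFFIX})
    return sorted(name for name, ns in ns_by_name.items() if ns == wanted)


def shared_pairs(ns_by_name, min_names=2):
    """Every Cloudflare pair that at least `min_names` domains share.

    Answers the reverse question: which clusters exist in the file at all.
    """
    by_pair = defaultdict(list)
    for name, ns in ns_by_name.items():
        if len(ns) == 2:
            by_pair[tuple(sorted(ns))].append(name)
    return {pair: sorted(names) for pair, names in by_pair.items()
            if len(names) >= min_names}


if __name__ == "__main__":
    # Usage: correlate.py <fdns_ns.json.gz> <ns1> <ns2>; with no arguments the
    # constructed sample is used. (The script name is hypothetical.)
    if len(sys.argv) == 4:
        table = cloudflare_ns_by_name(sys.argv[1])
        ns1, ns2 = sys.argv[2], sys.argv[3]
    else:
        table = cloudflare_ns_by_name(sample_stream())
        ns1, ns2 = "jake", "buck"
    for name in names_with_pair(table, ns1, ns2):
        print(name)
```

Against the real file the single pass builds the whole name-to-pair table in memory, so one run answers both the targeted question (which domains use jake/buck) and the survey question (which pairs cluster), at the cost of RAM proportional to the number of Cloudflare-delegated names. Treat every cluster as a lead to be confirmed with other data, since many unrelated accounts share a pair.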