Correlating websites hosted on the same Cloudflare account

Cloudflare has been an asset to cyber crime organizations due to their ability to hide IP addresses using their reverse proxy service, however it can also be an asset for researchers trying to investigate these organizations by correlating different websites hosted under their ownership

It is a known fact, that scammers and hackers are hiding their true identity and wrongdoing via available online services, which were once created to protect against cybercrime, like Cloudflare.

During the research of organizations operating in the fraud industry correlating websites that they spawn under various domains and company information can crucially help in mapping out their infrastructure and help in understanding the scale of the operation they’re involved in.

Most of these websites try to conceal their IPs by using Cloudflare`s reverse proxy service, in an attempt to hide the location, hosting provider, and other relevant information that would help in tracking them down.

Due to the way Cloudflare operates, when you make an account you’re assigned two random name servers from their pool example: jake.ns.cloudflare.com and buck.ns.cloudflare.com these name servers will stay the same for each website you add to your Cloudflare account, this provides help in correlating websites back to the same account and can provide aid when researching organizations that have multiple websites under their ownership.

One way to do so is using Rapid7’s Project Sonar dataset “This dataset contains the responses to DNS requests for all forward DNS names known by Rapid7’s Project Sonar. Until early November 2017, all of these were for the ‘ANY’ record with a fallback A and AAAA request if necessary. 

After that, the ANY study represents only the responses to ANY requests, and dedicated studies were created for the A, AAAA, CNAME, and TXT record lookups with appropriately named files. The file is a  GZIP compressed file containing the name, type, value, and timestamp of any returned records for a given name in JSON format.”

Daniel S., Head RedTeam at Artefaktum introduces a way smarter way to solve this issue by following bash script, which is simple yet effective at finding Cloudflare protected websites sharing the same name servers:

				
					#! /bin/bash
echo
echo "This script attempts to map out websites used under the same 
cloudflare account"
echo "By searching the DNS dataset provided by Project 
Sonar/opendata.rapid7"
echo "and then comparing the results of 2 searches for websites in 
common"
echo
echo
echo "Fetching newest fdns dataset version:"
echo
FILE=$(curl https://opendata.rapid7.com/sonar.fdns_v2/ | grep href | 
grep fdns_ns | grep -Po 'v2/\K.*?(?=")')
if ! command -v  pigz  &> /dev/null
then
         echo "pigz not found, please install it before running the 
script"
         exit
elif !  [ -f $FILE ]
then
         echo "You're missing Open Sonar fdns_ns database > $FILE"
         echo "Please download it here: 
https://opendata.rapid7.com/sonar.fdns_v2/"
         exit
else
         echo
fi
read -p "Enter the cloudflare nameserver 1 (example josh, anna, rodney): 
" NS1
read -p "Enter the cloudflare nameserver 2 (example steve, irvin, dave): 
" NS2
cat $FILE | pigz -dc | grep "$NS1.ns.cloudflare.com"  | cut -d\" -f8 | 
tee NS1
cat $FILE | pigz -dc | grep "$NS2.ns.cloudflare.com"  | cut -d\" -f8 | 
tee NS2
comm -12 <(sort NS1) <(sort NS2) | tee cloudflare-result
rm NS1
rm NS2

				
			

From there on results can be further investigated and relevant websites
added to the infrastucture map of the organization

SHARE

These articles are for informational purposes only, their content may be based on employees’ independent research, and do not represent the position or opinion of Artefaktum. Furthermore, Artefaktum disclaims all warranties in the articles’ content, does not recommend/endorse any third-party products referenced therein, and any reliance and use of the articles is at the reader’s sole discretion and risk.