Correlating websites hosted on the same Cloudflare account

It is well known that scammers and hackers hide their true identity and wrongdoing behind online services that were originally created to protect against cybercrime, such as Cloudflare.

When researching organizations operating in the fraud industry, correlating the websites they spawn under various domains and company names can be crucial to mapping out their infrastructure and understanding the scale of the operation they are involved in.

Most of these websites try to conceal their origin IPs by using Cloudflare's reverse proxy service, in an attempt to hide the location, hosting provider, and other information that would help in tracking them down.

Due to the way Cloudflare operates, when you create an account you are assigned two name servers from their pool, for example jake.ns.cloudflare.com and buck.ns.cloudflare.com. These name servers stay the same for every website you add to that Cloudflare account. This makes it possible to correlate websites back to the same account, which helps when researching organizations that own multiple websites.

One way to do so is to use Rapid7's Project Sonar forward DNS dataset: “This dataset contains the responses to DNS requests for all forward DNS names known by Rapid7’s Project Sonar. Until early November 2017, all of these were for the ‘ANY’ record with a fallback A and AAAA request if necessary.

After that, the ANY study represents only the responses to ANY requests, and dedicated studies were created for the A, AAAA, CNAME, and TXT record lookups with appropriately named files. The file is a GZIP compressed file containing the name, type, value, and timestamp of any returned records for a given name in JSON format.”

Daniel S., Head of RedTeam at Artefaktum, proposes a much simpler way to solve this with the following bash script, which is simple yet effective at finding Cloudflare-protected websites that share the same name servers:

#!/bin/bash
echo
echo "This script attempts to map out websites used under the same cloudflare account"
echo "By searching the DNS dataset provided by Project Sonar/opendata.rapid7"
echo "and then comparing the results of 2 searches for websites in common"
echo
echo
echo "Fetching newest fdns dataset version:"
echo
# Scrape the file name of the current fdns_ns dump from the dataset index page
FILE=$(curl -s https://opendata.rapid7.com/sonar.fdns_v2/ | grep href | grep fdns_ns | grep -Po 'v2/\K.*?(?=")')
if ! command -v pigz &> /dev/null
then
        echo "pigz not found, please install it before running the script"
        exit 1
elif ! [ -f "$FILE" ]
then
        echo "You're missing Open Sonar fdns_ns database > $FILE"
        echo "Please download it here: https://opendata.rapid7.com/sonar.fdns_v2/"
        exit 1
else
        echo
fi
read -p "Enter the cloudflare nameserver 1 (example josh, anna, rodney): " NS1
read -p "Enter the cloudflare nameserver 2 (example steve, irvin, dave): " NS2
# Each dataset line is one JSON record {"timestamp":..,"name":..,"type":"ns","value":..};
# splitting on double quotes, field 8 is the queried name
pigz -dc "$FILE" | grep -F "$NS1.ns.cloudflare.com" | cut -d\" -f8 | tee NS1
pigz -dc "$FILE" | grep -F "$NS2.ns.cloudflare.com" | cut -d\" -f8 | tee NS2
# Names that appear in both lists share the name-server pair
comm -12 <(sort NS1) <(sort NS2) | tee cloudflare-result
rm NS1 NS2

From there on, the results can be further investigated and the relevant websites added to the infrastructure map of the organization.
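The same correlation can be done by parsing the dataset records properly instead of splitting on quote characters. The following is an added example, not code from the post or from Artefaktum: it reads a gzip-compressed JSON-lines file in the record layout quoted above (timestamp, name, type, value), keeps only NS records pointing at *.ns.cloudflare.com, and answers the same question as the script (which names sit on a given name-server pair). It goes one step further than the script by clustering every Cloudflare-fronted name in the file by its name-server pair, so all groups fall out of a single pass. All domain names, timestamps and the IP address in the sample data are constructed for the example.

```python
import gzip
import json
from collections import defaultdict
from io import BytesIO

# Constructed sample records in the fdns_ns JSON-lines layout quoted in the
# post (one object per line with timestamp, name, type and value). The names
# and values are made up for this example.
SAMPLE_RECORDS = [
    {"timestamp": "1600000000", "name": "shop-a.example", "type": "ns", "value": "jake.ns.cloudflare.com"},
    {"timestamp": "1600000000", "name": "shop-a.example", "type": "ns", "value": "buck.ns.cloudflare.com"},
    {"timestamp": "1600000001", "name": "invest-b.example", "type": "ns", "value": "buck.ns.cloudflare.com"},
    {"timestamp": "1600000001", "name": "invest-b.example", "type": "ns", "value": "jake.ns.cloudflare.com"},
    {"timestamp": "1600000002", "name": "other-c.example", "type": "ns", "value": "jake.ns.cloudflare.com"},
    {"timestamp": "1600000002", "name": "other-c.example", "type": "ns", "value": "Anna.ns.cloudflare.com."},
    {"timestamp": "1600000003", "name": "corp-d.example", "type": "ns", "value": "ns1.corp-d.example"},
    {"timestamp": "1600000004", "name": "host-e.example", "type": "a", "value": "203.0.113.5"},
]

CF_SUFFIX = ".ns.cloudflare.com"


def build_sample_dataset() -> bytes:
    """Serialise the constructed records as a gzip-compressed JSON-lines blob,
    plus one malformed line, to stand in for a downloaded fdns_ns file."""
    buf = BytesIO()
    with gzip.open(buf, "wt", encoding="utf-8") as fh:
        for rec in SAMPLE_RECORDS:
            fh.write(json.dumps(rec) + "\n")
        fh.write("{this line is not valid json}\n")
    return buf.getvalue()


def cloudflare_ns_map(gz_bytes: bytes) -> dict:
    """Map each name to the frozenset of Cloudflare name-server labels
    (e.g. {"jake", "buck"}) it delegates to. Non-NS records, non-Cloudflare
    name servers and unparsable lines are skipped."""
    ns_by_name = defaultdict(set)
    with gzip.open(BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        for line in fh:
            try:
                rec = json.loads(line)
            except json.JSONDecodeError:
                continue  # tolerate a corrupt line rather than abort the whole pass
            if rec.get("type") != "ns":
                continue
            # normalise case and a trailing dot so "Anna.ns.cloudflare.com." matches
            value = rec.get("value", "").lower().rstrip(".")
            if not value.endswith(CF_SUFFIX):
                continue
            label = value[: -len(CF_SUFFIX)]
            ns_by_name[rec["name"].lower()].add(label)
    return {name: frozenset(labels) for name, labels in ns_by_name.items()}


def names_on_pair(ns_map: dict, ns1: str, ns2: str) -> list:
    """Names whose Cloudflare name servers are exactly the given pair
    (order-independent), i.e. what the script's comm -12 step produces."""
    target = frozenset((ns1.lower(), ns2.lower()))
    return sorted(name for name, labels in ns_map.items() if labels == target)


def cluster_by_pair(ns_map: dict) -> dict:
    """Group every Cloudflare-fronted name by its name-server pair in one pass."""
    clusters = defaultdict(list)
    for name, labels in ns_map.items():
        if len(labels) == 2:
            clusters[tuple(sorted(labels))].append(name)
    return {pair: sorted(names) for pair, names in clusters.items()}


if __name__ == "__main__":
    ns_map = cloudflare_ns_map(build_sample_dataset())
    print("on jake/buck:", names_on_pair(ns_map, "jake", "buck"))
    for pair, names in cluster_by_pair(ns_map).items():
        print(pair, names)
```

To run this against a real dump, replace `build_sample_dataset()` with the bytes of the downloaded fdns_ns file (or open it with `gzip.open` directly, since the function only needs a file object). A shared pair is a lead, not proof of common ownership: Cloudflare hands out pairs from a finite pool, so unrelated accounts can land on the same two name servers, and hits should be corroborated with registration, content and hosting data before being added to an infrastructure map.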
