Correlating websites hosted on the same Cloudflare account

Cloudflare has been an asset to cybercrime organizations because its reverse proxy service lets them hide their IP addresses. However, it can also be an asset for researchers investigating these organizations, who can use it to correlate the different websites under an organization’s ownership.

It is a known fact that scammers and hackers hide their true identity and wrongdoing behind online services that were originally created to protect against cybercrime, such as Cloudflare.

When researching organizations operating in the fraud industry, correlating the websites they spawn under various domains and company information can be crucial in mapping out their infrastructure and understanding the scale of the operation they’re involved in.

Most of these websites try to conceal their IPs by using Cloudflare’s reverse proxy service, in an attempt to hide the location, hosting provider, and other relevant information that would help in tracking them down.

Due to the way Cloudflare operates, when you make an account you’re assigned two random name servers from their pool, for example jake.ns.cloudflare.com and buck.ns.cloudflare.com. These name servers stay the same for each website you add to your Cloudflare account. This helps in correlating websites back to the same account and can aid research into organizations that have multiple websites under their ownership.

One way to do so is using Rapid7’s Project Sonar dataset: “This dataset contains the responses to DNS requests for all forward DNS names known by Rapid7’s Project Sonar. Until early November 2017, all of these were for the ‘ANY’ record with a fallback A and AAAA request if necessary.

After that, the ANY study represents only the responses to ANY requests, and dedicated studies were created for the A, AAAA, CNAME, and TXT record lookups with appropriately named files. The file is a GZIP compressed file containing the name, type, value, and timestamp of any returned records for a given name in JSON format.”

Daniel S., Head RedTeam at Artefaktum, introduces a much smarter way to solve this issue with the following bash script, which is simple yet effective at finding Cloudflare-protected websites sharing the same name servers:

				
#!/bin/bash
echo
echo "This script attempts to map out websites used under the same cloudflare account"
echo "By searching the DNS dataset provided by Project Sonar/opendata.rapid7"
echo "and then comparing the results of 2 searches for websites in common"
echo
echo
echo "Fetching newest fdns dataset version:"
echo
# Scrape the fdns_ns file name from the dataset index page
FILE=$(curl https://opendata.rapid7.com/sonar.fdns_v2/ | grep href | grep fdns_ns | grep -Po 'v2/\K.*?(?=")')
if ! command -v pigz &> /dev/null
then
         echo "pigz not found, please install it before running the script"
         exit 1
elif ! [ -f "$FILE" ]
then
         # $FILE is quoted so that an empty value (failed fetch) is caught here too
         echo "You're missing Open Sonar fdns_ns database > $FILE"
         echo "Please download it here: https://opendata.rapid7.com/sonar.fdns_v2/"
         exit 1
else
         echo
fi
read -r -p "Enter the cloudflare nameserver 1 (example josh, anna, rodney): " NS1
read -r -p "Enter the cloudflare nameserver 2 (example steve, irvin, dave): " NS2
# grep -F matches the name server literally instead of treating dots as wildcards;
# cut takes the 8th double-quote-delimited field of each JSON line (the record name)
cat "$FILE" | pigz -dc | grep -F "$NS1.ns.cloudflare.com" | cut -d\" -f8 | tee NS1
cat "$FILE" | pigz -dc | grep -F "$NS2.ns.cloudflare.com" | cut -d\" -f8 | tee NS2
# Names that appear in both result lists
comm -12 <(sort NS1) <(sort NS2) | tee cloudflare-result
rm NS1
rm NS2

				
			

From there on, the results can be further investigated and relevant websites added to the infrastructure map of the organization.
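
As an added example (not part of the original script or Artefaktum's code), here is the same correlation done by parsing each record as JSON and matching the name server exactly, then generalized to group every domain by its name server pair. The sample records, placeholder domains, and function names are constructed for illustration; the record layout with timestamp, name, type, and value keys is assumed from the dataset description above.

```python
import json
from collections import defaultdict

CF_SUFFIX = ".ns.cloudflare.com"

# Constructed records in the dataset's JSON layout; domains are placeholders.
SAMPLE = """\
{"timestamp":"1600000000","name":"shop-a.example","type":"ns","value":"jake.ns.cloudflare.com"}
{"timestamp":"1600000000","name":"shop-a.example","type":"ns","value":"buck.ns.cloudflare.com"}
{"timestamp":"1600000001","name":"Shop-B.example","type":"ns","value":"BUCK.ns.cloudflare.com."}
{"timestamp":"1600000001","name":"shop-b.example","type":"ns","value":"jake.ns.cloudflare.com"}
{"timestamp":"1600000002","name":"other.example","type":"ns","value":"jake.ns.cloudflare.com"}
{"timestamp":"1600000002","name":"other.example","type":"ns","value":"anna.ns.cloudflare.com"}
{"timestamp":"1600000003","name":"decoy.example","type":"ns","value":"jake.ns.cloudflare.com.decoy.example"}
{"timestamp":"1600000003","name":"decoy.example","type":"ns","value":"buck.ns.cloudflare.com.decoy.example"}
not-json
"""

def cloudflare_ns_by_domain(lines):
    """Map each domain to the set of Cloudflare name server labels it delegates to."""
    ns_sets = defaultdict(set)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt lines
        if not isinstance(rec, dict) or rec.get("type") != "ns":
            continue
        value = str(rec.get("value", "")).lower().rstrip(".")
        # Exact match: a substring grep also accepts jake.ns.cloudflare.com.decoy.example
        if value.endswith(CF_SUFFIX):
            label = value[: -len(CF_SUFFIX)]
            if label and "." not in label:
                ns_sets[str(rec.get("name", "")).lower().rstrip(".")].add(label)
    return ns_sets

def domains_for_pair(lines, ns1, ns2):
    """Domains whose Cloudflare name servers are exactly the given pair."""
    wanted = {ns1.lower(), ns2.lower()}
    return sorted(d for d, ns in cloudflare_ns_by_domain(lines).items() if ns == wanted)

def cluster_by_pair(lines):
    """Group every domain by its name server pair (generalizes the single lookup)."""
    clusters = defaultdict(list)
    for domain, ns in cloudflare_ns_by_domain(lines).items():
        clusters[tuple(sorted(ns))].append(domain)
    return {pair: sorted(doms) for pair, doms in clusters.items()}

print(domains_for_pair(SAMPLE.splitlines(), "jake", "buck"))
```

Treat a shared pair as a lead to confirm with other evidence: the name servers are drawn from a pool, so unrelated accounts can end up with the same pair.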

This material is for informational purposes only and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Artefaktum has no responsibility or liability for any decision made or any other acts or omissions in connection with Reader’s use of this material.

Artefaktum does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.
