It is a known fact that scammers and hackers hide their true identity and wrongdoing behind online services that were originally created to protect against cybercrime, such as Cloudflare.
When researching organizations operating in the fraud industry, correlating the websites they spawn under various domains with company information can be crucial in mapping out their infrastructure and in understanding the scale of the operation they are involved in.
Most of these websites try to conceal their origin IPs by using Cloudflare's reverse proxy service, in an attempt to hide the location, hosting provider and other relevant information that would help in tracking them down.
Due to the way Cloudflare operates, when you create an account you are assigned two random name servers from their pool (for example jake.ns.cloudflare.com and buck.ns.cloudflare.com). These name servers stay the same for every website you add to your Cloudflare account, which makes it possible to correlate websites back to the same account and is a real help when researching organizations that have multiple websites under their ownership.
One way to do so is using Rapid7's Project Sonar dataset: "This dataset contains the responses to DNS requests for all forward DNS names known by Rapid7's Project Sonar. Until early November 2017, all of these were for the 'ANY' record with a fallback A and AAAA request if necessary.
After that, the ANY study represents only the responses to ANY requests, and dedicated studies were created for the A, AAAA, CNAME, and TXT record lookups with appropriately named files. The file is a GZIP compressed file containing the name, type, value, and timestamp of any returned records for a given name in JSON format."
Daniel S., Head RedTeam at Artefaktum, introduces a smarter way to solve this issue with the following bash script, which is simple yet effective at finding Cloudflare-protected websites sharing the same name servers:
```bash
#!/bin/bash
echo
echo "This script attempts to map out websites used under the same cloudflare account"
echo "By searching the DNS dataset provided by Project Sonar/opendata.rapid7"
echo "and then comparing the results of 2 searches for websites in common"
echo
echo
echo "Fetching newest fdns dataset version:"
echo
# Scrape the newest fdns_ns file name from the dataset index page
FILE=$(curl -s https://opendata.rapid7.com/sonar.fdns_v2/ | grep href | grep fdns_ns | grep -Po 'v2/\K.*?(?=")' | head -n1)
if ! command -v pigz &> /dev/null
then
    echo "pigz not found, please install it before running the script"
    exit 1
elif ! [ -f "$FILE" ]
then
    echo "You're missing Open Sonar fdns_ns database > $FILE"
    echo "Please download it here: https://opendata.rapid7.com/sonar.fdns_v2/"
    exit 1
else
    echo
fi
read -p "Enter the cloudflare nameserver 1 (example josh, anna, rodney): " NS1
read -p "Enter the cloudflare nameserver 2 (example steve, irvin, dave): " NS2
# Each record looks like {"timestamp":"...","name":"<domain>","type":"ns","value":"<ns>"},
# so field 8 when splitting on double quotes is the domain name. Matching the quoted
# value as a fixed string (-F) avoids partial matches such as "ajake" for "jake".
pigz -dc "$FILE" | grep -F "\"$NS1.ns.cloudflare.com\"" | cut -d\" -f8 | sort -u | tee NS1
pigz -dc "$FILE" | grep -F "\"$NS2.ns.cloudflare.com\"" | cut -d\" -f8 | sort -u | tee NS2
# Domains present in both (already sorted) lists share the name server pair, i.e. the same account
comm -12 NS1 NS2 | tee cloudflare-result
rm NS1 NS2
```
From there on, the results can be further investigated and the relevant websites added to the infrastructure map of the organization.
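As an added example (not the author's script and not Rapid7's code), the same correlation in Python over the FDNS record format quoted above; it goes one step further than the script by grouping every Cloudflare-protected domain in the input by its name-server pair instead of searching for a single pair, and it runs on a constructed sample of records in place of the real dataset (the `read_fdns_gz` helper streams the real file):

```python
import gzip
import json
from collections import defaultdict

CF_SUFFIX = ".ns.cloudflare.com"

# Constructed sample in the FDNS "ns" record shape (timestamp, name, type, value),
# one JSON object per line; the last line is deliberately malformed.
SAMPLE_FDNS_LINES = """\
{"timestamp":"1622160030","name":"shop-a.example","type":"ns","value":"jake.ns.cloudflare.com"}
{"timestamp":"1622160030","name":"shop-a.example","type":"ns","value":"buck.ns.cloudflare.com"}
{"timestamp":"1622160031","name":"shop-b.example","type":"ns","value":"buck.ns.cloudflare.com"}
{"timestamp":"1622160031","name":"shop-b.example","type":"ns","value":"jake.ns.cloudflare.com"}
{"timestamp":"1622160032","name":"other.example","type":"ns","value":"jake.ns.cloudflare.com"}
{"timestamp":"1622160032","name":"other.example","type":"ns","value":"anna.ns.cloudflare.com"}
{"timestamp":"1622160033","name":"corp.example","type":"ns","value":"ns1.corp.example"}
{"timestamp":"1622160034","name":"broken.example","type":"ns","value":"jake.ns.cloudflare.com
"""

def read_fdns_gz(path):
    """Stream lines from a real fdns_ns .json.gz file without loading it all."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        yield from fh

def cloudflare_ns_by_domain(lines):
    """Map each domain to the set of Cloudflare name servers recorded for it."""
    ns_by_domain = defaultdict(set)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting a multi-GB run
        value = rec.get("value", "").lower().rstrip(".")
        if rec.get("type") == "ns" and value.endswith(CF_SUFFIX):
            ns_by_domain[rec["name"].lower()].add(value)
    return ns_by_domain

def clusters_by_ns_pair(lines):
    """Group domains by their exact Cloudflare NS set: one cluster per account pair."""
    clusters = defaultdict(set)
    for domain, servers in cloudflare_ns_by_domain(lines).items():
        clusters[frozenset(servers)].add(domain)
    return clusters

def domains_for_pair(lines, ns1, ns2):
    """Same question the bash script answers: which domains use both ns1 and ns2?"""
    pair = frozenset({ns1.lower() + CF_SUFFIX, ns2.lower() + CF_SUFFIX})
    return sorted(clusters_by_ns_pair(lines).get(pair, set()))
```

On the real dataset, pass `read_fdns_gz("<downloaded fdns_ns file>")` instead of the sample lines; clusters with many domains are the accounts worth a closer look.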