First of all, I wanted to apologize for my lack of activity last month. Indeed, I was overwhelmed by my work and my training for the OSCP certification, which was quite time consuming.
By the same token, would you be interested in my feedback about OSCP?
Well, today's article is going to be focused on my last project, whichCDN.
As you already know, the recon phase is essential and determines whether your attempts to access the targeted system will be successful.
A multitude of tools allow you to perform port scans, DNS enumeration, CMS detection and various other types of assessments. However, none of them allow you to easily and efficiently detect whether a given website is protected by a CDN (Content Delivery Network).
CDNs are becoming more and more popular these days and provide features to shield websites against numerous types of attacks such as:
- Denial of Service
- Distributed Denial of Service
- Distributed Reflection Denial of Service
- XSS, SQLi through a WAF (Web Application Firewall)
CDNs are a real challenge for pentesters / hackers because they often hide the target's real address, preventing any further system-based attacks. Detecting them early saves time by avoiding unnecessary assessments.
WhichCDN implements five detection methods:
- Whois detection: CDNs can alter the output of the whois command by changing several fields, e.g. Name Server, nserver, etc.
- Error Server Detection: a few CDNs disclose information when we try to access directly the IP address resolved by the host command, exposing themselves.
- HTTP header Detection: some CDNs are quite intrusive and modify the HTTP headers by adding or replacing existing fields, which allows their presence to be detected.
- DNS resolution detection: when resolving the DNS of a given domain name, it is common to find the name server associated with the CDN in place.
- Subdomain detection: big companies often use a dedicated subdomain to configure their CDN; by trying to access such a subdomain, it is possible to determine which technology is used.
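To make the three passive methods concrete (whois fields, DNS name servers and HTTP response headers), here is a small added example that is not whichCDN's own code. It runs the same kind of signature matching over captured data, so it works offline: the whois text, name-server list and header dictionary below are constructed samples, and the signature table is a partial, assumed set of well-known fingerprints (Cloudflare name servers under ns.cloudflare.com and the cf-ray header, CloudFront's x-amz-cf-id and "cloudfront" in Via/X-Cache, Akamai name servers under akam.net), not whichCDN's data. The two active methods (probing the resolved IP directly and the CDN subdomain) need network access and are left out.

```python
import re
from typing import Dict, List, Mapping, Sequence

# Partial signature table, assumed for this illustration only (not whichCDN's
# own data): name-server suffixes and HTTP header names/values that each
# CDN is known to leave behind.
SIGNATURES = {
    "Cloudflare": {
        "ns_suffixes": ("ns.cloudflare.com",),
        "header_names": ("cf-ray", "cf-cache-status"),
        "header_values": {"server": "cloudflare"},
    },
    "Amazon CloudFront": {
        "ns_suffixes": (),
        "header_names": ("x-amz-cf-id", "x-amz-cf-pop"),
        "header_values": {"via": "cloudfront", "x-cache": "cloudfront"},
    },
    "Akamai": {
        "ns_suffixes": ("akam.net",),
        "header_names": ("x-akamai-transformed",),
        "header_values": {"server": "akamaighost"},
    },
}

# Matches the "Name Server:" (ICANN style) and "nserver:" (RIPE style)
# fields found in whois output.
NS_LINE = re.compile(r"^\s*(?:name server|nserver)\s*:\s*(\S+)", re.I | re.M)


def nameservers_from_whois(whois_text: str) -> List[str]:
    """Extract name servers from raw whois output, normalised to lower case."""
    return [ns.lower().rstrip(".") for ns in NS_LINE.findall(whois_text)]


def detect_from_nameservers(nameservers: Sequence[str]) -> List[str]:
    """Return the CDNs whose name-server suffix matches any of the given NS."""
    hits = []
    for cdn, sig in SIGNATURES.items():
        for ns in nameservers:
            ns = ns.lower().rstrip(".")
            if any(ns == s or ns.endswith("." + s) for s in sig["ns_suffixes"]):
                hits.append(cdn)
                break
    return hits


def detect_from_headers(headers: Mapping[str, str]) -> List[str]:
    """Return the CDNs whose header name or header value fingerprint is present."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    hits = []
    for cdn, sig in SIGNATURES.items():
        by_name = any(name in lowered for name in sig["header_names"])
        by_value = any(
            needle in lowered.get(name, "")
            for name, needle in sig["header_values"].items()
        )
        if by_name or by_value:
            hits.append(cdn)
    return hits


def detect_cdn(whois_text: str = "", nameservers: Sequence[str] = (),
               headers: Mapping[str, str] = None) -> Dict[str, List[str]]:
    """Combine the passive checks; map each detected CDN to the methods that hit."""
    evidence: Dict[str, List[str]] = {}

    def add(cdn: str, method: str) -> None:
        evidence.setdefault(cdn, []).append(method)

    for cdn in detect_from_nameservers(nameservers_from_whois(whois_text)):
        add(cdn, "whois")
    for cdn in detect_from_nameservers(nameservers):
        add(cdn, "dns")
    for cdn in detect_from_headers(headers or {}):
        add(cdn, "http-header")
    return evidence


# Constructed sample data standing in for a whois lookup, a DNS NS query and
# an HTTP response for a Cloudflare-fronted site.
SAMPLE_WHOIS = """Domain Name: EXAMPLE.ORG
Name Server: ROB.NS.CLOUDFLARE.COM
Name Server: CRUZ.NS.CLOUDFLARE.COM
"""
SAMPLE_NS = ["rob.ns.cloudflare.com.", "cruz.ns.cloudflare.com."]
SAMPLE_HEADERS = {
    "Server": "cloudflare",
    "CF-RAY": "0123456789abcdef-CDG",  # constructed value
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    for cdn, methods in detect_cdn(SAMPLE_WHOIS, SAMPLE_NS, SAMPLE_HEADERS).items():
        print(f"{cdn}: detected via {', '.join(methods)}")
```

Each method is kept separate and reports which check fired, which matters in practice: a site can sit behind a CDN's proxy (headers match) without delegating DNS to it (no name-server match), so a single combined boolean would hide why a detection succeeded or failed.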
Let’s try it on 0x00sec:
whichCDN http://example.com | example.com
As you can see in the picture above, 0x00sec.org is protected by Cloudflare. It is just as simple as that.
- Microsoft Azure
Areas for improvement
I don’t know yet if it is possible to bypass such security measures but once done, it would be awesome to add attack vectors to work around those filtration systems.
Moreover, I would like to populate the list of supported CDNs with other service providers such as:
- Verizon Digital Media Services
Don’t hesitate to contribute to this project if you are aware of other ways to detect CDNs. Lastly, feel free to contact me if you know websites using a specific type of CDN that is not supported yet!
I hope that you enjoyed this article.