How to automate CDN detection?
Note: The French version is available here: http://bssiblog.supertag.fr/automatiser-detection-cdns/
As in any penetration test, the reconnaissance phase is essential: it largely determines whether an attempt to reach the targeted system will succeed.
A multitude of tools exist for port scanning, DNS enumeration, CMS detection and various other kinds of assessment. However, none of them makes it easy to detect, quickly and reliably, whether a given website is protected by a CDN (Content Delivery Network).
CDNs are becoming more and more popular these days and provide features that shield websites against numerous types of attacks, such as:
- Denial of Service
- Distributed Denial of Service
- Distributed Reflection Denial of Service
- XSS and SQL injection, through a WAF (Web Application Firewall)
CDNs are a real challenge for penetration testers: they often hide the target's real address, preventing any further system-level attacks. Detecting them early saves time by avoiding assessments that cannot succeed against the edge.
WhichCDN has 5 different detection methods:
- Whois detection
CDNs can alter the output of the whois command, e.g. the Name Server / nserver fields point at the provider's name servers rather than the target's own.
- Error server detection
A few CDNs disclose their presence when the IP addresses returned by the host command are accessed directly: the edge server answers with a provider-specific error page instead of the website.
- HTTP header detection
Some CDNs are fairly intrusive and modify the HTTP response headers, adding or replacing fields that reveal their presence.
- DNS detection
When resolving a given domain name, it is common to find name servers (or CNAME targets) belonging to the CDN in place.
- Subdomain detection
Large companies often configure their CDN on a dedicated subdomain; by trying to access such a subdomain, it is possible to determine which technology is in use.
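To make the five methods concrete, here is the matching logic they rely on, written as an added example in Python. It is not WhichCDN's own code: the signature table is an assumption drawn from commonly observed CDN behaviour (not the tool's list), the sample headers, DNS records, whois text and error page are constructed rather than captured from a live host, and the collection step (HTTP request, host/dig, whois) is left out so that the block runs offline.

```python
"""Offline CDN fingerprinting using WhichCDN's five evidence sources.

Added example, not WhichCDN's own code. SIGNATURES is an assumption drawn
from commonly observed CDN behaviour, not the tool's list, and the sample
evidence at the bottom is constructed rather than captured from a live host.
"""
from collections import defaultdict

# Assumed signatures. "headers" maps a lowercase header name to a substring
# that must appear in its value ("" means the header's presence is enough).
SIGNATURES = {
    "Cloudflare": {
        "headers": {"server": "cloudflare", "cf-ray": ""},
        "dns": (".ns.cloudflare.com", ".cdn.cloudflare.net"),
        "whois": ("cloudflare",),
        "error": ("direct ip access not allowed",),
    },
    "Akamai": {
        "headers": {"server": "akamaighost", "x-akamai-transformed": ""},
        "dns": (".edgekey.net", ".edgesuite.net", ".akamaiedge.net", ".akam.net"),
        "whois": ("akamai",),
        "error": ("invalid url",),
    },
    "Amazon CloudFront": {
        "headers": {"x-amz-cf-id": "", "via": "cloudfront"},
        "dns": (".cloudfront.net",),
        "whois": ("amazon",),
        "error": ("the request could not be satisfied",),
    },
    "Fastly": {
        "headers": {"x-served-by": "cache-", "x-fastly-request-id": ""},
        "dns": (".fastly.net", ".fastlylb.net"),
        "whois": ("fastly",),
        "error": ("fastly error: unknown domain",),
    },
    "Incapsula": {
        "headers": {"x-cdn": "incapsula", "x-iinfo": ""},
        "dns": (".incapdns.net",),
        "whois": ("incapsula", "imperva"),
        "error": ("incapsula incident id",),
    },
    "Microsoft Azure": {
        "headers": {},
        "dns": (".azureedge.net", ".msecnd.net"),
        "whois": ("microsoft",),
        "error": (),
    },
}


def detect_from_headers(headers):
    """HTTP header detection: header names and value substrings, case-insensitive."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    return {cdn for cdn, sig in SIGNATURES.items()
            if any(name in lowered and needle in lowered[name]
                   for name, needle in sig["headers"].items())}

def detect_from_dns(targets):
    """DNS and subdomain detection: NS names and CNAME targets (for the apex or
    for candidate subdomains such as cdn./static.) end in provider suffixes."""
    cleaned = [t.lower().rstrip(".") for t in targets]
    return {cdn for cdn, sig in SIGNATURES.items()
            if any(t.endswith(suffix) for t in cleaned for suffix in sig["dns"])}

def detect_from_text(text, key):
    """Shared matcher for whois output (key="whois") and for the error page an
    edge returns when its IP is fetched directly (key="error")."""
    lowered = text.lower()
    return {cdn for cdn, sig in SIGNATURES.items()
            if any(needle in lowered for needle in sig[key])}

def detect(headers=None, dns_targets=(), whois_text="", error_body=""):
    """Combine all sources; returns {cdn: [methods that matched]} so a single
    weak hit (e.g. one header) can be told apart from corroborated evidence."""
    votes = defaultdict(list)
    for method, hits in (("http-header", detect_from_headers(headers or {})),
                         ("dns", detect_from_dns(dns_targets)),
                         ("whois", detect_from_text(whois_text, "whois")),
                         ("error-page", detect_from_text(error_body, "error"))):
        for cdn in hits:
            votes[cdn].append(method)
    return dict(votes)


# Constructed evidence for a Cloudflare-fronted site (not captured from a host).
SAMPLE_HEADERS = {"Server": "cloudflare", "CF-RAY": "0123456789abcdef-CDG",
                  "Content-Type": "text/html"}
SAMPLE_DNS = ["alice.ns.cloudflare.com.", "bob.ns.cloudflare.com."]
SAMPLE_WHOIS = "Name Server: ALICE.NS.CLOUDFLARE.COM\nName Server: BOB.NS.CLOUDFLARE.COM\n"
SAMPLE_ERROR = "<title>Direct IP access not allowed | Cloudflare</title>"

if __name__ == "__main__":
    for cdn, methods in detect(SAMPLE_HEADERS, SAMPLE_DNS, SAMPLE_WHOIS, SAMPLE_ERROR).items():
        print(f"{cdn}: detected via {', '.join(methods)}")
```

Reporting which methods agreed, rather than a bare yes/no, matters in practice: response headers can be stripped or spoofed by the origin, whereas name servers and CNAME targets are harder to fake, so a hit corroborated by DNS deserves more confidence than a lone `Server` header.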
Usage of WhichCDN to detect CDNs
WhichCDN is a Python script that is extremely simple to use. It is available at the following address:
Once downloaded (with the « git clone » command), WhichCDN can be used as follows:
As can be seen in the picture above, 0x00sec.org is protected by Cloudflare. It is as simple as that.
At the time of writing, WhichCDN supports the following CDNs:
- Microsoft Azure
Areas for improvement
The current state of the art does not show that such protections can be bypassed, but if a method is one day disclosed, it would be worthwhile to add attack vectors that work around these filtering systems.
Moreover, it would be relevant to extend the list of supported CDNs with other providers, such as:
- Verizon Digital Media Services
WhichCDN aims to be an indispensable tool for CDN detection, allowing pentesters and security experts to speed up the reconnaissance phase by revealing whether a given website sits behind a CDN. This information avoids wasted effort during an engagement, where every second counts.
Finally, note that WhichCDN has been added to BlackArch Linux and should soon be available in Kali Linux. Happy pentesting.