Published on 12 December 2017

How to automate CDN detection?

Introduction

Note: The French version is available here: http://bssiblog.supertag.fr/automatiser-detection-cdns/

As in any penetration test, the reconnaissance phase is essential: it largely determines whether an attempt to reach the targeted system will succeed.

A multitude of tools exist for port scanning, DNS enumeration, CMS detection and various other kinds of assessment. However, none of them makes it easy to detect, quickly and reliably, whether a given website sits behind a CDN (Content Delivery Network).

CDNs are becoming more and more popular and provide features that shield websites against numerous types of attacks, such as:

  • Denial of Service
  • Distributed Denial of Service
  • Distributed Reflection Denial of Service
  • XSS and SQL injection, via a WAF (Web Application Firewall)

Beyond those security measures, they also speed up page loading through caching, load balancing, browser optimisation, JavaScript minification and so on.

CDNs are a real challenge for penetration testers because they usually hide the target's real address (the origin server), preventing any further attacks against the underlying system. Detecting a CDN early therefore saves time, as it avoids assessments that cannot succeed.

WhichCDN

WhichCDN uses five different detection methods:

  • Whois Detection

CDNs can leave traces in the output of the whois command, changing several fields such as Name Server or nserver.

[Image: WhichCDN-Methode_Whois]

  • Error Server Detection

A few CDNs reveal themselves when one directly requests the IP addresses that the host command resolves for the domain: the error page returned for an unknown host names the provider, exposing it to the world.

[Image: WhichCDN-Fuite_info]

  • HTTP Header detection

Some CDNs are quite intrusive and modify the HTTP response headers, adding new fields or replacing existing ones, which makes their presence detectable.

  • DNS detection

When resolving the DNS records of a given domain name, it is common to find name servers belonging to the CDN in place.

  • Subdomain detection

Large organisations often configure their CDN on a dedicated subdomain; by resolving and requesting such subdomains, it is possible to determine which technology is used.

[Image: WhichCDN-Methode_sous-domaines]
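To make the mechanics of these methods concrete, here is an added example written for this article (it is not code from the whichCDN project) that implements the HTTP header, DNS and direct-IP error-page checks in Python. The signature tables are illustrative assumptions drawn from a handful of well-known providers, not the tool's own database, and the sample response headers and name servers are constructed inline so the script runs offline. The whois and subdomain methods reduce to the same suffix matching once you feed in the name servers from the whois output or the CNAME targets of the organisation's cdn. or static. subdomain.

```python
"""Fingerprint a CDN from response headers, DNS names and the page served
when an edge IP is hit directly. Example code for this article, not part of
whichCDN; every signature below is an illustrative assumption."""
import re
import ssl
import urllib.error
import urllib.request
from typing import Dict, Iterable, List, Set, Tuple

# (provider, header name in lower case, regex on the header value)
HEADER_SIGNATURES: List[Tuple[str, str, str]] = [
    ("Cloudflare", "server", r"^cloudflare"),
    ("Cloudflare", "cf-ray", r"."),
    ("Cloudfront", "via", r"cloudfront"),
    ("Cloudfront", "x-amz-cf-id", r"."),
    ("Incapsula", "x-cdn", r"incapsula"),
    ("Incapsula", "x-iinfo", r"."),
    ("Akamai", "server", r"akamaighost"),
    ("Fastly", "x-served-by", r"^cache-"),
    ("Microsoft Azure", "x-azure-ref", r"."),
]

# (provider, suffix of an NS record or CNAME target owned by that provider)
DNS_SIGNATURES: List[Tuple[str, str]] = [
    ("Cloudflare", ".ns.cloudflare.com"),
    ("Cloudfront", ".cloudfront.net"),
    ("Akamai", ".akam.net"),
    ("Akamai", ".edgekey.net"),
    ("Akamai", ".edgesuite.net"),
    ("Akamai", ".akamaiedge.net"),
    ("Incapsula", ".incapdns.net"),
    ("Fastly", ".fastly.net"),
    ("CacheFly", ".cachefly.net"),
    ("MaxCDN", ".netdna-cdn.com"),
    ("Limelight", ".llnwd.net"),
    ("EdgeCast", ".edgecastcdn.net"),
    ("Microsoft Azure", ".azureedge.net"),
]

# (provider, regex on the body an edge returns for a Host it does not know)
ERROR_PAGE_SIGNATURES: List[Tuple[str, str]] = [
    ("Cloudflare", r"direct ip access not allowed"),
    ("Incapsula", r"incapsula incident id"),
    ("Akamai", r"errors\.edgesuite\.net"),
]


def detect_from_headers(headers: Dict[str, str]) -> Set[str]:
    """Header detection: provider-specific fields added or replaced by the edge."""
    lowered = {name.lower(): value for name, value in headers.items()}
    found: Set[str] = set()
    for provider, name, pattern in HEADER_SIGNATURES:
        value = lowered.get(name)
        if value and re.search(pattern, value, re.IGNORECASE):
            found.add(provider)
    return found


def detect_from_dns(names: Iterable[str]) -> Set[str]:
    """DNS detection: NS records and CNAME targets that end in a CDN-owned zone.
    The same check serves the whois (Name Server fields) and subdomain methods."""
    found: Set[str] = set()
    for name in names:
        host = name.lower().rstrip(".")
        for provider, suffix in DNS_SIGNATURES:
            if host.endswith(suffix) or host == suffix.lstrip("."):
                found.add(provider)
    return found


def detect_from_error_page(body: str) -> Set[str]:
    """Direct-IP detection: some edges name themselves on their own error page."""
    return {p for p, pat in ERROR_PAGE_SIGNATURES if re.search(pat, body, re.IGNORECASE)}


def detect(headers: Dict[str, str], dns_names: Iterable[str], error_body: str = "") -> Set[str]:
    """Union of the three checks. An empty set means no known signature matched,
    not that no CDN is present (operators can strip or rename these headers)."""
    return (detect_from_headers(headers)
            | detect_from_dns(dns_names)
            | detect_from_error_page(error_body))


def fetch_headers(url: str, timeout: float = 5.0) -> Dict[str, str]:
    """Live helper for real targets: one GET, headers only. 4xx/5xx responses
    still carry the edge's headers, so they are returned rather than raised."""
    request = urllib.request.Request(url, headers={"User-Agent": "cdn-check/0.1"})
    try:
        with urllib.request.urlopen(request, timeout=timeout,
                                    context=ssl.create_default_context()) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as exc:
        return dict(exc.headers.items())


# Constructed sample input modelled on a Cloudflare-fronted site (not a real capture).
SAMPLE_HEADERS = {
    "Date": "Tue, 12 Dec 2017 10:00:00 GMT",
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "cloudflare",
    "CF-RAY": "3cc1e3a2b9a58e7d-CDG",
}
SAMPLE_DNS = ["ada.ns.cloudflare.com.", "ben.ns.cloudflare.com."]

if __name__ == "__main__":
    print(sorted(detect(SAMPLE_HEADERS, SAMPLE_DNS)))  # ['Cloudflare']
```

For a live target, pass the result of fetch_headers together with the NS records and CNAME chain obtained from host or dig, and, for the direct-IP method, the body of a request sent to one of the resolved addresses with an unrelated Host header. A match identifies the edge provider only; it says nothing about the origin address, and an empty result does not prove the absence of a CDN, since signatures can be stripped.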

Usage of WhichCDN to detect CDNs

WhichCDN is a Python script that is extremely simple to use. It is available at the following address:
https://github.com/Nitr4x/whichCDN

Once downloaded (with the « git clone » command), WhichCDN can be used as follows:
whichCDN example.com

[Image: WhichCDN-Interface]

As can be seen in the screenshot above, 0x00sec.org is protected by Cloudflare. It is as simple as that.

Supported CDNs

At the time of writing, WhichCDN supports the following CDNs:

  • Cloudflare
  • Incapsula
  • Cloudfront
  • Akamai
  • Airee
  • CacheFly
  • EdgeCast
  • MaxCDN
  • Beluga
  • Limelight
  • Fastly
  • Myracloud
  • Microsoft Azure

Axes of improvements

The state of the art in this area has not shown that it is possible to bypass such protections, but if a method ever surfaces, it would be worthwhile to add attack vectors that work around those filtering systems.

Moreover, it would be relevant to extend the list of supported CDNs with other service providers such as:

  • Azion
  • ArvanCloud
  • Beluga
  • CDN77
  • CDNetworks
  • CDNsun
  • CDNvideo
  • ChinaCache
  • ChinaNetCenter
  • Highwinds
  • KeyCDN
  • Level3
  • NGENIX
  • Quantil
  • SkyparkCDN
  • Verizon Digital Media Services
  • Turbobyte

Conclusion

WhichCDN aims to be the go-to tool for CDN detection, allowing pentesters and security experts to speed up the reconnaissance phase by showing whether a given website is protected by a CDN. This valuable information avoids wasted effort in a phase where every second counts.

Finally, note that whichCDN has been added to BlackArch Linux and should soon be available in Kali Linux. Happy pentesting.

Article written by
EvaBssi Team