Vincent Yiu
Finding Target-relevant Domain Fronts


Last updated 6 years ago

My last blog post on finding high-value target domains that could be used for domain fronting was quite popular — found here.

Although there are a few popular domains that everyone uses, I’ve also published quite a large list on GitHub for public consumption and for defenders to watch for. This can be found here.

As time went on, I found that there was a need for target-relevant domains, which may not necessarily be readily available in my previously discovered list. I came up with a quick way to find such domains, along with example traffic that could then be used to camouflage our own. Additionally, I’ve had a lot of people in the community contact me asking how I find the domain names. And yes, previously it was by scanning the Alexa Top 1 million for CNAME records pointing to CloudFront.

Configure a web browser to proxy through Burp Suite as you normally would and begin browsing the internet. The first idea would be to browse your target organisation’s or its affiliates’ websites; this generates a lot of traffic. Next, go to Google and search for terms related to the industry that particular target is in. To quickly narrow the large number of domains accessed down to candidate domains, set a filter in Burp’s Target tab for “(CloudFront)”.

For example, if it was a company in the automotive manufacturing industry I could search for terms like “sports car”. Doing so, I find links to websites such as Maserati.com, which uses scripts.sophus3.com, a CloudFront domain, to serve scripts. See the following screenshot.
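The Target-tab filter above is a manual pass over Burp’s HTTP history. The same sweep can be scripted so that a defender can build the inventory of CDN-fronted domains this post suggests watching. The following is an added example, not code from the original post or from PortSwigger; it assumes the XML layout written by Burp’s “Save items” action, where each request/response pair is an `<item>` carrying a `<host>` element and a base64-encoded `<response>`, and the export embedded in it is constructed for the demo. It decides “CloudFront” from the response headers CloudFront edges emit (`Server: CloudFront`, a `Via` naming `cloudfront.net`, or the `X-Amz-Cf-Id`/`X-Amz-Cf-Pop` headers), which is what the “(CloudFront)” text filter is really matching on.

```python
"""Pull CloudFront-served hosts out of a Burp Suite HTTP history export.

Added example, not code from the original post or from PortSwigger. Assumes
the XML layout written by Burp's "Save items" action: every request/response
pair is an <item> with a <host> element and a base64-encoded <response>.
The export embedded below is constructed for the demo.
"""
import base64
import xml.etree.ElementTree as ET

# Response headers that reveal a CloudFront edge; an empty needle means
# the header merely being present is enough.
CLOUDFRONT_MARKERS = (
    ("server", "cloudfront"),
    ("via", "cloudfront.net"),
    ("x-amz-cf-id", ""),
    ("x-amz-cf-pop", ""),
)


def parse_headers(raw_response: bytes) -> dict:
    """Return {lowercase-name: value} for the headers of an HTTP/1.x response."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # first line is the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def is_cloudfront(headers: dict) -> bool:
    """True when any CloudFront marker header is present in the response."""
    for name, needle in CLOUDFRONT_MARKERS:
        value = headers.get(name)
        if value is not None and needle in value.lower():
            return True
    return False


def cloudfront_hosts(export_xml: str) -> set:
    """Hosts in the export whose responses came back through CloudFront."""
    hosts = set()
    for item in ET.fromstring(export_xml).iter("item"):
        host = item.findtext("host", default="").strip().lower()
        resp = item.find("response")
        if not host or resp is None or not resp.text:
            continue
        raw = base64.b64decode(resp.text) if resp.get("base64") == "true" else resp.text.encode()
        if is_cloudfront(parse_headers(raw)):
            hosts.add(host)
    return hosts


# Constructed sample responses (not real captures).
_CF_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: CloudFront\r\nX-Amz-Cf-Id: constructed-id\r\n\r\n/* js */"
_VIA_RESPONSE = b"HTTP/1.1 304 Not Modified\r\nVia: 1.1 abc123.cloudfront.net (CloudFront)\r\n\r\n"
_NGINX_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html></html>"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed export in the assumed "Save items" layout.
SAMPLE_EXPORT = f"""<items>
  <item><host>scripts.example.test</host><response base64="true">{_b64(_CF_RESPONSE)}</response></item>
  <item><host>cdn.example.test</host><response base64="true">{_b64(_VIA_RESPONSE)}</response></item>
  <item><host>www.example.test</host><response base64="true">{_b64(_NGINX_RESPONSE)}</response></item>
</items>"""

if __name__ == "__main__":
    for host in sorted(cloudfront_hosts(SAMPLE_EXPORT)):
        print(host)
```

Run against a real export (`cloudfront_hosts(open("history.xml").read())`) the set it returns is the list to feed into egress monitoring; the header check is deliberately conservative, so a CDN that strips these headers will be missed rather than falsely listed.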

Changing the Host header to another known CloudFront domain such as beacon.uber.com, we retrieve a different set of content and know that the domain front was successful. The following screenshot shows the content retrieved through the scripts.sophus3.com domain.

At this point, we have found a domain related to cars, used by Maserati in its content delivery. The domain is on CloudFront, and we can use this to craft traffic for command and control channels based around this data.

Reviewing the original data, we can see that it fetches a script; C2 content can be sent through as a GET parameter or Referer header, and responses can easily be modified within the script body as a comment.
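The front described above (scripts.sophus3.com on the wire, beacon.uber.com in the Host header) is visible to anyone who can see both the TLS SNI and the decrypted HTTP Host, for instance an inspecting proxy at the egress. The following detection pass is an added example, not code from the original post: the log format (`sni=… host=… path=…`) and the lines are constructed, `registrable()` is a deliberate simplification that takes the last two DNS labels as the owning domain rather than consulting a public-suffix list, and the CDN inventory passed in is assumed to come from a sweep like the one earlier in the post.

```python
"""Flag connections whose HTTP Host header names a different site than the TLS SNI.

Added example, not code from the original post. The log format and the lines
below are constructed; registrable() is a two-label simplification of the
owning domain (no public-suffix list).
"""
import re

LOG_RE = re.compile(r"sni=(?P<sni>\S+)\s+host=(?P<host>\S+)\s+path=(?P<path>\S+)")


def registrable(name: str) -> str:
    """Owning domain under the two-label simplification (example.test for cdn.example.test)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Return (sni, host, path) or None; lowercases names and strips a :port from Host."""
    m = LOG_RE.search(line)
    if not m:
        return None
    sni = m.group("sni").lower()
    host = m.group("host").lower().split(":", 1)[0]
    return sni, host, m.group("path")


def fronting_candidates(lines, cdn_hosts):
    """SNI/Host mismatches that cross owning domains.

    cdn_hosts is the inventory of hosts known to sit behind a shared CDN; a
    mismatch where either side is in that inventory is marked known_cdn=True
    and deserves the first look, because that is exactly the shape of a front.
    """
    cdn_hosts = {h.lower() for h in cdn_hosts}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sni, host, path = rec
        if sni == "-" or sni == host:
            continue  # plain HTTP (no SNI), or the normal matching case
        if registrable(sni) == registrable(host):
            continue  # www vs static on the same site: routine CDN behaviour
        hits.append({"sni": sni, "host": host, "path": path,
                     "known_cdn": sni in cdn_hosts or host in cdn_hosts})
    return hits


# Constructed proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2020-01-01T10:00:00Z sni=scripts.example.test host=scripts.example.test path=/loader.js",
    "2020-01-01T10:00:01Z sni=www.example.test host=static.example.test path=/site.css",
    "2020-01-01T10:00:02Z sni=scripts.example.test host=beacon.other.test:443 path=/loader.js",
    "2020-01-01T10:00:03Z sni=- host=plain.example.test path=/",
    "2020-01-01T10:00:04Z sni=img.third.test host=assets.fourth.test path=/logo.png",
    "malformed line with no fields",
]

if __name__ == "__main__":
    for hit in fronting_candidates(SAMPLE_LOG, {"scripts.example.test"}):
        print(hit)
```

Two lines survive the filters: the cross-domain swap onto a host from the CDN inventory (flagged `known_cdn=True`) and an unrelated cross-domain mismatch that still warrants a look. Same-site CDN hostnames and non-TLS requests are skipped on purpose, since they are the usual sources of noise in this kind of rule.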

More examples, such as domains that would blend in a lot better in a large organisation, are displayed below:

PortSwigger’s Burp Suite is a popular, widely known and widely used tool. In this post I have used it to easily extract a list of CloudFront domains.