Validated CloudFront SSL Domains
You may have heard of Domain Fronting, and some of the work that I’ve previously done. https://vincentyiu.co.uk/domain-fronting-via-cloudfront-alternate-domains/
Then https://www.peew.pw/blog/2018/2/22/how-i-identified-93k-domain-frontable-cloudfront-domains came along and showed us how to find 93k frontable CloudFront domains. I mentioned to him that not all are validated as they can have invalid certificates.
The benefit of using Domain Fronting is that as far as the victim’s side proxy is concerned, you are making the SSL exchange with the legitimate server you are using as a front. Fantastic.
I’ve kept this private for a long time now, and since someone else has already shown us how to find these domains, I’ve decided to release my list that has been false positive checked with all of the invalid SSL certificate domains removed.
The following script was used to check for SSL issues and that the domain front was infact working:
1
import ssl, socket, requests, urllib2, sys
2
hostname = sys.argv[1]
3
4
bValid = False
5
bFrontSSL = False
6
7
try:
8
ctx = ssl.create_default_context()
9
s = ctx.wrap_socket(socket.socket(), server_hostname=hostname)
10
s.connect((hostname, 443))
11
cert = s.getpeercert()
12
13
subject = dict(x[0] for x in cert['subject'])
14
issued_to = subject['commonName']
15
issuer = dict(x[0] for x in cert['issuer'])
16
issued_by = issuer['commonName']
17
18
bValid = True
19
except:
20
bValid = False
21
22
#print bValid
23
24
try:
25
txheaders = {"User-Agent":"Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0", "Host": "yourinstance.cloudfront.net"}
26
27
url = "https://%s/rare.txt" % sys.argv[1]
28
request = urllib2.Request(url, headers=txheaders)
29
response = urllib2.urlopen(request).read()
30
if "ABC123" in response:
31
bFrontSSL = True
32
else:
33
bFrontSSL = False
34
except:
35
bFrontSSL = False
36
37
if bFrontSSL:
38
print "[!] SSL Front: %s" % sys.argv[1]
Copied!
After hosting rare.txt on my CloudFront instance, using the above script, all I had to do was perform the following parallel command to ensure swift checking:
1
cat fronts.txt | parallel -j 32 "python sslfront.py {} | tee -a output.txt"
Copied!
Soon, output.txt would be filled with legitimate fronts that would have valid certificates that would be used to encrypt our traffic.
vysecurity/DomainFrontingLists - A list of Domain Frontable Domains by CDN
There wasn’t much point in keeping this private any longer as the same domains were already out there.
Last modified 2yr ago
Copy link