Mining DNS Data Using The Cloud™ (via Cloudflare)
Enumeration of DNS data is nothing new. Usually it is accomplished through some combination of Google dorking, DNS querying, brute-forcing subdomains with a tool like SubBrute, or, if you are lucky, DNS zone transfers that were left enabled. However, Cloudflare, a popular CDN and DDoS mitigation service, also has a very large internal database of DNS data waiting to be mined. The best part is that anyone can query this data just by attempting to set up the target domain on Cloudflare.
As an example, we’ll use “disney.com” to demonstrate how we can enumerate the DNS data of a target domain.
Just create a Cloudflare account and add “disney.com” as your site that you wish to set up:
Wait until they’re done “setting up” the domain…
and click continue.
Now Cloudflare will return a list of DNS data it’s found to be associated with your site:
Super easy!
If only there was some sort of tool for collecting this information…
mandatory@mandatorys-box /t/cloudflare_enum> ./cloudflare_enum.py [email protected] Testing1 disney.com
Cloudflare DNS Enumeration Tool V1.0 By mandatory
[ STATUS ] Logging in to Cloudflare...
[ SUCCESS ] Login was successful!
[ STATUS ] Adding domain to Cloudflare...
[ SUCCESS ] Querying Cloudflare DNS archives...
A: disney.com -> 199.181.132.249
A: api.disney.com -> 96.45.49.200
A: app.disney.com -> 208.218.3.17
A: apps.disney.com -> 199.181.132.250
A: archive.disney.com -> 198.105.199.57
A: archives.disney.com -> 199.181.132.250
A: data.disney.com -> 10.190.71.248
A: feeds.disney.com -> 198.105.197.192
A: home.disney.com -> 199.181.132.250
A: huey11.disney.com -> 192.195.66.12
A: huey.disney.com -> 204.128.192.10
A: localhost.disney.com -> 127.0.0.1
A: louie.disney.com -> 204.128.192.30
A: mail2.disney.com -> 204.128.192.16
A: mail.disney.com -> 204.128.192.15
A: m.disney.com -> 199.181.132.250
A: mx1.disney.com -> 192.195.66.26
A: mx1.disney.com -> 204.128.192.17
A: mx2.disney.com -> 192.195.66.28
A: mx2.disney.com -> 204.128.192.36
A: services.disney.com -> 204.202.143.170
A: services.disney.com -> 204.202.143.171
A: webcache.disney.com -> 204.128.192.55
A: webcast.disney.com -> 207.177.177.41
A: www1.disney.com -> 199.181.132.250
A: www2.disney.com -> 199.181.132.250
CNAME: code.disney.com -> matterhorn.disney.com
CNAME: help.disney.com -> help.disney.com.00di0000000dwy9eai.live.siteforce.com
CNAME: matterhorn.disney.com -> matterhorn.edgesuite.net
CNAME: news.disney.com -> louie.disney.com
CNAME: ns1.disney.com -> huey.disney.com
CNAME: ns2.disney.com -> huey11.disney.com
CNAME: ns.disney.com -> huey.disney.com
CNAME: support.disney.com -> matterhorn.disney.com
CNAME: video.disney.com -> matterhorn.disney.com
CNAME: www.disney.com -> disney.com
MX: disney.com -> cluster6a.us.messagelabs.com
MX: disney.com -> cluster6.us.messagelabs.com
SRV: _xmpp-server._tcp.disney.com -> 0 5269 xmpp.disney.com
TXT: disney.com -> MS=ms33999579
TXT: disney.com -> NPDN6e50Sn3r5H6cs+y5zUw+bFbBu9BMeBRo8whYYHJXvU43YAz+BLxj0yVT1KJQhnbrG6ix57LzdcQry6eYyQ==
TXT: disney.com -> v=spf1 mx ip4:204.128.192.17 ip4:204.128.192.36 ip4:204.128.192.43 ip4:192.195.66.26 ip4:192.195.66.28 ip4:192.195.66.36 -all
[ STATUS ] Deleting domain from account for cleanup...
[ STATUS ] Deleted the domain from Cloudflare account
[ STATUS ] Spreadsheet created at /tmp/cloudflare_enum/disney_com.csv
mandatory@mandatorys-box /t/cloudflare_enum>
cloudflare_enum allows quick querying of Cloudflare's DNS information for any domain Cloudflare will accept (i.e. one it has not blacklisted). The syntax is simple: you specify your Cloudflare username and password and the domain you want DNS information on. On top of printing the DNS records, it writes a CSV spreadsheet of the data for later use, and it removes the domain from your account again once it is done. Two things worth noting from the run above: passing the password as a command-line argument leaves it in your shell history and process list, so use a throwaway account; and data.disney.com resolving to 10.190.71.248, an RFC 1918 address, is exactly the kind of internal-host leak this enumeration surfaces. Easy to use and easy to add to your enumeration tool belt!
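The same add-zone, read-scan, delete-zone workflow can be driven through Cloudflare's public API v4 instead of the web UI. The script below is an added example written for this page; it is not the cloudflare_enum tool and not Cloudflare's own code. It assumes, since none of this is on the page, an API token with zone edit rights, an account ID to create the zone under, and that the `jump_start` flag on zone creation still triggers Cloudflare's DNS scan. It uses only the standard library, and the HTTP layer is injectable so the flow can be exercised offline against constructed responses; the sample records are constructed, not real scan output.

```python
"""Added example: Cloudflare's add-zone / read-scan / delete-zone trick via API v4.
Not the blog's cloudflare_enum tool.  ASSUMED: an API token with zone edit
rights, an account ID, and that `jump_start` still triggers the DNS scan."""
import csv
import io
import json
import time
import urllib.request

API = "https://api.cloudflare.com/client/v4"


class CloudflareClient:
    def __init__(self, api_token, transport=None):
        self.headers = {"Authorization": f"Bearer {api_token}",
                        "Content-Type": "application/json"}
        # transport(method, url, body) -> decoded JSON; replaced by a fake offline
        self.transport = transport or self._http

    def _http(self, method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def call(self, method, path, body=None):
        """Every v4 response carries success/result/errors; fail loudly on success=false."""
        payload = self.transport(method, API + path, body)
        if not payload.get("success"):
            raise RuntimeError(f"{method} {path} failed: {payload.get('errors')}")
        return payload


def fetch_all_records(client, zone_id, per_page=100):
    """Walk every page of GET /zones/{id}/dns_records (large zones exceed one page)."""
    page, records = 1, []
    while True:
        payload = client.call("GET", f"/zones/{zone_id}/dns_records?page={page}&per_page={per_page}")
        records.extend(payload["result"])
        if page >= payload.get("result_info", {}).get("total_pages", 1):
            return records
        page += 1


def enumerate_zone(client, domain, account_id, attempts=6, delay=5):
    """Add the target as a zone, poll until the scan has populated records, delete the
    zone.  Deletion is in `finally` so a failed read never leaves someone else's
    domain parked in your account."""
    zone = client.call("POST", "/zones", {"name": domain,
                                          "account": {"id": account_id},
                                          "jump_start": True})["result"]
    zone_id = zone["id"]
    try:
        for i in range(attempts):
            records = fetch_all_records(client, zone_id)
            if records:
                return records
            if i < attempts - 1:
                time.sleep(delay)
        return []
    finally:
        client.call("DELETE", f"/zones/{zone_id}")


def format_record(rec):
    """Print a record the way the blog's tool does: 'TYPE: name -> target'."""
    target = rec.get("content", "")
    if rec["type"] == "MX":
        target = f"{rec.get('priority', '')} {target}".strip()
    return f"{rec['type']}: {rec['name']} -> {target}"


def to_csv(records):
    """The 'spreadsheet' output: one row per record, sorted so runs can be diffed."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["type", "name", "content", "priority"])
    for rec in sorted(records, key=lambda r: (r["type"], r["name"])):
        writer.writerow([rec["type"], rec["name"], rec.get("content", ""), rec.get("priority", "")])
    return buf.getvalue()


# Constructed sample of what a scan might return: documentation-range addresses
# plus one RFC 1918 address of the kind the disney.com run exposed.
SAMPLE_SCAN = [
    {"type": "A", "name": "example.com", "content": "192.0.2.10"},
    {"type": "A", "name": "data.example.com", "content": "10.0.0.5"},
    {"type": "CNAME", "name": "www.example.com", "content": "example.com"},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "priority": 10},
]


def make_fake_transport(scan_results):
    """Offline stand-in for the API with constructed responses; records each call."""
    calls = []

    def transport(method, url, body):
        calls.append((method, url))
        if method == "POST" and url.endswith("/zones"):
            return {"success": True, "result": {"id": "zone-0001", "name": body["name"]}}
        if method == "GET" and "/dns_records" in url:
            return {"success": True, "result": scan_results,
                    "result_info": {"page": 1, "total_pages": 1}}
        if method == "DELETE" and "/zones/" in url:
            return {"success": True, "result": {"id": "zone-0001"}}
        return {"success": False, "errors": [{"message": f"unexpected {method} {url}"}]}

    return transport, calls


if __name__ == "__main__":
    transport, calls = make_fake_transport(SAMPLE_SCAN)
    client = CloudflareClient("dummy-token", transport=transport)
    for rec in enumerate_zone(client, "example.com", "acct-id", attempts=1, delay=0):
        print(format_record(rec))
    print(to_csv(SAMPLE_SCAN))
    print("API calls made:", [m for m, _ in calls])
```

Against the real API, drop the fake transport, pass a token, and keep the default polling values: the scan is not instantaneous, so the first `dns_records` read after creation is often empty. Zone creation is rate-limited per account, so expect this to be slow across many targets.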
The tool is available on GitHub.
As a side note, thanks to my coworker for showing me this Cloudflare trick.