Hi fellas,

First of all, I wanted to apologize for my lack of activity over the last month. Indeed, I was overwhelmed by my work and my training for the OSCP certification, which was quite time consuming.

By the same token, would you be interested in my feedback about OSCP?


Well, today’s article is going to focus on my latest project, whichCDN.

As you already know, the recon phase is essential and determines whether your attempts to access the targeted system will be successful.

A multitude of tools let you perform port scans, DNS enumeration, CMS detection and various other types of assessment. However, none of them lets you easily and efficiently detect whether a given website is protected by a CDN (Content Delivery Network).

CDNs are becoming more and more popular these days and provide features that shield websites against numerous types of attack, such as:

Denial of Service

Distributed Denial of Service

Distributed Reflection Denial of Service

XSS, SQLI through WAF (Web Application Firewall)

Beyond those security measures, they also speed up the loading of your website through caching, load balancing, browser optimization, JavaScript minification, etc.

CDNs are a real challenge for pentesters / hackers, since they often hide the target’s real address and thereby prevent any further system-based attacks. Detecting them early saves time by avoiding unnecessary assessments.

WhichCDN implements five detection methods:

Whois Detection

CDNs can affect the output of the whois command by changing several fields, e.g. Name Server, nserver, etc.

Error Server Detection

A few CDNs expose themselves by disclosing information in the error page they serve when we directly access the IP address resolved by the host command.

HTTP header Detection

Some CDNs are quite intrusive and modify the HTTP headers by adding new fields or replacing existing ones, which makes their presence detectable.

DNS Detection

When resolving a given domain name, it is common to find the name servers associated with the CDN in place.

Subdomain Detection

Big companies often use a dedicated subdomain to configure their CDN; by trying to access such a subdomain, it is possible to determine which technology is in use.
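To make the HTTP header and DNS methods concrete, here is a small offline example I have added for this post; it is not whichCDN’s own code. The signature table is a constructed, partial set of header names and name-server suffixes that these providers are known to use, and the sample response and name-server list are constructed inputs rather than real captures.

```python
import re

# Constructed, partial signature table (added example, not whichCDN's data).
# Each CDN maps to (header name, regex on the header value) pairs.
HEADER_SIGNATURES = {
    "Cloudflare": [("server", r"cloudflare"), ("cf-ray", r".+")],
    "Cloudfront": [("via", r"cloudfront"), ("x-amz-cf-id", r".+")],
    "Incapsula":  [("x-cdn", r"incapsula"), ("x-iinfo", r".+")],
    "Akamai":     [("x-akamai-transformed", r".+"), ("server", r"akamaighost")],
    "Fastly":     [("x-served-by", r"^cache-"), ("x-fastly-request-id", r".+")],
}

# Name-server suffixes that show up in DNS / whois results (constructed, partial).
NS_SIGNATURES = {
    "Cloudflare": ("ns.cloudflare.com",),
    "Akamai":     ("akam.net",),
    "Incapsula":  ("incapdns.net",),
}


def detect_by_headers(headers):
    """Return the first CDN whose header signature matches, else None.
    Header names are compared case-insensitively, as HTTP requires."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for cdn, signatures in HEADER_SIGNATURES.items():
        for name, pattern in signatures:
            value = lowered.get(name)
            if value is not None and re.search(pattern, value, re.IGNORECASE):
                return cdn
    return None


def detect_by_nameservers(nameservers):
    """Match authoritative name servers (with or without trailing dot)
    against the known CDN DNS suffixes; return the CDN name or None."""
    for ns in nameservers:
        host = ns.lower().rstrip(".")
        for cdn, suffixes in NS_SIGNATURES.items():
            if any(host.endswith(suffix) for suffix in suffixes):
                return cdn
    return None


# Constructed sample data shaped like a Cloudflare-fronted site (not a real capture).
SAMPLE_HEADERS = {"Server": "cloudflare", "CF-RAY": "0000000000000000-CDG",
                  "Content-Type": "text/html"}
SAMPLE_NS = ["ada.ns.cloudflare.com.", "bob.ns.cloudflare.com."]

if __name__ == "__main__":
    print("headers ->", detect_by_headers(SAMPLE_HEADERS))      # Cloudflare
    print("nameservers ->", detect_by_nameservers(SAMPLE_NS))   # Cloudflare
```

In a real run the headers come from an HTTP response and the name servers from an NS lookup; the two checks are independent, which is why whichCDN combines several methods rather than trusting one.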

Let’s try it on 0x00sec

Usage

whichCDN http://example.com | example.com

As you can see in the picture above, 0x00sec.org is protected by Cloudflare. It is just as simple as that.

Supported CDNs

Cloudflare

Incapsula

Cloudfront

Akamai

Airee

CacheFly

EdgeCast

MaxCDN

Beluga

Limelight

Fastly

Myracloud

Microsoft Azure

Areas of improvement

I don’t know yet whether it is possible to bypass such security measures, but once that is done, it would be awesome to add attack vectors to work around those filtering systems.

Moreover, I would like to populate the list of supported CDNs with other service providers such as:

Azion

ArvanCloud

Beluga

CDN77

CDNetwork

CDNsun

CDNvideo

ChinaCache

ChinaNetCenter

Highwinds

KeyCDN

Level3

NGENIX

Quantil

SkyparkCDN

Verizon Digital Media Services

Turbobyte

Contribution

Don’t hesitate to contribute to this project if you are aware of other ways to detect CDNs. Lastly, feel free to contact me if you know of websites using a specific type of CDN that is not supported yet!

I hope that you enjoyed this article.

Best,

Nitrax