CloudFrunt is a tool for identifying misconfigured CloudFront domains. CloudFront is a Content Delivery Network (CDN) gave by Amazon Web Services (AWS). CloudFront clients make “distributions” that serve content from particular sources (a S3 container, for instance).
Each CloudFront distribution has a remarkable endpoint for clients to point their DNS records to (ex. d111111abcdef8.cloudfront.net). The greater part of the areas utilizing a particular distribution should be recorded in the “Alternate Domain Names (CNAMEs)” field in the choices for that distribution.
At the point when a CloudFront endpoint gets a demand, it doesn’t consequently serve content from the relating distribution. Rather, CloudFront utilizes the HOST header of the demand to figure out which distribution to utilize. This implies two things:
- In the event that the HOST header does not coordinate a entry in the “Alternate Domain Names (CNAMEs)” field of the proposed circulation, the demand will come up short.
- Whatever other distribution that contains the particular area in the HOST header will get the demand and react to it regularly.
Also Read Best SQL Injection Tools
This is the thing that enables the spaces to be hijacked. There are numerous situations where a CloudFront client neglects to list all the essential areas that may be gotten in the HOST header. For instance:
- The domain “test.disloops.com” is a CNAME record that focuses to “disloops.com”.
- The “disloops.com” area is set up to utilize a CloudFront distribution.
- Since “test.disloops.com” was not added to the “Alternate Domain Names (CNAMEs)” field for the distribution, solicitations to “test.disloops.com” will fall fail.
- Another client can make a CloudFront distribution and include “test.disloops.com” to the “Alternate Domain Names (CNAMEs)” field to hijack the domain.
This implies the remarkable endpoint that CloudFront binds to a solitary circulation is viably good for nothing. An ask for to one particular CloudFront subdomain isn’t restricted to the distribution it is related with.
$ git clone --recursive https://github.com/MindPointGroup/cloudfrunt $ pip install -r requirements.txt
CloudFrunt expects the dnsrecon script to be cloned into a subdirectory called dnsrecon.
cloudfrunt.py [-h] [-l TARGET_FILE] [-d DOMAINS] [-o ORIGIN] [-i ORIGIN_ID] [-s] [-N] -h, --help Show this message and exit -s, --save Save the results to results.txt -N, --no-dns Do not use dnsrecon to expand scope -l, --target-file TARGET_FILE File containing a list of domains (one per line) -d, --domains DOMAINS Comma-separated list of domains to scan -o, --origin ORIGIN Add vulnerable domains to new distributions with this origin -i, --origin-id ORIGIN_ID The origin ID to use with new distributions
$ python cloudfrunt.py -o cloudfrunt.com.s3-website-us-east-1.amazonaws.com -i S3-cloudfrunt -l list.txt CloudFrunt v1.0.4 [+] Enumerating DNS entries for google.com [-] No issues found for google.com [+] Enumerating DNS entries for disloops.com [+] Found CloudFront domain --> cdn.disloops.com [+] Found CloudFront domain --> test.disloops.com [-] Potentially misconfigured CloudFront domains: [#] --> test.disloops.com [+] Created new CloudFront distribution EXBC12DE3F45G [+] Added test.disloops.com to CloudFront distribution EXBC12DE3F45G