CloudFrunt is a tool for identifying misconfigured CloudFront domains. CloudFront is a Content Delivery Network (CDN) provided by Amazon Web Services (AWS). CloudFront users create “distributions” that serve content from specific sources (an S3 bucket, for instance).
Each CloudFront distribution has a unique endpoint for users to point their DNS records to (ex. d111111abcdef8.cloudfront.net). The domains that use a particular distribution should be listed in the “Alternate Domain Names (CNAMEs)” field in the options for that distribution.
When a CloudFront endpoint receives a request, it doesn’t automatically serve content from the corresponding distribution. Instead, CloudFront uses the HOST header of the request to determine which distribution to use. This means two things:
This is what allows the domains to be hijacked. There are many situations where a CloudFront user neglects to list all the necessary domains that might be received in the HOST header. For instance:
This means the unique endpoint that CloudFront binds to a single distribution is effectively meaningless. A request to one particular CloudFront subdomain isn’t restricted to the distribution it is associated with.
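As an added example (not part of CloudFrunt or of the original page), the following Python code audits your own DNS inventory against the alternate domain names on your own distributions, which is the gap described above. The inventory data, field names, distribution IDs and the wildcard rule are assumptions constructed for illustration.

```python
def normalize(name):
    """Lower-case a DNS name and drop any trailing dot."""
    return name.strip().lower().rstrip(".")

def alias_covers(alias, host):
    """True if an alternate-domain-name entry covers host.
    Assumption: a leading '*.' entry covers any subdomain of the remainder."""
    alias, host = normalize(alias), normalize(host)
    if alias.startswith("*."):
        return host.endswith(alias[1:])
    return alias == host

def audit(dns_cnames, distributions):
    """Return (host, status) for CloudFront-bound hosts that need attention.
    'unlisted': no distribution of ours lists the host, so its Host header
    matches nothing we control.
    'listed-elsewhere': listed, but not on the distribution DNS points at."""
    by_endpoint = {normalize(d["endpoint"]): d["id"] for d in distributions}
    findings = []
    for host, target in sorted(dns_cnames.items()):
        host, target = normalize(host), normalize(target)
        if not target.endswith(".cloudfront.net"):
            continue  # not served through CloudFront
        owners = [d["id"] for d in distributions
                  if any(alias_covers(a, host) for a in d["aliases"])]
        if not owners:
            findings.append((host, "unlisted"))
        elif by_endpoint.get(target) not in owners:
            findings.append((host, "listed-elsewhere"))
    return findings

# Constructed inventory: hypothetical field names, IDs and hostnames.
DISTRIBUTIONS = [
    {"id": "EDIST1", "endpoint": "d111111abcdef8.cloudfront.net",
     "aliases": ["cdn.example.com", "*.static.example.com"]},
    {"id": "EDIST2", "endpoint": "d222222abcdef8.cloudfront.net",
     "aliases": ["shop.example.com"]},
]
DNS_CNAMES = {
    "cdn.example.com.": "d111111abcdef8.cloudfront.net.",     # listed
    "img.static.example.com": "d111111abcdef8.cloudfront.net",  # wildcard
    "test.example.com": "d111111abcdef8.cloudfront.net",      # never listed
    "shop.example.com": "d111111abcdef8.cloudfront.net",      # on EDIST2
    "old.example.com": "d333333abcdef8.cloudfront.net",       # unknown endpoint
    "www.example.com": "lb.example.net",                      # not CloudFront
}

if __name__ == "__main__":
    for host, status in audit(DNS_CNAMES, DISTRIBUTIONS):
        print(f"{status:17} {host}")
```

Hosts reported as unlisted should either be added to the intended distribution's alternate domain names or have their DNS record removed.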
$ git clone --recursive https://github.com/MindPointGroup/cloudfrunt
$ pip install -r requirements.txt
CloudFrunt expects the dnsrecon script to be cloned into a subdirectory called dnsrecon.
cloudfrunt.py [-h] [-l TARGET_FILE] [-d DOMAINS] [-o ORIGIN] [-i ORIGIN_ID] [-s] [-N]
-h, --help Show this message and exit
-s, --save Save the results to results.txt
-N, --no-dns Do not use dnsrecon to expand scope
-l, --target-file TARGET_FILE File containing a list of domains (one per line)
-d, --domains DOMAINS Comma-separated list of domains to scan
-o, --origin ORIGIN Add vulnerable domains to new distributions with this origin
-i, --origin-id ORIGIN_ID The origin ID to use with new distributions
$ python cloudfrunt.py -o cloudfrunt.com.s3-website-us-east-1.amazonaws.com -i S3-cloudfrunt -l list.txt
CloudFrunt v1.0.4
[+] Enumerating DNS entries for google.com
[-] No issues found for google.com
[+] Enumerating DNS entries for disloops.com
[+] Found CloudFront domain --> cdn.disloops.com
[+] Found CloudFront domain --> test.disloops.com
[-] Potentially misconfigured CloudFront domains:
[#] --> test.disloops.com
[+] Created new CloudFront distribution EXBC12DE3F45G
[+] Added test.disloops.com to CloudFront distribution EXBC12DE3F45G