celes.in
[quick tip] dumping all domains from a CloudFlare account
Cloudflare is a widely used Content Delivery Network (CDN) provider offering services such as DDoS mitigation and DNS management. Its clientele spans numerous industries, including several Fortune 500 companies.
sometimes, you may want to enumerate all the domains that are associated with a Cloudflare account. This can be useful for bug bounty hunters who want to find other domains owned by the same company.
there are existing methods to do this, but they have some limitations. for example, you can use the crt.sh website to search for certificates associated with a domain. However, this method is not very reliable because it relies on the domain being present in a certificate's Subject Alternative Name (SAN) field. This is not always the case, so you may miss some domains.
another method is to use a reverse WHOIS lookup service like WhoisXML API to search for a company's registered email address, name or postal address. This method is more reliable, but sometimes the registrar of the company's domain offers WHOIS privacy protection, which makes this approach infeasible, since neither you nor the API will be able to see the registrant's information.
Enumerating all domains from a Cloudflare account by nameserver correlation
according to Cloudflare's blog, each Cloudflare account has a pair of nameservers assigned to it. since this nameserver combination contains a fair amount of entropy, it is unlikely that many accounts will share the same pair of nameservers. therefore, we can use this information to enumerate all the domains associated with a Cloudflare account.
we are lucky, because nameservers are listed in the WHOIS record of a domain. this means that we can use a reverse WHOIS service to search for domains that have the same pair of nameservers.
in this blog post, we will be using WhoisXMLAPI to perform the reverse WHOIS lookup. you can use other services if you want, but the steps may be different.
first, we need to find the nameservers of the target domain. we can do this with a simple dig query on the target domain. extracting the nameservers of Discord as an example looks like this:
$ dig NS discord.com +short
gabe.ns.cloudflare.com.
sima.ns.cloudflare.com.
now that we have the nameservers, we can use the WhoisXMLAPI to search for domains that have the same pair of nameservers. the API has a free tier that allows you to perform 500 queries per month, which should be enough for most use cases.
we can do that by issuing the following request:
curl https://reverse-whois.whoisxmlapi.com/api/v2 --data '{"apiKey":"<APIKEY>","searchType":"current","mode":"purchase","advancedSearchTerms":[{"field":"NameServers","term":"gabe.ns.cloudflare.com"},{"field":"NameServers","term":"sima.ns.cloudflare.com."}]}' -o whois.json
Executing this query yielded a large list of 742 potential domains. To narrow this list down to domains affirmatively associated with Discord, one might perform a manual review. However, for brevity's sake, we'll apply a quick filter using grep for the term "Discord" within the results:
$ jq -r '.domainsList[]' whois.json | grep -i discord
discordapp.com
discord.media
discord.gifts
discord-activities.com
discord.co
discord.tools
discord.new
discord.gg
discordrtc.com
discordapp.io
discord.store
discord.gift
discord.com
discordapp.net
discord.ws
discord.dev
discord.design
discord.help
discordmerch.com
discordsound.com
discordcdn.com
discordgames.com
discordsays.com
The outcome is astonishing; a simple search reveals numerous domains, and further investigation will likely confirm that the majority are indeed managed by Discord.
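The same correlation is worth running from the other side of the table: a company's own asset-inventory team can take the nameserver pair of its primary zone and check which registered domains share it, then review whatever does not match the brand name. The script below is an added example and not code from the original post; it uses only the Python standard library and constructed sample data (the `dig` output quoted above and a small fake `domainsList` response whose shape is assumed from the jq filter used in the post, not taken from a real API reply). It normalizes nameserver records, which matters because `dig +short` prints a trailing dot and the curl request above mixes dotted and undotted terms, deduplicates the result list, and separates keyword matches from the remainder that still needs manual review, since sharing a nameserver pair is correlation, not proof of ownership.

```python
import json

# Constructed sample: what `dig NS discord.com +short` prints for a
# Cloudflare-hosted zone (the two names are the pair quoted in the post).
SAMPLE_DIG_OUTPUT = """gabe.ns.cloudflare.com.
sima.ns.cloudflare.com.
"""

# Constructed sample of a reverse-WHOIS response. Only the `domainsList`
# key is assumed (from the jq filter in the post); this is not a real reply.
SAMPLE_WHOIS_JSON = json.dumps({
    "domainsList": [
        "discord.com",
        "discordapp.com",
        "DISCORD.gg",               # mixed case, should still match
        "discord.com",              # duplicate, should be collapsed
        "unrelated-shop.example",   # shares the pair but not the brand
        "d1scord-login.example",    # look-alike that a keyword grep misses
    ],
})


def normalize_ns(name: str) -> str:
    """Canonical form of a nameserver name: lowercase, no trailing dot."""
    return name.strip().rstrip(".").lower()


def nameserver_pair(dig_output: str) -> tuple:
    """Parse `dig NS +short` output into a sorted, normalized tuple so that
    two zones on the same Cloudflare account compare equal regardless of
    record order, letter case or trailing dots."""
    names = [normalize_ns(line) for line in dig_output.splitlines() if line.strip()]
    return tuple(sorted(set(names)))


def same_account(dig_output_a: str, dig_output_b: str) -> bool:
    """True when two zones resolve to the same (normalized) nameserver pair."""
    return nameserver_pair(dig_output_a) == nameserver_pair(dig_output_b)


def split_domains(whois_json: str, keyword: str) -> dict:
    """Deduplicate `domainsList` and split it into domains whose name contains
    the keyword (case-insensitive) and the rest, which needs manual review."""
    data = json.loads(whois_json)
    seen = set()
    matched, unmatched = [], []
    for raw in data.get("domainsList", []):
        domain = raw.strip().lower()
        if domain in seen:
            continue
        seen.add(domain)
        (matched if keyword.lower() in domain else unmatched).append(domain)
    return {"matched": matched, "unmatched": unmatched}


if __name__ == "__main__":
    print("nameserver pair:", nameserver_pair(SAMPLE_DIG_OUTPUT))
    result = split_domains(SAMPLE_WHOIS_JSON, "discord")
    print("keyword matches:", result["matched"])
    print("needs manual review:", result["unmatched"])
```

The `unmatched` list is the interesting output for a defender: it is where unknown domains on the same account, or look-alikes registered elsewhere that happen to share the pair, surface, and it is exactly what a plain `grep -i discord` throws away.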
finishing it off
This technique highlights how a little investigation can go a long way. It's important to note that this method is not foolproof, and it may not work in all cases. However, it's one of many great ways to find domains associated with a company.
Give this method a try, and you might just be surprised at what you find. It's all about being curious. Now go see what you can uncover. Good luck out there!