add. new auxiliary module: behind_cloudfront #11204
Closed
This module can be useful if you need to test the security of your server and your
website behind Amazon CloudFront by discovering the real IP address.
More precisely, I use multiple data sources (DNS enumeration, ViewDNS.info) to collect
IP addresses that are (or have been) assigned to the targeted site or domain that uses the
Amazon CloudFront CDN.
After a cleaning step, i.e. checking whether the IP addresses come from Amazon
CloudFront's servers, the module runs tests to discover the true address behind the CDN.
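The two steps described above, the cleaning of candidate addresses against CloudFront's published ranges and the page comparison on TITLE or COMPSTR, reproduced offline as an added example (not code from the module or the PR); the ip-ranges excerpt and the HTML snippets are constructed, and a defender can run the same check against their own historical DNS records to confirm none still point at the origin.

```ruby
require 'json'
require 'ipaddr'

# Constructed excerpt in the shape of AWS's published ip-ranges.json.
# Only a handful of prefixes are listed; the live file is much longer.
SAMPLE_IP_RANGES = <<~JSON
  {"prefixes": [
    {"ip_prefix": "13.32.0.0/15",     "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "54.230.0.0/16",    "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "205.251.192.0/19", "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "52.95.110.0/24",   "region": "us-east-1", "service": "EC2"}
  ]}
JSON

# Keep only the CLOUDFRONT prefixes, parsed into IPAddr networks.
def cloudfront_ranges(json)
  JSON.parse(json)['prefixes']
      .select { |p| p['service'] == 'CLOUDFRONT' }
      .map { |p| IPAddr.new(p['ip_prefix']) }
end

# Cleaning step: drop every candidate that sits inside a CloudFront range,
# leaving only addresses that could be the origin itself.
def filter_candidates(ips, ranges)
  ips.map { |ip| IPAddr.new(ip) }
     .reject { |ip| ranges.any? { |net| net.include?(ip) } }
     .map(&:to_s)
end

# Comparison string: COMPSTR when set, otherwise the <title> of the
# reference page served through the CDN (what the module calls TITLE).
def comparison_string(reference_html, compstr = nil)
  return compstr unless compstr.nil? || compstr.empty?
  m = reference_html.match(%r{<title>(.*?)</title>}im)
  m ? m[1].strip : nil
end

# Comparison step: a candidate responds as the protected site if the page it
# returns for the Host header contains the comparison string.
def same_site?(candidate_html, compstr)
  candidate_html.include?(compstr)
end

if __FILE__ == $0
  ranges = cloudfront_ranges(SAMPLE_IP_RANGES)
  puts filter_candidates(%w[13.33.10.4 54.230.1.1 203.0.113.10], ranges).inspect
end
```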
Verification Steps
use auxiliary/gather/behind_cloudfront
set hostname www.xxxxxxxx.com
run
Options
CENSYS_SECRET
Your Censys API SECRET.
CENSYS_UID
Your Censys API UID.
COMPSTR
A custom string to use for the page comparison. Default: the page TITLE if left empty.
Setting COMPSTR explicitly always gives the best results.
HOSTNAME
The hostname (FQDN) on which the website responds. A bare domain also works.
Proxies
A proxy chain in the format type:host:port[,type:host:port][...]. Optional.
RPORT
The target TCP port on which the protected website responds. Default: 443
SSL
Negotiate SSL/TLS for outgoing connections. Default: true
THREADS
Number of concurrent threads used for DNS enumeration. Default: 8
URIPATH
The URI path on which to perform the page comparison. Default: '/'
WORDLIST
Name list required for DNS enumeration. Default: ~/metasploit-framework/data/wordlists/namelist.txt
Advanced options
DNSENUM
Perform the DNS enumeration step (can be disabled). Default: true
NS
The nameserver to use for queries. Default: the system DNS
TIMEOUT
HTTP(s) request timeout. Default: 15
VERBOSE
Enable verbose mode to display more information in the console.
Scenarios
For auditing purposes
If successful, you should obtain the IP address of the website as follows:
For example:
In some cases you may need to change the URI path so that the comparison uses a page other than the index page.
To do this:
References