Validated CloudFront SSL Domains

Last updated 2 months ago

You may have heard of Domain Fronting, and some of the work that I’ve previously done. https://vincentyiu.co.uk/domain-fronting-via-cloudfront-alternate-domains/

Then https://www.peew.pw/blog/2018/2/22/how-i-identified-93k-domain-frontable-cloudfront-domains came along and showed us how to find 93k frontable CloudFront domains. I mentioned to him that not all are validated as they can have invalid certificates.

The benefit of using Domain Fronting is that as far as the victim’s side proxy is concerned, you are making the SSL exchange with the legitimate server you are using as a front. Fantastic.

I’ve kept this private for a long time now, and since someone else has already shown us how to find these domains, I’ve decided to release my list that has been false positive checked with all of the invalid SSL certificate domains removed.

The following script was used to check for SSL issues and that the domain front was infact working:

import ssl, socket, requests, urllib2, sys
hostname = sys.argv[1]
bValid = False
bFrontSSL = False
try:
ctx = ssl.create_default_context()
s = ctx.wrap_socket(socket.socket(), server_hostname=hostname)
s.connect((hostname, 443))
cert = s.getpeercert()
subject = dict(x[0] for x in cert['subject'])
issued_to = subject['commonName']
issuer = dict(x[0] for x in cert['issuer'])
issued_by = issuer['commonName']
bValid = True
except:
bValid = False
#print bValid
try:
txheaders = {"User-Agent":"Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0", "Host": "yourinstance.cloudfront.net"}
url = "https://%s/rare.txt" % sys.argv[1]
request = urllib2.Request(url, headers=txheaders)
response = urllib2.urlopen(request).read()
if "ABC123" in response:
bFrontSSL = True
else:
bFrontSSL = False
except:
bFrontSSL = False
if bFrontSSL:
print "[!] SSL Front: %s" % sys.argv[1]

After hosting rare.txt on my CloudFront instance, using the above script, all I had to do was perform the following parallel command to ensure swift checking:

cat fronts.txt | parallel -j 32 "python sslfront.py {} | tee -a output.txt"

Soon, output.txt would be filled with legitimate fronts that would have valid certificates that would be used to encrypt our traffic.

vysec/DomainFrontingLists - A list of Domain Frontable Domains by CDN

There wasn’t much point in keeping this private any longer as the same domains were already out there.