Horizontal Domain Reconnaissance — A Bug Bounty Journal

In terms of being late or not starting at all, then it’s never too late. — Alison Headley

I tend to keep fairly thorough (albeit informal) notes while doing recon, however it’s never occurred to me to share anything. I’m not sure why exactly. Especially since a friend once gave me the idea to keep a public journal of all my experiences and endeavors while bug bounty hunting. Years later is better then never I guess.

Sharpening the axe

So the first step is just to figure out what root domains belong to Apple. This bounty program isn’t hosted on Hackerone or Bugcrowd and doesn’t display any scope. So my guess is that anything owned by Apple is fair game. This includes physical devices too (which could be fun later)

My very first move is to visit bgp.he.net and get all the ASNs for Apple

AS714 
AS6185
AS2709

So far that’s what I’ve got. Apple seems to have a huge IP space, but we will ignore it for now and just focus on ASN enumeration.

# screen -S amass-apple-session amass intel -config ~/.config/amass/config.ini -active -asn 714,6185,2709 -o Targets/Apple/horizontal-domains.txt

Once this is completed, I’ll grep through the output file for icloud, apple, itunes, and anything else that pertains directly to apple. From there I’ll do further checks to make 100% sure that the domains are owned by Apple, Inc and the I’ll have a complete list of all root domains worth looking at by Apple. Then, I can pick a domain and begin subdomain reconnaissance on one or all root domains.

# cat horizontal-domains.txt |sort -u |xargs -n1 -I{} host {} > resolved-hosts.txt

So I just picked a random domain that doesn’t seem to be related to apple and grabbed it’s IP address from the file. In this case I visited https://swell.am which happens to redirect to apple.com itself. Now I know that the IP address 17.253.142.4 points to apple.com. So what I’ll do is grep for all the lines with that IP and I’ll have a list of all of apple.com’s alias

# grep 17.253.142.4 resolved-hosts.txt > apple-aliases.txt

So now what? Well, I have three files. One containing all the domains discovered with amass intel, one with all the domains ran through the host command, and one with all the aliases for apple.com. So I guess what I need to do is remove all of apple.com’s hosts from the first file I mentioned somehow, leaving me with only hosts that don’t point at apple.com. I decided to take the file containing all the results of running host against all the horizontal domains and parsed out duplicates.

# cat horizontal-hosts.txt |cut -d' ' -f1|sort -u > all-domains.txt

Turns out a large portion of these seem to point directly back to https://www.apple.com including weird ones like alchemysynth.com and burstly.net. So, I’ll want to loop through all these and check to see which ones point back to apple.com and which ones don’t.

# curl -I http://burstly.net

That returns

HTTP/1.1 301 Moved Permanently
Server: red 3.8
Date: Mon, 9.Nov 2020 23:21:15 GMT
Referer: http://burstly.net/
Location: https://www.apple.com/
Connection: close
Content-Type: text/html
Content-Length: 0

So unless if I’m thinking about this the long way around I can just run a loop through all of those domains, curl for the headers, and grep the Location header. If it shows https://www.apple.com then move on, if not, then echo it to a new file. First though, I might as well check to see which ones are even live HTTP servers in the first place, and then the resulting list will be easier to pass to curl

# cat all-domains.txt |httprobe > live-urls.txt

So I ended up writing this script real quick to get a list of where all domains are pointing.

#!/bin/bash    for url in $(cat $1); do
echo "$url ->" $(curl -I -k --silent $url |grep "Location"| cut -d' ' -f2) &
done

And then ran it and piped it elsewhere

# ./test.sh all-domains > location-headers.txt

Ok. Now I have a big list of URLs that all the aliases redirect to. Now I want to parse through it to find domains that aren’t apple.com. May not be pretty but here’s what I came up with ...

# cat location-headers.txt |grep -F '> http'|cut -d'>' -f2|grep -v .apple.com|sort -u > alternate-urls.txt

So then I did some manual editing to remove all http:// and https:// from the file so I could do this….

# cat alternate-urls.txt |cut -d'/' -f1|sort -u|grep 'apple\|icloud\|aaplimg\|itunes' >appleurls.txt

# cat alternate-urls.txt |cut -d'/' -f1|sort -u|grep -v 'apple\|icloud\|aaplimg\|itunes' >non-appleurls.txt

Now I’ll manually walk through and whois the non-appleurls.txt to see if they are indeed owned by Apple…. just kidding. More ugly one-liners!

# for n in $(cat non-appleurls.txt |rev|cut -d. -f1,2|rev); do echo $n $(whois $n|grep 'Tech Organization'); done

# for n in $(cat non-appleurls.txt |rev|cut -d. -f1,2|rev); do echo $n $(whois $n|grep 'Admin Email'); done

And with that mess, I think I’ve found a decent list of accessible horizontal hosts that don’t just point back to apple.com. Here it is:

apple.channel.support
cdn.apple-cloudkit.com
cvws-proxy.icloud-content.com
essentials.applesurveys.com
icloud.com.cn
secure2.store.v.aaplimg.com
storefront-support.v.aaplimg.com
ww1.itunesmusicstore.com
ww17.itunesmusicstore.com
www.icloud.com
apple.com
beatsbydre.com
mzstatic.com

And now one very last thing before I move on from horizontal reconnaissance.

# cat appleurls.txt |rev|cut -d. -f1,2|rev|sort -u |tee apple-domains.txt    aaplimg.com
apple-cloudkit.com
apple.com
applesurveys.com
beatsbydre.com
channel.support <- this was apple.channel.support
com.cn <- this was icloud.com.cn. I'll fix it in the file and keep it so I can enumerate the china one too
icloud-content.com
icloud.com
itunesmusicstore.com
mzstatic.com

These are all the domains I could do subdomain enumeration on. I feel confident that I vetted this list thoroughly enough as to know that they are all owned by Apple, Inc. Everything else I discovered points to a subdomain or endpoint of apple.com. To add one further note, I visited these manually and found a number of them point to this URL: https://idmsa.apple.com/IDMSWebAuth/SAMLSignin. So I should jot this down. I’m sure it’s hardened by professionals, but I’ll keep it around anyway. It would be good to spend a serious bit of time looking at it in Burpsuite and the Developer Console just to get an idea of the technology being used and try to really understand how it works. Ok, I think that’s it for horizontal recon. Next I’ll tackle subdomain enumeration.

Oh and for the record, I’m truly sorry about all the bash…

--

--

--

Sharing my passion for the world of hacking and bug bounty hunting, and their relation to my unique adventures and experiences.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

CryptoRacing completed its first dividend at 2:00 UTC on June 9, 2021

HOW DO YOU RETRIEVE USERNAMES AND PASSWORDS FROM MICROSOFT EDGE?

3 Apps Every Internet User Must Have in 2020

The Successful Conclusion of the Crust Tests

Wisdom From The Women Leading The Cybersecurity Industry, With Jennifer Tisdale of GRIMM

Investor warning against Swiss Union broker scam!

{UPDATE} Wings Through Time Hack Free Resources Generator

What is EternalBlue?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
DJ Nelson

DJ Nelson

Sharing my passion for the world of hacking and bug bounty hunting, and their relation to my unique adventures and experiences.

More from Medium

Bug Bounty Methodology - Web Vulnerabilities Checklist

How We “Forced” Our Client To Fix A Low Severity Security Bug And Still Got Appreciated!

Reducing your brute-force attack time with Turbo intruder

Attacking IBM MQ — SWIFT to Steal Money$$$