Subdomain and IP Reconnaissance — A Bug Bounty Journal

DJ Nelson
6 min read · Mar 11, 2021


In my first journal entry I walked through performing horizontal domain reconnaissance on Apple’s network in order to find a complete list of domains which are owned by the monolithic organization we all know. This entry picks up where we left off. Let’s continue.

Finding the right tree

So after vetting Apple’s ASN space I ended up with these domains to pick from:

aaplimg.com -> Apple’s CDN
apple-cloudkit.com
apple.com -> Main site
apple.com.cn
applesurveys.com -> Redirects to https://idmsac.apple.com/IDMSWebAuth/SAMLLogin
beatsbydre.com
apple.channel.support
icloud.com
icloud-content.com -> redirects to https://developer.apple.com/icloud
icloud.com.cn
itunesmusicstore.com
mzstatic.com

A few of these do redirect to apple.com, however they have their own subdomains, so I’m going to keep all of these to attempt to discover subdomains on anyway. Obviously the two big ones are apple.com and icloud.com, although I’m interested in aaplimg.com as well, even though the root domain redirects to apple.com. For now though, I’ll start with apple.com.

# screen -S apple.com.subs amass enum -config ~/.config/amass/config.ini -active -ip -d apple.com -o subs.txt

I do all my bug bounty relating activities on a Digital Ocean box, so I like using the screen command line utility to background commands that I expect will take some time to run. While I’m waiting for that to finish I’ll move on to enumerate Apple’s IP space.

Ok, let’s check the main domain’s ASN

# dig +short apple.com | xargs -n1 -I{} whois -h whois.cymru.com {}
AS | IP | AS Name
714 | 17.253.144.10 | APPLE-ENGINEERING, US

With that little number we can find all their IP blocks.

# whois -h whois.radb.net -- '-i origin AS714' | grep route: | awk '{print $2}' | tee ip-blocks.txt

Um, woah. There is a MASSIVE number of IP blocks. Not that I’m surprised. Also, just out of curiosity, I want to see what the other autonomous systems belonging to Apple, Inc. look like.

# for ip in $(cat apple-domains.txt | xargs -n1 -I{} dig +short {}); do whois -h whois.cymru.com $ip | grep -v 'AS Name'; done
714 | 17.178.96.39 | APPLE-ENGINEERING, US
714 | 17.142.160.39 | APPLE-ENGINEERING, US
714 | 17.172.224.28 | APPLE-ENGINEERING, US
714 | 17.254.0.91 | APPLE-ENGINEERING, US
714 | 17.253.144.10 | APPLE-ENGINEERING, US
714 | 17.253.142.4 | APPLE-ENGINEERING, US
714 | 17.137.160.86 | APPLE-ENGINEERING, US
714 | 17.179.240.124 | APPLE-ENGINEERING, US
14618 | 34.224.107.175 | AMAZON-AES, US
14618 | 52.202.224.80 | AMAZON-AES, US
714 | 17.179.240.152 | APPLE-ENGINEERING, US
714 | 17.253.144.10 | APPLE-ENGINEERING, US
714 | 17.253.142.4 | APPLE-ENGINEERING, US
714 | 17.253.144.10 | APPLE-ENGINEERING, US
133618 | 103.224.182.245 | TRELLIAN-AS-AP Trellian Pty. Limited, AU
714 | 17.253.142.4 | APPLE-ENGINEERING, US

Looks like 14618 belongs to Amazon. Of course Apple is going to use AWS resources as well. The other one, 133618, isn’t directly owned by Apple, but it’s always good to check anyway.
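The two lookups above (the RADB route list for AS714 and the per-IP Team Cymru loop) produce text that is easy to eyeball for a dozen domains but not for hundreds. The script below is an added example, not the journal author’s tooling: it parses both formats, collapses nested RADB prefixes so the block list is minimal, groups resolved IPs by origin ASN, and flags the ones hosted outside the organization’s own ASN or announced prefixes, which is the same "is this really theirs?" question asked of 14618 and 133618 above. From an asset-inventory standpoint those are the hosts an owner most often loses track of (cloud-hosted services, parked domains at a third party). All route and whois lines in it are constructed sample data.

```python
"""Group resolved IPs by origin ASN and check them against RADB prefixes.

Added example, not the journal author's own tooling. It assumes the two
text shapes shown in the post: Team Cymru whois rows ("AS | IP | AS Name")
and RADB route objects filtered down to "route:" lines. All sample data
below is constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `whois -h whois.radb.net -- '-i origin AS714' | grep route:`
# (made-up nested prefixes; real output lists far more).
RADB_ROUTES = """\
route:      17.0.0.0/8
route:      17.253.0.0/16
route:      17.253.144.0/24
route:      198.51.100.0/24
"""

# Constructed sample of the `whois -h whois.cymru.com <ip>` rows from the
# loop in the post, header row included.
CYMRU_LINES = """\
AS      | IP               | AS Name
714     | 17.253.144.10    | APPLE-ENGINEERING, US
714     | 17.172.224.28    | APPLE-ENGINEERING, US
14618   | 34.224.107.175   | AMAZON-AES, US
133618  | 103.224.182.245  | TRELLIAN-AS-AP Trellian Pty. Limited, AU
"""


def parse_radb_routes(text):
    """Extract route/route6 prefixes and collapse nested or adjacent blocks."""
    nets = []
    for line in text.splitlines():
        m = re.match(r"^route6?:\s+(\S+)", line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    # collapse_addresses works on one address family at a time
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def parse_cymru(text):
    """Return (asn, ip, as_name) tuples; the header row has no numeric ASN."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[0].isdigit():
            rows.append((int(parts[0]), parts[1], parts[2]))
    return rows


def summarize(cymru_text, radb_text, own_asn):
    """Group IPs by (ASN, name) and list IPs hosted outside own ASN/prefixes.

    An IP lands in `third_party` if its origin ASN differs from own_asn or
    it sits in no prefix announced by that ASN: those are the hosts an
    owner should inventory separately (cloud providers, parking services).
    """
    prefixes = parse_radb_routes(radb_text)
    by_asn = defaultdict(list)
    third_party = []
    for asn, ip, name in parse_cymru(cymru_text):
        by_asn[(asn, name)].append(ip)
        addr = ipaddress.ip_address(ip)
        if asn != own_asn or not any(addr in p for p in prefixes):
            third_party.append(ip)
    return dict(by_asn), third_party


if __name__ == "__main__":
    groups, outside = summarize(CYMRU_LINES, RADB_ROUTES, own_asn=714)
    for (asn, name), ips in groups.items():
        print(f"AS{asn} {name}: {len(ips)} host(s)")
    print("outside AS714:", ", ".join(outside))
```

Collapsing the prefixes first matters in practice: RADB often lists a /8 alongside dozens of more specific blocks inside it, and a scanner fed the raw list will hit the same addresses several times. The `own_asn` check and the prefix check are kept separate on purpose, since an IP can be announced by the expected ASN yet fall outside the route objects registered for it (stale IRR data), and that discrepancy is worth noticing on its own.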

https://www.crunchbase.com/organization/trellian

Nothing terribly interesting. Looks like AS714 is the forest we should be spending our day in. But first, I want to get an idea of what these smaller organizations found on bgp.he.net are.

# masscan-top-ports --rate 10000 -iL ip-blocks-as6185.txt

I pick an IP that has a web server and visit the URL in firefox. It leads me to a page that says Not Found on Accelerator. It’s an Apache Traffic Server.

# host 17.253.13.5

85.36.253.17.in-addr.arpa domain name pointer uklon6-doh-003.aaplimg.com.

So that’s what aaplimg.com is for. Got it. This is essentially Apple’s very own CDN. I’ve noticed some AWS hosts and some Akamai Edge stuff, but it seems like they also have their own. Some googling tells me that these are specifically for facilitating Apple downloads. Probably for updates for operating systems and the like. That’s good to know. I’ll move on for now.

# masscan-top-ports --rate 10000 -iL ip-blocks-as2709.txt

This turned up a bunch of IP addresses that don’t resolve to any hostname, and have mainly ports 8081 and 443. Any attempts to visit them in a browser or via socket fail.

However, when I attempt to visit one that is running on port 80 in the browser, it takes me to http://gsp11-rd12-edge.ls.apple.com/ after a few seconds and gives me an error stating that it failed to redirect. Others on port 8081 redirect to https://courier.push.apple.com/ and give a Secure Connection Failed error. So either I need the proper SSL certificate for it, or the server is using an outdated version.

# openssl s_client -connect 17.252.226.27:443

It connects, but gives me no interesting information. After googling I find that these are all Apple’s APNs. APN stands for Apple Push Notification. What these do is basically send those notifications you see pop up on your mobile device screen. They enable third-party apps to establish a secure connection with a device and send notifications from a remote server to the user within that secure connection. So, basically, to use these I need an APN certificate. Interesting. I can’t wait to run some iPhone traffic through Burp Suite so I can analyze which resources the phone, its services and third-party apps utilize. But for now I’ll just take note of this. Let’s move on.

I’m guessing this next command will take a century or two.

# screen -S as714.port.scan masscan -p$(cat ./wordlists/interesting-ports.txt) --rate 100000 -iL ip-blocks-as714.txt -oG ports-as714.txt

Great. So it should only take about three hours. I guess that’s not terrible, all things considered. I’m running at a fairly high rate so I’m sure it won’t catch every port, but this should do well enough. Now I’ve got this scan, plus an active amass scan of apple.com, running in different screens. I think my VPS has enough to deal with right now. I’ll let it run overnight and see what we get in the morning. In the meantime, I may do some deep diving into a certain login portal, just to learn more about Apple’s technologies.

After the masscan completed I find 35,865 open ports across the 50-something port numbers I scanned, and it seems they’ve done a fairly decent job of minimizing attack surface. Aside from the massive amount of web servers, I see a bunch of DNS, a chunk of SMTP, a few SSH and the odd obscure alternate HTTPS here and there. I couldn’t imagine I’d find much, but I’ll check the naming conventions of the different kinds of servers.

# cat ports-as714.txt | grep 'Ports: 53' | cut -d' ' -f2 | xargs -n1 -I{} host {}

The DNS servers for example are all hosted on aaplimg.com. A number of the SSH servers have names that suggest they are FTP servers, so perhaps once you log in via SSH you get access to internal FTP servers.

# cat ports-as714.txt | grep 'Ports: 4443' | cut -d' ' -f2 | xargs -n1 -I{} host {}
<redacted>.in-addr.arpa domain name pointer <redacted>.apple.com.
<redacted>.in-addr.arpa domain name pointer <redacted>.apple.com.
13.48.56.17.in-addr.arpa domain name pointer foundationdb.org.
13.48.56.17.in-addr.arpa domain name pointer prconfig.apple.com.
<redacted>.in-addr.arpa domain name pointer <redacted>.apple.com.
13.48.56.17.in-addr.arpa domain name pointer foundationdb.com.
13.48.56.17.in-addr.arpa domain name pointer foundationdb.net.

Well, that’s sort of interesting. I’ve found two hosts with rather obscure names that I more than likely wouldn’t have found using Amass. So, thinking about it, I could grep for all ports that aren’t web servers and see which of those hosts I could httprobe or take screenshots of, to find out which ones also have web servers. That may be a decent way to find obscure but interesting web servers that I would otherwise have missed.

Also, it seems we’ve found Apple’s VPN servers.

# cat ports-as714.txt | grep 'Ports: 10000' | cut -d' ' -f2 | xargs -n1 -I{} host {}
<redacted>.in-addr.arpa domain name pointer <redacted>-vpn6.apple.com.
<redacted>.in-addr.arpa domain name pointer <redacted>.apple.com.
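The three `grep 'Ports: N' | cut | host` one-liners above each answer one question about the masscan output (who runs DNS, who listens on 4443, who on 10000). The script below is an added example, not the journal’s own script, that reads the same grepable format once and answers the general versions of those questions: a per-port count of open listeners (the "a bunch of DNS, a chunk of SMTP" summary), a port-to-hosts table, and the list of hosts exposing something other than a web port, which is exactly the set the paragraph above proposes to review further, and the set a defender would compare against the expected service baseline. It assumes masscan’s `-oG` line shape `Host: <ip> ()<TAB>Ports: <port>/<state>/<proto>////`, tolerates an optional leading `Timestamp:` field, and treats 4443 as alternate HTTPS as the post does; the scan lines in it are constructed sample data on documentation addresses, not real results.

```python
"""Summarize masscan grepable (-oG) output by port and pick out hosts that
expose non-web services.

Added example, not the journal author's script. Assumes masscan's -oG line
shape `Host: <ip> ()<TAB>Ports: <port>/<state>/<proto>////`; an optional
leading `Timestamp: N` field is tolerated. Sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample on documentation-range addresses, not real scan results.
SCAN_LINES = """\
# Masscan scan initiated (constructed sample)
Host: 192.0.2.10 ()\tPorts: 443/open/tcp////
Host: 192.0.2.10 ()\tPorts: 80/open/tcp////
Host: 192.0.2.11 ()\tPorts: 53/open/tcp////
Host: 192.0.2.12 ()\tPorts: 22/open/tcp////
Timestamp: 1615420800\tHost: 192.0.2.13 ()\tPorts: 4443/open/tcp////
Host: 192.0.2.13 ()\tPorts: 10000/open/tcp////
# Masscan done
"""

# Ports treated as ordinary web listeners; everything else counts as non-web.
# Assumption for this example: 4443 is alternate HTTPS, as the post says.
WEB_PORTS = {80, 443, 4443, 8080, 8081, 8443}

# `search` rather than `match` so a leading "Timestamp: N" field is skipped.
LINE_RE = re.compile(r"Host:\s+(\S+)\s+\(\)\s+Ports:\s+(\d+)/(\w+)/(\w+)")


def parse_masscan(text):
    """Return (ip, port, state, proto) tuples, skipping comment lines."""
    records = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = LINE_RE.search(line)
        if m:
            ip, port, state, proto = m.groups()
            records.append((ip, int(port), state, proto))
    return records


def hosts_by_port(records):
    """Map each open port to the sorted list of hosts exposing it."""
    table = defaultdict(set)
    for ip, port, state, _proto in records:
        if state == "open":
            table[port].add(ip)
    return {port: sorted(ips) for port, ips in table.items()}


def port_counts(records):
    """Count open listeners per port (the 'how much DNS, SMTP, SSH' view)."""
    return {port: len(ips) for port, ips in hosts_by_port(records).items()}


def non_web_hosts(records):
    """Hosts with at least one open port outside WEB_PORTS, with those ports."""
    found = defaultdict(list)
    for ip, port, state, _proto in records:
        if state == "open" and port not in WEB_PORTS:
            found[ip].append(port)
    return {ip: sorted(ports) for ip, ports in found.items()}


if __name__ == "__main__":
    recs = parse_masscan(SCAN_LINES)
    for port, n in sorted(port_counts(recs).items()):
        print(f"port {port}: {n} host(s)")
    for ip, ports in non_web_hosts(recs).items():
        print(f"{ip}: non-web ports {ports}")
```

Reading the file once and indexing it is also what keeps the follow-up cheap: the reverse lookups (`host`) can then be run over the de-duplicated host set rather than once per matching line, and a host that appears under several ports, like the 4443/10000 one in the sample, is looked up a single time.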

This has already been a productive ten minutes. I’m going to go back and check out the results of the subdomain enumeration of apple.com. But for now let’s call it a day.


Written by DJ Nelson

Sharing my passion for the world of hacking and bug bounty hunting, and their relation to my unique adventures and experiences.
