Subdomain and IP Reconnaissance — A Bug Bounty Journal

In my first journal entry I walked through performing horizontal domain reconnaissance on Apple’s network in order to find a complete list of domains which are owned by the monolithic organization we all know. This entry picks up where we left off. Let’s continue.

Finding the right tree

So after vetting Apple’s ASN space I ended up with these domains to pick from:

aaplimg.com -> Apple’s CDN
apple-cloudkit.com
apple.com -> Main site
apple.com.cn
applesurveys.com -> Redirects to https://idmsac.apple.com/IDMSWebAuth/SAMLLogin
beatsbydre.com
apple.channel.support
icloud.com
icloud-content.com -> redirects to https://developer.apple.com/icloud
icloud.com.cn
itunesmusicstore.com
mzstatic.com

A few of these do redirect to apple.com, however they have their own subdomains, so I’m going to keep all of these to attempt to discover subdomains on anyway. Obviously the two big ones are apple.com and icloud.com, although I’m interested in aaplimg.com as well, even though the root domain redirects to apple.com. For now though, I’ll start with apple.com.

# screen -S apple.com.subs amass enum -config ~/.config/amass/config.ini -active -ip -d apple.com -o subs.txt

I do all my bug bounty relating activities on a Digital Ocean box, so I like using the screen command line utility to background commands that I expect will take some time to run. While I’m waiting for that to finish I’ll move on to enumerate Apple’s IP space.

Ok, let’s check the main domain’s ASN

# dig +short apple.com|xargs -n1 -I{} whois -h whois.cymru.com {}AS | IP | AS Name
714 | 17.253.144.10 | APPLE-ENGINEERING, US

With that little number we can find all their IP blocks.

# whois -h whois.radb.net — ‘-i origin AS714’ |grep route: |awk ‘{print $2}’ |tee ip-blocks.txt

Um, woah. There is a MASSIVE amount of IP blocks. Not that I’m surprised. Also, just out of curiosity I want to see what the other autonomous systems belonging to Apple, Inc look like.

# for ip in $(cat apple-domains.txt |xargs -n1 -I{} dig +short {}); do whois -h whois.cymru.com $ip|grep -v ‘AS Name’; done714 | 17.178.96.39 | APPLE-ENGINEERING, US
714 | 17.142.160.39 | APPLE-ENGINEERING, US
714 | 17.172.224.28 | APPLE-ENGINEERING, US
714 | 17.254.0.91 | APPLE-ENGINEERING, US
714 | 17.253.144.10 | APPLE-ENGINEERING, US
714 | 17.253.142.4 | APPLE-ENGINEERING, US
714 | 17.137.160.86 | APPLE-ENGINEERING, US
714 | 17.179.240.124 | APPLE-ENGINEERING, US
14618 | 34.224.107.175 | AMAZON-AES, US
14618 | 52.202.224.80 | AMAZON-AES, US
714 | 17.179.240.152 | APPLE-ENGINEERING, US
714 | 17.253.144.10 | APPLE-ENGINEERING, US
714 | 17.253.142.4 | APPLE-ENGINEERING, US
714 | 17.253.144.10 | APPLE-ENGINEERING, US
133618 | 103.224.182.245 | TRELLIAN-AS-AP Trellian Pty. Limited, AU
714 | 17.253.142.4 | APPLE-ENGINEERING, US

Looks like 14618 belongs to Amazon. Of course Apple is going to use AWS resources as well. The other one, 133618, isn’t directly owned by Apple but it’s always good to check anyway

https://www.crunchbase.com/organization/trellian

Nothing terribly interesting. Looks like AS714 is the forest we should be spending our day in. But first, I want to get an idea of what these smaller organizations found on bgp.he.net are.

# masscan-top-ports — rate 10000 -iL ip-blocks-as6185.txt

I pick an IP that has a web server and visit the URL in firefox. It leads me to a page that says Not Found on Accelerator. It’s an Apache Traffic Server.

# host 17.253.13.5

85.36.253.17.in-addr.arpa domain name pointer uklon6-doh-003.aaplimg.com.

So that’s what aaplimg.com is for. Got it. This is essentially Apple’s very own CDN. I’ve noticed some AWS hosts and some Akamai Edge stuff, but it seems like they also have their own. Some googling tells me that these are specifically for facilitating Apple downloads. Probably for updates for operating systems and the like. That’s good to know. I’ll move on for now.

# masscan-top-ports — rate 10000 -iL ip-blocks-as2709.txt

This turned up a bunch of IP addresses that don’t resolve to any hostname, and have mainly ports 8081 and 443. Any attempts to visit them in a browser or via socket fail.

However, when I attempt to visit one that is running on port 80 in the browser it takes me to http://gsp11-rd12-edge.ls.apple.com/ after a few seconds and gives me an error stating that it failed to redirect. Others on port 8081 redirect to https://courier.push.apple.com/ and give a Secure Connection Failed error. So I either need the proper SSL certificate for, or the server is using an outdated version.

# openssl s_client -connect 17.252.226.27:443

It connects, but gives me no interesting information. After googling I find that these are all Apple’s APNs. APN stands for Apple Push Notification. What these do is basically send those notifications you see pop up on your mobile device screen. These enable third party apps to establish a secure connection with a device and send notifications from a remote server to the user within that secure connection. So, basically to use these I need an APN certificate. Interesting. I can’t wait to run some iPhone traffic through Burpsuite so I can analyze which resources the phone and it’s services and third party apps utilize. But for now I’ll just take note of this. Let’s move on.

I’m guessing this next command will take a century or two.

# screen -S as714.port.scan masscan -p$(cat ./wordlists/interesting-ports.txt) --rate 100000 -iL ip-blocks-as714.txt -oG ports-as714.txt

Great. So it should only take about three hours. I guess that’s not terrible, all things considered. I’m running at a fairly high rate so I’m sure it won’t catch every port, but this should do well enough. Now I’ve got this scan, plus an active amass scan of apple.com running in different screens. I think my VPS has enough to deal with right now. I’ll let it run over night and see what we get in the morning. In the mean time, I may do some deep diving into a certain login portal, just to learn more about Apple’s technologies.

After the masscan completed I find 35,865 ports of the 50-something that I scanned, and it seems they’ve done a fairly decent job of minimizing attack surface. Aside from the massive amount of web servers I see a bunch of DNS, a chunk of SMTP, a few SSH and the odd obscure alternate HTTPS here and there. I couldn’t imagine I’d find much but I’ll check to see the naming conventions of the different kinds of servers.

# cat ports-as714.txt |grep ‘Ports: 53’|cut -d’ ‘ -f2|xargs -n1 -I{} host {}

The DNS servers for example are all hosted on aaplimg.com. A number of the SSH servers have names that suggest they are FTP servers, so perhaps once you log in via SSH you get access to internal FTP servers.

# cat ports-as714.txt |grep ‘Ports: 4443’ |cut -d’ ‘ -f2 |xargs -n1 -I{} host {} <redacted>.in-addr.arpa domain name pointer <redacted>.apple.com.
<redacted>.in-addr.arpa domain name pointer <redacted>.apple.com.
13.48.56.17.in-addr.arpa domain name pointer foundationdb.org.
13.48.56.17.in-addr.arpa domain name pointer prconfig.apple.com.
<redacted>.in-addr.arpa domain name pointer <redacted>.apple.com.
13.48.56.17.in-addr.arpa domain name pointer foundationdb.com.
13.48.56.17.in-addr.arpa domain name pointer foundationdb.net.

Well that’s sort of interesting. I’ve found two hosts that have rather obscure names I more then likely wouldn’t have found using Amass. So thinking about it, I could grep for all ports that aren’t web servers and see which ones I could httprobe or take screenshots of to see which ones also have web servers. May be a decent way to find obscure web servers that I may have missed but are interesting.

Also, it seems we’ve found Apple’s VPN servers.

# cat ports-as714.txt |grep ‘Ports: 10000’ |cut -d’ ‘ -f2 |xargs -n1 -I{} host {}<redacted>.in-addr.arpa domain name pointer <redacted>-vpn6.apple.com.
<redacted>.in-addr.arpa domain name pointer <redacted>.apple.com.

This has already been a productive ten minutes. I’m going to go back and check out the results of the subdomain enumeration of apple.com. But for now let’s call it a day.

--

--

--

Sharing my passion for the world of hacking and bug bounty hunting, and their relation to my unique adventures and experiences.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How to Buy crypto on KuCoin

SLT Tokenomics 🤩🌟✨

I Believe runescape wants its own”Daily Question/Discussion Megathread”

{UPDATE} BeanKind by Ketnipz Hack Free Resources Generator

Enterprises need to change passwords following ClickStudios, Passwordstate attack

Assignment #6: What does privacy mean today?

{UPDATE} Love Balls Hack Free Resources Generator

5 Factors of Authentication

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
DJ Nelson

DJ Nelson

Sharing my passion for the world of hacking and bug bounty hunting, and their relation to my unique adventures and experiences.

More from Medium

Extreme Hacking Mindset

On the way to 2nd Bounty XSS and Apache server .

AlbusSec:- Penetration-List 05 Cross-Site-Scripting (XSS) — Part 2

Hacking with sqlmap