In terms of being late or not starting at all, then it’s never too late. — Alison Headley
I tend to keep fairly thorough (albeit informal) notes while doing recon, however it’s never occurred to me to share anything. I’m not sure why exactly. Especially since a friend once gave me the idea to keep a public journal of all my experiences and endeavors while bug bounty hunting. Years later is better then never I guess.
Sharpening the axe
So the first step is just to figure out what root domains belong to Apple. This bounty program isn’t hosted on Hackerone or Bugcrowd and doesn’t display any scope. So my guess is that anything owned by Apple is fair game. This includes physical devices too (which could be fun later)
My very first move is to visit bgp.he.net and get all the ASNs for Apple
AS714
AS6185
AS2709So far that’s what I’ve got. Apple seems to have a huge IP space, but we will ignore it for now and just focus on ASN enumeration.
# screen -S amass-apple-session amass intel -config ~/.config/amass/config.ini -active -asn 714,6185,2709 -o Targets/Apple/horizontal-domains.txtOnce this is completed, I’ll grep through the output file for icloud, apple, itunes, and anything else that pertains directly to apple. From there I’ll do further checks to make 100% sure that the domains are owned by Apple, Inc and the I’ll have a complete list of all root domains worth looking at by Apple. Then, I can pick a domain and begin subdomain reconnaissance on one or all root domains.
# cat horizontal-domains.txt |sort -u |xargs -n1 -I{} host {} > resolved-hosts.txtSo I just picked a random domain that doesn’t seem to be related to apple and grabbed it’s IP address from the file. In this case I visited https://swell.am which happens to redirect to apple.com itself. Now I know that the IP address 17.253.142.4 points to apple.com. So what I’ll do is grep for all the lines with that IP and I’ll have a list of all of apple.com’s alias
# grep 17.253.142.4 resolved-hosts.txt > apple-aliases.txtSo now what? Well, I have three files. One containing all the domains discovered with amass intel, one with all the domains ran through the host command, and one with all the aliases for apple.com. So I guess what I need to do is remove all of apple.com’s hosts from the first file I mentioned somehow, leaving me with only hosts that don’t point at apple.com. I decided to take the file containing all the results of running host against all the horizontal domains and parsed out duplicates.
# cat horizontal-hosts.txt |cut -d' ' -f1|sort -u > all-domains.txtTurns out a large portion of these seem to point directly back to https://www.apple.com including weird ones like alchemysynth.com and burstly.net. So, I’ll want to loop through all these and check to see which ones point back to apple.com and which ones don’t.
# curl -I http://burstly.netThat returns
HTTP/1.1 301 Moved Permanently
Server: red 3.8
Date: Mon, 9.Nov 2020 23:21:15 GMT
Referer: http://burstly.net/
Location: https://www.apple.com/
Connection: close
Content-Type: text/html
Content-Length: 0So unless if I’m thinking about this the long way around I can just run a loop through all of those domains, curl for the headers, and grep the Location header. If it shows https://www.apple.com then move on, if not, then echo it to a new file. First though, I might as well check to see which ones are even live HTTP servers in the first place, and then the resulting list will be easier to pass to curl
# cat all-domains.txt |httprobe > live-urls.txtSo I ended up writing this script real quick to get a list of where all domains are pointing.
#!/bin/bash for url in $(cat $1); do
echo "$url ->" $(curl -I -k --silent $url |grep "Location"| cut -d' ' -f2) &
done
And then ran it and piped it elsewhere
# ./test.sh all-domains > location-headers.txtOk. Now I have a big list of URLs that all the aliases redirect to. Now I want to parse through it to find domains that aren’t apple.com. May not be pretty but here’s what I came up with ...
# cat location-headers.txt |grep -F '> http'|cut -d'>' -f2|grep -v .apple.com|sort -u > alternate-urls.txtSo then I did some manual editing to remove all http:// and https:// from the file so I could do this….
# cat alternate-urls.txt |cut -d'/' -f1|sort -u|grep 'apple\|icloud\|aaplimg\|itunes' >appleurls.txt
# cat alternate-urls.txt |cut -d'/' -f1|sort -u|grep -v 'apple\|icloud\|aaplimg\|itunes' >non-appleurls.txtNow I’ll manually walk through and whois the non-appleurls.txt to see if they are indeed owned by Apple…. just kidding. More ugly one-liners!
# for n in $(cat non-appleurls.txt |rev|cut -d. -f1,2|rev); do echo $n $(whois $n|grep 'Tech Organization'); done
# for n in $(cat non-appleurls.txt |rev|cut -d. -f1,2|rev); do echo $n $(whois $n|grep 'Admin Email'); doneAnd with that mess, I think I’ve found a decent list of accessible horizontal hosts that don’t just point back to apple.com. Here it is:
apple.channel.support
cdn.apple-cloudkit.com
cvws-proxy.icloud-content.com
essentials.applesurveys.com
icloud.com.cn
secure2.store.v.aaplimg.com
storefront-support.v.aaplimg.com
ww1.itunesmusicstore.com
ww17.itunesmusicstore.com
www.icloud.com
apple.com
beatsbydre.com
mzstatic.comAnd now one very last thing before I move on from horizontal reconnaissance.
# cat appleurls.txt |rev|cut -d. -f1,2|rev|sort -u |tee apple-domains.txt aaplimg.com
apple-cloudkit.com
apple.com
applesurveys.com
beatsbydre.com
channel.support <- this was apple.channel.support
com.cn <- this was icloud.com.cn. I'll fix it in the file and keep it so I can enumerate the china one too
icloud-content.com
icloud.com
itunesmusicstore.com
mzstatic.com
These are all the domains I could do subdomain enumeration on. I feel confident that I vetted this list thoroughly enough as to know that they are all owned by Apple, Inc. Everything else I discovered points to a subdomain or endpoint of apple.com. To add one further note, I visited these manually and found a number of them point to this URL: https://idmsa.apple.com/IDMSWebAuth/SAMLSignin. So I should jot this down. I’m sure it’s hardened by professionals, but I’ll keep it around anyway. It would be good to spend a serious bit of time looking at it in Burpsuite and the Developer Console just to get an idea of the technology being used and try to really understand how it works. Ok, I think that’s it for horizontal recon. Next I’ll tackle subdomain enumeration.
Oh and for the record, I’m truly sorry about all the bash…
