CyberPeace Institute and WhoisXML API: Enumerating Cloud Assets with Passive DNS Intelligence
About
Shahnoor Kiani, a volunteer at the CyberPeace Institute, wanted to demonstrate how malicious actors enumerate cloud application tenants in an effort to help organizations understand the risk multitenant application users face. While Kiani initially used other enumeration techniques in his security research, querying WhoisXML API’s academic passive DNS database provided more data coverage, particularly subdomains for cloud assets and multitenant applications. These subdomains sometimes contain instances of cloud assets or client names, which can be risky in the hands of threat actors.
Highlights
- Asset enumeration for multitenant applications is a critical yet challenging process.
- Passive DNS data with broad subdomain data coverage can help with obtaining a comprehensive list of multitenant application users.
- The researcher found more subdomains for cloud assets and multitenant applications.
Asset Enumeration for Multitenant Applications
Asset enumeration is a fundamental technique in cyber reconnaissance and attack surface management. For multitenant architectures, obtaining a list of subdomains residing on the provider’s root domain can provide a glimpse of who its clients or tenants are. Therefore, understanding the methods threat actors use for subdomain enumeration is essential for organizations to protect against cyber attacks.
The researcher initially used certificate transparency logs and various subdomain enumeration tools but found that these techniques did not work well with multitenant applications.
He needed another solution that would allow him to efficiently enumerate tenants for applications with unique subdomains for each tenant.
Passive DNS Intelligence with Extensive Subdomain Coverage
After researching the most effective method to enumerate users of multitenant applications, Kiani started working with WhoisXML API’s DNS Database Download Lite.
He queried the database and easily obtained subdomains for cloud assets and multitenant applications. Some of the subdomains contained cloud instances or client names, allowing the researcher to get a sense of the application’s users.
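As an added illustration of the pattern described here and in the multitenant section above (not code from the case study, from WhoisXML API or from the researcher), the following Python script takes a constructed passive DNS export, groups hostnames by the tenant label that appears under a hypothetical provider root domain, and lets a defender check whether their own organization's names show up among the exposed tenants. The export layout, the domain names and the provider/region label lists are assumptions.

```python
from collections import defaultdict

# Constructed sample of a passive DNS export (hostname, record type, value).
# Hypothetical tab-separated layout for illustration, not the WhoisXML API format.
SAMPLE_RECORDS = """\
acme-corp.example-saas.test\tA\t203.0.113.10
acme-corp-staging.example-saas.test\tA\t203.0.113.11
www.example-saas.test\tA\t203.0.113.1
globex.example-saas.test\tCNAME\tlb.example-saas.test
lb.example-saas.test\tA\t203.0.113.2
acme-corp.eu.example-saas.test\tA\t203.0.113.12
initech.example-saas.test\tA\t203.0.113.13
"""
# Assumed provider-infrastructure labels, and region labels that may sit between tenant and root.
PROVIDER_LABELS = {"www", "lb", "api", "cdn", "mail"}
REGION_LABELS = {"eu", "us", "ap"}

def parse_records(text):
    """Parse the constructed export into (hostname, type, value) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            host, rtype, value = line.split("\t")
            records.append((host.lower().rstrip("."), rtype, value))
    return records

def tenant_label(host, root):
    """Return the tenant label of host under root, or None for provider hosts."""
    suffix = "." + root
    if not host.endswith(suffix):
        return None
    labels = host[: -len(suffix)].split(".")
    while len(labels) > 1 and labels[-1] in REGION_LABELS:  # strip region tags
        labels.pop()
    label = labels[-1]  # the label nearest the root identifies the tenant
    return None if label in PROVIDER_LABELS else label

def enumerate_tenants(records, root):
    """Group hostnames by the tenant label they expose under root."""
    tenants = defaultdict(set)
    for host, _rtype, _value in records:
        label = tenant_label(host, root)
        if label:
            tenants[label].add(host)
    return dict(tenants)

def exposed_tenants(tenants, org_keywords):
    """Defender check: which tenant labels reveal one of our own org names."""
    keys = [k.lower() for k in org_keywords]
    return sorted(t for t in tenants if any(k in t for k in keys))
```

Run against a real export, the same grouping shows an organization which of its tenant instances (including staging or regional ones) are discoverable from DNS alone.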
He found the database intuitive and easy to use, providing better subdomain coverage than other commercial and free options. The variety of export options also made it easy to integrate DNS Database Download Lite into the researcher’s workflow.
“WhoisXML API’s passive DNS database, even the lite version for academic purposes, has much better subdomain data coverage compared with other commercial and free databases.”
Broader Subdomain Enumeration Coverage
The academic passive DNS database was a highly effective tool for subdomain enumeration, enabling the researcher to uncover more subdomains than he might have with traditional methods.
The database’s fast query response time helped significantly simplify the subdomain enumeration process.