IFIXIT report
introduction
IFIXIT encourages white-hat hackers to test its infrastructure as long as no harm is done to users or to the services provided. With the green light from IFIXIT, this is an occasion for me to dive into the domain of penetration testing.
information gathering
My entry point is https://www.ifixit.com/; I don't have much more information than that.
I first attempted to get a firm grasp of the attack surface using passive information-gathering tools and techniques.
WHOIS
Looking up the domain's registration record in the WHOIS database (ICANN-accredited registrar data).
[teko@fedora reports]$ whois -H ifixit.com
Domain Name: IFIXIT.COM
Registry Domain ID: 61143711_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2023-01-14T09:11:53Z
Creation Date: 2001-02-14T13:14:47Z
Registry Expiry Date: 2025-02-14T13:14:47Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2086851750
Name Server: NS11.CONSTELLIX.COM
Name Server: NS21.CONSTELLIX.COM
Name Server: NS31.CONSTELLIX.COM
Name Server: NS41.CONSTELLIX.NET
Name Server: NS51.CONSTELLIX.NET
Name Server: NS61.CONSTELLIX.NET
DNSSEC: unsigned
From there we get 6 nameservers serving the ifixit.com domain name.
Later on I will attempt to request a zone transfer (AXFR) from each of these nameservers.
For now, let's stick to passive information gathering.
passive information gathering
Using VirusTotal's passive DNS replication service, I did not find more information.
The ifixit.com certificate contains the *.ifixit.com wildcard as a SAN, so no further subdomains are discovered from it.
Using Censys search to find ifixit.com subdomains
[teko@fedora ifixit]$ curl -g -X 'GET' 'https://search.censys.io/api/v2/certificates/search?q=ifixit.com' -H 'Accept: application/json' --user "$CENSYS_API_ID:$CENSYS_API_SECRET" |jq > result.txt
Using crt.sh to find ifixit.com subdomains
[teko@fedora ifixit]$ curl 'https://crt.sh/?q=ifixit.com&output=json' |jq > ifixit_crtsh.txt
To conclude, crt.sh did an amazing job, whereas Censys search did well but left me with a lot of unrelated domains and subdomains.
[teko@fedora ifixit]$ grep common_name ifixit_crtsh.txt |uniq |wc -l
622 # common_name lines; uniq only drops adjacent duplicates, so the number of distinct names is lower
The next step would be to look at the other attributes in the crt.sh JSON output and look for valuable information beyond the subdomain names. For example, are there outdated certificates out there?
Using the NetCraft data miner domain search service, I could find the following subdomains of ifixit.com.
The Wayback Machine and waybackurls are also passive information-gathering tools, but I don't see a pertinent use for them here; keeping them for later.
Now let's merge all these subdomains into one main file.
# netcraft.txt is pipe-separated, the hostname is in the second column
cut -d '|' -f 2 netcraft.txt > domains.txt
# censys: each hit carries a "names" array; jq -r prints one raw name per line
jq -r '.result.hits[].names[]' ifixit_censys.txt >> domains.txt
# crt.sh: one common_name per certificate (the SANs live in name_value)
# do not pipe this through head: it would keep only the first 10 names
jq -r '.[].common_name' ifixit_crtsh.txt >> domains.txt
# strip spaces, keep only ifixit.com and names under it (not look-alikes), dedupe and sort
tr -d ' ' < domains.txt | grep -E '(^|\.)ifixit\.com$' | sort -u > temp.txt
mv temp.txt domains.txt
We end up with 34 subdomains, some of which are wildcards.
cat domains.txt |wc -l
90
The subdomain list is available here
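As an added example (my own code, not something IFIXIT publishes), here is the crt.sh mining step done properly in Python instead of jq: it pulls the SANs out of name_value (crt.sh flattens them into one newline-separated string, so common_name alone misses most names), filters look-alike domains such as ifixit.com.example.net that a plain grep for "ifixit.com" would accept, and answers the "outdated certificates" question by flagging names whose most recent certificate has expired. The records below are a constructed sample in the crt.sh JSON shape; the ids, dates and the old-staging host are made up, not real ifixit.com data.

```python
import json
from datetime import datetime

ZONE = "ifixit.com"

# Constructed sample in the shape crt.sh returns for ?output=json.
# These are NOT real crt.sh records for ifixit.com; ids, dates and the
# old-staging name are made up to exercise the code paths.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.ifixit.com",
     "name_value": "www.ifixit.com\nifixit.com",
     "not_before": "2023-03-01T00:00:00", "not_after": "2024-03-01T00:00:00"},
    {"id": 2, "common_name": "www.ifixit.com",
     "name_value": "www.ifixit.com\nifixit.com",
     "not_before": "2024-02-15T00:00:00", "not_after": "2025-02-15T00:00:00"},
    {"id": 3, "common_name": "old-staging.ifixit.com",
     "name_value": "old-staging.ifixit.com",
     "not_before": "2021-05-01T00:00:00", "not_after": "2022-05-01T00:00:00"},
    {"id": 4, "common_name": "*.ifixit.com",
     "name_value": "*.ifixit.com\nifixit.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2025-01-10T00:00:00"},
    {"id": 5, "common_name": "ifixit.com.example.net",
     "name_value": "ifixit.com.example.net",
     "not_before": "2024-01-10T00:00:00", "not_after": "2025-01-10T00:00:00"},
])


def load_records(text):
    """Parse the crt.sh JSON array (what curl 'https://crt.sh/?q=...&output=json' returns)."""
    return json.loads(text)


def parse_ts(value):
    """crt.sh timestamps look like 2024-03-01T00:00:00 (no timezone suffix)."""
    return datetime.fromisoformat(value)


def in_scope(name, zone=ZONE):
    """True for the zone apex and anything under it; rejects look-alikes such as
    ifixit.com.example.net that a plain substring grep would accept."""
    name = name.strip().lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def cert_names(record):
    """All identities on one certificate: the CN plus the SAN list, which crt.sh
    flattens into name_value as a newline-separated string."""
    raw = [record.get("common_name", "")] + record.get("name_value", "").split("\n")
    return {n.strip().lower() for n in raw if n.strip()}


def extract_subdomains(records, zone=ZONE):
    """Deduplicated, in-scope hostnames across every certificate (wildcards included)."""
    names = set()
    for record in records:
        names.update(n for n in cert_names(record) if in_scope(n, zone))
    return sorted(names)


def names_without_valid_cert(records, now, zone=ZONE):
    """Names whose most recent certificate has already expired.

    An expired cert on its own is normal (it was renewed); a name whose latest
    cert is expired has probably been decommissioned or forgotten, which is the
    interesting case when hunting for stale infrastructure."""
    latest_expiry = {}
    for record in records:
        expiry = parse_ts(record["not_after"])
        for name in cert_names(record):
            if in_scope(name, zone) and expiry > latest_expiry.get(name, datetime.min):
                latest_expiry[name] = expiry
    return sorted(n for n, exp in latest_expiry.items() if exp < now)


if __name__ == "__main__":
    records = load_records(SAMPLE_CRTSH_JSON)
    print("in-scope names:", extract_subdomains(records))
    print("stale names:", names_without_valid_cert(records, parse_ts("2024-06-01T00:00:00")))
```

To run it against the real data, replace SAMPLE_CRTSH_JSON with the contents of ifixit_crtsh.txt; the stale-name list is where the "forgotten host" candidates come from, while the plain expired-cert list is mostly noise from normal renewals.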
infra
Here is a summary of my discoveries.
I'll keep my notes here as well.
nameservers authoritative for the ifixit.com zone
Name Server: NS11.CONSTELLIX.COM
Name Server: NS21.CONSTELLIX.COM
Name Server: NS31.CONSTELLIX.COM
Name Server: NS41.CONSTELLIX.NET
Name Server: NS51.CONSTELLIX.NET
Name Server: NS61.CONSTELLIX.NET
subdomain list
ifixit_crtsh.txt
To Do
- whois
- dig
- censys
- certsh
- zone transfer (AXFR) on each nameserver
- NetCraft
- WaybackMachine
- WaybackUrls
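As an added example for the zone transfer item on the list (my own code, not IFIXIT's), here is how I would drive the AXFR attempt against all six nameservers from the whois output and make sense of what dig prints back. dig is assumed to be installed; the two dig outputs embedded below are constructed samples (a refusal and a successful transfer of an invented example.test zone), not captures from the Constellix servers, and they only feed the parser. A refusal is the expected, healthy answer; a transfer that succeeds hands over every record in the zone, which is the finding to report.

```python
import re
import subprocess

ZONE = "ifixit.com"
# Taken from the whois output above.
NAMESERVERS = [
    "ns11.constellix.com", "ns21.constellix.com", "ns31.constellix.com",
    "ns41.constellix.net", "ns51.constellix.net", "ns61.constellix.net",
]

# Constructed dig outputs (not captured from the ifixit nameservers) covering
# the two outcomes worth telling apart: a refusal and a successful transfer.
SAMPLE_REFUSED = """\
; <<>> DiG 9.18.21 <<>> @ns11.constellix.com ifixit.com AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.
"""

SAMPLE_TRANSFERRED = """\
; <<>> DiG 9.18.21 <<>> @ns.example.test example.test AXFR
;; global options: +cmd
example.test.\t\t3600\tIN\tSOA\tns.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 300
example.test.\t\t3600\tIN\tNS\tns.example.test.
www.example.test.\t300\tIN\tA\t192.0.2.10
example.test.\t\t3600\tIN\tSOA\tns.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 300
;; Query time: 12 msec
"""

# owner  ttl  IN  type  rdata   (dig's default presentation format for records)
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def classify_axfr(output):
    """Turn dig's text output for an AXFR into a verdict plus the owner names seen.

    dig prints '; Transfer failed.' when the server answers REFUSED (the normal
    case on a hardened nameserver) and a timeout banner when nothing answers;
    a real transfer is a list of resource records starting and ending with SOA.
    """
    hosts = set()
    records = 0
    for line in output.splitlines():
        match = RR_LINE.match(line)
        if match:
            records += 1
            hosts.add(match.group(1).rstrip(".").lower())
    if "Transfer failed" in output:
        status = "refused"
    elif "timed out" in output or "no servers could be reached" in output:
        status = "timeout"
    elif records:
        status = "transferred"
    else:
        status = "unknown"
    return {"status": status, "records": records, "hosts": sorted(hosts)}


def try_axfr(nameserver, zone=ZONE, timeout=5):
    """Ask one nameserver for the whole zone with dig (assumed to be installed)."""
    proc = subprocess.run(
        ["dig", f"+time={timeout}", "+tries=1", f"@{nameserver}", zone, "AXFR"],
        capture_output=True, text=True,
    )
    return classify_axfr(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Only meaningful with network access and with IFIXIT's permission; the
    # parser is exercised offline with the constructed samples above.
    for ns in NAMESERVERS:
        result = try_axfr(ns)
        print(f"{ns}: {result['status']} ({result['records']} records)")
        for host in result["hosts"]:
            print("   ", host)
```

Every nameserver is queried separately on purpose: secondaries are sometimes configured with looser allow-transfer rules than the primary, so one refusal says nothing about the other five.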