Domain analysis 101

Tilden Swans
8 min read · Feb 28, 2020

#osint #infosec #DFIR #CTI

I got some requests to show what a common domain analysis workflow looks like, so here ya go (using an example domain that has been in the news lately; no, I am not going to do a deep dive on the organization or this domain). Of note, this is an introduction to how to look at a domain; I am not going to delve into automated methodology, available tools, etc.

I briefly covered some of this within this Twitter thread:

Analyst Summary (BLUF BLUF Baby)

Domain clearview[dot]ai was originally registered on December 15, 2017 by Clearview AI Inc; the WHOIS contact details are masked by Digital Privacy Corporation, a domain privacy service. pDNS records do not show the domain resolving until May 13, 2018. It initially resolved to Amazon (AWS) IP space but moved behind Cloudflare within a day.

The domain in question uses a mixture of certificates issued through Cloudflare, Comodo, and Let’s Encrypt certificate authorities (CAs). Email for this domain is handled by Google (Gmail MX records) and addresses take the form “@clearview.ai”.

Base Domain: clearview[dot]ai

Current Resolve IPs (querying Cloudflare DNS, 1.1.1.1): 104.31.78.155, 104.31.79.155

(the easiest way to get the current resolution is the dig command, pointed at the resolver you want to ask; the domain is written out un-defanged here because dig needs the real name)

$ dig clearview.ai @1.1.1.1

Whois

Date of original registration: 2017-12-15

Registrant:

Registrant Name: Private Registrant

Registrant Organization: Digital Privacy Corporation

Registrant Street: C/O CLEARVIEW.AI

Registrant Email: * digitalprivacy.co

Associated Company:

Clearview AI Inc is funded solely by Kirenaga Partners

Source: https://www.crunchbase.com/organization/clearview-ai

Source: http://kirenaga.com/portfolio/clearview-ai/

Trackers

Trackers are useful because they let us pivot to additional domains that share them: the same Google Analytics account embedded on another site is a strong link to the same operator. You can use services like PassiveTotal for scan data, or you can fetch the site yourself and search the content for these IDs.

Google Analytics Tracking ID: UA-156237862-1

Google Analytics Account Number: UA-156237862 (the tracking ID minus the trailing property index; any site carrying a UA-156237862-* ID sits in the same Analytics account)

Vimeo Video ID: 384810999

https://urlscan.io/result/4954d9b2-b767-4a5b-b4dc-93f81773dafd/dom/
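An added example (not code from the original post) of the do-it-yourself route described above: pull tracker identifiers out of a page's HTML so they can be pivoted on, and reduce a Google Analytics tracking ID to its account number. The HTML is constructed for the example around the IDs quoted above; the GTM and GA4 patterns are an assumption about other common Google tags, not something this write-up observed on the site.

```python
import re

# Constructed sample of a site's HTML (what you would get from fetching the
# page yourself or from the DOM tab of a urlscan.io result). The UA and Vimeo
# IDs are the ones quoted above; the surrounding markup is invented.
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-156237862-1"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'UA-156237862-1');
</script>
</head><body>
<iframe src="https://player.vimeo.com/video/384810999?title=0&byline=0"
        allowfullscreen></iframe>
</body></html>
"""

# Identifier formats that tend to be reused across one organisation's sites.
# UA-<account>-<property> and the Vimeo player URL are what this write-up
# found; GTM-/G- are assumed patterns for other Google tags.
TRACKER_PATTERNS = {
    "google_analytics": re.compile(r"\bUA-\d{4,10}-\d{1,3}\b", re.IGNORECASE),
    "google_tag_manager": re.compile(r"\bGTM-[A-Z0-9]{4,10}\b"),
    "ga4_measurement": re.compile(r"\bG-[A-Z0-9]{6,12}\b"),
    "vimeo_video": re.compile(r"player\.vimeo\.com/video/(\d+)", re.IGNORECASE),
}


def extract_trackers(html: str) -> dict:
    """Return {tracker_type: sorted unique IDs} for every pattern that matched."""
    found = {}
    for name, pattern in TRACKER_PATTERNS.items():
        # findall() yields the capture group when the pattern has one,
        # otherwise the whole match; both are plain strings here.
        ids = sorted({m.upper() for m in pattern.findall(html)})
        if ids:
            found[name] = ids
    return found


def ga_account(tracking_id: str) -> str:
    """UA-156237862-1 -> UA-156237862: drop the per-property suffix.

    Every property in the same Analytics account shares the prefix, so the
    account number is the value to search other scan data for.
    """
    return tracking_id.upper().rsplit("-", 1)[0]


if __name__ == "__main__":
    trackers = extract_trackers(SAMPLE_HTML)
    for kind, ids in trackers.items():
        print(f"{kind}: {', '.join(ids)}")
    for ua in trackers.get("google_analytics", []):
        print(f"pivot on account {ga_account(ua)}")
```

Run it against the HTML of a live page (or a urlscan DOM dump) and feed the account number into a scan-data search; a hit on an unrelated-looking domain is worth a closer look.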

Many sites track information related to domains; one of them is Hypestat:

https://hypestat.com/info/clearview.ai

DNS

https://dnsdumpster.com/static/map/clearview.ai.png

It’s very helpful to have a graphic (like the one above) if you aren’t familiar with DNS record types or how they all play together.

You can also get a good overview of a base domain using dnstree (now known as rtsak.com)

https://www.rtsak.com/dns-lookup/clearview.ai

Certificate Transparency

Certificate Transparency (CT) logs record certificates issued by publicly trusted CAs (self-signed certificates and those from untrusted CAs will not appear). Because every certificate lists the hostnames it covers, CT is one of the best sources of subdomains and hosting history for a target. You can query the logs directly (warning: a lot of work) or use public services such as Censys and crt.sh.

https://crt.sh/?q=clearview.ai
https://censys.io/certificates?q=%28%22clearview.ai%22%29+AND+tags.raw%3A+%22unexpired%22&
Google Transparency Report (certificates) for base domain
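An added example (not the post's own code) of what to do with crt.sh results once you have them: dedupe the entries, pull out the in-scope hostnames, separate the issuing CAs, and set aside SANs that belong to other tenants of a shared certificate. The records below are constructed in the shape crt.sh's JSON output uses; the `sni12345.cloudflaressl.com` and `*.example.net` names are invented to show the shared-certificate case, and the `fetch_crtsh` helper is network-dependent and not exercised offline.

```python
import json
import re
import urllib.request


def fetch_crtsh(domain: str, timeout: int = 30) -> list:
    """Same search as the web UI, as JSON (%25 is a URL-encoded '%' wildcard).
    Network-dependent; shown for the query shape only."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "domain-analysis-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed records in the shape crt.sh returns (issuer DN, newline-separated
# name_value, validity). Dates and the non-clearview hostnames are invented.
SAMPLE_RECORDS = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "clearview.ai\nwww.clearview.ai",
     "not_before": "2019-11-02T00:00:00", "not_after": "2020-01-31T00:00:00"},
    # precertificate and final certificate are logged separately -> duplicate
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "clearview.ai\nwww.clearview.ai",
     "not_before": "2019-11-02T00:00:00", "not_after": "2020-01-31T00:00:00"},
    # CDN-style shared certificate: one SAN list covering unrelated tenants
    {"id": 3, "issuer_name": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Domain Validation Secure Server CA 2",
     "name_value": "sni12345.cloudflaressl.com\n*.clearview.ai\nclearview.ai\n*.example.net",
     "not_before": "2018-05-14T00:00:00", "not_after": "2018-11-20T00:00:00"},
    {"id": 4, "issuer_name": "C=US, O=CloudFlare, Inc., L=San Francisco, ST=California, CN=CloudFlare Inc ECC CA-2",
     "name_value": "clearview.ai\n*.clearview.ai",
     "not_before": "2019-06-01T00:00:00", "not_after": "2020-06-01T00:00:00"},
]

# Organisation (O=) from an issuer DN. A naive split on ", " breaks on
# "O=CloudFlare, Inc.", so stop only at the next ", KEY=" attribute.
_ORG_RE = re.compile(r"(?:^|, )O=(.+?)(?=, [A-Z]+=|$)")


def issuer_org(issuer_name: str) -> str:
    m = _ORG_RE.search(issuer_name)
    return m.group(1) if m else issuer_name


def in_scope(name: str, domain: str) -> bool:
    name = name.lower()
    return name == domain or name.endswith("." + domain)


def summarize_ct(records: list, domain: str) -> dict:
    """Unique certs, issuer counts, in-scope hostnames and foreign SANs."""
    seen = set()
    hostnames, other_sans, issuers = set(), set(), {}
    for rec in records:
        key = (rec["issuer_name"], rec["name_value"], rec["not_before"])
        if key in seen:
            continue  # precert + leaf, or the same cert seen in several logs
        seen.add(key)
        org = issuer_org(rec["issuer_name"])
        issuers[org] = issuers.get(org, 0) + 1
        for name in rec["name_value"].splitlines():
            (hostnames if in_scope(name, domain) else other_sans).add(name.lower())
    return {
        "unique_certs": len(seen),
        "issuers": issuers,
        "hostnames": sorted(hostnames),
        "other_sans": sorted(other_sans),
    }


if __name__ == "__main__":
    print(json.dumps(summarize_ct(SAMPLE_RECORDS, "clearview.ai"), indent=2))
```

The dedupe step matters in practice: crt.sh logs the precertificate and the final certificate as separate rows, so raw counts overstate issuance by about two to one. The `other_sans` bucket is the rabbit-hole guard; names on a shared CDN certificate are not evidence of a relationship.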

Resolve History (h/t PassiveTotal)

  • 54.243.190.28 (2018-05-13 to 2018-05-13)
  • 54.243.190.47 (2018-05-13 to 2018-05-13)
  • 104.31.79.155 (2018-05-14 to Present)
  • 104.31.78.155 (2018-05-14 to Present)
https://community.riskiq.com/search/clearview.ai

Based on the pDNS data from RiskIQ we know they switched to using Cloudflare on May 14, 2018; previously they were using AWS.

A quick way to get bulk routing and ownership information (ASN, prefix, org) for a list of IPs is Team Cymru’s whois service or whob.

In this instance there are only 4 IPs, but we can put them in a newline-separated file (ips in the example) and perform a bulk lookup:

$ whob -gnupf ips

Results:

IP: 54.243.190.28
Origin-AS: 14618
Prefix: 54.242.0.0/15
AS-Path: 37100 1299 16509 14618
AS-Org-Name: Amazon.com, Inc.
Org-Name: Amazon.com, Inc.
Net-Name: AMAZO-ZIAD1
Cache-Date: 1582876874
Latitude: 39.043720
Longitude: -77.487490
City: Ashburn
Region: Virginia
Country: United States
Country-Code: US

IP: 54.243.190.47
Origin-AS: 14618
Prefix: 54.242.0.0/15
AS-Path: 37100 1299 16509 14618
AS-Org-Name: Amazon.com, Inc.
Org-Name: Amazon.com, Inc.
Net-Name: AMAZO-ZIAD1
Cache-Date: 1582876874
Latitude: 39.043720
Longitude: -77.487490
City: Ashburn
Region: Virginia
Country: United States
Country-Code: US

IP: 104.31.79.155
Origin-AS: 13335
Prefix: 104.31.64.0/20
AS-Path: 2905 13335
AS-Org-Name: Cloudflare, Inc.
Org-Name: Cloudflare, Inc.
Net-Name: CLOUDFLARENET
Cache-Date: 1582876874
Latitude: 37.775700
Longitude: -122.395200
City: San Francisco
Region: California
Country: United States
Country-Code: US

IP: 104.31.78.155
Origin-AS: 13335
Prefix: 104.31.64.0/20
AS-Path: 2905 13335
AS-Org-Name: Cloudflare, Inc.
Org-Name: Cloudflare, Inc.
Net-Name: CLOUDFLARENET
Cache-Date: 1582876874
Latitude: 37.775700
Longitude: -122.395200
City: San Francisco
Region: California
Country: United States
Country-Code: US
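An added example (not the post's own code) that turns the two data sets above, the PassiveTotal resolve history and the whob output, into the hosting timeline the summary states: parse whob's blank-line-separated blocks, join them to the pDNS ranges by IP, and collapse consecutive ranges from the same AS org into provider epochs. The whob text is a trimmed copy of the output above (only the fields used); `None` stands in for "Present".

```python
# Trimmed copy of the whob output above (only the fields this example uses).
WHOB_OUTPUT = """\
IP: 54.243.190.28
Origin-AS: 14618
Prefix: 54.242.0.0/15
AS-Org-Name: Amazon.com, Inc.
Net-Name: AMAZO-ZIAD1

IP: 54.243.190.47
Origin-AS: 14618
Prefix: 54.242.0.0/15
AS-Org-Name: Amazon.com, Inc.
Net-Name: AMAZO-ZIAD1

IP: 104.31.79.155
Origin-AS: 13335
Prefix: 104.31.64.0/20
AS-Org-Name: Cloudflare, Inc.
Net-Name: CLOUDFLARENET

IP: 104.31.78.155
Origin-AS: 13335
Prefix: 104.31.64.0/20
AS-Org-Name: Cloudflare, Inc.
Net-Name: CLOUDFLARENET
"""

# The PassiveTotal resolve history above; None = still resolving ("Present").
PDNS_HISTORY = [
    ("54.243.190.28", "2018-05-13", "2018-05-13"),
    ("54.243.190.47", "2018-05-13", "2018-05-13"),
    ("104.31.79.155", "2018-05-14", None),
    ("104.31.78.155", "2018-05-14", None),
]


def parse_whob(text: str) -> list:
    """Split whob's blank-line-separated 'Key: value' blocks into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def _later(a, b):
    # None means "present", which is later than any date
    return None if a is None or b is None else max(a, b)


def hosting_timeline(pdns: list, whob_records: list) -> list:
    """Join pDNS ranges to ASN data and collapse runs of the same provider.

    ISO date strings sort correctly as plain strings, so no date parsing."""
    by_ip = {r["IP"]: r for r in whob_records}
    epochs = []
    for ip, first, last in sorted(pdns, key=lambda r: (r[1], r[0])):
        info = by_ip.get(ip, {})
        org = info.get("AS-Org-Name", "unknown")
        if epochs and epochs[-1]["org"] == org:
            epochs[-1]["last"] = _later(epochs[-1]["last"], last)
            epochs[-1]["ips"].add(ip)
        else:
            epochs.append({"org": org, "asn": info.get("Origin-AS"),
                           "first": first, "last": last, "ips": {ip}})
    return epochs


def provider_switches(epochs: list) -> list:
    """(from_org, to_org, date) for each change of hosting provider."""
    return [(a["org"], b["org"], b["first"]) for a, b in zip(epochs, epochs[1:])]


if __name__ == "__main__":
    timeline = hosting_timeline(PDNS_HISTORY, parse_whob(WHOB_OUTPUT))
    for e in timeline:
        print(f"AS{e['asn']} {e['org']}: {e['first']} to {e['last'] or 'present'} "
              f"({len(e['ips'])} IPs)")
    for old, new, when in provider_switches(timeline):
        print(f"moved from {old} to {new} on {when}")
```

The same join scales to hundreds of resolutions from a pDNS export; the epochs are what you put in the report, and the switch dates are what you line up against registration, certificate issuance and archive captures.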

BGP (Border Gateway Protocol)

BGP lookups are helpful as they give you more information about how the IP is routed: the announcing ASN (autonomous system number), the prefix it sits in, and the organization behind it. Together with the passive DNS records for a given IP, they help prevent rabbit-hole research (e.g. a Cloudflare IP with 81 associated hosts is a shared CDN edge: the other hosts on it are almost certainly unrelated tenants, and the real origin server is hidden behind it).

https://bgp.he.net/ip/104.31.78.155#_ipinfo
https://bgp.he.net/AS13335

Web Archive

The Web Archive (Wayback Machine) tells us a few things: when people started to show interest in the domain (and when capture spikes appear), when it was first captured, and which URLs were captured (and how they changed between captures).

Protip: a lot of journalists/researchers use the Web Archive as reference material for stories. You can often tell when research begins and roughly when it is going to be released by watching these capture patterns.

https://web.archive.org/web/*/clearview.ai

*of note: captures spiked in January 2020 (this is when the initial reports of the lawsuit and the disclosures were released)
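An added example (not the post's own code) of reading the Wayback Machine's capture data programmatically rather than eyeballing the calendar: the CDX API behind the calendar view returns one line per capture, and from those lines you can get the first capture, captures per month, the months that spike against the baseline, and how many distinct content versions were archived per URL. The CDX lines below are constructed (sparse captures through 2018 and 2019, a burst in January 2020; digests and sizes are placeholders); `fetch_cdx` is network-dependent and shown for the query shape only.

```python
import urllib.request
from collections import Counter, defaultdict
from statistics import median


def fetch_cdx(domain: str, timeout: int = 60) -> list:
    """CDX API behind the Wayback calendar. Default output is one line per
    capture: urlkey timestamp original mimetype statuscode digest length.
    Network-dependent; not exercised offline."""
    url = f"https://web.archive.org/cdx/search/cdx?url={domain}&matchType=prefix"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8").splitlines()


# Constructed CDX lines in that format. The digest column changes whenever
# the archived content changed, which is how "what differences exist" shows up.
SAMPLE_CDX = """\
ai,clearview)/ 20180520123045 https://clearview.ai/ text/html 200 AAAA 1200
ai,clearview)/ 20190312081500 https://clearview.ai/ text/html 200 AAAA 1300
ai,clearview)/ 20190915141200 https://clearview.ai/ text/html 200 AAAB 1300
ai,clearview)/ 20191202093000 https://clearview.ai/ text/html 200 AAAB 1300
ai,clearview)/ 20200118220000 https://clearview.ai/ text/html 200 AAAC 1500
ai,clearview)/ 20200119010000 https://clearview.ai/ text/html 200 AAAC 1500
ai,clearview)/ 20200120113000 https://clearview.ai/ text/html 200 AAAC 1500
ai,clearview)/ 20200121160000 https://clearview.ai/ text/html 200 AAAD 1500
ai,clearview)/ 20200125190000 https://clearview.ai/ text/html 200 AAAE 1600
""".splitlines()


def archive_profile(cdx_lines: list, spike_factor: float = 3.0) -> dict:
    """First capture, captures per month, spike months (>= spike_factor x the
    median month) and distinct content versions per archived URL."""
    per_month = Counter()
    digests = defaultdict(set)
    first = None
    for line in cdx_lines:
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated line
        ts, original, digest = fields[1], fields[2], fields[5]
        per_month[f"{ts[:4]}-{ts[4:6]}"] += 1
        digests[original].add(digest)
        if first is None or ts < first:
            first = ts
    baseline = median(per_month.values()) if per_month else 0
    spikes = sorted(m for m, n in per_month.items() if n >= spike_factor * baseline)
    return {
        "first_capture": f"{first[:4]}-{first[4:6]}-{first[6:8]}" if first else None,
        "per_month": dict(sorted(per_month.items())),
        "baseline": baseline,
        "spikes": spikes,
        "content_versions": {url: len(d) for url, d in digests.items()},
    }


if __name__ == "__main__":
    profile = archive_profile(SAMPLE_CDX)
    print("first capture:", profile["first_capture"])
    for month, n in profile["per_month"].items():
        print(f"{month}: {'#' * n}")
    print("spike months:", profile["spikes"])
    print("content versions:", profile["content_versions"])
```

A spike month is only meaningful against a baseline, which is why the median of all months is used rather than the mean (a single burst would drag the mean up and hide itself); tune `spike_factor` for domains with a busier baseline.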

OSINT (Open Source Intelligence)

This section is really broad, depending on what you are looking into; Twitter and Google searches are a good place to start if you aren’t looking into specific malicious contexts.

use a simple dork: intext:"clearview.ai" NOT inurl:clearview.ai (Google; the documented exclusion operator is the minus sign, so -inurl:clearview.ai is the equivalent form)

in Twitter: "clearview.ai" until:2020-01-26 since:2020-01-18

[screenshots: the Twitter Advanced Search form, and example results from the two searches]

For malicious contexts, start with VirusTotal (VT); the relations tab gives you resolutions, subdomains and siblings, and any files that communicate with or were downloaded from the domain:

https://www.virustotal.com/gui/domain/clearview.ai/relations
