By using common Internet Security reconnaissance techniques, it is possible to develop insights into technologies used by the Fortune 1000 companies.
A look at the technology stack of the companies main website, the Internet email gateway services, and the external name servers used by the companies primary domains provides a glimpse into the IT infrastructure. The
dns servers are hosted someplace. They may be within the companies own IP space or managed by third party cloud computing companies.
Cloud computing adoption continues at a rapid pace, with Microsoft (Azure), Amazon (AWS), and Google (GCP) dominating the market. Which of these cloud giants is the Fortune 1000 throwing money at?
Of course, many of the companies on the list are massive, with billions of dollars in revenue, numerous divisions, departments, and thousands of personnel. Technology will vary greatly, even within one company. From this limited view, we can still reveal fascinating insights. Which billion-dollar companies are running WordPress, End of life Windows, or unsupported PHP?
The Smallest Site
These guys are taking clean and flat design to the next level with a style that has not changed from the 1990s (confirmed with the Wayback Machine). I guess they are too busy making $81.4 billion in profit to worry about a slick website.
About the Fortune 1000
The Fortune 1000 is a list composed by Fortune magazine of the 1000 largest companies in the USA. On the list are well-known brands along with other less commonly known companies. Using Wappalyzer and open source information, we develop a picture of the technology powering the companies Internet presence. Through the examination of the perimeter technologies, we also gain insight into the corporate information technology that might be in play.
Web Front End Services (CDN)
As expected, a large number of the Fortune 1000 are using global content delivery networks in front of the primary web server. Akamai is well ahead, with CloudFlare the next most popular. These services provide fast global delivery of content, web security, and denial of service protection.
Within the well-known CDN services, we see Amazon and Microsoft have a significant presence on the web front end. These data points include both servers directly hosted within the cloud networks, and content delivery front end services offered by both Amazon (CloudFront) and Microsoft Azure (CDN).
The most popular web servers in the Fortune 1000 are not surprising. The top 3 are Apache, Nginx and Microsoft IIS. Actual numbers for these web servers will likely be higher as the CDN providers hide the web server. Many CDN providers are not providing a
Server: HTTP header so there is no data in the results for these sites.
An interesting (though not unexpected) finding is the high proportion of Microsoft IIS. When compared to IIS in the top 1 million websites, there is a much higher proportion within the Fortune 1000. Many corporations have traditionally had corporate IT systems powered by Microsoft technologies and would therefore have a higher technical proficiency in Microsoft products.
Server Side Technologies
PHP usage on the web servers.
Aligning with the higher proportion of Microsoft IIS mentioned previously, we also see a higher proportion of Java and ASP.NET in use. Developers and technical staff are typically using these technologies within large enterprises, so it makes sense that we would see the higher numbers.
Microsoft IIS and End of Life Software
Windows Server 2008 and Windows Server 2008 R2 are both no longer supported by Microsoft. However, we still found 21 sites running these operating systems. Managing patching and the software life cycle in large corporations is difficult. For these 21 companies, that is clearly the case. Note that while Windows Server 2008 is end of life (out of support), it does receive critical security patches from Microsoft.
PHP End of Life
By looking at the headers of the Fortune 1000 sites, we were also able to confirm the PHP version in use for 59 of the sites. Newer PHP releases and some Linux distributions will hide the PHP version, no longer displaying the X-Powered-By PHP header with the version.
We can see some sites are not running current versions of PHP and are not receiving security patches. For more information on PHP end of life, we did another study looking at the state of PHP in the top 1 million sites.
The numbers for the Web Servers and backend technologies must be taken as a small sample. Many of the sites running behind the CDN providers will also be running these web servers and associated technologies.
Web Application and Content Management
We see a clear trend towards the Adobe Experience Manager platform. It appears to be growing in popularity, particularly among larger companies. We have observed a number of large corporations recently move from WordPress or Drupal as a platform to Adobe Experience Manager.
WordPress, with around 14% of the sites in the Fortune 1000, is well represented. Particularly, when we take into account its open-source background and lack of enterprise technology features. The 14% is lower than the typical 30+% of sites running WordPress observed in larger samples.
The Managed WordPress hosting provider WP Engine, jumped out while looking at the web application usage.
With 42 clients in the Fortune 1000 (~30% of the WordPress installs), WP Engine is clearly doing something right. We have compared this to hosting from Automattic, the company behind WordPress.com, and another high end host for companies wanting managed WordPress hosting.
jQuery & Bootstrap
These two technologies will be familiar to anyone who has done any recent work on websites. Even knowing how popular these are, it is surprising to see just how much these two resources are used. jQuery is included, with over half of all the Fortune 1000 sites and bootstrap on more than 25%.
Email Hosting and Gateways
While the focus above is on the main web presence of these Fortune 1000 companies, the I.T. infrastructure goes much deeper than that. Looking at the mail gateways and email hosting, we found Microsoft dominating with the cloud based Office 365 serving email for more than half of all these corporations.
Examining the mail gateways (identified by MX record), there were a number of popular security providers found in the results. These included Proofpoint with 345 (34.5%); other gateways of note are Messagelabs, FireeyeCloud, and Mimecast.
For a better understanding of Office 365 usage, we used a trick penetration testers use when assessing a companies email. Even though the
MX records of many of these companies point at the email gateway provider, it is possible to identify Office365 email users by putting the company name on the front of the domain (onmicrosoft.com). So if Hacker Target Pty Ltd hosted email on Office 365, we would likely have a valid MX record at - hackertarget.onmicrosoft.com, that points to a typical outlook.com host name.
In the chart above, we separated the results. The blue indicates a gateway provider where we identified the client as using Office365 behind the email gateway. This puts the number of companies using Office 365 at 514. A higher number is likely as companies may have a variation on the standard $company.onmicrosoft.com, in which case they have not been included here.
We are unable to confirm GSuite (Google Business Email) users behind these email gateways; so cannot confirm the numbers. But clearly, the initial number indicates Microsoft maintaining a strong lead in the high end corporate email space.
DNS (NameServers) - Managed internally or outsourced?
Resolving the primary domains to the configured NS servers revealed whether the organisation was using a third party to host the external DNS or if they might be managing the DNS themselves in their own corporate IP space.
The majority of organisations have opted to leave the hosting to the experts. However, close to 30% are managing their own servers.
Expanding the Attack Surface
So far, we have examined the primary web site, the email, and the DNS gateways in use by the companies. To dig a little deeper down the rabbit hole, we can expand our knowledge of companies' external-facing hosts by performing a subdomain search on the primary domain.
Subdomain enumeration is a common reconnaissance technique used by penetration testers, bug bounty hunters, and attackers when assessing an organisations attack surface.
Using open-source intelligence (primarily DNS datasets), we can develop a wider picture of the technologies in use.
Fortune 1000 Companies with Services Hosted by ASN
Below represents the number of occurrences of an ASN across the Fortune 1000. Derived by resolving the discovered subdomains to an IP -> ASN.
Reading the chart, we see that 732 of the Fortune 1000 have at least one service in the AMAZON Cloud (AWS).
From the chart, we can compare the Cloud usage by companies in the Fortune 1000. Amazon is well out in front with its services used by 73% of the Fortune 1000. Microsoft trails with 35% and Google 15%. Note this does not include the Office365 numbers we determined from the email gateways. If these are taken into account, Microsoft would have services in more than 50% of Fortune 1000.
*SalesForce has been identified from hosts found in the EXACT-7 ASN that is owned by SalesForce.
It is a rabbit hole that goes deep. Further analysis could be performed by looking at service banners or other open source intelligence (OSINT) sources, such as Shodan, against the known host IP addresses or even the known company network blocks.
Proliferation of Hosted Services
We found an average of 11 distinct ASN owners per company in the Fortune 1000. It is essential that security teams have the complete picture when it comes to the companies Attack Surface.
- Accurate Asset Registers (have an item in the change control process to update the register)
- Regular Vulnerability Testing against the Attack Surface
- Perform open source reconnaissance against the companies infrastructure
The technologies of the websites were collected using our hosted Wappalyzer tool. It is an excellent open source project and can be downloaded to run locally, or used as a browser plugin to detect technologies as you browse the web. It examines the HTML and HTTP Headers of the site to determine the technologies in use.
In addition, we collected the HTTP headers of the Fortune 1000 websites in order to get granularity on some product versions (PHP & Microsoft IIS).
Mail and name servers were resolved using a simple
bash script and
dig. The resulting list of IP addresses was processed through our ASN Lookup tool to identify the netblock owners hosting the servers.
After gathering the subdomains for each company domain, we performed a simple DNS lookup to get an IP address. Then, querying the IP to get an ASN and finding the unique number of ASN's by company.
Download the Full List
After requests from a number of readers we have made the list available for download. All host information within this document is publicly available simply by visiting the public web site listed. Download it here.