
How to find the real IP address of a Cloudflare-protected website.




A website's IP address and DNS information are public. If the website's admin wishes to keep this information private, they may use Cloudflare and DNSSEC.
Reasons for wanting to conceal IP and DNS information vary, from being a highly likely DDoS target to owning a website that contains illegal or sensitive content.

Cloudflare (CF) is a proxy that stands between a visitor and the website it is protecting. Therefore, the website's real IP is masked by CF and will be shown as 104....  and include 173...... in the DNS. The main benefit of CF is Layer 4 DDoS protection.
However, if CF hasn't been configured correctly, the real IP address of the website can still be resolved by pinging subdomains, starting with the most commonly known ones. If that doesn't bring success, we'll need to get more creative. For example:

[info title="pinging via a terminal" icon="info-circle"]
ping ftp.example.com
ping admin.example.com
ping mail.example.com
ping checkout.example.com
ping donate.example.com
[/info]

Trying to resolve subdomains manually via the terminal would take a long time, so it's more productive to use tools.

In this tutorial, we'll cover three tools.
Remember that IPs beginning with 104 or 173 are CF.

recon-ng

[info title="recon-ng via terminal" icon="info-circle"]
recon-ng -w example.com
add domains
example.com
use recon/domains-hosts/brute_hosts
run
(wait for module to finish)
show hosts
[/info]
(screenshot: recon-ng "show hosts" output)

The screenshot above shows two subdomains that reveal the website's real IP address: rowid 1 and 2.

websploit
[info title="websploit via terminal" icon="info-circle"]
websploit
use web/cloudflare_resolver
set TARGET example.com
run
(wait for module to finish)
[/info]

(screenshot: websploit cloudflare_resolver output)


The results include the real IP, the CF IP, and some checked subdomains that do not exist.

dnsrecon
[info title="dnsrecon via terminal" icon="info-circle"]
dnsrecon -d example.com
(wait for module to finish)
[/info]
(screenshot: dnsrecon output)

The dnsrecon method is different from the first two, as it checks the DNS information rather than pinging subdomains. A hotspot for the real IP tends to be the MX and TXT records. As you can see above, the real IP is in the MX record, which also shows that the IP is being shared by another website.

Notes:
If an email service such as Gmail is being used, the MX record's IP will be that of Google. However, that's not the case above.
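The three tools above all reduce to the same check: does any record in the zone (an A record for a guessable subdomain, the A record behind the MX target, or an "ip4:" address published in an SPF TXT record) point at an address that is not one of Cloudflare's? The following script is an added example, not code from the original post or from any of the tools it covers, and is written from the administrator's side: run it over your own zone's records before (or after) putting the site behind CF to see which records would still give the origin away. It assumes a point-in-time copy of Cloudflare's published IPv4 prefixes (refresh from https://www.cloudflare.com/ips-v4 before relying on it; note that the "starts with 104 or 173" rule of thumb is only an approximation of these prefixes), and the zone records below are constructed sample data using RFC 5737 documentation addresses for the origin server.

```python
"""Origin-IP leak audit for a Cloudflare-fronted zone (added example, defender-side).

Flags every A record, MX target and SPF ip4: token that resolves outside
Cloudflare's published IPv4 ranges -- exactly the records that subdomain
brute-forcing and dnsrecon-style MX/TXT inspection harvest.
"""
import ipaddress
import re

# Assumption: snapshot of https://www.cloudflare.com/ips-v4 at the time of writing.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip: str) -> bool:
    """True if the address lies inside one of the Cloudflare prefixes above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


# Constructed sample zone for example.com: the apex and www are proxied
# (an address inside 104.16.0.0/13), while ftp and mail still expose the
# origin (198.51.100.7, a TEST-NET-2 documentation address standing in for
# the real server). The SPF record repeats the origin address as an ip4: token.
SAMPLE_RECORDS = [
    ("example.com",      "A",   "104.16.1.1"),
    ("www.example.com",  "A",   "104.16.1.1"),
    ("ftp.example.com",  "A",   "198.51.100.7"),
    ("mail.example.com", "A",   "198.51.100.7"),
    ("example.com",      "MX",  "10 mail.example.com."),
    ("example.com",      "TXT", "v=spf1 ip4:198.51.100.7 include:_spf.google.com -all"),
]


def audit_zone(records):
    """Return [(record_name, record_type, ip)] for each address not behind Cloudflare.

    MX targets are resolved against the zone's own A records; SPF ip4: tokens
    are checked by their first address (so ip4:198.51.100.0/24 is judged by
    198.51.100.0). Records that cannot be resolved from the data given are skipped.
    """
    a_records = {name.rstrip("."): ip for name, rtype, ip in records if rtype == "A"}
    leaks = []
    for name, rtype, value in records:
        if rtype == "A":
            candidates = [value]
        elif rtype == "MX":
            # MX value is "<priority> <target>"; look the target up in the zone.
            target = value.split()[-1].rstrip(".")
            candidates = [a_records[target]] if target in a_records else []
        elif rtype == "TXT" and value.startswith("v=spf1"):
            candidates = [tok.split("/")[0] for tok in re.findall(r"ip4:([0-9./]+)", value)]
        else:
            candidates = []
        for ip in candidates:
            if not is_cloudflare(ip):
                leaks.append((name, rtype, ip))
    return leaks


if __name__ == "__main__":
    for name, rtype, ip in audit_zone(SAMPLE_RECORDS):
        print(f"LEAK {rtype:<3} {name:<20} -> {ip}")
```

On the sample zone the audit reports ftp, mail, the MX target and the SPF token, all pointing at 198.51.100.7, while the proxied apex and www records pass. The fix on the admin side is the same in each case: proxy or remove the stray subdomain records, move mail to a host that is not the web origin (the Gmail case in the note above), and drop origin addresses from SPF.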

There are some websites that provide the same methods with similar results.
Noteworthy websites are:
https://www.adminkit.net/dnsrecords.aspx
http://iphostinfo.com/cloudflare/
https://webresolver.nl/tools/cloudflare
https://webresolver.nl/tools/dns







GrayHatHackers

{twitter https://twitter.com/ghhackers}