How to find IP Address behind Cloudflare


 
Cloudflare is one of the most popular firewalls, used mostly to protect servers and web applications from DDoS attacks and to improve their security. It is free and easy to use, and thousands of companies rely on Cloudflare protection.

When you activate Cloudflare protection for your web application, your traffic is tunneled through Cloudflare's servers: legitimate traffic is allowed through and the rest is denied. One of its features is to hide the real IP address of the web server behind this tunnel. So when you ping your domain you see a Cloudflare IP rather than your own, because the name servers point to Cloudflare and Cloudflare then forwards the traffic to your website.



Information gathering is the first step of any penetration test, at any level: you need to find all the possible information about your target before you attack or pentest it. There are a few common ways to find the IP address of a domain that is behind Cloudflare protection, which we will discuss today.

If you follow the process and steps, there is an 80% chance that you will succeed. Even if you fail to exploit the web application, you may get your hands on the server and might be able to bypass some restrictions if it is outdated or shared.


1- Gathering OLD Logs


This is a great way to find logs and raw historical data about a website or server that is protected by Cloudflare: what the IP address was when the website was first created, whether the owner later changed the server and what that server's IP was, and what the IP was when Cloudflare protection was applied compared with now.




Netcraft is a website that logs old data date by date, including the IP address of the server over time and mail server details. We can use it because there is a possibility that the server is the same and hasn't been changed yet.



USAGE :-
1- Browse to the given link ( http://toolbar.netcraft.com/site_report?url=DOMAIN.COM )
2- Enter the details
3- Analyze the output, i.e. the information returned
  


2- Enumerate Sub-domains

This is another trick commonly used to find the IP address of a website. Administrators often make mistakes while configuring Cloudflare protection. They create sub-domains for different purposes, and there are also sub-domains that already exist, such as ftp.website.com, mail.website.com or cpanel.website.com. The point is to find such sub-domains and ping them: hopefully you will get the IP address of that sub-domain, and the server might be the same one that hosts the main site.



To enumerate sub-domains we can use many scripts, software packages and other methods, but since Kali Linux comes pre-loaded with many tools, I would suggest you just open your terminal; we are going to perform a sub-domain scan using 2 different automated tools.



Scanning using DNSmap

DNSmap is a tool written in python which is excellent at finding sub-domains, and I recommend it too. It is loaded with a wordlist containing known and unknown words; what it does is send a DNS request for each word in the dictionary prefixed to the desired website and report those that resolve.
It comes pre-loaded with the Kali Linux OS so you don't need to install it; for Windows, search for how to install DNSmap on Windows, because it is available there as well.



1- Open your terminal
2- Type the command mentioned below
“ dnsmap website.com ”
Replace website.com with your targeted domain
3- That's it; it will now show you all the discovered sub-domains and their IP addresses.



After scanning for sub-domains, ping them using the ping command:
ping abc.website.com
It will show you the IP for the sub-domain. As I mentioned, there is a possibility that the sub-domain is not protected by Cloudflare, so there is a chance that the server is the same one that hosts the main site.



Scanning using Dmitry

We can also use a simple but powerful tool called Dmitry for sub-domain scanning. This tool finds sub-domains indexed by Google; type the command below and watch the magic.
“ dmitry -s website.com ”



3- Email requests and raw data



When you receive an email from any domain or server, the raw message text contains a bunch of information, such as the date and time stamps of each hop. The IP address of the sending server is included as well, so try emailing the target; when you receive a reply, check its raw data and you will be able to find the IP. Yes, in some cases the victim might be using a different mail server, in which case skip this step, but it is worth trying.
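To show what "check its raw data" means in practice, here is an added example (not from the original post) that parses the Received: headers of a constructed reply and returns the host and IP recorded at each hop; the hostnames and addresses in it are made up for illustration.

```python
import email
import re
from email import policy

# Constructed sample reply, using documentation IP ranges only (198.51.100.0/24, 203.0.113.0/24).
# Each relay prepends its own Received: line, so the topmost is the newest hop.
RAW = b"""Received: from mx.isp.example (mx.isp.example [198.51.100.9])
\tby inbound.receiver.example with ESMTPS id abc123
\tfor <you@receiver.example>; Mon, 01 Jan 2024 10:00:03 +0000
Received: from mail.website.com (mail.website.com [203.0.113.45])
\tby mx.isp.example with ESMTP id xyz789; Mon, 01 Jan 2024 10:00:01 +0000
From: admin@website.com
To: you@receiver.example
Subject: Re: question
Message-ID: <1@website.com>

Thanks for writing.
"""

# "from <host> ... [<ip>]": the bracketed IP is what the receiving relay actually saw.
HOP_RE = re.compile(r"from\s+(\S+).*?\[([0-9.]+)\]", re.DOTALL)

def received_hops(raw: bytes) -> list:
    """Return (sending_host, ip) per Received: header, newest first.
    The last entry is the earliest hop, normally the sender's own mail server."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def originating_server(raw: bytes):
    """The first relay that handled the message, or None if no Received: header parsed."""
    hops = received_hops(raw)
    return hops[-1] if hops else None

if __name__ == "__main__":
    for host, ip in received_hops(RAW):
        print(f"{host:24s} {ip}")
    print("originating server:", originating_server(RAW))
```

Only the bracketed address inserted by the receiving relay is trustworthy; the hostname before it is whatever the sender announced in HELO.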



4- Enumerate Email Server / MX Record

As I just mentioned, this case is related to the one above. I am disclosing this method today because I have been using it personally for a year to find the IP addresses of websites using Cloudflare protection, and I have found that it gives an almost 100% accurate result if the mail server is not on a different host. It is a simple but really cool trick which you should also try, and hope for the best.



The MX record is used for email delivery and communication, but as far as I know Cloudflare does not protect it on the majority of websites, because it is just a record, like the name servers. While protecting the NS records, the admin forgets that his mail server is running and advertised through the MX record, which can disclose information such as the hosting provider, the mail server and the IP of the server.



To find the MX record, type the commands below in sequence:
1- nslookup
2- set type=mx
3- website.com



It will now display the mail server record, such as mx.website.com or mail.website.com. All you need to do is ping that hostname and it will show you the IP of the MX host, which could be the same server as the website.







About Ahmed Mehtab

Ahmed Mehtab is a white hat cyber security researcher, speaker, trainer and blogger at Security Fuse. He loves to research cyber security issues, cyber crime and hacktivism. Quote: "Being a hacker without having knowledge of programming is just like a knife without sharpness" ~ Ahmed Mehtab

4 comments :

  1. well bro nice tut bro, you can also use crimeflare, on it you only have to give the domain name and it will tell you the real IP of that site :D

    ReplyDelete
  2. you will be able to find with this free seo tool
    https://www.cuteseotools.net/cloudflare-resolver

    ReplyDelete