CloudFlare is one of the most popular and fastest growing Content Delivery Network (CDN) providers. CloudFlare has built its reputation partly on being able to protect notorious black hat hacking groups like LulzSec and Lizard Squad from Distributed Denial of Service (DDoS) attacks. When DDoS attacks were launched against LulzSec, CloudFlare was able to mitigate them, and as the attackers tried to take LulzSec down, CloudFlare documented every pattern of the attack. This showed that CloudFlare could not only protect its users but also use the experience gained to further harden its servers’ DDoS protection.
When a site owner decides to use CloudFlare, it becomes considerably harder for an attacker to launch a DDoS attack against the website, since the origin server’s IP address is hidden behind the CDN. The methods below are meant to assist in finding a website’s origin server IP address.
Open up a Command Prompt (on Windows, press the Windows key and R together, then type cmd).
Now type in any of the following:
Go to the website https://whoisrequest.com/history/ and take a look at the website’s nameservers history.
This lets you see the nameservers the target used prior to switching to CloudFlare’s nameservers. After searching, a history of the website’s nameserver changes and drops over a period of years is shown.
You may very well be able to find the old DNS records and query them using the command below (the dig command is available only on Linux and Mac OS X boxes):
dig domain.com @oldns.example.com A +short
Note: In the command above, replace domain.com with the target domain and oldns.example.com with the old nameserver found in the DNS history.
You may also try http://who.is/. Go to the “History” tab after the search to view all DNS changes. What you couldn’t find at the former website, you may be able to find at the latter. These old DNS records are typically archived and may contain the server’s origin IP address. If the target discovers that a malicious actor has found the server’s origin IP address and has launched DDoS attacks against it, the owner may ask the web host to change the origin IP.
Use a CloudFlare DNS Enumeration tool like this.
Download the Python script, or copy and paste the script’s code into a new text editor and save it as cloudflare_enum.py.
Install Python from here if you haven’t already.
Open a Terminal or Command Prompt and enter the following command:
./cloudflare_enum.py email@example.com Testing1 website.com
Replace “email@example.com” with the email address of the CloudFlare account, “Testing1” with that account’s password, and “website.com” with the target domain. The script logs into CloudFlare and lets you query CloudFlare’s DNS archive.
Download a security scanner like the free Nmap from https://nmap.org/download.html.
Open the terminal on your Linux box and type in the following (replace <target-ip> with the target’s IP address):
nmap -sV -sS -F <target-ip>
This command will then proceed to scan the host/website, telling you whether CloudFlare is used by the website or not.
Proceed by typing the following into the terminal (again replacing <target-ip>):
nmap --script dns-brute -sn <target-ip>
This may give you the server’s origin IP address.
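Every technique above exploits the same defensive gap: a DNS record or an origin host that still answers outside the CDN. The check below, an added example that is not part of the original article, audits a (constructed) zone export for A/AAAA records pointing outside the CDN’s edge ranges and makes the origin-firewall allow/drop decision for a given source address; the CDN ranges here are constructed documentation prefixes, whereas a real deployment would load the provider’s published list (Cloudflare publishes its ranges at https://www.cloudflare.com/ips/).

```python
import ipaddress

# Constructed sample of CDN edge prefixes (RFC 5737 documentation ranges).
# A real deployment loads the provider's published IPv4/IPv6 list instead.
CDN_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed zone export: (record name, type, value). The two 192.0.2.25
# records model a mail host and a forgotten dev host that share the origin.
ZONE = [
    ("example.com.", "A", "198.51.100.11"),
    ("www.example.com.", "A", "198.51.100.10"),
    ("mail.example.com.", "A", "192.0.2.25"),
    ("dev.example.com.", "A", "192.0.2.25"),
    ("example.com.", "MX", "10 mail.example.com."),
]


def behind_cdn(ip, ranges=CDN_RANGES):
    """True if the address falls inside one of the CDN edge prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def leaked_records(zone=ZONE, ranges=CDN_RANGES):
    """Return (name, value) for every address record that bypasses the CDN.

    Only A and AAAA records are checked; MX/TXT/etc. hold no addresses, but the
    hosts they name should be verified by the same rule.
    """
    return [
        (name, value)
        for name, rtype, value in zone
        if rtype in ("A", "AAAA") and not behind_cdn(value, ranges)
    ]


def origin_firewall_decision(src_ip, ranges=CDN_RANGES):
    """Origin hosts should accept HTTP(S) only from CDN edges; drop the rest.

    This mirrors an allow-list rule set on the origin; once the origin IP is
    known to an attacker, this is what keeps direct traffic from reaching it.
    """
    return "accept" if behind_cdn(src_ip, ranges) else "drop"


if __name__ == "__main__":
    for name, value in leaked_records():
        print(f"exposed: {name} -> {value}")
    print("direct hit from 192.0.2.1:", origin_firewall_decision("192.0.2.1"))
```

Records flagged as exposed should either be moved behind the CDN or pointed at a host that is not the web origin, and the firewall rule should be applied on the origin itself rather than only at the DNS layer.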
Pretend to be the web host and convince the website owner that you are his web host. This is called social engineering.
Build a friendly, convincing conversation with the owner and attempt to get his server’s origin IP by asking him for it.
But do it subtly with precision. For example, you could say that server maintenance is about to occur and that you require the owner’s origin server IP for verification or some other reason such as their web host management system is currently down or corrupted, thus being unable to get their origin server IP.
To make it even more convincing, the attacker could register a domain similar to the site owner’s host and use a mail server to send such an email to the site owner pretending to be the host. It would be written in a formal, professional manner. Alternatively, a phishing technique could be combined with the impersonation just described, such as linking to a fictitious page intended to capture the server’s origin IP.