How To Find The Real IP Address Of A Website Behind CloudFlare

July 7, 2016

Introduction

CloudFlare is one of the most popular and fastest growing Content Delivery Network (CDN) providers. CloudFlare has built its reputation partly by being able to protect notorious black hat hacking groups like LulzSec and Lizard Squad from Distributed Denial of Service attacks. When DDoS attacks were launched against LulzSec, CloudFlare was capable of mitigating those attacks. As hackers attempted to take down LulzSec, CloudFlare documented every pattern of the attack. This showed that CloudFlare was not only able to protect its users, but could also use the experience gained to harden its servers’ DDoS protection further.

When the user decides to use CloudFlare, it becomes increasingly harder for the attacker to launch a DDoS attack on the website since the origin server IP address is hidden behind the CDN. The methods below should be able to assist you in finding a website’s destination server IP address.

Method 1

Use online tools from websites like http://www.crimeflare.com/cfs.html, http://iphostinfo.com/cloudflare/, or http://toolbar.netcraft.com/site_report.

Method 2

Open a Command Prompt (on Windows, press the Windows key and R together, type cmd and press Enter).

Now type any of the following:

ping direct.domain.com

ping direct-connect.domain.com

ping mail.domain.com

ping cpanel.domain.com

ping ftp.domain.com

ping forum.domain.com
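A defender-side check, added here and not part of the original post: given a zone export, it flags records (including the very hostnames Method 2 probes) that answer with an address outside CloudFlare's edge ranges, which is exactly what a site owner who relies on the CDN to hide the origin must avoid. The hostnames, example.com and 203.0.113.10 are constructed; the range list is a snapshot of CloudFlare's published IPv4 list and must be refreshed before real use.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (cloudflare.com/ips-v4); refresh before use.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

# Constructed zone export for a hypothetical example.com; the hostnames are
# the ones Method 2 probes and 203.0.113.10 stands in for the origin server.
SAMPLE_ZONE = """\
; proxied records answer with Cloudflare addresses, unproxied ones do not
example.com.         300 IN A  104.16.1.2
www.example.com.     300 IN A  104.16.1.2
direct.example.com.  300 IN A  203.0.113.10
mail.example.com.    300 IN A  203.0.113.10
example.com.         300 IN MX 10 mail.example.com.
"""

def is_cloudflare(ip: str) -> bool:
    """True when the address sits inside a Cloudflare edge range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def parse_zone(text: str):
    """Yield (owner, rtype, rdata) from a BIND-style export, skipping comments."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        owner, _ttl, _cls, rtype, *rdata = parts
        yield owner.rstrip("."), rtype, " ".join(rdata)

def find_exposed(zone: str) -> dict:
    """Return {hostname: ip} for A records that bypass Cloudflare; an MX
    pointing at such a host is flagged too, since mail sent from the web
    server's address leaks the origin (as the comments below discuss)."""
    a_records, mx = {}, {}
    for owner, rtype, rdata in parse_zone(zone):
        if rtype == "A":
            a_records[owner] = rdata
        elif rtype == "MX":
            mx[owner] = rdata.split()[-1].rstrip(".")
    exposed = {h: ip for h, ip in a_records.items() if not is_cloudflare(ip)}
    for owner, target in mx.items():
        if target in exposed:
            exposed[f"{owner} (MX -> {target})"] = exposed[target]
    return exposed
```

Run find_exposed over your own zone export; every entry it returns is a record to proxy, move to a separate host, or delete.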

Method 3

Go to the website https://whoisrequest.com/history/ and take a look at the website’s nameservers history.

This will enable you to see the nameservers the target used prior to any change to CloudFlare’s nameservers. A history of the website’s changes and drops over a period of years is shown after searching.

You may very well be able to find the old DNS records and query them using the command below (the dig command is available only on Linux and Mac OS X boxes):

dig domain.com @oldns A +short

Note: In the above, replace @oldns with the old nameserver found in the DNS history (keep the leading @).

You may also try http://who.is/. Go to the “History” tab after the search to view all DNS changes. What you couldn’t find at the former website, you may be able to find at the latter. These old DNS records are typically archived and may contain the server’s origin IP address. If the target discovers that the malicious actor has found his server’s origin IP address and has launched DDoS attacks against the server, he may request that his web host change the origin IP.

Method 4

Use a CloudFlare DNS Enumeration tool like this.

Download the Python script or copy and paste the script’s code into a new text editor and save it as name.py.

Install Python from here if you haven’t already.

Open a Terminal or Command Prompt and enter the following command:

./cloudflare_enum.py theemail@email.com Testing1 website.com

Replace “theemail@email.com” with the email address of the CloudFlare account and “Testing1” with that account’s password. This script lets you query CloudFlare’s DNS archive after logging into CloudFlare.

Method 5

Download a security scanner like the free Nmap from https://nmap.org/download.html.

Open the terminal on your Linux box and type in the following (replace <ip address> with the target IP):

nmap -sV -sS -F <ip address>

This command will then proceed to scan the host/website, telling you whether CloudFlare is used by the website or not.

Proceed with typing the following into the terminal (the dns-brute script guesses hostnames under a domain name, so give it the domain rather than an IP):

nmap --script dns-brute -sn domain.com

This may give you the server’s origin IP address.

Method 6

Pretend to be the web host and convince the website owner that you are his web host. This is called social engineering.

Build a friendly, convincing conversation with the owner and attempt to get his server’s origin IP by asking him for it.

But do it subtly with precision. For example, you could say that server maintenance is about to occur and that you require the owner’s origin server IP for verification or some other reason such as their web host management system is currently down or corrupted, thus being unable to get their origin server IP.

To make it even more convincing, the attacker could register a domain similar to the site owner’s host and use a mail server to send such an email to the site owner pretending to be the host. It would be written in a formal, professional manner. Or perhaps a phishing technique could be utilized along with the impersonation just described, such as linking to a fictitious page intended to capture the server’s origin IP.

  • Jamal

    Some good tips here. Personally I’ve found methods involving sending outbound traffic from the server, if possible, like mail, to be a good way of finding the server IP. I found some more info on this here which helped me find the server of a website behind cloudflare, very sneaky! Hope it helps anyone else looking for this.

    https://www.rootusers.com/find-the-ip-address-of-a-website-behind-cloudflare/

    Good post keep it up!

    Thanks,
    Jamal.

    • Sunny Hoi

      Hey, Jamal.

      Getting the web server to send out an external email is indeed a method that can work in uncovering the website’s origin IP address. This method is plausible merely if the mail server is hosted on an identical IP as the web server itself. If the administrator of the site is clever enough, he will utilize an email service on another server that is confined from his site. This would close the security aperture, rendering the aforementioned technique ineffective.

      I’m glad that you found this post informative.

      Sincerely,

      Sunny

  • Pingback: How To Prevent Cloud WAF Bypass By Blocking HTTP Access To A Website - Sunny Hoi

  • Alex R

    Informative article. Saved in my bookmark.
