Hacker - WAF bypass. How to find out the IP of a site that uses WAF or DDoS protection

Content

hacker_free

hacker_frei

Ghoustchat

Article Content

  • How to outsmart the system
  • To practice
  • Trying skills in action
  • Conclusions

There are different services that hide the website address behind another IP — for the purpose of protection against DoS, DDoS, or other attacks. These can be well-known cloud services like Cloudflare, as well as web application firewalls (WAF) and other protective solutions. The task of bypassing them comes down to discovering the real IP, and there are ready-made utilities for this. Let's see how to use them in practice.

To begin with, I will tell you a little more about what WAF is and how it works. For example, as part of the well-known web server Apache, there is a module mod_security, which is capable of performing the functions of a web application firewall and helping to protect your service from some trivial DoS attack. One such attack is HTTP(S) GET flood, when the server is sent countless requests for information. The server is unable to process so many requests in a very short period and simply crashes.

A similar function can also be provided by some cloud provider — for simplicity, I will further refer to different services of this type simply as WAF. The principle of their operation can be described as follows.

  1. The web server that needs to be protected operates in normal mode without filtering dangerous requests, and the WAF service is configured on a separate server of the company providing such services.
  2. In some DNS record, the IP of the required site is specified not as its actual address, but as the IP address of the WAF server.
  3. After such configuration, all requests to the domain name of the site will be directed not to the site itself, but to the WAF server.
  4. This server receives the request, processes it, and if the request meets the configured rules, sends it to the protected server. The WAF receives the requested information (web page, file) from this server and redirects it to the client (user).

How to outsmart the system

Since modern WAFs block many malicious requests, it will not be possible to use utilities like sqlmap or WPScan. DoS or DDoS attacks are also not possible.

Therefore, we have two options for action.

Next, we will focus on the second point. To implement it, we need to know the real IP address of the server and be sure that this server is capable of accepting requests directly from the network from anyone. The direct IP address of the server is often referred to as a bypass. Sometimes direct access to it is intentionally preserved so that the server can continue to operate in case of issues on the side of the WAF services.

For this purpose, we will use a script with a long but descriptive name: Bypass firewalls by abusing DNS history.

This utility tries to find out the real IP address of the server we need in two ways.

  1. Analysis of DNS record history.
  2. Search for subdomains and subsequent analysis of their IP addresses.

The script makes requests to check all found IP addresses.

A more detailed exposition of the theory can be found in the article "Calculating the real server IP behind Cloudflare/Qrator".

To practice

The script is publicly available on GitHub. I ran it on Kali Linux, but it can also work on other distributions.

The commands for installation on Kali look like this:

$ sudo apt install jq $ git clone https://github.com/vincentcox/bypass-firewalls-by-DNS-history

Command to install in the BlackArch distribution:

$ sudo pacman -S bypass-firewall-dns-history jq

Returning to Kali. The first line installs the necessary module for the script to work, and the second downloads the script from GitHub. To get help on using the tool, simply navigate to its directory and execute the following command:

$ bash bypass-firewalls-by-DNS-history.sh --help

As the report shows, the script developer provided several parameters:

  • -d — required key for using the script. With it, we specify the domain name of the site for which we want to find a bypass;
  • -a — with this parameter, the found IPs will be checked not only for the main domain but also for subdomains;
  • -l — this parameter allows you to load your list of subdomains into the script to perform a more detailed and accurate check;
  • -o — this parameter allows you to save the script's output to a file, the path to which is specified after the parameter.

And now let's run the script:

$ bash bypass-firewalls-by-DNS-history.sh -d <Your_target>

For example, I found a site that is vulnerable to this type of attack. Here is what the script output looks like for this site.

Result of the script execution

In the IP column, the IP addresses that can be directly accessed to the server will be recorded in turn. The second column indicates the probability that this is the correct IP, expressed as a percentage. In the Organisation column - the name of the company that owns this IP.

Let's take another example and expand the search area: add IP matching with subdomains:

$ bash bypass-firewalls-by-DNS-history.sh -d <Your_target> -a

Extended search result

Here, among other things, another column appears — Domain, in which the subdomains corresponding to the found IP addresses are listed.

To avoid losing the results of the work later, it is usually saved to a file. Well, let's use the -o parameter and specify the path to save the log in the user's home directory.

$ bash bypass-firewalls-by-DNS-history.sh -d <Your_target> -a -o /home/kali/<output.txt>

You can specify not the entire path, but only the file name in which the result will be written. The file will be saved in the folder with the script.

As you know, not everything can be hacked in one click. Sometimes programs also need help — in our case, we can make the task easier for the tool by compiling a comprehensive list of subdomains. We will fill this list using the Amass script, which does this very well. Amass is launched with the following command:

$ Amass enum -d <Your_target> -o <subdomains.txt>

Using the -d parameter, we specify our target, and with -o — the file to save the result.

The result of Amass's work

Returning to WAF Bypass. Now we will use the list of found subdomains to search for the real IP address of the attacked server:

$ bash bypass-firewalls-by-DNS-history.sh -d <Your arget> -l <subdomains.txt>

Result of WAF Bypass using the subdomain list

As we can see, two most likely bypass-ip have been found.

Trying skills in action

To dispel your doubts about the effectiveness of this method, I suggest conducting a small study. We will try to check several sites using this utility and compile a small statistic.

WARNING

All further actions were carried out solely for the purposes of training and research. The author does not intend to harm any company or individuals.

I want to clarify: we will only check servers that are protected by WAF. To verify this, we will use the built-in dig utility in Kali:

$ dig <DOMAIN> NS +short

The utility will output a list of DNS servers to which the site is connected. If you see Cloudflare DNS servers or other WAFs, it means that the site is protected against DOS and DDoS attacks.

We will also use a common command for testing:

$ bash bypass-firewalls-by-DNS-history.sh -d <Your_target> -a

So, let's go. Let's take, for example, a gaming site protected by Cloudflare. I won't show the domain for obvious reasons. Let's try to use our utility to bypass the WAF and see if we succeed.

Result of the test

As you can see, we received a list of possible bypasses, but it is too huge, and each IP has its own probability rating. This indicates that it is not so easy to break through large companies.

Now let's take a look at one of the servers for multiplayer gaming in Minecraft. They also often use DoS and DDoS protection services.

Result of the test

For the experiment, I take the first servers that come to hand. This one was foreign, and its protection held up.

Let's try something more defenseless — I came across a custom role-playing server for the game GTA V.

Result of the test

One hundred percent success. However, the server was so modest that it had to forcibly stop the full scan.

Now let's check a few news sites. The first "victim" (in quotes, since we caused no harm) was one popular news portal.

Result of the test

We received a huge number of errors. They are related to the fact that the log server limited our ability to make requests. However, this did not prevent the utility from succeeding. In the very first report, a bypass was found with a 100% probability, however, it was a subdomain.

Next, we will try a foreign educational magazine.

Result of the test

It can be noticed that the program has already started to fail, but still tried to find bypasses in the subdomains. The success rate is quite low.

And finally, the last candidate.

Result of the test

Success! A hundred percent bypass found.

Conclusions

As you can see, this method can really be used to find the right bypasses. Of course, it doesn't always work well, otherwise WAFs would be completely useless. However, if you come across one of them, don't give up, because now you have a couple of effective tools in your arsenal.

Read even more paid articles for free: https://t.me/hacker_frei

Link
https://telegra.ph/Haker---WAF-bypass-Kak-vyznat-IP-sajta-kotoryj-ispolzuet-WAF-ili-zashchitu-ot-DDoS-09-29
Summary
The article discusses methods to bypass Web Application Firewalls (WAF) that protect websites from attacks like DoS and DDoS. It explains how WAFs work by redirecting traffic through their servers to filter out malicious requests. To find the real IP address of a server behind a WAF, the article introduces a script called 'Bypass firewalls by abusing DNS history,' which utilizes two techniques: analyzing DNS history and checking subdomains for their IP addresses. The script is available on GitHub and can be run on various Linux distributions, including Kali Linux. Installation commands are provided, along with usage instructions for the script, which includes parameters for specifying the target domain and options for checking subdomains and saving results. The article illustrates the script's output, showing potential IP addresses and their likelihood of being correct, as well as the organizations that own them. This practical guide aims to equip readers with the knowledge to identify vulnerabilities in WAF-protected sites, emphasizing the importance of understanding web security measures.