Use the acquired knowledge for ethical purposes
Cloudflare is a company that provides CDN services, DDoS protection and so on. Simply put, the cloud reduces the load on the origin server, substitutes its own IP addresses for the origin's, protects against DDoS attacks, redirects all traffic to HTTPS (and thanks to the certificate you can connect payment systems) and offers many other functions. This is why the cloud's popularity grows every year; you can refer to the Wappalyzer statistics.
Topics covered:
- Briefly: how to set up Cloudflare
- Methods of finding the IP behind the cloud
- A ready-made solution for SSL search
Before searching for an IP, it is important to understand what the cloud does and how the administrator configures it, in order to have a rough idea of where the admin might make a mistake.
In short, how it works:
- The administrator registers an account on cloudflare.com
- Specifies the domain and chooses a free or paid plan. The main difference from the paid plan is that on the free plan you can only add 3 rules; that is, the functionality is limited, and if the administrator decides to save money, it will affect the security of his resource.
- Changes the domain's NS servers
- Installs an SSL certificate
- Sets the necessary rules, for example redirecting from http --> https
- Configures the WAF. If the administrator approaches the matter wisely, he will block not only the OWASP Top 10 but also suspicious traffic. How can he block crawling and scraping? Check whether the site is being accessed over plain HTTP or from IPv6, then request a captcha and redirect to HTTPS. IPv6 is practically not widespread among ordinary users; IPv6 addresses are usually cheap and are therefore often used for scraping and other dubious activity. According to statistics, over 98% of total global internet traffic is IPv4, even though IPv6 has many advantages. Next, the admin can block old HTTP protocol versions: behavioral bots predominantly use HTTP/1.0 and HTTP/1.1. And finally, he can create a filter so that the resource is accessible only from a specific country. Example rule:
  (ip.geoip.country ne "RU")
  Action: Block
As we have seen, setting up Cloudflare is quite a simple task. If the admin tries even a little, they can forget about Acunetix and other automated scanners. I think it's now clear why there is a need to find the IP behind the cloud.
But it's not always enough just to find the IP. For example, here is what an admin can do to protect against direct access to the site via IP on port 80:

```nginx
# Catch-all server for port 80: a request whose Host header matches none of the
# configured server_name values lands here and gets a 404 instead of the site.
server {
    listen 80 default_server;
    server_name _;
    return 404;
}
```

For port 443 (inside the HTTPS server block):

```nginx
# Refuse requests that reach the TLS endpoint with an unexpected Host header,
# e.g. a client that connected by bare IP address.
if ($host != "domain.com") {
    return 404;
}
```
Or he will create whitelists:
- Adding the CDN's IP addresses to the whitelist. This option is not very good because it requires constantly updating the list of CDN IPs.
- Adding a unique identifier from the request to the whitelist: the CDN sends a unique id to the server with every request.
- Adding a hidden host: a long combination of letters and numbers that only the CDN knows.
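As an added illustration of the three whitelist options above, here is a small Python request filter for an origin server; it is example code written for this edit, not code from the original post or from Cloudflare. It checks, in order, that the connecting address is inside the CDN's ranges, that the requested host is one the origin agrees to serve (including a "hidden host" name), and that the per-request identifier the CDN injects is present. The CDN prefixes, hostnames, header name and token are constructed placeholders; a real deployment would load the CDN's published IP list and its own secret.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholder prefixes standing in for the CDN's published IP list
# (RFC 5737 / RFC 3849 documentation ranges, deliberately NOT real Cloudflare ranges).
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]

# Hostnames the origin agrees to serve. The last one is the "hidden host": a long
# random name known only to the CDN (constructed value).
EXPECTED_HOSTS = {"domain.com", "www.domain.com", "q8r3v9k2m1x7.origin-only.example"}

# Shared secret the CDN is configured to add to every proxied request (constructed).
SECRET_HEADER = "X-Origin-Token"
SECRET_VALUE = "constructed-shared-secret"


@dataclass
class Request:
    src_ip: str                     # address the TCP connection came from
    host: str                       # Host header / SNI the client asked for
    headers: dict = field(default_factory=dict)


def from_cdn(ip: str) -> bool:
    """True when the connecting address belongs to one of the CDN prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def classify(req: Request) -> tuple:
    """Return ("allow", "ok") or ("drop", reason) for one inbound request."""
    if not from_cdn(req.src_ip):
        return "drop", "source address not in CDN ranges"   # direct hit on the origin IP
    if req.host not in EXPECTED_HOSTS:
        return "drop", "unexpected host"                     # e.g. Host: 198.51.100.10
    if req.headers.get(SECRET_HEADER) != SECRET_VALUE:
        return "drop", "missing or wrong origin token"       # CDN range spoofed or misconfigured
    return "allow", "ok"


def summarize(requests) -> dict:
    """Count decisions by reason: a quick detection view over a traffic sample."""
    counts = {}
    for req in requests:
        _, reason = classify(req)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed traffic sample: two legitimate proxied requests and three direct probes.
SAMPLE = [
    Request("203.0.113.9", "domain.com", {SECRET_HEADER: SECRET_VALUE}),
    Request("2001:db8::1", "www.domain.com", {SECRET_HEADER: SECRET_VALUE}),
    Request("198.51.100.77", "domain.com", {SECRET_HEADER: SECRET_VALUE}),  # scanner that knows the host
    Request("198.51.100.77", "198.51.100.10", {}),                           # bare IP probe on port 443
    Request("203.0.113.9", "domain.com", {}),                                # right range, no token
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(req.src_ip, req.host, *classify(req))
    print(summarize(SAMPLE))
```

The order of the checks matters for logging: a request rejected on the first check is a direct-to-origin probe, which is exactly the signal an admin should alert on, while a failure on the third check with a valid CDN source address points at a misconfigured CDN rule rather than an attacker.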
2. Finding the IP behind the cloud is a real problem. There are many ways to obtain it, but first you need to do basic reconnaissance:
- Find the IP range/CIDR
- Services that run on the server
- DNS records. The main record types: A (IPv4 address), AAAA (IPv6 address), MX (mail server), PTR (domain name for an IP), CNAME (an alias; the administrator can use a CNAME as an alias, for example example.com CNAME exam.com, or for load balancing between servers, for example www.exam.com CNAME server.exam.com, server2.exam.com), SOA (contains sensitive information such as the administrator's email, serial number, etc.), NS (name server; defines the authoritative name servers for the domain, that is, the servers that resolve queries for host names and determine which IP addresses should be used to reach the host), TXT (text data). Study all DNS records carefully: simple A, AAAA, CNAME or MX records can serve as a source of the original IP.
- Information about the web server. The whatweb utility can help here.
- Information about vhosts (virtual hosts): a type of hosting where multiple websites are located on one web server.
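The DNS point above, and the conclusion of this post that DNS misconfiguration exposes the origin, can be turned into a self-check. The following Python script is an added example written for this edit (not code from the original post): it audits a zone from the defender's side, walking A, AAAA, CNAME, MX and SPF TXT records and flagging every address that is not inside the CDN's ranges, which is the same thing an attacker reading the public records would look for. The zone contents and the CDN prefixes are constructed documentation-range values, not a real domain's records.

```python
import ipaddress
import re

# Constructed placeholder CDN prefixes (documentation ranges, not real Cloudflare ranges).
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]

# Constructed zone excerpt as (name, type, value) tuples. Not a real domain's records.
ZONE = [
    ("domain.com.",      "A",     "203.0.113.5"),        # proxied: answers with a CDN address
    ("domain.com.",      "AAAA",  "2001:db8::5"),
    ("www.domain.com.",  "CNAME", "domain.com."),
    ("dev.domain.com.",  "A",     "198.51.100.10"),      # forgotten subdomain pointing straight at the origin
    ("domain.com.",      "MX",    "10 mail.domain.com."),
    ("mail.domain.com.", "A",     "198.51.100.10"),      # mail host shares the origin's address
    ("ftp.domain.com.",  "CNAME", "dev.domain.com."),    # alias chain ends at the exposed host
    ("domain.com.",      "TXT",   "v=spf1 ip4:198.51.100.10 -all"),  # SPF leaks the mail server IP
]


def is_cdn(ip: str) -> bool:
    """True when the address sits inside one of the CDN prefixes."""
    return any(ipaddress.ip_address(ip) in net for net in CDN_RANGES)


def resolve(name: str, zone, _depth: int = 0) -> set:
    """Follow CNAME aliases (at most 8 hops) and return the A/AAAA addresses the name ends at."""
    if _depth > 8:
        return set()
    ips = set()
    for rname, rtype, value in zone:
        if rname != name:
            continue
        if rtype in ("A", "AAAA"):
            ips.add(value)
        elif rtype == "CNAME":
            ips |= resolve(value, zone, _depth + 1)
    return ips


def audit(zone) -> list:
    """Return (name, type, ip) for every record that ultimately points at a non-CDN address."""
    findings = []
    for name, rtype, value in zone:
        if rtype in ("A", "AAAA"):
            candidates = {value}
        elif rtype == "CNAME":
            candidates = resolve(value, zone)
        elif rtype == "MX":
            candidates = resolve(value.split()[-1], zone)     # "10 mail.domain.com." -> host part
        elif rtype == "TXT":
            candidates = set(re.findall(r"ip[46]:([^\s/]+)", value))  # SPF ip4:/ip6: mechanisms
        else:
            continue
        for ip in sorted(candidates):
            if not is_cdn(ip):
                findings.append((name, rtype, ip))
    return findings


def exposed_ips(zone) -> set:
    """Distinct non-CDN addresses the zone reveals; these are the origin candidates."""
    return {ip for _, _, ip in audit(zone)}


if __name__ == "__main__":
    for name, rtype, ip in audit(ZONE):
        print(f"{name:20} {rtype:6} exposes {ip}")
    print("exposed origin candidates:", exposed_ips(ZONE))
```

Run against a real zone export, every finding is a record to proxy through the CDN, move to a separate address, or remove; the MX and SPF cases are the ones most often overlooked because mail cannot be proxied the way HTTP can, so the mail host should not share the web origin's address.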
Here are the main ones that you probably already know about:
- Brute-force subdomains. You can try to brute-force subdomains; if you're lucky, you will obtain the server's IP.
- View the SSL certificate
- Register on the site and view the service headers in the mail, or receive a letter by any other means from the mail service located on the victim's server. You can try to request a password reset, create a ticket, etc.
- Check the website's source code for IPs in HTML tags or in JS scripts
- MurmurHash. Calculate the hash of the favicon and search https://www.shodan.io/search/report?query=http.favicon.hash:<hash>
- Censys, Shodan, SecurityTrails
- Send a message to a non-existent address, for example [email protected]. If we're lucky, we will receive a delivery failure notice, and the server address may be in it.
Now let's try some methods in practice.
- Let's try to scan the test resource for subdomains:

```sh
subfinder -d domain.com
```

Unfortunately, only domain.com and www.domain.com were found.
- Let's look at the DNS records. This can be done through nslookup and other utilities, but there's no point when everything has already been thought out for us and there is a ready-made web resource that immediately provides the records.
Click xseo and enter the domain there.
In essence, there was nothing useful here.
- Now let's engage our brains and remember what IPv4 consists of.
An IPv4 address is a 32-bit address that identifies a device on a network. It is written as 4 groups of digits (octets), each of up to 3 digits.
IPv4 identifies the network and a specific host on the network. Here is an example of an IPv4 address: 185.107.80.231.
256 × 256 × 256 × 256 = 256^4, that is over 4 billion available IPv4 addresses; if you scan them for open port 443, you end up with more than 45 million IPv4 hosts. Now think about what resources are needed to find the target's IP among them. It is not rational to hammer all 45 million at once: it is slow and expensive.
As one important person said, the more information we know about the victim, the easier it is to hack them.
Pay attention to the social networks attached to the resource:
The more information we learn about the country and the city, the better. There is a high probability that if the admin lives in country N, he will use the services of hosts N. If this is the case, we will save resources significantly.
Let's say, if we have determined that the site belongs to an Italian, then for a quick check we can discard the USA, China, and all other countries except Italy. It will already be clearly not 45 million ipv4:443. And if we also find out the city, then the check will be performed as quickly as possible.
Find the IP range for the city of Clifton (link).
5.62.114.0-5.62.114.255, in this format. Scanning for open port 443:

```sh
sudo masscan -iL iprange.txt -p443 --open-only
```
Now we have ip:443 with an open port in the city of Clifton. Now we just need to get the domains from these certs. I have essentially done everything for you.
```sh
openssl s_client -connect ip:443 </dev/null 2>&1 | grep -E "target.com"
```

or, if you want to output all domain names present in the output, use a regex (the `(?:...)` groups need grep's -P mode; `</dev/null` stops s_client from waiting on stdin):

```sh
openssl s_client -connect ip:443 </dev/null 2>&1 | grep -oP "(?:https?://)?(?:www\.|\*\.)?\b[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*\.[a-zA-Z]{2,}\b"
```

The CN field is where our little house lives.
Here is a Perl script that automates the process of finding the required SSL certificate for target.com:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Time::HiRes qw(time);

# Reading host:port entries (one per line, e.g. from the masscan run) from the file 'ip'
open(my $fh, '<', 'ip') or die "Failed to open file 'ip': $!";
my @ip_list = <$fh>;
close($fh);

# Command template: %s is replaced with the host:port. </dev/null stops s_client
# waiting on stdin, 2>&1 folds its diagnostics into the pipe (replace target.com with your target).
my $command = q{openssl s_client -connect %s </dev/null 2>&1 | grep -E "CN = target.com"};

# Executing the command for each IP, sequentially, with a 5 second limit per host
foreach my $ip (@ip_list) {
    chomp $ip;
    next unless length $ip;
    my $command_with_ip = sprintf($command, $ip);
    print "Executing command for IP: $ip\n";
    my $result;
    my $start_time = time();
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm 5;                          # Setting the timer for 5 seconds
        $result = `$command_with_ip`;     # backticks capture grep's matching lines
        alarm 0;                          # Reset timer
    };
    alarm 0;                              # Make sure no alarm survives a die
    my $elapsed_time = time() - $start_time;
    if ($@) {
        if ($@ =~ /timeout/) {
            print "No response for more than 5 seconds. Moving to the next iteration\n";
            next;
        }
        die "An error occurred while executing the command for IP $ip: $@";
    }
    printf "Result for IP: %s (%.2f s)\n", $ip, $elapsed_time;
    print $result if defined $result && length $result;
}
```
Everything is basically ready :)
3. Now it's time to look for ready-made solutions on thematic forums
A person is selling the same solution for $1000, but right now he has a discount and is selling it for $500 :DDDDDDDD
To make the article not boring, I decided to buy this thing from him. After all, the topic is relevant and he has 34 responses in the thread, people are interested, some even buy.
Description of his product
What's new in 1.2?
- New design of the Web panel
- Adding a new configuration through the browser
- Editing IP addresses through the browser
- Fix bug with SNI protocol (the software did not append the domain in client-hello)
Software is for sale that finds real IP addresses of servers where websites connected to Cloudflare and other CDNs are located.
The probability of finding it is not 100%, if the website owner has correctly configured their server, then it is impossible to find their real IP (But as a rule, most people ignore this and the IP is found).
Not based on DNS, domain history lookups or public databases.
The real IP of localbitcoins.com was found in 2 days on a medium-power server.
A server with a powerful processor and a good internet connection is required for operation. The hosting must allow scanning.
You can use multiple servers simultaneously and scan from them centrally.
Web panel is present (since version 1.1), convenient configuration of scanning parameters, statistics, logs, the ability to scan from multiple servers at once, multilingual support.
Also, starting from version 1.2, the Web panel has been completely redesigned (the very first screenshot), now all actions are performed not manually by editing configuration files but through the browser, which is very convenient.
There are 2 ways to search, multithreading is supported. It is possible to search multiple sites simultaneously, there is a configuration file. Results are saved in txt.
The software works on Windows and Linux, however, on Linux the search speed is much faster.
Price: 1000$
500$ together with the source files
Plans to optimize speed, add new search algorithms, implement preliminary search across databases and services, and much more. The price will be increased with the next update!
Everyone who purchased at the current price will receive all future updates for free. Software without bindings and other junk, the code is not obfuscated)
The person sent me an archive after payment
Here is the content:
So he just has a web interface: we launch the scanner and the web panel through screen, import the MySQL database, install the necessary libraries, load ip:443 and add targets.
2 operating modes. The HTTP one, as he told me, does not work, because a lot of garbage comes flying back.
For some reason the software does not accept 45 million ip:443 entries at once, so they had to be split into chunks of 1.3 million.
There are also bugs, for example, it checks 1 file with IP addresses, but does not proceed to the next one.
You can choose the number of threads.
Overall, the idea is good, but the project is very raw. It's unclear which servers to purchase to achieve decent speed. On my RDP, a scan with 200 threads would take more than a month for 1 target)))) In short, the software turned out to be useless for me, I don't have such resources.
Conclusion:
Incorrect DNS configuration leads to the exposure of the site's real IP. There are many ways to find the IP behind a CDN, I only covered the most basic ones. It is important to use these methods with caution and in accordance with the law to avoid violating the privacy and security of users.