OP 06 October, 2019 - 09:55 PM
I know probably a lot of people know this, but this is for those who don't. No harm in sharing right? So lets get on..
What is Cloudflare: Cloudflare is a big pain to us hackers. Apparently to Cloudflare they have about 155 data centers around the world that works by caching their customers' websites and static resources. When you visit the website it will use your IP location and use it to connect you to the same server in your country to make the website faster because you will have less bandwidth and reduces latency. This is good for people who own websites and it add more security by DDoS mitigation, Internet security and distributed domain name server services, SQLI, XSS, CSRD and even alerting when it detects an attack for paid subscription. This means you will never get the original servers IP and always Cloudflare IP.
Cloudflare is Bad: I also hate Cloudflare and I have a good reason. They protect anyone's websites. Back when there was OpISIS and OpKKK half of the websites we was attacking was protected by Cloudflare. Meaning it was making it harder for us to do anything. With a Cloudflare IP there are no ports open and you will not find any vulnerabilities. The only way to do recon scans is to get the Original IP
Getting The Original IP By SSL & Subdomains: There are a few ways to getting the Original IP but it does not always work and some sites you will not find the Original IP. Using tools like Burp, Virtual host discovery and Find virtual hosts. you can use them to try and find an Subdomains witch may lead to the original server IP. If your target site has SSL you can use sites like Censys, ZoomEye and Shodan to look up the SSL Certificate and find the servers IP address using the certificate.
WordPress: WordPress is notoriously know to be very good sites to hack and lucky for us the XML-RPC Pingback can expose the servers IP. To check if your target is using XML you can go to "www.target.ru//xmlrpc.php" and if you see "accepts POST requests only" this means the WP has XML enabled. Using Burp and the burp collaborator payloads you might be able to get the servers IP.
Email Headers: Another good way is to try and get your target website to send you an email. using fake email sign up to the site or if they have a newsletter sign up to it. either way, try and get them to email you. When you get the email view the headers and source.Normal if you look up "Return-Path" you will see an email. using the host of the email and curl you might be able to get the servers IP.
Tools: There is lots of tools on GitHub and here is a few.
https://github.com/christophetd/CloudFlair
https://github.com/HatBashBR/HatCloud
https://github.com/vincentcox/bypass-fi ... NS-history
http://www.crimeflare.org:82/cfs.html
https://github.com/m0rtem/CloudFail
DNS Tools:
dns-trails: https://securitytrails.com/dns-trails
Netcraft: https://toolbar.netcraft.com/site_report?url=
DNSdumpster: https://dnsdumpster.com/
DNSQueries: https://www.dnsqueries.com/en/domain_check.php
If i have Missed anything or you would like to add feel free to.
What is Cloudflare: Cloudflare is a big pain to us hackers. Apparently to Cloudflare they have about 155 data centers around the world that works by caching their customers' websites and static resources. When you visit the website it will use your IP location and use it to connect you to the same server in your country to make the website faster because you will have less bandwidth and reduces latency. This is good for people who own websites and it add more security by DDoS mitigation, Internet security and distributed domain name server services, SQLI, XSS, CSRD and even alerting when it detects an attack for paid subscription. This means you will never get the original servers IP and always Cloudflare IP.
Cloudflare is Bad: I also hate Cloudflare and I have a good reason. They protect anyone's websites. Back when there was OpISIS and OpKKK half of the websites we was attacking was protected by Cloudflare. Meaning it was making it harder for us to do anything. With a Cloudflare IP there are no ports open and you will not find any vulnerabilities. The only way to do recon scans is to get the Original IP
Getting The Original IP By SSL & Subdomains: There are a few ways to getting the Original IP but it does not always work and some sites you will not find the Original IP. Using tools like Burp, Virtual host discovery and Find virtual hosts. you can use them to try and find an Subdomains witch may lead to the original server IP. If your target site has SSL you can use sites like Censys, ZoomEye and Shodan to look up the SSL Certificate and find the servers IP address using the certificate.
WordPress: WordPress is notoriously know to be very good sites to hack and lucky for us the XML-RPC Pingback can expose the servers IP. To check if your target is using XML you can go to "www.target.ru//xmlrpc.php" and if you see "accepts POST requests only" this means the WP has XML enabled. Using Burp and the burp collaborator payloads you might be able to get the servers IP.
Email Headers: Another good way is to try and get your target website to send you an email. using fake email sign up to the site or if they have a newsletter sign up to it. either way, try and get them to email you. When you get the email view the headers and source.Normal if you look up "Return-Path" you will see an email. using the host of the email and curl you might be able to get the servers IP.
Tools: There is lots of tools on GitHub and here is a few.
https://github.com/christophetd/CloudFlair
https://github.com/HatBashBR/HatCloud
https://github.com/vincentcox/bypass-fi ... NS-history
http://www.crimeflare.org:82/cfs.html
https://github.com/m0rtem/CloudFail
DNS Tools:
dns-trails: https://securitytrails.com/dns-trails
Netcraft: https://toolbar.netcraft.com/site_report?url=
DNSdumpster: https://dnsdumpster.com/
DNSQueries: https://www.dnsqueries.com/en/domain_check.php
If i have Missed anything or you would like to add feel free to.
