Resolving IP addresses masked by Cloudflare.

Cloudflare (CF) protected websites add a difficult hurdle to the reconnaissance stage, especially where resolving the masked IP address is concerned.

This guide contains methods for finding IP addresses of websites masked by CF.

#1 - Subdomain enumeration

The target website may have subdomains that are not configured behind the Cloudflare proxy. If the target website uses only one static IP and has unproxied subdomains, pinging them exposes the real IP address.

Where the domain resolves to a CF IP address, a subdomain may resolve to the masked IP address.

  • ping - Cloudflare
  • ping - NOT Cloudflare

Keep in mind that websites don’t always use one static IP address, which means that even though a non-CF IP address was found on, it doesn’t mean that is running on the same IP address. may resolve to Shopify.

The above process is more productive and less time-consuming when using a tool.

Using recon-ng with the related modules against our target would go as follows from the terminal:

recon-ng -w target
add domains
use recon/domains-hosts/brute_hosts
show hosts

There are blank IPs for some of the hosts, so we’ll need to resolve those, and also reverse-resolve the IP addresses to extend our intel.

use recon/hosts-hosts/resolve
use recon/hosts-hosts/reverse_resolve


We found two IP addresses that are not CF: &. Additionally, we found another domain on the same IP address as our target, which is a great side note and greatly extends our progress.

Good subdomain enumeration is key to the success of this method. Although tools are effective at enumerating subdomains with a generic list, compiling and importing a custom subdomain list may prove decisive.

It was discovered that FaceApp has a large number of subdomains named after characters from the Game of Thrones television show.

#2 - Subject Alternative Name (SAN)

SAN allows various values to be associated with a certificate by using the subjectAltName field. Typically, the field includes multiple domain names.

If a company has multiple other domains configured with Cloudflare, they may appear in the subjectAltName field of the same Cloudflare certificate.

sslscan can check the subjectAltName field of a Cloudflare certificate for domains.

The results display domains that correlate to our original target domain:


The newly found domains can now be used with the subdomain enumeration method.

Scam websites such as tend to use domains that look very similar, making them easy to identify.
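As an added example, not from the post: extracting the subjectAltName list with Python’s standard ssl module instead of sslscan, and collapsing it to the distinct registrable domains that share the certificate. The sample certificate dict is constructed in the shape getpeercert() returns; fetch_cert is there for live use and needs network access.

```python
import socket
import ssl


def san_dns_names(cert: dict) -> list:
    """DNS names from a cert dict shaped like ssl.SSLSocket.getpeercert().
    Wildcard prefixes are dropped so names can feed subdomain enumeration."""
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value.startswith("*."):
            value = value[2:]
        if value not in names:          # keep order, drop duplicates
            names.append(value)
    return names


def registrable_domains(names) -> list:
    """Collapse host names to their last two labels so unrelated domains on one
    certificate stand out. Naive split: co.uk-style suffixes need a PSL."""
    seen = []
    for name in names:
        domain = ".".join(name.split(".")[-2:])
        if domain not in seen:
            seen.append(domain)
    return seen


def fetch_cert(host: str, port: int = 443) -> dict:
    """Fetch a live host's leaf certificate (network needed; not used below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape: a hypothetical shared certificate
# covering two unrelated example domains.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "*.example.com"),
        ("DNS", "example.com"),
        ("DNS", "*.example.net"),
        ("DNS", "shop.example.net"),
    ),
}

if __name__ == "__main__":
    names = san_dns_names(SAMPLE_CERT)   # or san_dns_names(fetch_cert("host"))
    print(names)
    print(registrable_domains(names))
```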

#3 - DNS Lookup

If the target website is using an email service, the information is included in the MX record of its DNS zone. If the same server is being used to host the email service, and not a third-party service such as Gmail, the MX record will lead to the server IP address.

DNS Recon is a great tool for searching a website’s DNS record.

dnsrecon -d


The results show that the A records are configured correctly behind the CF proxy, whereas the MX record shows a domain name that exposes a server IP address.

The previous subdomain enumeration results for showed:

  • =
  • =

This means that the domain name isn’t a third-party email service provider, and the IP: is the actual IP address of
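As an added example (not from the post), a Python check a domain owner can run over their own resolved DNS records to flag the A or MX entries that point outside Cloudflare’s published edge ranges, which is the test behind both the subdomain enumeration method (#1) and the MX lookup (#3). The sample records and the example.com zone are constructed; the range list is a snapshot and should be refreshed from https://www.cloudflare.com/ips-v4 before use.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Assumption: the list is current; refresh it from that URL before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip: str) -> bool:
    """True when the address sits inside a Cloudflare edge range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def exposed_records(records):
    """records: iterable of (name, rtype, ip). Returns those whose address is
    not a Cloudflare edge, i.e. candidate origin addresses (A or MX alike)."""
    return [(n, t, ip) for n, t, ip in records if not is_cloudflare(ip)]


def origin_candidates(records):
    """Group exposed records by address so hosts sharing one origin stand out."""
    by_ip = {}
    for name, rtype, ip in exposed_records(records):
        by_ip.setdefault(ip, []).append(f"{name} ({rtype})")
    return by_ip


# Constructed sample of resolved records for a hypothetical example.com zone;
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
SAMPLE = [
    ("example.com", "A", "104.16.1.1"),            # proxied: Cloudflare edge
    ("www.example.com", "A", "172.64.5.5"),        # proxied: Cloudflare edge
    ("dev.example.com", "A", "203.0.113.10"),      # unproxied subdomain
    ("mail.example.com", "MX", "203.0.113.10"),    # MX host on the same box
    ("shop.example.com", "A", "198.51.100.7"),     # unproxied, separate host
]

if __name__ == "__main__":
    for ip, names in origin_candidates(SAMPLE).items():
        print(ip, "<-", ", ".join(names))
```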

#4 - Image IP grabbing

The code:

<?php echo $_SERVER['REMOTE_ADDR']; ?>

is used by PHP-coded websites to store or display the IP address of external agents that visit or crawl the website.

This can be taken advantage of by uploading images to external websites via links that contain this code.

Visit and select invisible image, then generate a link. The link can now be posted on a website where image upload options are available.


This method is very useful against forum websites, as they often have avatar and signature image upload options.

The server will fetch and parse the linked image, and its IP address will then be stored under the logged IPs tab.


#5 - Email Headers

The contents of email headers contain the sender IP address and other information. If there is a non-CF IP in the header, it can be further investigated. If there doesn’t seem to be an avenue to receive an email from the website, we could try sending an email to a random recipient at the website domain.

For example: to:

Although the recipient doesn’t exist, doing so may cause the target to reply with a “your email was undelivered” automated reply.

Take the following email header for example:

Received: by with SMTP id l3csp12958oec;
Mon, 5 Mar 2012 23:11:29 -0800 (PST)
Received: by with SMTP id r24mr7411623yhb.101.1331017888982;
Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Return-Path: <>
Received: from ( [XXX.XXX.XXX.XXX])
by with ESMTP id t19si8451178ani.110.2012.;
Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Received-SPF: fail ( domain of does not designate XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;
Authentication-Results:; spf=hardfail ( domain of does not designate XXX.XXX.XXX.XXX as permitted sender)
Received: with MailEnable Postoffice Connector; Tue, 6 Mar 2012 02:11:20 -0500
Received: from ([]) by with MailEnable ESMTP; Tue, 6 Mar 2012 02:11:10 -0500
Received: from User ([])
; Mon, 5 Mar 2012 21:38:11 +0800
Message-ID: <>
Reply-To: <>
From: “”<>
Subject: Notice
Date: Mon, 5 Mar 2012 21:20:57 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-ME-Bayesian: 0.000000

The above header shows two key pieces of information:

  • Received: from ([]) - email server relay IP address.
  • Received: from User ([]) - sender’s location IP address.

Email headers can be an eyesore to view. Luckily, mxtoolbox does a good job of displaying a more readable output.
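As an added example, not from the post: parsing the Received: chain with Python’s standard library to list every relay address in transit order and to separate internal hops from routable ones, so the address a bounce or notification mail reveals can be compared with the proxied A record. The header is a constructed sample modelled on the one above, using RFC 5737 documentation addresses and hypothetical host names.

```python
import ipaddress
import re
from email import message_from_string

# Bracketed IPv4 literals as relays write them, e.g. "mail.example.com ([203.0.113.25])".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# RFC 1918, loopback and link-local. Deliberately narrower than the stdlib's
# is_global, which would also reject the RFC 5737 documentation addresses below.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def received_hops(raw_headers: str) -> list:
    """(ip, routable) for every bracketed address in the Received: chain, in
    transit order. Each relay prepends its own Received: header, so the last
    header in the message is the hop closest to the originating host."""
    msg = message_from_string(raw_headers)
    hops = []
    for header in reversed(msg.get_all("Received") or []):
        hops.extend((ip, is_routable(ip)) for ip in IP_RE.findall(header))
    return hops


def routable_hops(raw_headers: str) -> list:
    """Only the addresses worth comparing against the proxied A record."""
    return [ip for ip, ok in received_hops(raw_headers) if ok]


# Constructed sample modelled on the header in the post: RFC 5737 addresses,
# hypothetical host names. Bracketed literals only; "by 10.0.0.1" is ignored.
SAMPLE = """\
Received: by 10.0.0.1 with SMTP id abc123; Mon, 5 Mar 2012 23:11:29 -0800 (PST)
Received: from mail.example.com (mail.example.com. [203.0.113.25])
        by mx.recipient.test with ESMTP id xyz789; Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Received: from webserver ([192.168.1.20]) by mail.example.com with ESMTP;
        Tue, 6 Mar 2012 02:11:10 -0500
Received: from User ([198.51.100.7]); Mon, 5 Mar 2012 21:38:11 +0800
From: "Mailer" <noreply@example.com>
Subject: Notice

"""

if __name__ == "__main__":
    for ip, ok in received_hops(SAMPLE):
        print(ip, "routable" if ok else "internal")
    print("routable hops:", routable_hops(SAMPLE))
```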


There will be a part two of this blog posted soon, which will be about the XML-RPC pingback method.

Keep your HAM radio close by for further updates.

If you don’t have one, you may prefer to follow me on Twitter.