
Resolving IP addresses masked by Cloudflare.


Cloudflare (CF) protected websites add a difficult hurdle to the reconnaissance stage, especially when it comes to resolving the masked origin IP address.

This guide contains methods for finding IP addresses of websites masked by CF.


#1 - Subdomain enumeration

The target website may have subdomains that are not configured to go through the Cloudflare proxy. If the target website uses only one static IP and has unproxied subdomains, pinging them exposes the real IP address.

Where the domain example.com resolves to a CF IP address, subdomain email.example.com may resolve to the masked IP address.

  • ping example.com 104.0.0.0 - Cloudflare
  • ping email.example.com 178.0.0.0 - NOT Cloudflare

Keep in mind that websites don’t always use one static IP address. Even though a non-CF IP address was found on email.example.com, it doesn’t mean that example.com is running on the same IP address; shop.example.com, for instance, may resolve to Shopify.

The above process is more productive and less time-consuming when using a tool.

Using recon-ng with the related module against our target would go as follows from the terminal:

recon-ng -w target
add domains scammer.info
use recon/domains-hosts/brute_hosts
run
show hosts

There are blank IPs for some of the hosts, so we’ll need to resolve those, and also reverse-resolve the IP addresses to extend our intel.

use recon/hosts-hosts/resolve
run
use recon/hosts-hosts/reverse_resolve
run

[image: resolved hosts table]

We found two IP addresses that are not CF: 178.32.177.168 & 164.132.207.114. Additionally, we found another domain on the same IP address as our target, which is a useful side note that greatly extends our progress.

Good subdomain enumeration is key to the success of this method. Although tools are effective at enumerating subdomains with a generic list, compiling and importing a custom subdomain list may prove decisive.

For instance, faceapp was found to have a huge number of subdomains named after characters from the Game of Thrones television show.


#2 - Subject Alternative Name (SAN)

SAN allows various values to be associated with a certificate by using the subjectAltName field. Typically, the field includes multiple domain names.

If a company has multiple other domains configured with Cloudflare, they may appear in the subjectAltName field of the same Cloudflare certificate.

sslscan can list the subjectAltName entries of a Cloudflare certificate.

sslscan yippeetech.com

[image: sslscan output]

The results display domains that correlate to our original target domain:

  • yippeetech.co.uk
  • yippeetech.net

The newly found domains can now be fed into the subdomain enumeration method.

Scam websites such as yippeetech.com tend to use domains that look very similar, making them easy to identify.

#3 - DNS Lookup

If the target website uses an email service, the information is included in the MX record of its DNS zone. If the same server hosts the email service, rather than a third-party service such as Gmail, the MX record will point at a hostname that resolves to the server’s IP address.

dnsrecon is a great tool for querying a website’s DNS records.

dnsrecon -d scammer.info

[image: dnsrecon output]

The results show that the A records are configured correctly behind the CF proxy, whereas the MX record shows lobban.info as the mail host name and exposes a server IP address.

The previous subdomain enumeration results for scammer.info showed:

  • lobban.info = 164.132.207.114
  • email.scammer.info = 164.132.207.114

This means that the domain name lobban.info isn’t a third-party email service provider, and the IP 164.132.207.114 is the actual IP address of scammer.info.
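
The subdomain check in #1 and the MX check above are the same test seen from the defender’s side: which records in a zone resolve to something other than a Cloudflare edge. The following Python audit is an added example, not code from the original post or from recon-ng/dnsrecon; the zone data is constructed from documentation addresses, and the Cloudflare range list is a snapshot that should be refreshed from the published URL before use.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# The list changes over time: refresh it from that URL before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare(ip):
    """True if the address falls inside one of Cloudflare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def audit_zone(records):
    """records maps hostname -> {"A": [ips], "MX": [mail hostnames]}.
    Returns sorted (hostname, record, ip) tuples whose address is not a
    Cloudflare edge, i.e. records that bypass the proxy and may expose the
    origin (an unproxied subdomain as in #1, or a self-hosted MX as in #3)."""
    findings = []
    for host, rrs in records.items():
        for ip in rrs.get("A", []):
            if not is_cloudflare(ip):
                findings.append((host, "A", ip))
        # An MX record names a host, not an address: follow it to that host's A records.
        for mx in rrs.get("MX", []):
            for ip in records.get(mx, {}).get("A", []):
                if not is_cloudflare(ip):
                    findings.append((host, "MX->" + mx, ip))
    return sorted(findings)

# Constructed sample zone (documentation addresses, not real hosts): a proxied
# web host, an unproxied mail host that the MX points at, and a third-party
# shop host, which is also flagged but is not the origin (the caveat in #1).
SAMPLE_ZONE = {
    "example.com":       {"A": ["104.16.1.1"], "MX": ["email.example.com"]},
    "www.example.com":   {"A": ["172.64.5.5"]},
    "email.example.com": {"A": ["192.0.2.10"]},
    "shop.example.com":  {"A": ["198.51.100.7"]},
}

if __name__ == "__main__":
    for host, record, ip in audit_zone(SAMPLE_ZONE):
        print(f"{host:20} {record:24} {ip:16} not behind Cloudflare")
```

A flagged record is a candidate, not a confirmation: as the shop host shows, a non-CF address may belong to a third-party service rather than the origin.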

#4 - Image IP grabbing

The code:

<?php echo $_SERVER['REMOTE_ADDR']; ?>

is used by PHP-coded websites to store or display the IP address of external agents that visit or crawl the website.

This can be taken advantage of by uploading images to external websites via links that serve this code.

Visit iplogger.org, select the invisible image option and generate a link. The link can now be posted on a website where image upload options are available.

[image: iplogger.org account page]

This method is very useful against forum websites, as they often have avatar and signature image upload options.

The server will fetch the uploaded image, and its IP address will be stored under the logged IPs tab.

[image: logged IPs tab]

#5 - Email Headers

Email headers contain the sender’s IP address and other information. If there is a non-CF IP in the header, it can be investigated further. If there doesn’t seem to be a way to receive an email from the website, we could try sending an email to a random recipient at the website’s domain.

For example: to: j0hnd03@example.com

Although the recipient doesn’t exist, doing so may cause the target to reply with an automated “your email was undelivered” bounce.

Take the following email header for example:

Delivered-To: myemail@gmail.com
Received: by 10.60.14.3 with SMTP id l3csp12958oec;
Mon, 5 Mar 2012 23:11:29 -0800 (PST)
Received: by 10.236.46.164 with SMTP id r24mr7411623yhb.101.1331017888982;
Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Return-Path: <securityalert@verifybyvisa.com>
Received: from ms.externalemail.com (ms.externalemail.com. [XXX.XXX.XXX.XXX])
by mx.google.com with ESMTP id t19si8451178ani.110.2012.03.05.23.11.28;
Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Received-SPF: fail (google.com: domain of securityalert@verifybyvisa.com does not designate XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of securityalert@verifybyvisa.com does not designate XXX.XXX.XXX.XXX as permitted sender) smtp.mail=securityalert@verifybyvisa.com
Received: with MailEnable Postoffice Connector; Tue, 6 Mar 2012 02:11:20 -0500
Received: from mail.lovingtour.com ([211.166.9.218]) by ms.externalemail.com with MailEnable ESMTP; Tue, 6 Mar 2012 02:11:10 -0500
Received: from User ([118.142.76.58])
by mail.lovingtour.com
; Mon, 5 Mar 2012 21:38:11 +0800
Message-ID: <6DCB4366-3518-4C6C-B66A-F541F32A4C4C@mail.lovingtour.com>
Reply-To: <securityalert@verifybyvisa.com>
From: "securityalert@verifybyvisa.com"<securityalert@verifybyvisa.com>
Subject: Notice
Date: Mon, 5 Mar 2012 21:20:57 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0055_01C2A9A6.1C1757C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-ME-Bayesian: 0.000000

The above header shows two key pieces of information:

  • Received: from mail.lovingtour.com ([211.166.9.218]) - email server relay IP address.
  • Received: from User ([118.142.76.58]) - sender’s originating IP address.
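
The two relay addresses called out above can be pulled from the chain programmatically. This Python snippet is an added example, not part of the original post: it walks the Received headers in delivery order and reports each hop’s host and bracketed address, which is how a mail administrator checks what their own server discloses in outbound mail and bounces. The header text is a constructed re-folding of the sample above, with the redacted hop left as shown.

```python
import ipaddress
import re
from email import message_from_string, policy

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: the Received chain from the header in the post, folded
# the way a real message is (continuation lines indented). The redacted
# XXX hop is kept as the post shows it, so it yields no address.
SAMPLE_HEADERS = """\
Received: by 10.60.14.3 with SMTP id l3csp12958oec;
 Mon, 5 Mar 2012 23:11:29 -0800 (PST)
Received: from ms.externalemail.com (ms.externalemail.com. [XXX.XXX.XXX.XXX])
 by mx.google.com with ESMTP id t19si8451178ani.110.2012.03.05.23.11.28;
 Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Received: with MailEnable Postoffice Connector; Tue, 6 Mar 2012 02:11:20 -0500
Received: from mail.lovingtour.com ([211.166.9.218]) by ms.externalemail.com
 with MailEnable ESMTP; Tue, 6 Mar 2012 02:11:10 -0500
Received: from User ([118.142.76.58])
 by mail.lovingtour.com
 ; Mon, 5 Mar 2012 21:38:11 +0800
"""

def received_hops(raw_headers):
    """Relay path as (from_host, ip) pairs, earliest hop first. Each relay
    prepends its own Received header, so the bottom-most one is the submitting
    client and the top-most the final destination; the list is reversed to
    read chronologically. Missing parts are reported as None."""
    msg = message_from_string(raw_headers, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # normalise folded whitespace
        m_from = re.match(r"from\s+(\S+)", text)
        m_ip = IPV4_IN_BRACKETS.search(text)
        hops.append((m_from.group(1) if m_from else None,
                     m_ip.group(1) if m_ip else None))
    return hops

def public_ips(raw_headers):
    """Public addresses in the chain, origin first: the ones to compare
    against your own infrastructure when reviewing what a bounce discloses."""
    return [ip for _, ip in received_hops(raw_headers)
            if ip and ipaddress.ip_address(ip).is_global]

if __name__ == "__main__":
    for host, ip in received_hops(SAMPLE_HEADERS):
        print(f"{host or '(no from clause)':24} {ip or '(no address)'}")
```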

Email headers can be an eyesore to read. Luckily, mxtoolbox does a good job of displaying them in a more readable form.

[image: mxtoolbox header analyzer output]


There will be a part two of this blog posted soon, which will be about the XML-RPC pingback method.

Keep your HAM radio close by for further updates.

If you don’t have one, you may prefer to follow me on Twitter.