Resolving IP addresses masked by Cloudflare.
Cloudflare (CF) protected websites add a difficult hurdle to the reconnaissance stage, especially when it comes to resolving the masked origin IP address.
This guide contains methods for finding IP addresses of websites masked by CF.
The target website may have subdomains that are not proxied through Cloudflare. If the target website uses only one static IP and has unproxied subdomains, pinging them exposes the real IP address.
Where the domain example.com resolves to a CF IP address, the subdomain email.example.com may resolve to the masked IP address.
ping example.com
184.108.40.206 - Cloudflare
ping email.example.com
220.127.116.11 - NOT Cloudflare
Keep in mind that websites don't always use one static IP address, so even though a non-CF IP address was found on email.example.com, it doesn't mean that example.com is running on the same IP address. shop.example.com, for instance, may resolve to Shopify.
The above process is more productive and less time-consuming when using a tool.
Using recon-ng with the related module against our target would go as follows from the terminal:
recon-ng -w target
add domains scammer.info
use recon/domains-hosts/brute_hosts
run
show hosts
Some of the discovered hosts have no IP address yet, so we'll need to resolve those, and also reverse-resolve the IP addresses to extend our intel.
use recon/hosts-hosts/resolve
run
use recon/hosts-hosts/reverse_resolve
run
We found two IP addresses that are not CF: 18.104.22.168. Additionally, we found another domain on the same IP address as our target, a useful side note that extends our progress.
Good subdomain enumeration is key to the success of this method. Although tools are effective at enumerating subdomains with a generic list, compiling and importing a custom subdomain list may prove decisive.
The Subject Alternative Name (SAN) extension allows multiple values to be associated with one certificate via the subjectAltName field. Typically, the field lists several domain names.
If a company has multiple other domains configured with Cloudflare, they may appear in the subjectAltName field of the same Cloudflare certificate.
SSLscan can list the subjectAltName entries of a Cloudflare certificate.
The results display domains that correlate to our original target domain:
The newly found domains can now be fed back into the subdomain enumeration method.
Scam websites such as yippeetech.com tend to use domains that look very similar, making them easy to identify.
If the target website uses an email service, that information is included in the MX record of its DNS zone. If the same server hosts the email service, rather than a third-party service such as Gmail, the MX record will point at the server's IP address.
DNSRecon is a great tool for searching a website's DNS records.
dnsrecon -d scammer.info
The results show that the A records are correctly configured behind the CF proxy, whereas the MX record shows lobban.info as a domain name and exposes a server IP address.
The previous subdomain enumeration results for
This means that the domain name lobban.info isn't a third-party email service provider, and the IP 22.214.171.124 is the actual IP address of
<?php echo $_SERVER['REMOTE_ADDR']; ?>
is used by PHP-coded websites to store or display the IP address of external agents that visit or crawl the website.
This can be taken advantage of by uploading images to external websites via links that contain this code.
On iplogger.org, select the invisible image option and generate a link. The link can then be posted on a website where image upload options are available.
This method is very useful against forum websites, as they often have avatar and signature image upload options.
When the server fetches the uploaded image, its IP address is recorded under the logged IPs tab.
Email headers contain the sender's IP address and other information. If there is a non-CF IP in the header, it can be investigated further. If there doesn't seem to be a way to receive an email from the website, we could try sending an email to a random recipient at the website's domain.
Although the recipient doesn't exist, doing so may cause the target to reply with an automated "your email was undelivered" message.
Take the following email header for example:
Delivered-To: email@example.com
Received: by 10.60.14.3 with SMTP id l3csp12958oec; Mon, 5 Mar 2012 23:11:29 -0800 (PST)
Received: by 10.236.46.164 with SMTP id r24mr7411623yhb.101.1331017888982; Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Return-Path: <firstname.lastname@example.org>
Received: from ms.externalemail.com (ms.externalemail.com. [XXX.XXX.XXX.XXX]) by mx.google.com with ESMTP id t19si8451178ani.110.2012.03.05.23.11.28; Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Received-SPF: fail (google.com: domain of email@example.com does not designate XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of firstname.lastname@example.org does not designate XXX.XXX.XXX.XXX as permitted sender) email@example.com
Received: with MailEnable Postoffice Connector; Tue, 6 Mar 2012 02:11:20 -0500
Received: from mail.lovingtour.com ([126.96.36.199]) by ms.externalemail.com with MailEnable ESMTP; Tue, 6 Mar 2012 02:11:10 -0500
Received: from User ([188.8.131.52]) by mail.lovingtour.com ; Mon, 5 Mar 2012 21:38:11 +0800
Message-ID: <6DCB4366-3518-4C6C-B66A-F541F32A4C4C@mail.lovingtour.com>
Reply-To: <firstname.lastname@example.org>
From: "email@example.com" <firstname.lastname@example.org>
Subject: Notice
Date: Mon, 5 Mar 2012 21:20:57 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0055_01C2A9A6.1C1757C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-ME-Bayesian: 0.000000
The above header shows two key pieces of information:
Received: from mail.lovingtour.com ([184.108.40.206]) - the email server relay IP address.
Received: from User ([220.127.116.11]) - the sender's own IP address.
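The same classification this post does by hand (CF address or not) is what a domain owner should run against their own records before an outsider does. The following is an added example, not code from the original post: it checks hostname/IP pairs from a zone export and the relay hops in a Received chain against a snapshot of Cloudflare's published IPv4 ranges, using constructed sample data with TEST-NET addresses; hostnames, the mail server names and the `SAMPLE_*` values are assumed for illustration.

```python
# Added example (not from the original post): audit DNS records and mail
# headers for addresses that sit outside Cloudflare's published IPv4 ranges.
# The range list is a snapshot of https://www.cloudflare.com/ips/ and must be
# refreshed from that page before real use (IPv4 only here).
import ipaddress
import re

CLOUDFLARE_IPV4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare(ip):
    """True if ip lies inside one of the snapshot Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)

def unproxied_records(records):
    """Return the (hostname, ip) pairs from a zone export that bypass the proxy."""
    return [(host, ip) for host, ip in records if not is_cloudflare(ip)]

# Matches both 'from host ([ip])' and 'from host (host. [ip])' Received forms.
RECEIVED = re.compile(
    r"^Received: from (\S+) \((?:\S+ )?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", re.M)

def received_hops(raw_headers):
    """Return [(relay_host, relay_ip)] for each Received hop, newest first."""
    return RECEIVED.findall(raw_headers)

# Constructed sample zone export: one proxied record, one that is not.
SAMPLE_RECORDS = [
    ("www.example.com", "104.16.1.1"),       # inside 104.16.0.0/13
    ("email.example.com", "198.51.100.25"),  # documentation range, unproxied
]

# Constructed Received chain shaped like the header quoted above (TEST-NET IPs).
SAMPLE_HEADERS = """\
Received: from ms.externalemail.com (ms.externalemail.com. [203.0.113.9]) by mx.example.net with ESMTP; Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Received: from mail.example.com ([198.51.100.25]) by ms.externalemail.com with ESMTP; Tue, 6 Mar 2012 02:11:10 -0500
Received: from User ([192.0.2.77]) by mail.example.com ; Mon, 5 Mar 2012 21:38:11 +0800
"""

if __name__ == "__main__":
    for host, ip in unproxied_records(SAMPLE_RECORDS):
        print(f"{host} -> {ip} bypasses the Cloudflare proxy")
    for host, ip in received_hops(SAMPLE_HEADERS):
        print(f"relay {host} at {ip}, cloudflare={is_cloudflare(ip)}")
```

Any record or relay hop the script reports is an address the proxy is not hiding; for mail, that is normally the origin server itself, since the proxy does not carry SMTP.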
Email headers can be an eyesore to read. Luckily, mxtoolbox does a good job of presenting them in a more readable form.
There will be a part two of this blog posted soon, which will be about the XML-RPC pingback method.
Keep your HAM radio close by for further updates.
If you don’t have one, you may prefer to follow me on Twitter.