Cloudflare is a gasket between the user and the site. It works on the principle of reverse proxy, providing additional services, including page caching, protection against DDoS, protection against bad bots, and more. Including, Cloudflare hides the true IP address of the server that hosts the site.
Cloudflare uses its name servers that respond to DNS queries and translate the hostname into an IP address. Those. the site owner configures the use of Cloudflare NS servers for his domain, these NS servers in response to DNS requests are sent by IP belonging to the Cloudflare network. As a result, the request to the site goes to Cloudflare, which receives the page from the server where the site is located (or from its cache) and shows this page to the user who requested it. As a result, the true IP address of the site behind Cloudflare becomes well hidden.
If Cloudflare is configured correctly, then the real IP address of the site is never disclosed or recorded anywhere; but how many people do you know who always do everything right? For this reason, there are tools that look for holes in your Cloudflare settings. One of these tools is CloudFail, this tool will help you to find real ip behind cloudflare and this note is devoted to it.
What is CloudFail
Each site can have subdomains like * .say.com. Where, instead of an asterisk, different values can be substituted, for example:
There can be an unlimited number of such subdomains. Important point: each such subdomain can have its own IP address!
Those. name servers allow you to specify IP (or several addresses at once) for website.com , another IP for test.say.com , another IP for en.say.ru and so on.
There may be a situation when the Cloudflare IP address is registered in the DNS records of the site.ru site, but the DNS records for the subdomain test.site.com point to another IP that is not under Cloudflare protection.
As a result, an IP address is disclosed that:
- may be the real IP address of the site;
- is the IP address of the subdomain only, but gives us information about the owner or a hint for further research.
We can’t just get a list of all subdomains. Therefore, you need to sort out various options. This is exactly what is implemented in CloudFail:
- various subdomain options are tried;
- if there is a DNS record for the subdomain, then we get an IP for it;
- it checks if the received IP is in the Cloudflare range (i.e., protected with Cloudflare or not).
In fact, the described process is already the third stage. In the first stage, CloudFail receives a list of possible subdomains from DNSDumpster.com and checks them.
At the second stage, CloudFail refers to the CrimeFlare service, which has gathered a large IP address base for sites protected by Cloudflare. If the site knows the IP, then it is immediately shown. About CrimeFlare described in more detail here.
And in the third stage, the described brute-force subdomains are performed in the dictionary.
As a result of this integrated approach, it is often possible to find IP addresses that are not protected by Cloudflare. It is important to note that we proceed from the assumption that the IP addresses of the subdomains belong to or are associated with the owner of the main site. Yes, this is usually the case, but you should always remember that in the DNS records of the subdomains the owner of the main domain can specify ANY IP addresses that do not even belong to it …
How to install CloudFail
To install CloudFail on Ubuntu, Kali Linux, Debian, Linux Mint and their derivatives, run the following commands: First we need to install pip3 for python3 dependencies:
sudo apt-get install python3-pip
Then follow those commands
sudo apt update sudo apt install python3-pip git tor git clone https://github.com/m0rtem/CloudFail cd CloudFail /
Then we can run through dependency checks:
pip3 install -r requirements.txt
Before the first launch, as well as from time to time (about once a month), it is recommended to update the databases:
sudo python3 cloudfail.py -u
The list of Cloudflare IP addresses will be updated, as well as the CrimeFlare database containing known IP addresses for some sites.
If you want the program to work through the Tor network, then you need to start the Tor service:
systemctl start tor
If you do not need Tor to send requests, you can skip this step.
If you wish, you can add the Tor service to autoload (then you will not need to start this service after each computer restart):
sudo systemctl enable tor
How to use CloudFail
The program has only one mandatory option -t , after which you need to specify the domain name.
Additionally, you can use the —tor option to make requests via this network.
The program already supplies a list of words ( subdomains.txt file ) for searching possible subdomains in the dictionary. If you want to use your own dictionary, then specify it using the option -s . The dictionary file should be located in the data folder .
For example, if we want to receive data for the tinyjpg.com site, then the launch command looks like this:
sudo python3 cloudfail.py -t tinyjpg.com —tor
CloudFail Results Analysis
The string is part of the Cloudflare network! says that the site is protected by the Cloudflare network. If this were not the case, then the scan stopped at this place, since it is meaningless.
The Testing for misconfigured DNS string using dnsdumpster … speaks of the beginning of the first stage — the retrieval of well-known hosts (subdomains) associated with the analyzed site. This data is taken from dnsdumpster, which, in turn, collects them from various sources (own site surveyors from the first million Alexa Top rankings, search engines, popular surveyors, Certificate Transparency, Max Mind, Team Cymru, Shodan and scans.io) . But brute-force domains are not used.
As you can see, in our results among the DNS records found MX records that point to mail servers. Please note that in this case, MX records do not point to the subdomains of the site of interest to us, but to Google hosts. This is also indicated by the data on IP (belonging to a Google Internet service provider). These hosts are not protected by Cloudflare, but they are not suitable for research from open sources in order to discover this IP server. We can only conclude that the site uses e-mail based on Google’s postal services.
The string Scanning crimeflare database … speaks about the beginning of the second stage – searching the database of sites with known IPs from CrimeFlare.
Inscription Did not find anything . says that nothing is found in this database.
The line Scanning 2897 subdomains (subdomains.txt), please wait … speaks about the beginning of the third stage – enumeration of possible subdomains according to the dictionary.
The red line contains information about the found subdomains, but their IP is protected by the Cloudflare network – therefore, they are useless for determining the real IP (but can be used for other purposes).
Green lines indicate that the IP of the found host does not belong to Cloudflare. Therefore, this can be the real IP of the site of interest.
An example of a line from our case is mail.anti-malware.ru , unfortunately, the IP found again belongs to Google.
But the line test.anti-malware.ru leads us to success – this is the IP VPS server.
Search sites on one IP confirms that this is the real IP of the domain of interest to us.
The next scan example is searchengines.guru.
They say that the first and third stages did not produce results. But in the database CrimeFlare found the real IP of this site, it is 188.8.131.52.
At the first stage, only Google’s mail servers were found. Site not found in the CrimeFlare database.
In the third stage, the following good data:
[09:19:32] [FOUND: SUBDOMAIN] cdn.searchengines.ru IP: 184.108.40.206 HTTP: 403 [09:20:51] [FOUND: SUBDOMAIN] link.searchengines.ru IP: 220.127.116.11 HTTP: 200 [09:21:06] [FOUND: SUBDOMAIN] mail.searchengines.ru IP: 18.104.22.168 HTTP: 200
mail.searchengines points to the IP of the Google mail server.
cdn.searchengines.ru has IP CloudFront – one of the Cloudflare services, i.e. It also does not suit us.
But link.searchengines.ru has an IP address (22.214.171.124) of a third-party server. You can open the link.searchengines.ru page – there is some forgotten, apparently, for many years not used online service. This IP may be an address, including, searchengines.ru. In any case, this IP is associated with the owners of searchengines.ru, even if the host itself is on a different server.
How to set up Cloudflare correctly so that the real IP of the site cannot be found
As you can see from the above examples, incorrect DNS configuration leads to the disclosure of this IP site, even if it is protected using Cloudflare. It is necessary to protect all hosts related to the site network Cloudflare. The same applies to wildcard characters in DNS records – such records should not reveal the true IP address of the site.
It is necessary to remember about the possibility of disclosing the owner through the hosts of the mail servers used by the site.
The site itself should not contain vulnerabilities that allow an attacker to conduct attacks in other areas.