Find Website Real IP by Bypassing CDN (Such As Behind Cloudflare) - NETSEC


Cybersecurity Memo

Friday, August 2, 2019

Find Website Real IP by Bypassing CDN (Such As Behind Cloudflare)

More and more websites use a CDN (Content Delivery Network) such as Cloudflare to deliver their content to end users: it is faster, safer and more reliable. At the same time, a CDN such as Cloudflare hides your real IP behind its own public IPs. Is there a way to bypass the CDN and find out those websites' real IP addresses?

I found the following websites and tools that can help with this.

Search in the Following Websites

Censys uses Internet scan data to give organizations the visibility they need to defend against attacks and improve their overall security hygiene. The foundational technology behind Censys was designed by researchers at the University of Michigan. This team also created the ZMap Scanner, which helped popularize Internet-wide scanning.

Shodan is a search engine for Internet-connected devices, which gathers information about all devices directly connected to the Internet. If a device is directly hooked up to the Internet then Shodan queries it for various publicly-available information. The types of devices that are indexed can vary tremendously: ranging from small desktops up to nuclear power plants and everything in between.
So what does Shodan index then? The bulk of the data is taken from banners, which are metadata about a software that's running on a device. This can be information about the server software, what options the service supports, a welcome message or anything else that the client would like to know before interacting with the server.


FOFA: just enter title="<site title keyword>" or body="<site body signature>" to list the IPs and domains FOFA has indexed that contain those keywords; this often yields the website's real IP.


ZoomEye is a cyberspace search engine that records information about devices, websites, services and components. It has two powerful detection engines, Xmap and Wmap, aimed at devices and websites respectively, and it identifies services and components through 24/7 continuous scanning. That makes it easier for researchers to understand the coverage of a component and the damage scope of a vulnerability.



CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server. Using Tor to mask all requests, the tool as of right now has 3 different attack phases.

Find Virtual Hosts by Pentest-Tools will be helpful when you are looking to find the websites configured on a single IP.


DNS History Lookup Websites


微步在线 (ThreatBook) - https://x.threatbook.cn/

dnsdb - https://dnsdb.io/zh-cn/ (DNS lookup)

netcraft - http://toolbar.netcraft.com/site_report?url= (online domain information lookup)

Viewdns - http://viewdns.info/ (DNS, IP and other lookups)

CDN IP lookup - https://tools.ipip.net/cdn.php


Just type the site's domain name into the search field and press Enter; the "historical data" then appears in the search results.
Besides past DNS records, even the current records may leak the origin server's IP. MX records, for example, are a common way to find it: if the site hosts its own mail server on the same server and IP as the web server, the origin IP will be in the MX record.
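The MX-record leak just described is easy to check against your own zone before anyone else does. The following Python script is an added example written for this post, not tooling from the post or from any of the sites it lists: it takes a constructed set of DNS records and flags every address (direct A records, the A record behind each MX target, and ip4: tokens in an SPF TXT record) that does not fall inside the CDN's published ranges. The Cloudflare ranges embedded in it are a snapshot and an assumption; refresh them from https://www.cloudflare.com/ips/ before relying on the result.

```python
import ipaddress

# ASSUMPTION: snapshot of Cloudflare's published IPv4 ranges. Refresh from
# https://www.cloudflare.com/ips/ (and add the IPv6 list) before trusting it.
CDN_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cdn_ip(ip):
    """True if the address sits inside one of the CDN ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CDN_RANGES)


# Constructed sample zone (not real data): the web front end is proxied by the
# CDN, but mail and a forgotten dev host point straight at the origin box.
SAMPLE_RECORDS = [
    {"name": "example.com",      "type": "A",   "value": "104.16.132.229"},
    {"name": "www.example.com",  "type": "A",   "value": "104.16.133.229"},
    {"name": "example.com",      "type": "MX",  "value": "mail.example.com"},
    {"name": "mail.example.com", "type": "A",   "value": "203.0.113.10"},
    {"name": "dev.example.com",  "type": "A",   "value": "203.0.113.10"},
    {"name": "example.com",      "type": "TXT", "value": "v=spf1 ip4:203.0.113.10 -all"},
]


def audit_zone(records):
    """Return (record name, how it leaks, ip) for every address that bypasses
    the CDN: direct A records, the A record behind each MX target, and ip4:
    tokens in SPF TXT records."""
    a_records = {r["name"]: r["value"] for r in records if r["type"] == "A"}
    findings = []
    for r in records:
        if r["type"] == "A" and not is_cdn_ip(r["value"]):
            findings.append((r["name"], "A", r["value"]))
        elif r["type"] == "MX":
            target_ip = a_records.get(r["value"])
            if target_ip and not is_cdn_ip(target_ip):
                findings.append((r["name"], "MX -> " + r["value"], target_ip))
        elif r["type"] == "TXT" and r["value"].startswith("v=spf1"):
            for token in r["value"].split():
                if token.startswith("ip4:"):
                    ip = token[4:].split("/")[0]
                    if not is_cdn_ip(ip):
                        findings.append((r["name"], "SPF " + token, ip))
    return findings


def exposed_origin_ips(records):
    """Distinct non-CDN addresses the zone gives away."""
    return sorted({ip for _, _, ip in audit_zone(records)})


if __name__ == "__main__":
    for name, how, ip in audit_zone(SAMPLE_RECORDS):
        print(f"{name:20} {how:25} {ip}")
    print("origin addresses exposed:", exposed_origin_ips(SAMPLE_RECORDS))
```

On the sample zone the script reports the same origin address four times: once via the MX target, twice via direct A records and once via the SPF ip4: token. Feeding it the output of a real resolver is a matter of converting the answers into the same name/type/value dicts.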





Install Tools

IVRE

IVRE is an open-source network reconnaissance framework. It is built around popular tools such as Nmap, Zmap, Bro, p0f and Masscan, and it is Docker-ready so you can get started faster.





Other Methods

Contents

If the origin server's IP also returns the website's content, you effectively have a large amount of data that can be searched for online.

Browse the website's source code and look for unique snippets. Third-party services used in JavaScript with access/identifier keys (for example Google Analytics or reCAPTCHA) are a good place to start.

Example of a Google Analytics tracking code taken from the HackTheBox website:

ga('create', 'UA-93577176-1', 'auto');

Filtering Censys data by body/source can be done with the parameter 80.http.get.body:.

Unfortunately, the ordinary search field has limitations. You can request research access on Censys, which lets you run more powerful queries through Google BigQuery.

Shodan is a service similar to Censys and also offers an http.html search parameter.

Search example:

https://www.shodan.io/search?query=http.html%3AUA-32023260-1
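To see what your own pages expose before someone else searches for it, here is an added Python example (not code from the post): it pulls the identifier types the post mentions, Universal Analytics tracking IDs, gtag measurement IDs and reCAPTCHA site keys, out of a constructed HTML sample and builds the corresponding http.html and 80.http.get.body filter strings. The HTML, the site key value, the gtag ID format and the exact quoting accepted by each search engine are assumptions.

```python
import re

# Constructed sample page (not a real site): a Universal Analytics snippet as in
# the post, a gtag config call and a reCAPTCHA widget with a made-up site key.
SAMPLE_HTML = """<html><head>
<script>
  ga('create', 'UA-93577176-1', 'auto');
  ga('send', 'pageview');
  gtag('config', 'G-ABC123XYZ');
</script>
</head><body>
<div class="g-recaptcha" data-sitekey="6LcCONSTRUCTEDsitekey0000000000000000000"></div>
</body></html>"""

# Identifier shapes worth inventorying. The gtag pattern is an assumption about
# the measurement-ID format; the other two follow the post's own examples.
PATTERNS = {
    "google_analytics": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "gtag_measurement": re.compile(r"\bG-[A-Z0-9]{6,12}\b"),
    "recaptcha_sitekey": re.compile(r'data-sitekey\s*=\s*["\']([^"\']+)["\']'),
}


def find_identifiers(html):
    """Map identifier type -> sorted unique values found in the page source."""
    found = {}
    for kind, pattern in PATTERNS.items():
        values = sorted(set(pattern.findall(html)))
        if values:
            found[kind] = values
    return found


def search_filters(identifiers):
    """Filter strings in the form the post shows: http.html:<id> for Shodan and
    80.http.get.body:<id> for Censys. Running them lists every indexed host that
    serves the same identifier, i.e. whether anything besides the CDN edge does.
    Each engine's quoting rules are an assumption; adjust if a query is rejected."""
    filters = []
    for values in identifiers.values():
        for value in values:
            filters.append(("shodan", f"http.html:{value}"))
            filters.append(("censys", f'80.http.get.body:"{value}"'))
    return filters


if __name__ == "__main__":
    ids = find_identifiers(SAMPLE_HTML)
    for kind, values in ids.items():
        print(kind, values)
    for engine, query in search_filters(ids):
        print(engine, query)
```

If a filter returns any host outside the CDN's address ranges, that host is serving your page directly and the identifier has become a fingerprint for it; rotating the key does not help, the origin has to stop answering unproxied requests.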



Applications and Services

A website served as a Tor hidden service or through CloudFlare is still an ordinary website, and a quick test can reveal its IP.

Headers such as the HTTP Server header can be used to identify the service and version in use and their possible vulnerabilities. Once you gain access to the server, you can obviously find the IP easily.

Another thing to try is finding edge cases that trigger errors. Error messages can reveal sensitive information: the IP itself, or anything that can serve as input to the other methods described here. These attempts take creativity and can be combined with reconnaissance.

Every test should include running gobuster during the reconnaissance phase to find files and directories. What you may find are logs, database dumps/backups and so on.

It is also worth looking for ways to make the application interact with other services. Unless you are the NSA, you probably won't get the IP if they only use an API. But as an example, maybe you can set an avatar on the site by supplying the image's URL instead of uploading it. If they download it, they probably do so from their origin server, and now the IP is in your logs.

This is only a quick overview. A large part of the usual testing tricks applies, and website administrators can make many mistakes.
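The header, error-message and direct-access points in this section all come down to the origin answering requests that did not arrive through the CDN and volunteering details when it does. As an added example (not from the post), this Python wrapper around a constructed WSGI-style app shows the three mitigations a defender puts in front of the origin: refuse connections from outside the CDN's address ranges, replace exception details with a generic body, and strip the Server banner. The request model, the sample app and the abbreviated CDN range list are assumptions.

```python
import ipaddress

# ASSUMPTION: a few of Cloudflare's published IPv4 ranges, abbreviated for the
# example; use the full current list from https://www.cloudflare.com/ips/.
CDN_RANGES = [ipaddress.ip_network(c) for c in
              ("104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20")]

GENERIC_ERROR = b"Internal Server Error"


def from_cdn(remote_addr):
    """True if the TCP peer is one of the CDN's edge addresses."""
    try:
        return any(ipaddress.ip_address(remote_addr) in net for net in CDN_RANGES)
    except ValueError:
        return False


def sample_app(environ):
    """Constructed stand-in for the site. Returns (status, headers, body) like a
    stripped-down WSGI app. The error path raises with the kind of message the
    post warns about: an internal hostname and address in the exception text."""
    if environ.get("PATH_INFO") == "/":
        headers = [("Content-Type", "text/html"),
                   ("Server", "Apache/2.4.29 (Ubuntu)")]
        return "200 OK", headers, b"<h1>hello</h1>"
    raise RuntimeError("db connect failed: origin-web-01 203.0.113.10:5432")


def origin_guard(app):
    """Wrap an app with the three checks a defender puts in front of the origin."""
    def guarded(environ):
        # 1. Direct-to-origin connections (anything not from the CDN) get nothing.
        if not from_cdn(environ.get("REMOTE_ADDR", "")):
            return "403 Forbidden", [("Content-Type", "text/plain")], b"Forbidden"
        # 2. Exception text never reaches the client (a real deployment logs it
        #    server-side here instead).
        try:
            status, headers, body = app(environ)
        except Exception:
            return ("500 Internal Server Error",
                    [("Content-Type", "text/plain")], GENERIC_ERROR)
        # 3. Drop the Server banner so software and version are not advertised.
        headers = [(k, v) for k, v in headers if k.lower() != "server"]
        return status, headers, body
    return guarded


guarded_app = origin_guard(sample_app)


def header_names(headers):
    """Lower-cased header names, for checking what the client actually sees."""
    return [k.lower() for k, _ in headers]


if __name__ == "__main__":
    for env in ({"REMOTE_ADDR": "198.51.100.7", "PATH_INFO": "/"},
                {"REMOTE_ADDR": "104.16.1.1", "PATH_INFO": "/"},
                {"REMOTE_ADDR": "104.16.1.1", "PATH_INFO": "/broken"}):
        status, headers, body = guarded_app(env)
        print(env["REMOTE_ADDR"], env["PATH_INFO"], "->", status, headers, body)
```

The wrapper covers inbound traffic only. The avatar-by-URL case is an outbound fetch, so it needs a different control: route any server-side fetch of user-supplied URLs through an egress proxy whose address is not the origin's, or the origin IP ends up in the remote party's logs exactly as the post describes.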


