Latest Posts

Find Website Real IP by Bypassing CDN (Such As Behind Cloudflare)

There are more and more websites using CDN (Content Delivery Network), such as Cloudflare,  to help deliver their contents to end users. It is faster, safer and more reliable. At the same time, CDN such as Cloudflare company hides your real ip behind their public ip. Is there a way we can bypassing CDN and find out those websites' real ip addresses.

I found following a couple of websites which can help you do that.

Search in Following Websites

Censys uses Internet scan data to give organizations the visibility they need to defend against attacks and improve their overall security hygiene. The foundational technology behind Censys was designed by researchers at the University of Michigan. This team also created the ZMap Scanner, which helped popularize Internet-wide scanning.

Shodan is a search engine for Internet-connected devices, which gathers information about all devices directly connected to the Internet. If a device is directly hooked up to the Internet then Shodan queries it for various publicly-available information. The types of devices that are indexed can vary tremendously: ranging from small desktops up to nuclear power plants and everything in between.
So what does Shodan index then? The bulk of the data is taken from banners, which are metadata about a software that's running on a device. This can be information about the server software, what options the service supports, a welcome message or anything else that the client would like to know before interacting with the server.


ZoomEyeis a Cyberspace Search Engine recording information of devices, websites, services and components etc. It has two powerful detection engines Xmap and Wmap aiming at devices and websites in the cyberspace. It can be used to identify all the services and components through 24/7 continuous detection. Therefore it is easier for researchers to understand the component coverage and the damage scope of vulnerabilities.


CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server. Using Tor to mask all requests, the tool as of right now has 3 different attack phases.

Find Virtual Hosts by Pentest-Tools will be helpful when you are looking to find the websites configured on a single IP.

DNS History Lookup Websites

微步在线 -

dnsdb -——DNS查询

netcraft - ——在线域名信息查询

Viewdns - ——DNS、IP等查询


只需在搜索字段中输入网站域名,然后按Enter键即可,这时“历史数据”就可以在search results中找到。

YouTube Video:

Install Tools


IVRE is an open-source network reconnaissance framework. It is made with some of the popular tools like Nmap, Zmap, Bro, p0f, Masscan. It’s Docker ready to get you started faster.


Other Methods



浏览网站源代码,您需要寻找独特的代码片段。 在JavaScript中使用带有access/identifier keys的第三方服务(例如Google Analytics,reCAPTCHA)是一个不错的开始。

HackTheBox网站获取的Google Analytics跟踪代码示例:

ga('create', 'UA-93577176-1', 'auto');

可以使用参数80.http.get.body:来完成按 body/source 过滤Censys数据。

不幸的是,普通搜索字段有局限性。 您可以在Censys上请求研究访问,这样您就可以通过Google BigQuery进行更强大的查询。



Applications and Services

使用TOR隐藏服务或是通过CloudFlare提供服务的网站也是一个普通的网站。 一个快速的测试也可以揭示IP。

像HTTP服务器头之类的头部可用于查找正在使用的服务和版本的可能漏洞。 当获得对服务器的访问权限时,您显然可以轻松找到IP。

另一种尝试是找到触发错误的边缘情况。 错误消息可以显示敏感信息。 这些信息可以只是IP本身,也可以是任何可以用作此处描述的其他方法的参数的信息。 这些尝试是具有创造性的,可以进行侦察和组合使用。


此外,值得一试的是找出可以使应用程序让网站与其他服务进行交互的方式。 如果您不是NSA,如果他们只是在使用API,您可能无法获得IP。 但作为一个例子,也许你可以在网站上设置一个头像并提供图片的URL而不是上传它。 如果他们正在下载它,他们可能是从他们的原始服务器进行的。 现在IP在您的日志中。

这只是一个快速概述。 你可以做通常做的所有测试技巧的很大一部分,并且网站管理员可能会犯很多错误。


No comments