Cloudflare-Protected Web Servers Unmasking!!

Yo! Mr. Pentesters, and also the internet script kiddies who google “how to know the IP of a Cloudflare-protected web site?”: here’s a simple Python tool which does the job for you!!

NOTICE: THIS TUTORIAL IS ONLY FOR EDUCATIONAL PURPOSES! SCANNING UNAUTHORIZED
        WEBSITES IS A CRIME!!
        #STAYSAFEONLINE

To others who are just wondering what on earth is going on:

WHAT IS CLOUDFLARE?

“ Websites and applications require the resilience and intelligence of a scalable network to combat the biggest and newest attacks. It’s important to ensure that performance is never sacrificed for security and that systems have easy setup and configuration, avoiding configuration errors which can introduce security vulnerabilities.

Mitigate DDoS Attacks

Protect Internet applications and APIs from malicious traffic targeting network and application layers, to maintain availability and performance, while containing operating costs.

Prevent Customer Data Breach

Prevent attackers from compromising sensitive customer data, such as user credentials, credit card information, and other personally identifiable information.

Cloudflare Performance Services improve conversions, reduce churn, and improve visitor experiences by accelerating web and mobile performance, while keeping applications available.

DNSSEC

DNSSEC is the Internet’s non-spoofable caller ID. It guarantees a web application’s traffic is safely routed to the correct servers so that a site’s visitors are not intercepted by a hidden “man-in-the-middle” attacker. ” – CLOUDFLARE ABOUT.

Now you get what I am talking about, right?

This article is only for educational purposes. I am stressing this because I don’t want any of you to get in trouble.

LETS TALK ABOUT THE TOOL

CloudFail !!

  / ___| | ___  _   _  __| |  ___|_ _(_) || |   | |/ _ \| | | |/ _` | |_ / _` | | |
 | |___| | (_) | |_| | (_| |  _| (_| | | |
  \____|_|\___/ \__,_|\__,_|_|  \__,_|_|_|
    v1.0                        by m0rtem

CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by Cloudflare in the hopes of discovering the location of the server. Using Tor to mask all requests, the tool as of right now has 3 different attack phases.

  1. Misconfigured DNS scan using DNSDumpster.com.
  2. Scan the Crimeflare.com database.
  3. Bruteforce scan over 2500 subdomains.

Install on Kali/Debian

First we need to install pip3 for python3 dependencies:

$ sudo apt-get install python3-pip

Then we can run through dependency checks (run this from inside the CloudFail directory, where requirements.txt lives):

$ pip3 install -r requirements.txt

Usage

To run a scan against a target:

python3 cloudfail.py --target <EXAMPLE.com>


To run a scan against a target using Tor, first start the Tor service:

service tor start

(or, if you are using Windows or Mac, install Vidalia or just run the Tor Browser)

python3 cloudfail.py --target <EXAMPLE.com> --tor

Please make sure you are running with Python3 and not Python2.*

Example run without Tor:

python cloudfail.py --target notprotected.com --no-tor
   ____ _                 _ _____     _ _ 
  / ___| | ___  _   _  __| |  ___|_ _(_) || |   | |/ _ \| | | |/ _` | |_ / _` | | |
 | |___| | (_) | |_| | (_| |  _| (_| | | |
  \____|_|\___/ \__,_|\__,_|_|  \__,_|_|_|
    v1.0                        by m0rtem


[20:57:45] Initializing CloudFail - the date/time is: 
[20:57:45] Fetching initial information from: notprotected.com...
[20:57:45] Server IP: XXX.XXX.XXX.XXX
[20:57:45] Testing if notprotected.com is on the Cloudflare network...
[20:57:45] notprotected.com is part of the Cloudflare network!
[20:57:45] Testing for misconfigured DNS using dnsdumpster...
[20:57:50] [FOUND:HOST] dbadmin.notprotected.com  XXX.XXX.XXX.XXX ASXXXX BackConnect, Inc. Chile
[20:57:50] [FOUND:HOST] www.notprotected.com  XXX.XXX.XXX.XXX ASXXXXXX BackConnect, Inc. Chile
[20:57:50] [FOUND:HOST] irc.notprotected.com  XXX.XXX.XXX.XXX ASXXXXX Hetzner Online GmbH Germany
[20:57:50] [FOUND:HOST] mail.notprotected.com  XXX.XXX.XXX.XXX ASXXXX Coreix Ltd United Kingdom
[20:57:50] [FOUND:MX] XXX.XXX.XXX.XXX AS31708 Coreix Ltd 0 mail.notprotected.com.
[20:57:50] Scanning crimeflare database...
[20:57:51] [FOUND:IP] XXX.XXX.XXX.XXX
[20:57:51] Scanning 2898 subdomains, please wait...
[20:59:58] [FOUND:SUBDOMAIN] FOUND: dev.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 401
[21:07:43] [FOUND:SUBDOMAIN] FOUND: mail.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
[21:08:50] [FOUND:SUBDOMAIN] FOUND: news.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
[21:09:14] [FOUND:SUBDOMAIN] FOUND: old.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 401
[21:14:16] [FOUND:SUBDOMAIN] FOUND: static.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
[21:14:19] [FOUND:SUBDOMAIN] FOUND: support.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
[21:15:58] [FOUND:SUBDOMAIN] FOUND: webmail.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
[21:16:39] [FOUND:SUBDOMAIN] FOUND: www.notprotected.com ON CLOUDFLARE NETWORK!
[21:17:20] Scanning finished...
Looks good!

Everything looks good, right??

Wait!! There’s one small thing that you need to know, as the project’s own page says:

Disclaimer:

This tool is a PoC (Proof of Concept) and does not guarantee results. 
It is possible to setup Cloudflare properly so that the IP is never released 
or logged anywhere; this is not often the case and hence why this tool exists. 
This tool is only for academic purposes and testing under controlled 
environments. Do not use without obtaining proper authorization from the
network owner of the network under testing. The author bears no responsibility 
for any misuse of the tool.
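All three phases of the tool cash in on the same two mistakes: a DNS record (a forgotten subdomain, a mail host) that points straight at the origin instead of through the proxy, and an origin that answers HTTP from anyone rather than only from Cloudflare’s edge. The script below is an added example written for this article; it is not part of CloudFail and not Cloudflare’s own tooling. It audits a zone export for A records that resolve outside Cloudflare’s published IPv4 ranges (following MX targets one hop, since a mail host is the classic leak) and scans an origin access log for requests that bypassed the proxy, which is exactly what the “[FOUND:SUBDOMAIN] … HTTP: 200” lines above look like from the server side. The zone records, the access-log lines and the example.test hostnames are constructed for the demo; the address ranges are a snapshot of Cloudflare’s published list and should be refreshed from https://www.cloudflare.com/ips-v4 before relying on them.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Assumption: this list is current; refresh it from that URL before using it for real.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(c) for c in CLOUDFLARE_V4]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


# Constructed sample zone as (hostname, record type, value), the shape of an export
# from your own DNS provider. Only A records leak the origin directly; an MX that
# points at a host with a non-proxied A record leaks it indirectly.
SAMPLE_ZONE: List[Tuple[str, str, str]] = [
    ("example.test",      "A",  "104.16.1.2"),      # proxied (orange cloud)
    ("www.example.test",  "A",  "104.16.1.3"),      # proxied
    ("mail.example.test", "A",  "203.0.113.10"),    # grey cloud: direct to the host
    ("example.test",      "MX", "mail.example.test"),
    ("dev.example.test",  "A",  "203.0.113.10"),    # same box as the web origin
    ("old.example.test",  "A",  "198.51.100.7"),    # forgotten legacy host
]


def audit_zone(records: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each non-Cloudflare IP to the hostnames that reveal it.

    Every entry returned is something a DNS-enumeration or subdomain-wordlist
    phase will find; an empty dict means the zone leaks nothing by itself.
    """
    records = list(records)
    a_records: Dict[str, str] = {}
    exposed: Dict[str, List[str]] = defaultdict(list)
    for host, rtype, value in records:
        if rtype == "A":
            a_records[host] = value
            if not is_cloudflare_ip(value):
                exposed[value].append(host)
    # Follow MX targets one hop so the mail host is attributed to the apex as well.
    for host, rtype, value in records:
        if rtype == "MX" and value in a_records and not is_cloudflare_ip(a_records[value]):
            exposed[a_records[value]].append(f"{host} (via MX {value})")
    return dict(exposed)


# Constructed origin access-log lines (common log format). If the origin's firewall
# only admits Cloudflare's ranges, the two 203.0.113.55 lines could never appear.
SAMPLE_ACCESS_LOG = """\
172.68.10.5 - - [10/Oct/2023:21:07:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.55 - - [10/Oct/2023:21:07:43 +0000] "GET / HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
203.0.113.55 - - [10/Oct/2023:21:07:44 +0000] "GET / HTTP/1.1" 401 0 "-" "python-requests/2.31.0"
108.162.200.9 - - [10/Oct/2023:21:08:01 +0000] "GET /news HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def direct_origin_hits(log_text: str) -> Dict[str, int]:
    """Count requests per client IP that reached the origin without passing through Cloudflare."""
    counts: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip = m.group("ip")
        if not is_cloudflare_ip(ip):
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, hosts in audit_zone(SAMPLE_ZONE).items():
        print(f"exposed origin {ip}: {', '.join(hosts)}")
    for ip, n in direct_origin_hits(SAMPLE_ACCESS_LOG).items():
        print(f"{n} direct hit(s) on the origin from {ip}")
```

A clean setup returns an empty dict from both functions. For every hostname the zone audit reports, either proxy the record through Cloudflare or move the service off the same machine as the web origin (a mail server on the origin box is the usual culprit). For the log check, restrict the origin’s firewall to Cloudflare’s ranges so that direct probes are dropped before they reach the web server; once that is in place, any non-Cloudflare client IP in the access log is a misconfiguration worth an alert.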

Other reference tools you can check out:

  • HatCloud, built in Ruby. It bypasses Cloudflare to discover the real IP. This can be useful if you need to test your own server and website, for example your protection against DDoS (Distributed Denial of Service) or DoS. Cloudflare is a distributed domain name server and reverse proxy service sitting between the visitor and the Cloudflare user’s hosting provider; it protects, speeds up and improves the availability of a website or mobile application with a DNS change.