0x01 Verify the existence of a CDN
Method 1:
Very simple: use one of the multi-location ping services and check whether the IP address returned is the same from every location. If it is not unique, the site most likely uses a CDN. Multi-ping sites:
http://ping.chinaz.com/
http://ping.aizhan.com/
Method 2:
Use nslookup; the principle is the same: if the domain name resolves to multiple IP addresses, a CDN is most likely in use. Example with a CDN:
www.163.com
Server: public1.114dns.com
Address: 114.114.114.114
Non-authoritative answer:
Name: 163.xdwscache.ourglb0.com
Addresses: 58.223.164.86
125.75.32.252
Aliases: www.163.com
www.163.com.lxdns.com
Example without a CDN:
xiaix.me
Server: public1.114dns.com
Address: 114.114.114.114
Non-authoritative answer:
Name: xiaix.me
Address: 192.3.168.172
0x02 Bypass the CDN to find the site's real IP
Method 1: Query historical DNS records
1) Look at the history of IP-to-domain bindings; a record from before the CDN was introduced may still exist. Relevant query sites:
https://dnsdb.io/zh-cn/ (DNS query)
https://x.threatbook.cn/ (Microstep Online / ThreatBook)
http://toolbar.netcraft.com/site_report?url= (online domain information lookup)
http://viewdns.info/ (DNS, IP and other queries)
https://tools.ipip.net/cdn.php (CDN IP query)
2) With the SecurityTrails platform (https://securitytrails.com/), attackers can pinpoint the real origin IP: enter the site's domain name in the search field, press Enter, and "Historical Data" is available in the menu on the left.
How to find the real origin IP hidden behind CloudFlare or Tor
Besides historical DNS records, even current records may leak the origin server IP. An MX record is a common example: if a site hosts its own mail server on the same machine and IP as the web server, the origin IP will appear in the MX record.
Method 2: Query subdomains
CDN service is not cheap, so many webmasters put only the main site, or high-traffic subsites, behind the CDN, while many small subsites sit on the same server as the main site or in the same C-class segment (/24). The IPs those subdomains resolve to can then help locate the site's real IP.
Some common methods and tools for subdomain lookup:
1) Microstep Online (https://x.threatbook.cn/)
Microstep Online, mentioned above, is powerful: enter the domain name to look up (for example baidu.com) and click the Subdomain option to list its subdomains. Free users only get 5 free queries a month.
2) DNSDB query (https://dnsdb.io/zh-cn/)
Enter baidu.com TYPE:A to collect Baidu's subdomains and their IPs.
3) Google search
site:baidu.com -www shows the subdomains other than www.
4) Subdomain scanners
Recommended here are the Subdomain Excavator and lijiejie's subDomainsBrute (https://github.com/lijiejie/subDomainsBrute).
Subdomain Excavator only needs the domain name and mines its subdomains from a dictionary.
For subDomainsBrute on Windows, open cmd, change into its directory and run python subDomainsBrute.py baidu.com --full to collect Baidu's subdomains.
Note: after collecting the subdomains, try resolving them; a subdomain whose IP is not a CDN IP may resolve to the main site's server, yielding the real IP.
Method 3: Cyberspace search engines
Commonly used ones are ZoomEye, Shodan and FoFa (https://fofa.so/). Taking FoFa as an example, enter title:"keyword from the site title" or body:"text from the site body" to find the IPs and domains indexed by FoFa that contain those keywords; this often yields the site's real IP.
Method 4: Use the SSL certificate to find the real origin IP
Using a given domain name
Suppose you host a service on xyz123boot.com and the origin server IP is 136.23.63.44. CloudFlare provides DDoS protection, a web application firewall and other security services to shield the service from attack. For this, your web server must support SSL and have a certificate, so that the communication between CloudFlare and your server is encrypted (i.e., you are not using Flexible SSL), just like the communication between you and CloudFlare. This looks safe, but the problem is that when someone connects directly to the IP on port 443 (https://136.23.63.44:443), the SSL certificate is exposed.
If an attacker scans 0.0.0.0/0, the entire Internet, they can find the valid xyz123boot.com certificate on port 443 and thereby obtain the IP of the web server that serves you.
The Censys tool can now scan the entire Internet. Censys is a search engine for information on networked devices; security experts use it to assess the security of their deployments, while attackers use it as a powerful tool for early target discovery and information gathering. Censys scans the IPv4 address space every day, collects information on every networked device it finds, and returns a general report on the configuration and deployment of resources such as devices, websites and certificates.
The only thing an attacker needs to do is translate the search described above into actual search query parameters.
The search query parameter for the xyz123boot.com certificate is: parsed.names:xyz123boot.com
The query parameter that shows only valid certificates is: tags.raw:trusted
Multiple parameters can be combined on Censys with simple Boolean logic.
The combined search is: parsed.names:xyz123boot.com and tags.raw:trusted
Censys shows all the trusted certificates found in its scan that match the above criteria.
To view a result in detail, click Explore on the right to open a drop-down menu with several tools:
What's using this certificate? > IPv4 Hosts
This lists the IPv4 hosts that use this specific certificate, and the real origin IP is among them.
You can verify by navigating to the IP on port 443: does it redirect to xyz123boot.com, or does it display the website directly on the IP?
Using a given SSL certificate
If you are a law enforcement officer who wants to find a child pornography site hidden at cheesecp5vaogohv.onion, the best approach is to find the origin IP, so you can trace it to its hosting server and even follow the carrier and financial trail behind it.
If the hidden service has an SSL certificate, then to find the IPv4 host using it simply paste the "SHA1 fingerprint" (the SHA1 hash of the certificate) into the Censys IPv4 host search. This method easily locates misconfigured web servers.
Method 5: Use HTTP headers to find the real origin IP
With a platform like SecurityTrails, anyone can search vast amounts of data for their target and even compare HTTP headers to find the origin server.
Especially when a server has an unusual server name or software name, it is easier for attackers to find you.
If the data set is large, as described above, an attacker can combine search parameters on Censys. Suppose your server shares its HTTP headers with 1500 web servers that all send the same combination of header names and values. You also use a new PHP framework that sends a unique HTTP header (for example X-GENERATED-VIA: XYZ framework), currently used by about 400 webmasters. The intersection leaves three servers, and a few seconds of manual checking finds the IP.
For example, the Censys search parameter that matches the Server header is 80.http.get.headers.server:, so the parameter for locating web sites served by CloudFlare is:
80.http.get.headers.server:cloudflare
Method 6: Use the content returned by the website to find the real origin IP
If the origin server IP also returns the site's content, you can search the large data sets on the Internet for it.
Browse the site's source code for unique snippets. Third-party services whose JavaScript includes access keys or identifier parameters, such as Google Analytics or reCAPTCHA, are commonly used by attackers for this.
The following is an example of the Google Analytics tracking code taken from the Hackthebox website:
ga('create', 'UA-93577176-1', 'auto');
The 80.http.get.body: parameter filters Censys data by body/source. Unfortunately the normal search field has limitations, but you can request research access on Censys, which lets you run more powerful queries through Google BigQuery.
Shodan is a service similar to Censys and also provides the http.html search parameter.
Search example: https://www.shodan.io/search?query=http.html%3AUA-32023260-1
Method 7: Resolve the domain name from a foreign host
Many domestic (Chinese) CDN providers, for various reasons, only serve domestic lines and may have almost no foreign lines; accessing the host directly from abroad may then return the real IP.
Method 8: Site vulnerability lookup
1) Sensitive file leaks on the target, such as phpinfo probes, GitHub information leaks, etc.
2) Blind XSS, command execution with a reverse shell, SSRF, etc.
3) Obtaining the target webmaster's CDN account, whether through social engineering or other means, in order to find the site's real IP from the CDN configuration.
Method 9: Site mail subscription lookup
RSS/mail subscription: many websites ship with sendmail and will send us an email; checking the source (headers) of that mail reveals the server's real IP.
Method 10: Sweep the whole network with Zmap
To find the real IP of the xiaix.me website, first obtain the IP ranges from APNIC, then use Zmap's banner-grab to scan for hosts with port 80 open and grab their banners, and finally set the Host in the HTTP request (http-req) to xiaix.me.
Method 11: F5 LTM decoding
When the server uses an F5 LTM for load balancing, the real IP can also be obtained by decoding the Set-Cookie value. For example, given set-cookie: bigipserverpool_8.29_8030=487098378.24095.0000, take the first decimal number, 487098378, convert it to hexadecimal, 1d08880a, then take the byte pairs from back to front, 0a.88.08.1d, and convert each to decimal: 10.136.8.29, which is the real IP.
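The decoding described above, as an added Python example that is not part of the original post: a self-check a site owner can run against the Set-Cookie headers their own load balancer emits, to see whether a pool member address is being leaked. It assumes the IPv4 cookie format shown in the text (decimal IP, decimal port, trailing 0000); the decoded address is the pool member behind the LTM, typically an internal address such as 10.136.8.29, and the port is byte-swapped the same way as the IP.

```python
import re

# BIG-IP persistence cookie, IPv4 form (as in the text):
#   BIGipServer<pool>=<ip_as_decimal>.<port_as_decimal>.0000
BIGIP_COOKIE_RE = re.compile(
    r"(?i)BIGipServer(?P<pool>[^=;\s]+)=(?P<ip>\d+)\.(?P<port>\d+)\.0000"
)


def decode_bigip_ipv4(ip_dec: int, port_dec: int) -> tuple:
    """Decode the byte-reversed IP and port stored in an IPv4 BIG-IP cookie.

    487098378 -> 0x1d08880a -> bytes read back to front 0a.88.08.1d
    -> 10.136.8.29; the 16-bit port is reversed the same way:
    24095 -> 0x5e1f -> 0x1f5e -> 8030 (matching the pool name).
    """
    if not (0 <= ip_dec <= 0xFFFFFFFF and 0 <= port_dec <= 0xFFFF):
        raise ValueError("value out of range for the IPv4 cookie encoding")
    ip = ".".join(str(b) for b in ip_dec.to_bytes(4, "little"))
    port = int.from_bytes(port_dec.to_bytes(2, "little"), "big")
    return ip, port


def find_leaked_pool_members(set_cookie_headers):
    """Return (pool, ip, port) for every BIG-IP cookie in the given headers.

    Run this over the Set-Cookie headers of your own site: any hit means
    the load balancer is exposing a backend address to every client.
    """
    found = []
    for header in set_cookie_headers:
        for m in BIGIP_COOKIE_RE.finditer(header):
            ip, port = decode_bigip_ipv4(int(m.group("ip")), int(m.group("port")))
            found.append((m.group("pool"), ip, port))
    return found


# Constructed sample: the cookie from the text plus an unrelated session cookie.
SAMPLE_HEADERS = [
    "bigipserverpool_8.29_8030=487098378.24095.0000; path=/",
    "PHPSESSID=abc123; path=/; HttpOnly",
]

if __name__ == "__main__":
    for pool, ip, port in find_leaked_pool_members(SAMPLE_HEADERS):
        print(f"pool {pool} leaks backend {ip}:{port}")
```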
11 Ways to bypass CDN to find real IP