Bypass CDN to get Real IP

Source: Internet
Author: User
Keywords cdn cdn acceleration cdn meaning
0x01 CDN
In the process of penetration, we often encounter websites using CDN, and the fake IP of CDN often causes various difficulties for us. Here I have collected a lot of information and summarized the methods of bypassing CDN to obtain real IP.

0x02 Identify CDN
Before bypassing CDN, you must first identify whether the website uses CDN

Ping websites in different regions
For a domain name, if we use ips from different regions to ping it, and if the ips obtained are different, then we can judge that it uses CDN, because CDN is a mechanism that follows the principle of proximity.

Use multiple ping services
http://ping.chinaz.com/
http://ping.aizhan.com/
http://ce.cloud.360.cn/
http://tools.fastweb.com.cn/Index/Ping
Use nslookup
If multiple ips are returned, it can be judged that CDN is used

Use the online website to query

0x03 Bypass CDN
nslookup method
nslookup www.xxx.com 8.8.8.8
The format is nslookup main domain name, dns that is not popular abroad
Since many domestic CDN providers may only provide domestic services, but do not provide services to foreign countries, it is possible to resolve the real IP through foreign dns (Note: 8.8.8.8 here is not considered a foreign unpopular dns)

View historical dns records
The real ip can be judged by viewing the historical dns records, because it should be the real ip before using the CDN

Query subdomain
In many cases, because the CDN service is more expensive, some websites only configure the CDN service for the main website, so you can Google the subdomain to see if the corresponding IP is correct

Use foreign ip to resolve domain names
In fact, the principle is similar to the nslookup method. If there is a foreign vps, directly ping the domain name to see if there is a real IP

Target sensitive file leakage
Get the real ip through some sensitive files on the website, or probes like phpinfo


Some servers have their own sendmail (mail transfer agent) registered locally, they will take the initiative to send an email to us, open the source code of the email, you can see the real IP of the server. Some large Internet sites will have their own Mailserver. But it should be in a network segment, just scan the C segment address.

After DDOS finishes CDN traffic, there will be real IP (not advisable)

Find a way to let the website visit our own server and get the real ip from the log

Use command execution loopholes, ssrf, etc.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.