Jump to content
Tuts 4 You

Getting passed cloudflare?


hotpockets

Recommended Posts

hotpockets

Hey, I was wondering if anyone here knew how to get passed cloudflare? I'm aware you can just get the original main IP, but that thing is hidden away. Even when trying to bypass it using subdomains.

Link to post

Depending on what software the server is running, there could be exploits, e.g. if they got some forum software where you can set your avatar by url, the server will connect to it and it could reveal the actual server ip. If they got a https image proxy, post an image, the server will crawl it as well.

I saw a lot people who fail to setup cf properly, so you can still get the IP with a mail / other subdomain dns entry, but i guess this wont be the case here, like you said :P

Link to post
hotpockets

Some people make it sound so easy. They brag about being able to bypass the cloudflare and accessing the main server with ease.

Link to post
4 hours ago, evo85 said:

Some people make it sound so easy. They brag about being able to bypass the cloudflare and accessing the main server with ease.

I wasn't bragging, I just told you the methods you COULD do to obtain the real server ip. If you would provide us the site URL i could tell you what you could do there, as it really depends on the target, what software it is running, how it is configured etc.

Link to post
hotpockets

Ah, I was not refering to you at all. I was talking about other members/social media when I would google this topic.

Link to post
  • 2 weeks later...

A few main ways I do it:

  • direct.site.com - this used to by default go to the original IP, many people forgot to remove it, cloudflare eventually caught onto this and change it, but if it's a site that's been using CF for a while they might still have this problem. 
  • Try looking for the mail server, dig site.com mx
  • Check for non-plain-HTTP services like game servers, websocket servers, video or audio streams, etc, and see if any of those IPs work 
  • Look for external grabbers, things that will download images from your own server for example
  • Figure out what provider they use, if they mention it somewhere, then blast their whole provider's subnet scanning until you find their webpage showing up when you send their host header - this won't work if the admins actually configure to only allow CF IPs but many don't bother
  • Check if the site is on CloudFlare Watch and check for historical IPs on domaintools, etc
  • if all else fails, there are several tools available which can be used to bruteforce DNS to find hidden subdomains, which might often reveal an original IP
  • Like 2
Link to post
  • 1 year later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...