Tuts 4 You

Getting passed cloudflare?

evo85

Hey, I was wondering if anyone here knew how to get past Cloudflare? I'm aware you can just get the original main IP, but that thing is hidden away, even when trying to bypass it using subdomains.

A200K

Depending on what software the server is running, there could be exploits, e.g. if they have some forum software where you can set your avatar by URL, the server will connect to it and that could reveal the actual server IP. If they have an HTTPS image proxy, post an image and the server will crawl it as well.

I saw a lot of people who failed to set up CF properly, so you can still get the IP from a mail or other subdomain DNS entry, but I guess this won't be the case here, like you said :P

evo85

Some people make it sound so easy. They brag about being able to bypass Cloudflare and access the main server with ease.

A200K
4 hours ago, evo85 said:

Some people make it sound so easy. They brag about being able to bypass Cloudflare and access the main server with ease.

I wasn't bragging; I just told you the methods you COULD use to obtain the real server IP. If you provided us the site URL, I could tell you what you could do there, as it really depends on the target: what software it is running, how it is configured, etc.

evo85

Ah, I was not referring to you at all. I was talking about other members and social media posts I found when I googled this topic.

cynent

A few main ways I do it:

  • direct.site.com - this used to go to the original IP by default; many people forgot to remove it. Cloudflare eventually caught on to this and changed it, but if it's a site that's been using CF for a while they might still have this problem.
  • Try looking for the mail server: dig site.com mx
  • Check for non-plain-HTTP services like game servers, websocket servers, video or audio streams, etc., and see if any of those IPs work.
  • Look for external grabbers, things that will download images from your own server, for example.
  • Figure out what provider they use, if they mention it somewhere, then scan their whole provider's subnet until you find their webpage showing up when you send their host header - this won't work if the admins actually configure the origin to only allow CF IPs, but many don't bother.
  • Check if the site is on CloudFlare Watch and check for historical IPs on domaintools, etc.
  • If all else fails, there are several tools available which can be used to bruteforce DNS to find hidden subdomains, which might often reveal an original IP.
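The defensive counterpart to the list above, as an added example that is not code from this thread or from any poster: an origin server that only honours requests arriving from the CDN's edge ranges closes the host-header-scanning and direct-hit paths, and a zone-owner audit catches the forgotten `direct.`/mail records that leak the origin address. The edge ranges, the sample zone and the origin address 192.0.2.10 are constructed placeholders; a real deployment loads the provider's published range list and refreshes it. The `CF-Connecting-IP` header is the one Cloudflare sets with the real client address.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed placeholder ranges standing in for the CDN's published edge
# address list. A real deployment loads that list from the provider and
# refreshes it on a schedule; these documentation-range values only make
# the example runnable offline.
TRUSTED_EDGE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("198.51.100.0/24", "203.0.113.0/24", "2001:db8:1::/48")
]


def is_trusted_edge(remote_ip: str, ranges: Optional[Iterable] = None) -> bool:
    """True if the TCP peer address belongs to one of the trusted edge ranges."""
    nets = TRUSTED_EDGE_RANGES if ranges is None else list(ranges)
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # an unparsable peer address is never trusted
    return any(addr in net for net in nets)


def effective_client_ip(remote_ip: str, headers: Dict[str, str]) -> Optional[str]:
    """Decide how the origin should treat an incoming request.

    Returns the client address to attribute the request to, taken from the
    CF-Connecting-IP header, but only when the TCP peer is a trusted edge.
    Returns None when the request must be rejected: a direct hit on the
    origin (peer outside the edge ranges) or a missing/invalid header.
    Trusting the header without the peer check would let anyone spoof it.
    """
    if not is_trusted_edge(remote_ip):
        return None
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    forwarded = lowered.get("cf-connecting-ip")
    if forwarded is None:
        return None
    try:
        return str(ipaddress.ip_address(forwarded.strip()))
    except ValueError:
        return None


def find_origin_exposures(zone: List[Tuple[str, str, str]],
                          origin_ips: Set[str]) -> List[Tuple[str, str]]:
    """Zone-owner audit: return (name, rtype) for every record whose data is
    an origin address, i.e. a record that bypasses the proxy and reveals it."""
    return [(name, rtype) for name, rtype, data in zone if data in origin_ips]


# Constructed sample zone for the audit; 192.0.2.10 plays the origin server.
SAMPLE_ZONE = [
    ("example.com", "A", "198.51.100.20"),       # proxied: points at an edge address
    ("www.example.com", "CNAME", "example.com"),
    ("direct.example.com", "A", "192.0.2.10"),   # forgotten direct record
    ("mail.example.com", "A", "192.0.2.10"),     # MX target hosted on the origin
    ("example.com", "MX", "mail.example.com"),
]

if __name__ == "__main__":
    for peer, hdrs in [("198.51.100.7", {"CF-Connecting-IP": "192.0.2.9"}),
                       ("192.0.2.55", {"CF-Connecting-IP": "192.0.2.9"})]:
        print(peer, "->", effective_client_ip(peer, hdrs))
    print("exposed:", find_origin_exposures(SAMPLE_ZONE, {"192.0.2.10"}))
```

In practice the peer check belongs in the web server or firewall (an allowlist of the edge ranges on port 443), with this header logic as a second layer in the application; the zone audit runs against an export of your own DNS zone, which an outsider does not have.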
