├── README.md
└── cloudsub
    ├── cloudsub.php
    └── style.css

/README.md:
--------------------------------------------------------------------------------

**This is the full algorithm for detecting the real IP behind Cloudflare**

![Cloudflare Failed](https://image.ibb.co/c1vw6x/cloudflare.png)

1) Subdomain brute force (https://github.com/aboul3la/Sublist3r), https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration and
https://github.com/Elsfa7-110/Sfa7sub

2) sslyze (get the SSL certificate and its information about other domains, then extract their IPs and compare them with our domain in order to get the real IP)
https://github.com/iSECPartners/sslyze

3) Send an email to a wrong address such as dddddd@domain.com and wait for the answer, then inspect the headers and extract the IP

4) DNS enumeration: https://github.com/mandatoryprogrammer/cloudflare_enum (works fine, exports CSV) (1038@p33.org login and 1038@p33.org password)

5) List of Cloudflare nameservers: http://www.crimeflare.info/cfnsdump.html,
http://www.crimeflare.com/cfs.html. Get the information from these databases and work with it (use it to resolve the real IP)

6) Can be helpful: https://github.com/SageHack/cloud-buster and https://github.com/hasanemrebeyy/cloudflare-resolver

7) Get the domain's history of IP changes (https://github.com/neocorv/rdns.py), extract it and check

8) Visit https://webresolver.nl/tools/cloudflare and check their API, then integrate it, as long as they have a database for resolving

9) Look at https://github.com/m0rtem/CloudFail to see if we missed something (DNSDumpster.com)

10) Go to https://www.netcraft.com/ and look at the domain history - we can find it from there.
(https://github.com/PaulSec/API-netcraft.com)

11) https://github.com/danneu/cloudflare-ip Cloudflare range

12) Check the DNS of the subdomain - it can give us the real DNS and IP
http://support.simpledns.com/kb/a196/how-to-delegate-a-sub-domain-to-other-dns-servers.aspx

13) https://builtwith.com/relationships/lol.com Look up other domains, get their IPs and try those IPs on the domain of interest

Find all alternative services similar to Cloudflare and list them in the issues so they will be added.

14) https://github.com/vulnz/cloudflare/tree/master/cloudsub Simple Subdomain IP resolver

15) https://github.com/pirate/sites-using-cloudflare Check in this list (CloudBleed)

Example of an **OK** header from Cloudflare:

(lol.com)

HTTP/1.1 200 OK
Date: Thu, 27 Jul 2017 23:31:20 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: __cfduid=d842d0725fb36d19e5e633eb675960d5e1501198280; expires=Fri, 27-Jul-18 23:31:20 GMT; path=/; domain=.lol.com; HttpOnly
Last-Modified: Sun, 18 Mar 2012 16:28:13 GMT
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 38536443d38f56bd-IAD

**BAD** request example (ebanoe.it)

HTTP/1.1 503 Service Temporarily Unavailable
Date: Thu, 27 Jul 2017 23:45:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: __cfduid=d6061892dab2231d5c139577a0719f9101501199155; expires=Fri, 27-Jul-18 23:45:55 GMT; path=/; domain=.ebanoe.it; HttpOnly
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache
X-Content-Type-Options: nosniff
Server: cloudflare-nginx
CF-RAY: 385379a323175693-IAD

Headers sent using dog.py (recondog)

--------------------------------------------------------------------------------
/cloudsub/cloudsub.php:
--------------------------------------------------------------------------------
Simple Cloudflare Subdomain resolver
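Seen from the defender's side, items 1, 3, 11 and 12 of the README all come down to DNS records in your own zone that point past the proxy. The following added example (not part of this repository; the zone data, hostnames and the `audit_zone` helper are constructed, and the range list is a partial snapshot) audits an exported zone for such records:

```python
import ipaddress

# Assumption: partial snapshot of Cloudflare's published IPv4 ranges; load the
# current full list from https://www.cloudflare.com/ips/ before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13",
)]

# Constructed zone export as (name, type, value); non-edge addresses use the
# 203.0.113.0/24 documentation range.
SAMPLE_ZONE = [
    ("example.test", "A", "104.16.10.1"),
    ("www.example.test", "A", "104.16.10.2"),
    ("ftp.example.test", "A", "203.0.113.10"),
    ("mail.example.test", "A", "203.0.113.10"),
    ("example.test", "MX", "mail.example.test"),
    ("example.test", "NS", "ns1.edge-dns.test"),
    ("dev.example.test", "NS", "ns1.other-dns.test"),
]


def behind_cloudflare(ip):
    """True if the address falls inside one of the listed edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def audit_zone(records, apex):
    """Return (name, type, value, reason) for each record that bypasses the proxy."""
    direct = {}  # hostname -> A-record addresses outside the edge ranges
    for name, rtype, value in records:
        if rtype == "A" and not behind_cloudflare(value):
            direct.setdefault(name, []).append(value)
    findings = []
    for name, rtype, value in records:
        if rtype == "A" and value in direct.get(name, []):
            findings.append((name, rtype, value, "resolves outside the edge ranges"))
        elif rtype == "MX" and value in direct:
            findings.append((name, rtype, value, "mail host is not proxied"))
        elif rtype == "NS" and name != apex:
            findings.append((name, rtype, value, "subdomain delegated to other DNS"))
    return findings


if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE, "example.test"):
        print("%-18s %-3s %-20s %s" % finding)
```

Each flagged record is a candidate for proxying, for moving to separate infrastructure, or for an origin firewall rule that accepts web traffic only from the edge ranges.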