Bypassing CloudFlare Part 1

Courtesy of gf2juatsqdph6x2h.onion

There are many ways to locate the backend IP of a site using CloudFlare, here is one way.
CloudFlare only acts as a reverse proxy between the client and the server, although there are many ways to reveal the backend IP to run uninterrupted scans.

The most common way is by finding a subdomain that hosts the webapp and isn't behined cloudflare, this is bad and lazy implementation of the service and can instantly be undermined. Although by running a subbrute even if you don't find the backend location of the webapp you might still find a mail or admin server.

For this example we will use knock, a neat little subbruter written in python that comes with a default subdomain wordlist of around 2000. Since this tool isn't out of the box on some major pentesting distros you might need to download it, also make sure you have python installed.
:~$ python --version
:~$ git clone https://github.com/guelfoweb/knock knock (then enter that directory)
:~$ python knock.py domain.com

Common subdomain leakers are ftp,mail,email,adm,admin,dev

Here is an example of a website that is owned by the second richest man in the world:
blueorigin.com and www.blueorigin.com are both behind CloudFlare:

http://blueorigin.com [302] HTTPServer[cloudflare-nginx],
IP[104.20.30.25],
RedirectLocation[https://www.blueorigin.com],
UncommonHeaders[cf-ray],
cloudflare

But au.blueorigin.com leaks 23.21.219.158 - now you can run a scan and find what you couldn't from scanning through CloudFlare like php info disclosure at 23.21.219.158/static/phpinfo.php or
Emails found:
rachel.h.kraft@nasa.gov
candrea.k.thomas@nasa.gov
mike@hyperreal.org
michael.j.braukus@nasa.gov
kevinh@kevcom.com
gwen@griffincg.com
astronauts@blueorigin.com
jobs@blueorigin.com
brooke@griffincg.com