- Courtesy of gf2juatsqdph6x2h.onion
- There are many ways to locate the backend IP of a site that sits behind CloudFlare; here is one of them.
- CloudFlare only acts as a reverse proxy between the client and the origin server. The origin still has its own public IP, and once you have it you can scan it directly without CloudFlare filtering or rate-limiting the traffic.
- The most common way is to find a subdomain that hosts the same web app but is not behind CloudFlare. That is a lazy deployment of the service and undermines it instantly. Even if a subdomain brute-force does not turn up the backend for the web app itself, it will often find a mail or admin server on the same infrastructure. Confirm any candidate IP by requesting the site from it directly with the original Host header: a subdomain can live on a separate box that has nothing to do with the fronted app.
- For this example we will use knock, a small subdomain brute-forcer written in Python that ships with a default wordlist of around 2000 entries. It is not preinstalled on the major pentesting distros, so you may need to download it; make sure Python is installed first.
- :~$ python --version
- :~$ git clone https://github.com/guelfoweb/knock knock
- :~$ cd knock
- :~$ python knock.py domain.com
- Common subdomain leakers are ftp, mail, email, adm, admin and dev.
- Here is an example of a website that is owned by the second richest man in the world:
- blueorigin.com and www.blueorigin.com are both behind CloudFlare:
- http://blueorigin.com [302] HTTPServer[cloudflare-nginx], IP[104.20.30.25], RedirectLocation[https://www.blueorigin.com], UncommonHeaders[cf-ray], cloudflare
- But au.blueorigin.com resolves to 23.21.219.158, which is not a CloudFlare address. Scanning that host directly finds what a scan through CloudFlare would not, such as the PHP info disclosure at 23.21.219.158/static/phpinfo.php, or
- Emails found:
- rachel.h.kraft@nasa.gov
- candrea.k.thomas@nasa.gov
- mike@hyperreal.org
- michael.j.braukus@nasa.gov
- kevinh@kevcom.com
- gwen@griffincg.com
- astronauts@blueorigin.com
- jobs@blueorigin.com
- brooke@griffincg.com
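The procedure above, as an added example (not knock's code and not part of the original paste): resolve a short list of candidate subdomains, mark each answer as proxied or direct by checking it against a snapshot of CloudFlare's published IPv4 ranges (assumed current; refresh it from https://www.cloudflare.com/ips-v4 before relying on it), and build the Host-header probe used to confirm that a direct IP really serves the fronted site. The sample records are constructed to mirror the numbers quoted above; names such as classify and probe_origin are this example's own.

```python
import ipaddress
import socket
import sys

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: this list is current; the ranges change over time, so refresh it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# The prefixes named in the post; a real run would use knock's ~2000-entry wordlist.
COMMON_PREFIXES = ["www", "ftp", "mail", "email", "adm", "admin", "dev", "au"]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside one of the Cloudflare ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def resolve_subdomains(domain: str, prefixes) -> dict:
    """Resolve each candidate subdomain; returns {fqdn: [ipv4, ...]} for names that exist."""
    found = {}
    for prefix in prefixes:
        fqdn = f"{prefix}.{domain}"
        try:
            _, _, addrs = socket.gethostbyname_ex(fqdn)
        except socket.gaierror:
            continue  # NXDOMAIN or no A record
        if addrs:
            found[fqdn] = addrs
    return found


def classify(records: dict):
    """Split resolved hosts into Cloudflare-fronted ones and ones exposing a direct IP."""
    proxied, leaked = {}, {}
    for fqdn, addrs in records.items():
        direct = [a for a in addrs if not is_cloudflare_ip(a)]
        if direct:
            leaked[fqdn] = direct
        else:
            proxied[fqdn] = addrs
    return proxied, leaked


def build_vhost_probe(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request for a candidate origin IP. The Host header makes the origin
    serve the Cloudflare-fronted vhost instead of its default site, which is the check
    that the leaked IP really belongs to the target."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: origin-check\r\nConnection: close\r\n\r\n").encode()


def probe_origin(ip: str, host: str, path: str = "/", timeout: float = 5.0):
    """Connect straight to ip:80, send the probe, return the status line or None on failure."""
    try:
        with socket.create_connection((ip, 80), timeout=timeout) as sock:
            sock.sendall(build_vhost_probe(host, path))
            return sock.recv(1024).split(b"\r\n", 1)[0].decode(errors="replace")
    except OSError:
        return None


# Constructed sample mirroring the numbers quoted in the post (not a live lookup).
SAMPLE_RECORDS = {
    "www.blueorigin.com": ["104.20.30.25"],
    "au.blueorigin.com": ["23.21.219.158"],
}

if __name__ == "__main__":
    # With a domain argument this does real DNS lookups; without one it uses the sample.
    records = resolve_subdomains(sys.argv[1], COMMON_PREFIXES) if len(sys.argv) > 1 else SAMPLE_RECORDS
    proxied, leaked = classify(records)
    for fqdn, addrs in proxied.items():
        print(f"[cloudflare] {fqdn} -> {', '.join(addrs)}")
    for fqdn, addrs in leaked.items():
        print(f"[direct]     {fqdn} -> {', '.join(addrs)}")
```

Run it as `python find_origin.py blueorigin.com` to resolve the prefixes live, or with no argument to classify the sample. For each `[direct]` hit, `probe_origin(ip, "www.blueorigin.com")` sends the Host-header request; a status line for the real site (rather than a default page or a connection refusal) is what separates the actual origin from an unrelated host that merely shares the domain.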