【11 ways to bypass CDN and find the real IP】

SecBooks/[Public account article] bypass/11 ways to bypass CDN and find the real IP.md at main

---

💻Collection search tools + analysis🔧

🔗【 ❤️ Download ❤️ 】

---

[method 1:]

It's very simple. Use various ping services from multiple places to check whether the corresponding IP address is unique. If it is not unique, it is probably because you are using a CDN. The ping websites from multiple places are:

[Method 2:]

Use nslookup for detection, the principle is the same as above. If the returned domain name resolution corresponds to multiple IP addresses, it is likely that a CDN is used. Examples of CDNs:

Note: After collecting the subdomain names, try to resolve the main site with an IP that is not on the CDN, and the real IP is successfully obtained.

[Method 3: Cyberspace engine search method]

Common ones include the previous Zhong Kui Eye, shodan, and fofa searches. Taking fofa as an example, you only need to enter: title: "title keyword of the website" or body: "body characteristics of the website" to find out the IP domain names with these keywords included in fofa. In many cases, the real IP of the website can be obtained , as shown in the figure:

[Method 4: Use SSL certificate to find the real original IP]

Use given domain name

If you host a service on xyz123boot.com, the original server IP is 136.23.63.44. CloudFlare will provide you with DDoS protection, web application firewall and other security services to protect your services from attacks. To do this, your web server must support SSL and have a certificate, and the communication between CloudFlare and your At this point, if an attacker scans 0.0.0.0/0, which is the entire Internet, they can obtain a valid certificate on xyz123boot.com on port 443 and thus obtain the web server IP provided to you.

Currently, the Censys tool can scan the entire Internet. Censys is a new search engine used to search for network device information. Security experts can use it to evaluate the security of their implementation solutions, and hackers can use it as early detection. A powerful tool for attacking targets and collecting target information. The Censys search engine is capable of scanning the entire Internet. Censys scans the IPv4 address space every day to search for all networked devices and collect related information, and returns an overall report on the configuration and deployment information of resources (such as devices, websites, and certificates).

The only thing an attacker needs to do is translate the textual search terms described above into actual search query parameters.

The search query parameters for the xyz123boot.com certificate are: parsed.names: xyz123boot.com

The query parameter to display only valid certificates is: tags.raw:trusted

An attacker can achieve the combination of multiple parameters on Censys, which can be done by using simple Boolean logic.

The combined search parameters are: parsed.names: xyz123boot.com and tags.raw: trusted

Censys will show you all standard certificates found in the scan that match the search criteria above.

To view these search results one by one, an attacker can open a drop-down menu containing multiple tools by clicking "Explore" on the right. What's using this certificate? > IPv4 Hosts

At this point, the attacker will see a list of IPv4 hosts using a specific certificate, but the real original IP is hidden within it.

You can verify this by navigating to the IP on port 443 and see if it redirects to xyz123boot.com? Or does it display the website directly on the IP?

Use the given SSL certificate

If you are a law enforcement officer and want to find a child pornography website hidden under cheesecp5vaogohv.onion. The best way to do it is to find its original IP, so that you can track the server it is hosted on, and even find out the operator and financial clues behind it.

The hidden service has an SSL certificate, to find the IPv4 host it uses, just paste the "SHA1 fingerprint" (the sha1 value of the signing certificate) into the Censys IPv4 host search and you will find the certificate. You can easily find misconfigured ones using this method. Web server.

[Method 5: Use HTTP headers to find the real original IP]

With a platform like SecurityTrails, anyone can search for their target in the vast amount of big data, and even find the origin server by comparing HTTP headers.

Especially when the user has a very special server name and software name, it becomes easier for attackers to find you.

If there is a considerable amount of data to be searched, as mentioned above, an attacker can combine search parameters on Censys. Suppose you are sharing your server HTTP headers with 1500 web servers, all sending the same combination of header parameters and values. And you also send unique HTTP headers using the new PHP framework (for example: X-Generated-Via:XYZ framework), which is currently used by about 400 webmasters. For the final intersection of three servers, the IP can be found by manual operation, and the whole process only takes a few seconds.

For example, the search parameters on Censys for matching server headers are 80.http.get.headers.server: and the parameters for finding sites served by CloudFlare are as follows:

80.http.get.headers.server:cloudflare

[Method 6: Use the content returned by the website to find the real original IP]

If the original server IP also returns the content of the website, then a large amount of relevant data can be searched online.

Browse the website source code and look for unique snippets of code. Using third-party services with access or identifier parameters in JavaScript (e.g. Google Analytics, reCAPTCHA) is a method often used by attackers.

Here is an example of the Google Analytics tracking code taken from the HackTheBox website:

ga('create','UA-93577176-1','auto');
Censys data can be filtered by body/source using the 80.http.get.body: parameter. Unfortunately, the normal search field has limitations, But you can request research access at Censys, which allows you to run more powerful queries through Google BigQuery.

Shodan is a service similar to Censys that also provides http.html search parameters.

[Method 7: Use a foreign host to resolve domain names]

Many domestic CDN manufacturers only provide domestic lines for various reasons, and there may be almost no foreign lines. At this time, we may be able to obtain the real IP by using a foreign host to access directly.

[Method 8: Find website vulnerabilities]

1) Target sensitive files are leaked, such as probes such as phpinfo, GitHub information leaks, etc.
2) XSS blind typing, command execution rebound shell, SSRF, etc.
3) Whether using social engineering or other means, obtain the CDN account of the target website administrator, and then find the real IP of the website from the CDN configuration.

[Method 9: Website email subscription search]

RSS email subscription, many websites come with sendmail, which will send emails to us. At this time, if you check the email source code, it will contain the real IP of the server.

[Method 10: Use Zmap to scan the entire network]

We need to find the real IP of the xiaix.me website. We first obtain the IP segment from apnic, then use Zmap's banner-grab to scan out hosts with port 80 open for banner grabbing, and finally write xiaix.me in the Host in http-req.

[Method 11: F5 LTM decoding method]

When the server uses F5 LTM for load balancing, the real IP can also be obtained by decoding the set-cookie keyword, for example: Set-Cookie: BIGipServerpool_8.29_8030=487098378.24095.0000, first put the decimal number in the first section, which is 487098378 Take it out, and then convert it to the hexadecimal number 1d08880a, and then from back to front, take out the four digits, which is 0a.88.08.1d, and finally convert them to the decimal number 10.136.8.29, that is This is the final real IP.