How to use CloudFail

Carder

Cloudflare is, as many have heard, protection for your servers against DDoS. More precisely, it is a buffer between the user and the site. It works like a reverse proxy and provides additional services: page caching, protection from people who run DDoS attacks, protection from bad bots, and so on. In particular, Cloudflare hides the true IP address of the server hosting your website.

So if Cloudflare is configured correctly, the real IP address of your site is never revealed or recorded anywhere. But let's be honest: how many people do you know who always do everything right? For this reason there are tools that look for mistakes in your Cloudflare setup. One of these programs is CloudFail, which we will talk about in this article.

What is CloudFail and how does it work?

Let's start with the fact that each site can have subdomains of the form *.site.ua, where different values can be substituted for the asterisk, for example:

- www.site.ua

- kiev.site.ua

- forum.site.ua

- and so on

And there can be a lot of such subdomains. There is also an important point: each subdomain can have its own IP address.

In other words, name servers allow you to specify an IP address (or several addresses at once) for site.ua, a different IP address for www.site.ua, a different IP address for kiev.site.ua, and so on.

So there may be a situation where the DNS records for site.ua point to a Cloudflare IP address, but the DNS record for the subdomain www.site.ua points to a different IP address that is not behind Cloudflare.

In the end, an IP address is revealed which:

- may turn out to be the real IP address of the site;

- or is the IP address of that subdomain only, but still gives us information about the owner or a hint for further research.

We can't just get a list of all subdomains at once, so we have to try various candidates. This is exactly what CloudFail implements:

- various subdomain names are tried from a wordlist;

- if there is a DNS record for the subdomain, we get the IP address for it;

- it then checks whether the received IP is in the Cloudflare range (i.e. whether it is protected by Cloudflare or not).

With this trick it is quite often possible to find IP addresses that are not protected by Cloudflare. It is important to note that we are assuming the IP addresses of subdomains belong to or are associated with the owner of the main site. This is usually true, but always remember that in the DNS record of a subdomain the owner of the main domain can specify any IP address, even one that does not belong to him. A candidate IP is only worth anything once you have confirmed that the site actually answers on it, for example by sending a request to that IP with the site's Host header.
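To make the three steps above concrete, here is an added example in Python that is not CloudFail's own code: it brute-forces subdomain names from a wordlist, resolves each one, and classifies the result by whether the IP falls inside Cloudflare's published IPv4 ranges (the list embedded below is a snapshot of https://www.cloudflare.com/ips-v4 and must be refreshed before real use, just as CloudFail refreshes its own copy with -u). The resolver is passed in as a function so the example runs offline against a constructed fake zone; swap in `system_resolver` to query real DNS. The dnsdumpster lookup that CloudFail also performs is not reproduced here.

```python
"""Subdomain brute force with a Cloudflare-range check (added example, not CloudFail code)."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: this list is current; refresh it before relying on the result.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]

Resolver = Callable[[str], List[str]]
Result = Tuple[str, str, bool]  # (hostname, ip, behind_cloudflare)


def is_cloudflare(ip: str) -> bool:
    """True if the address lies inside one of the Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    # An IPv6 address is never "in" an IPv4 network, so it is simply reported as not Cloudflare.
    return any(addr in net for net in CF_NETS)


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver; an empty list means no A record exists."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []


def target_is_cloudflare(domain: str, resolve: Resolver = system_resolver) -> bool:
    """The scan is only meaningful if the main domain itself sits behind Cloudflare."""
    ips = resolve(domain)
    return bool(ips) and all(is_cloudflare(ip) for ip in ips)


def enumerate_subdomains(domain: str, words: Iterable[str],
                         resolve: Resolver = system_resolver) -> List[Result]:
    """Try each word as a subdomain; keep every host that has a DNS record."""
    results: List[Result] = []
    for word in words:
        host = f"{word}.{domain}"
        for ip in resolve(host):  # no record -> empty list -> nothing appended
            results.append((host, ip, is_cloudflare(ip)))
    return results


def candidate_origins(results: List[Result]) -> List[Tuple[str, str]]:
    """Hosts whose IP is NOT in the Cloudflare range: possible real server addresses."""
    return [(host, ip) for host, ip, behind_cf in results if not behind_cf]


# Constructed fake DNS zone so the example runs offline (all values are made up;
# 104.16.1.1 sits in a Cloudflare range, the other two use documentation prefixes).
FAKE_ZONE = {
    "site.ua": ["104.16.1.1"],
    "www.site.ua": ["104.16.1.1"],
    "forum.site.ua": ["203.0.113.10"],
    "mail.site.ua": ["198.51.100.25"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_ZONE.get(host, [])


WORDS = ["www", "forum", "mail", "kiev", "dev"]  # a tiny stand-in for subdomains.txt


def demo(domain: str = "site.ua", resolve: Resolver = fake_resolver) -> List[Result]:
    if not target_is_cloudflare(domain, resolve):
        return []  # same early stop CloudFail makes when the target is not on Cloudflare
    return enumerate_subdomains(domain, WORDS, resolve)


if __name__ == "__main__":
    for host, ip, behind_cf in demo():
        status = "Cloudflare" if behind_cf else "NOT Cloudflare (candidate origin)"
        print(f"{host:20} {ip:16} {status}")
```

Against the fake zone, www.site.ua is reported as Cloudflare-protected (useless for finding the origin), while forum.site.ua and mail.site.ua come back as candidate origins, which is exactly the red/green distinction CloudFail prints. Replace `fake_resolver` with `system_resolver` and `WORDS` with a real wordlist to run it for real.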

How to install CloudFail

To install on Ubuntu, Kali Linux, Debian, Linux Mint and so on, execute the following commands:

- sudo apt update (refresh the package lists)

- sudo apt install python3-pip git tor (install the required components)

- git clone https://github.com/m0rtem/CloudFail (clone the app from GitHub)

- cd CloudFail/ (go into the cloned directory)

- sudo pip3 install -r requirements.txt (install CloudFail's Python dependencies)

- python3 cloudfail.py -h (check that the app runs)

- sudo python3 cloudfail.py -u (on the first and subsequent launches, update the app: the list of Cloudflare IP addresses is refreshed, as well as the CrimeFlare database containing known IP addresses for some sites)

- sudo systemctl start tor (if you want the program to work over the Tor network, start the Tor service)

- sudo systemctl enable tor (you can also add Tor to startup, so you don't need to start the service after every reboot)

How to use CloudFail

This program has only one mandatory option, -t, after which you specify the site name. Information about all CloudFail options

The program comes with a wordlist (the subdomains.txt file) used to try possible subdomains from a dictionary. If you want to use a custom dictionary, specify it with the -s option. The dictionary file must be located in the data folder.

For example, if we want to get data for the site site.ua, the startup command looks like this:

python3 cloudfail.py -t site.ua

The line "is part of the Cloudflare network!" tells us that the site is protected by Cloudflare. If this were not the case, the scan would stop at this point, since it would be meaningless.

The line "Testing for misconfigured DNS using dnsdumpster" tells us that CloudFail is searching for known hosts (subdomains) associated with the analyzed site. This data is taken from dnsdumpster.


A red line says that a subdomain was found, but its IP is protected by Cloudflare, so it is useless for determining the real IP.

A green line indicates that the IP address of the found host is not protected by Cloudflare. Therefore it may be the real IP address of the site, provided you verify that the site actually answers there.

What can be done with these IP addresses now?

- they are not protected by Cloudflare's DDoS filtering;

- scan them with nmap to learn about weaknesses;

- use metasploit, and it may be possible to get inside the web application;

- and so on.

From this article you now understand how important it is to check your site after adding it to Cloudflare. Experienced attackers know about these shortcomings and misconfigurations that occur when Cloudflare is added to a site. The fix is to make sure every DNS record for the domain goes through Cloudflare and that the origin server itself only accepts connections from Cloudflare's IP ranges, so a leaked address is of no use.