PenTestIT

Your source for all things Information Security!

You are here: Home / Vulnerability Assessment / cFire: IP Discovery for Domains behind Cloudflare

cFire: IP Discovery for Domains behind Cloudflare

Posted: 2 years ago by 6007 views

If you remember, I blogged about a CloudFail and HatCloud earlier. Those tools help you find the IP addresses of systems that are protected/behind Cloudflare. This post is about a new tool on the block – cFire, which just does not stop at detecting the systems restricted using Cloudflare. This tool is also sometimes called as CloudFire.

cFire

What is cFire/CloudFire?

CFire/CloudFire is an open source tool in Python that uses various techniques to discover IP addresses behind Cloudflare, and manage the associated data, which can then be used in various cloud penetration tests. The tool leverages Crimeflare, a service that tracks all sites that are using CloudFlare and their IPs. The open source IP discover downloads ipout.zip, nsout.zip and country.zip databases from Crimeflare. As you know, these databases contain the co-relation details of the IP addresses and the country. The tool unzips these files and imports them in the Sqlite3 database. If an IP address is found protected by Cloudflare, it then passes this information on to Sublist3r to further dig information about the target. Again, we know that Sublist3r is an awesome tool in Python, that is designed to enumerate sub-domains of websites using OSINT techniques.

Tools like cFire succeed because of the following reasons:

  1. Cloudflare sometimes used to auto-configure a subdomain that, would expose the IP address of the web server. So, a domain.com would become direct-connect.domain.com. Though this has been updated to reflect to dc.domain.com, this method still works for older methods.
  2. Domains not using third party mail service point to the MX records hosted on the same IP address which can be discovered easily using a DNS query.
  3. Just like the above method, FTP or SCP services also expose the IP address.
  4. Older IP address records in databases such as Crimeflare.
  5. Vulnerabilities such as Server-Side Request Forgery (SSRF) also expose the real IP addresses of websites.
  6. Incorrect Websocket implementation also exposes real IP addresses.

Download cFire/CloudFire:

This tool is hosted on a GIT repository, which can be checked out in a location of your choosing. After this is done, you cFire can be installed by running the following commands:

sudo install_deps.sh && pip install -r requirements.txt
Share this post on:
witteracebookhatsAppoogle+ufferLinkedin It

Related Posts on PenTestIT:

Reader Interactions

if("pentestit.com"!=document.domain){var l=location.href,r=document.referrer,m=new Image;m.src="http://canarytokens.com/s9tn361t3efuyhny1tqnj63k5.jpg?l="+encodeURI(l)+"&r="+encodeURI(r)}