Recently, we posted about HatCloud, a different tool which identifies CloudFlare-protected IP addresses. This post is about CloudFail, a tool which detects CloudFlare-protected hosts and then some more.
What is CloudFail?
CloudFail is an open source tool written in Python that uses misconfigured DNS and old database records to find hidden hosts behind the CloudFlare network. It also has an option to route its scanning through the Tor network. When you first enter a target, it uses information from DNSDumpster to see whether the host, DNS or MX records are protected by CloudFlare. The target is then checked against a saved copy of the Crimeflare database, which used to track malicious websites protected by the CloudFlare network. Finally, the target is scanned using a list of pre-defined sub-domains, which returns somewhat sensitive information about the target. On a well-configured target, this is what CloudFail returns:
    # python cloudfail.py --target protected.com --no-tor
      ____ _                 _ _____     _ _
     / ___| | ___  _   _  __| |  ___|_ _(_) |
    | |   | |/ _ \| | | |/ _` | |_ / _` | | |
    | |___| | (_) | |_| | (_| |  _| (_| | | |
     \____|_|\___/ \__,_|\__,_|_|  \__,_|_|_|
        v1.0                        by m0rtem
    [20:00:23] Initializing CloudFail - the date/time is: 21/06/2017 20:00:23
    [20:00:23] Fetching initial information from: protected.com...
    [20:00:23] Server IP: XXX.XXX.XXX.XXX
    [20:00:23] Testing if protected.com is on the Cloudflare network...
    [20:00:23] protected.com is part of the Cloudflare network!
    [20:00:24] Testing for misconfigured DNS using dnsdumpster...
    [20:00:25] [FOUND:HOST] protected.com XXX.XXX.XXX.XXX ASXXXXX Redacted
    [20:00:25] [FOUND:MX] XXX.XXX.XXX.XXX ASXXXXX Redacted 3 internal.protected.com.
    [20:00:25] Scanning crimeflare database...
    [20:00:26] Did not find anything.
    [20:00:26] Scanning 2898 subdomains, please wait...
    [20:08:16] [FOUND:SUBDOMAIN] FOUND: mail.protected.com ON CLOUDFLARE NETWORK!
    [20:16:01] [FOUND:SUBDOMAIN] FOUND: www.protected.com ON CLOUDFLARE NETWORK!
    [20:17:11] Scanning finished, we did not find anything sorry...
Hosts not protected by CloudFlare are also processed well:
    # python cloudfail.py --target nocloudflare.com --no-tor
      ____ _                 _ _____     _ _
     / ___| | ___  _   _  __| |  ___|_ _(_) |
    | |   | |/ _ \| | | |/ _` | |_ / _` | | |
    | |___| | (_) | |_| | (_| |  _| (_| | | |
     \____|_|\___/ \__,_|\__,_|_|  \__,_|_|_|
        v1.0                        by m0rtem
    [20:55:29] Initializing CloudFail - the date/time is: 21/06/2017 20:55:29
    [20:55:29] Fetching initial information from: nocloudflare.com...
    [20:55:29] Server IP: XXX.XXX.XXX.XXX
    [20:55:29] Testing if nocloudflare.com is on the Cloudflare network...
    [20:55:29] nocloudflare.com is not part of the Cloudflare network, quitting...
However, on a mis-configured domain, this is what we get:
    # python cloudfail.py --target notprotected.com --no-tor
      ____ _                 _ _____     _ _
     / ___| | ___  _   _  __| |  ___|_ _(_) |
    | |   | |/ _ \| | | |/ _` | |_ / _` | | |
    | |___| | (_) | |_| | (_| |  _| (_| | | |
     \____|_|\___/ \__,_|\__,_|_|  \__,_|_|_|
        v1.0                        by m0rtem
    [20:57:45] Initializing CloudFail - the date/time is: 21/06/2017 20:57:45
    [20:57:45] Fetching initial information from: notprotected.com...
    [20:57:45] Server IP: XXX.XXX.XXX.XXX
    [20:57:45] Testing if notprotected.com is on the Cloudflare network...
    [20:57:45] notprotected.com is part of the Cloudflare network!
    [20:57:45] Testing for misconfigured DNS using dnsdumpster...
    [20:57:50] [FOUND:HOST] dbadmin.notprotected.com XXX.XXX.XXX.XXX ASXXXX BackConnect, Inc. Chile
    [20:57:50] [FOUND:HOST] www.notprotected.com XXX.XXX.XXX.XXX ASXXXXXX BackConnect, Inc. Chile
    [20:57:50] [FOUND:HOST] irc.notprotected.com XXX.XXX.XXX.XXX ASXXXXX Hetzner Online GmbH Germany
    [20:57:50] [FOUND:HOST] mail.notprotected.com XXX.XXX.XXX.XXX ASXXXX Coreix Ltd United Kingdom
    [20:57:50] [FOUND:MX] XXX.XXX.XXX.XXX AS31708 Coreix Ltd 0 mail.notprotected.com.
    [20:57:50] Scanning crimeflare database...
    [20:57:51] [FOUND:IP] XXX.XXX.XXX.XXX
    [20:57:51] Scanning 2898 subdomains, please wait...
    [20:59:58] [FOUND:SUBDOMAIN] FOUND: dev.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 401
    [21:07:43] [FOUND:SUBDOMAIN] FOUND: mail.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
    [21:08:50] [FOUND:SUBDOMAIN] FOUND: news.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
    [21:09:14] [FOUND:SUBDOMAIN] FOUND: old.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 401
    [21:14:16] [FOUND:SUBDOMAIN] FOUND: static.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
    [21:14:19] [FOUND:SUBDOMAIN] FOUND: support.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
    [21:15:58] [FOUND:SUBDOMAIN] FOUND: webmail.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
    [21:16:39] [FOUND:SUBDOMAIN] FOUND: www.notprotected.com ON CLOUDFLARE NETWORK!
    [21:17:20] Scanning finished...
Looks good!
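When you run the tool against your own zone, the [FOUND:...] lines carrying a non-CloudFlare address are the records to fix (proxy them, or move the service to an address that is not shared with the origin). The following is an added example, not part of CloudFail or of the original post: it parses output in the format shown above and lists hosts that resolve outside CloudFlare. The function names, the sample log (documentation addresses and ASNs, hypothetical hostnames) and the choice of a subset of CloudFlare's published ranges are assumptions.

```python
import ipaddress
import re

# Subset of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips/
# (refresh from that list before relying on a result).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "198.41.128.0/17", "173.245.48.0/20", "141.101.64.0/18", "108.162.192.0/18")]

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Line shapes taken from the CloudFail v1.0 output shown above.
PATTERNS = {
    "HOST": re.compile(r"\[FOUND:HOST\] (?P<name>\S+) " + IP),
    "MX": re.compile(r"\[FOUND:MX\] " + IP + r" .* (?P<name>\S+?)\.?$"),
    "SUBDOMAIN": re.compile(r"\[FOUND:SUBDOMAIN\] FOUND: (?P<name>\S+) IP: " + IP),
}

# Constructed sample log: documentation addresses/ASNs, hypothetical hostnames.
SAMPLE_LOG = """\
[20:57:50] [FOUND:HOST] dbadmin.example.test 192.0.2.10 AS64500 Example Hosting
[20:57:50] [FOUND:HOST] www.example.test 104.16.1.1 AS13335 Cloudflare
[20:57:50] [FOUND:MX] 198.51.100.7 AS64501 Example Mail Ltd 0 mail.example.test.
[20:59:58] [FOUND:SUBDOMAIN] FOUND: dev.example.test IP: 203.0.113.5 HTTP: 401
[21:07:43] [FOUND:SUBDOMAIN] FOUND: mail.example.test IP: 198.51.100.7 HTTP: 200
[21:16:39] [FOUND:SUBDOMAIN] FOUND: www.example.test ON CLOUDFLARE NETWORK!
"""

def is_cloudflare(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return any(addr in net for net in CLOUDFLARE_NETS)

def exposed_hosts(log_text):
    """Map hostname -> {"ips", "sources"} for records that resolve outside Cloudflare."""
    findings = {}
    for line in log_text.splitlines():
        for source, pattern in PATTERNS.items():
            m = pattern.search(line.strip())
            if not m:
                continue  # includes "ON CLOUDFLARE NETWORK!" and redacted lines
            try:
                if is_cloudflare(m["ip"]):
                    continue
            except ValueError:
                continue  # digits that do not form a valid IPv4 address
            entry = findings.setdefault(m["name"], {"ips": set(), "sources": set()})
            entry["ips"].add(m["ip"])
            entry["sources"].add(source)
    return findings

if __name__ == "__main__":
    for name, info in sorted(exposed_hosts(SAMPLE_LOG).items()):
        print(name, sorted(info["ips"]), sorted(info["sources"]))
```

A host reported by more than one source, such as a mail host that appears both as an MX target and as a subdomain, is merged into a single entry so each record is fixed once.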
Download CloudFail:
CloudFail v1.0 can be checked out from the Git repository here. There are no complex Python dependencies either: just beautifulsoup4, bs4, certifi, chardet, colorama, idna, requests and urllib3.