PenTestIT

Your source for all things Information Security!

CloudFail: Detect CloudFlare Secured Hosts!

Posted: 10 months ago by @pentestit 2746 views
Updated: September 1, 2017 at 11:54 am

Recently, we posted about HatCloud, a different tool which identifies CloudFlare protected IP addresses. This post is about CloudFail, a tool which detects CloudFlare protected hosts and then some more.

What is CloudFail?

CloudFail is an open source tool written in Python that uses misconfigured DNS and old database records to find hidden hosts behind the CloudFlare network. It also has an option for protecting your probes by routing the scan through the TOR network. When you first enter a target, it uses information from DNSDumpster to see whether the host, DNS or MX records are protected by CloudFlare. The target is then checked against a database saved from Crimeflare, which used to track malicious websites protected by the CloudFlare network. Finally, the target is scanned using a list of pre-defined sub-domains, which returns somewhat sensitive information about the target. On a well-configured target, this is what CloudFail returns:

# python cloudfail.py --target protected.com --no-tor
   ____ _                 _ _____     _ _ 
  / ___| | ___  _   _  __| |  ___|_ _(_) |
 | |   | |/ _ \| | | |/ _` | |_ / _` | | |
 | |___| | (_) | |_| | (_| |  _| (_| | | |
  \____|_|\___/ \__,_|\__,_|_|  \__,_|_|_|
    v1.0                        by m0rtem


[20:00:23] Initializing CloudFail - the date/time is: 21/06/2017 20:00:23
[20:00:23] Fetching initial information from: protected.com...
[20:00:23] Server IP: XXX.XXX.XXX.XXX
[20:00:23] Testing if protected.com is on the Cloudflare network...
[20:00:23] protected.com is part of the Cloudflare network!
[20:00:24] Testing for misconfigured DNS using dnsdumpster...
[20:00:25] [FOUND:HOST] protected.com XXX.XXX.XXX.XXX ASXXXXX Redacted 
[20:00:25] [FOUND:MX] XXX.XXX.XXX.XXX ASXXXXX Redacted 3 internal.protected.com.
[20:00:25] Scanning crimeflare database...
[20:00:26] Did not find anything.
[20:00:26] Scanning 2898 subdomains, please wait...
[20:08:16] [FOUND:SUBDOMAIN] FOUND: mail.protected.com ON CLOUDFLARE NETWORK!
[20:16:01] [FOUND:SUBDOMAIN] FOUND: www.protected.com ON CLOUDFLARE NETWORK!
[20:17:11] Scanning finished, we did not find anything sorry...

Hosts not protected by CloudFlare are also processed well:

# python cloudfail.py --target nocloudflare.com --no-tor
   ____ _                 _ _____     _ _ 
  / ___| | ___  _   _  __| |  ___|_ _(_) |
 | |   | |/ _ \| | | |/ _` | |_ / _` | | |
 | |___| | (_) | |_| | (_| |  _| (_| | | |
  \____|_|\___/ \__,_|\__,_|_|  \__,_|_|_|
    v1.0                        by m0rtem


[20:55:29] Initializing CloudFail - the date/time is: 21/06/2017 20:55:29
[20:55:29] Fetching initial information from: nocloudflare.com...
[20:55:29] Server IP: XXX.XXX.XXX.XXX
[20:55:29] Testing if nocloudflare.com is on the Cloudflare network...
[20:55:29] nocloudflare.com is not part of the Cloudflare network, quitting...

However, on a mis-configured domain, this is what we get:

# python cloudfail.py --target notprotected.com --no-tor
   ____ _                 _ _____     _ _ 
  / ___| | ___  _   _  __| |  ___|_ _(_) |
 | |   | |/ _ \| | | |/ _` | |_ / _` | | |
 | |___| | (_) | |_| | (_| |  _| (_| | | |
  \____|_|\___/ \__,_|\__,_|_|  \__,_|_|_|
    v1.0                        by m0rtem


[20:57:45] Initializing CloudFail - the date/time is: 21/06/2017 20:57:45
[20:57:45] Fetching initial information from: notprotected.com...
[20:57:45] Server IP: XXX.XXX.XXX.XXX
[20:57:45] Testing if notprotected.com is on the Cloudflare network...
[20:57:45] notprotected.com is part of the Cloudflare network!
[20:57:45] Testing for misconfigured DNS using dnsdumpster...
[20:57:50] [FOUND:HOST] dbadmin.notprotected.com  XXX.XXX.XXX.XXX ASXXXX BackConnect, Inc. Chile
[20:57:50] [FOUND:HOST] www.notprotected.com  XXX.XXX.XXX.XXX ASXXXXXX BackConnect, Inc. Chile
[20:57:50] [FOUND:HOST] irc.notprotected.com  XXX.XXX.XXX.XXX ASXXXXX Hetzner Online GmbH Germany
[20:57:50] [FOUND:HOST] mail.notprotected.com  XXX.XXX.XXX.XXX ASXXXX Coreix Ltd United Kingdom
[20:57:50] [FOUND:MX] XXX.XXX.XXX.XXX AS31708 Coreix Ltd 0 mail.notprotected.com.
[20:57:50] Scanning crimeflare database...
[20:57:51] [FOUND:IP] XXX.XXX.XXX.XXX
[20:57:51] Scanning 2898 subdomains, please wait...
[20:59:58] [FOUND:SUBDOMAIN] FOUND: dev.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 401
[21:07:43] [FOUND:SUBDOMAIN] FOUND: mail.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
[21:08:50] [FOUND:SUBDOMAIN] FOUND: news.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
[21:09:14] [FOUND:SUBDOMAIN] FOUND: old.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 401
[21:14:16] [FOUND:SUBDOMAIN] FOUND: static.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
[21:14:19] [FOUND:SUBDOMAIN] FOUND: support.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
[21:15:58] [FOUND:SUBDOMAIN] FOUND: webmail.notprotected.com IP: XXX.XXX.XXX.XXX HTTP: 200
[21:16:39] [FOUND:SUBDOMAIN] FOUND: www.notprotected.com ON CLOUDFLARE NETWORK!
[21:17:20] Scanning finished...

Looks good!
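For a domain owner reviewing this kind of output, the useful question is which records point outside the CloudFlare network. The following is an added example, not part of CloudFail or the original post: it parses log lines in the shape shown above and lists the names whose IP falls outside a snapshot of CloudFlare's IPv4 ranges. The sample log, `example.com` names, AS numbers and documentation IPs are constructed, and the range list is an assumption that should be refreshed from CloudFlare's published list.

```python
import ipaddress
import re

# Snapshot of Cloudflare IPv4 ranges (assumption: may be stale, refresh
# from Cloudflare's published list before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

IP = r"\d+(?:\.\d+){3}"
# Line shapes follow the CloudFail v1.0 output shown in the post.
PATTERNS = {
    "HOST": re.compile(rf"\[FOUND:HOST\]\s+(?P<name>\S+)\s+(?P<ip>{IP})"),
    "MX": re.compile(rf"\[FOUND:MX\]\s+(?P<ip>{IP})\s.*\s(?P<name>\S+?)\.?\s*$"),
    "SUBDOMAIN": re.compile(
        rf"\[FOUND:SUBDOMAIN\] FOUND: (?P<name>\S+) IP: (?P<ip>{IP})"),
}

def behind_cloudflare(ip):
    """True if the address falls inside one of the listed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def exposed_records(log_text):
    """Return sorted (name, ip, kind) tuples whose IP is outside Cloudflare."""
    found = set()
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m and not behind_cloudflare(m["ip"]):
                found.add((m["name"], m["ip"], kind))
    return sorted(found)

# Constructed sample log (hypothetical names, RFC 5737 documentation IPs).
SAMPLE_LOG = """\
[20:57:50] [FOUND:HOST] dbadmin.example.com  203.0.113.10 AS64500 ExampleNet Chile
[20:57:50] [FOUND:HOST] www.example.com  104.16.1.1 AS13335 Cloudflare United States
[20:57:50] [FOUND:MX] 198.51.100.25 AS64501 ExampleHost 0 mail.example.com.
[20:59:58] [FOUND:SUBDOMAIN] FOUND: dev.example.com IP: 203.0.113.10 HTTP: 401
[21:16:39] [FOUND:SUBDOMAIN] FOUND: www.example.com ON CLOUDFLARE NETWORK!
"""

if __name__ == "__main__":
    for name, ip, kind in exposed_records(SAMPLE_LOG):
        print(f"{kind:<9} {name:<22} {ip}  (not behind Cloudflare)")
```

Each name it lists is a record to move behind the proxy, remove from DNS, or firewall so that it accepts traffic only from CloudFlare.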

Download CloudFail:

CloudFail v1.0 can be checked out from the Git repository here. There are no complex Python dependencies either. Just beautifulsoup4, bs4, certifi, chardet, colorama, idna, requests and urllib3.
