This short post is about HatCloud, an open source tool coded in Ruby that helps you find the IP addresses of websites that are protected by CloudFlare. You know why would you need the real IP addresses right?
The tool is quiet simple, needs just net/http, open-uri, json, socket and optparse. It leverages CrimeFlare to get the IP address behind CloudFlare and then uses ipinfo.io to get more information about the IP address. It sends a HTTP POST with your input via the cfS parameter to http://www.crimeflare.com/cgi-bin/cfsearch.cgi
To run it, you simply pass arguments to it in the following manner:
ruby hatcloud.rb -b websiteaddress.com
It works good for resources protected by CloudFlare, but messes up when the resource is NOT behind CloudFlare. An example is:
ruby hatcloud.rb -b google.com [+] Site analysis: google.com [+] CloudFlare IP is 22.214.171.124 [+] Real IP is [+] Hostname: YOUR-PUBLIC-HOSTNAME [+] City: YOUR-LOCATION [+] Region: YOUR-REGION [+] Location: YOUR-LOCATION [+] Organization: YOUR-NETWORK-PROVIDER
The Ruby script does not have any error checks for such conditions. It should atleast look for “Search aborted — these are not CloudFlare-user nameservers” and abort further tasks. But, it ends up going to the index page of ipinfo.io which prints your host information. Infact, this problem has also been reported to the author. Hope the developer fixes this in the future versions.
HatCloud v1.0 can be downloaded here.