This is Full Algorithm on Detection of Real IP behind Cloudflare
-
subdomain bruteforce ( https://github.com/aboul3la/Sublist3r ) and https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration & https://github.com/Elsfa7-110/Sfa7sub
-
sslyzer ( get ssl cert and info about other domains and extract their ip comparing with our domain in order to get real ip) https://github.com/iSECPartners/sslyze
-
send email to wrong [email protected] email and wait for answer, get info about header and extract ip
-
dns enumiration https://github.com/mandatoryprogrammer/cloudflare_enum (works fine, extracts csv) ( [email protected] login and [email protected] password)
-
LIST of cloudflare ns http://www.crimeflare.info/cfnsdump.html , http://www.crimeflare.com/cfs.html get info about this bases and work with it ( use to resolve real ip)
-
Can be helpful https://github.com/SageHack/cloud-buster and https://github.com/hasanemrebeyy/cloudflare-resolver
-
Get domain history of ip changing https://github.com/neocorv/rdns.py , extract it and check
-
access https://webresolver.nl/tools/cloudflare this website and check their api, after integrate it as long as they having database for resolvation
-
https://github.com/m0rtem/CloudFail look here in order to see if we missed something ( DNSDumpster.com )
-
Go to https://www.netcraft.com/ and see domain history - we can find it from there. ( https://github.com/PaulSec/API-netcraft.com )
-
https://github.com/danneu/cloudflare-ip cloudflare range
-
CHECK dns of subdomain - it can give us real DNS and IP http://support.simpledns.com/kb/a196/how-to-delegate-a-sub-domain-to-other-dns-servers.aspx
-
https://builtwith.com/relationships/lol.com lookup other domains,get their IP and try this ip on interested domain
find all alternative services as cloudflare and list them in issues so they will be added.
-
https://github.com/vulnz/cloudflare/tree/master/cloudsub Simple Subdomain IP resolver
-
https://github.com/pirate/sites-using-cloudflare Check in this list CloudBleed
Example of OK header from cloudflare:
(lol.com)
HTTP/1.1 200 OK Date: Thu, 27 Jul 2017 23:31:20 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive Set-Cookie: __cfduid=d842d0725fb36d19e5e633eb675960d5e1501198280; expires=Fri, 27-Jul-18 23:31:20 GMT; path=/; domain=.lol.com; HttpOnly Last-Modified: Sun, 18 Mar 2012 16:28:13 GMT Vary: Accept-Encoding Server: cloudflare-nginx CF-RAY: 38536443d38f56bd-IAD
BAD request example (ebanoe.it)
HTTP/1.1 503 Service Temporarily Unavailable Date: Thu, 27 Jul 2017 23:45:55 GMT Content-Type: text/html; charset=UTF-8 Connection: close Set-Cookie: __cfduid=d6061892dab2231d5c139577a0719f9101501199155; expires=Fri, 27-Jul-18 23:45:55 GMT; path=/; domain=.ebanoe.it; HttpOnly X-Frame-Options: SAMEORIGIN Cache-Control: no-cache X-Content-Type-Options: nosniff Server: cloudflare-nginx CF-RAY: 385379a323175693-IAD
headers send using dog.py ( recondog)