Here I will share with you what I have used and tried that helped in getting real IP address/Info of websites hiding behind Cloudflare.
Cloudflare is one of the fastest-growing CDN provider powering more than 16 Million websites. having both free and premium service to speed up, optimize & secure websites.
Using Cloudflare makes your website get masked with Cloudflare proxy, so visitors won’t be hitting your naked website.
But, if you are doing recon as a security researcher on any target website and you discovered the site hides behind Cloudflare WAF.
Uncovering the site main IP address and accessing it can really help in testing.
Let’s dive right in.
SecurityTrails To Uncover IP/INFO powered by Cloudflare
SecurityTrails is a good platform with up to date, huge domain information.
They are doing great work over there. if you are Sec Researcher, Pentester or Bug Hunter. you can check their domain reconnaissance data out.
Now let us Uncover the IP of a domain I own, which I moved to Cloudflare last month, first let us do DNS Lookup.
As you can see the records is showing Cloudflare IP and CloudFlare name server.
Lets check who host this chrome extension, it also points us to CloudFlare,
Let’s check CrimeFlare, it will show us if the site is being hosted on Cloudflare and it will find us the IP.
Well, Crimeflare can’t find the website IP address also, so this domain is masked. But how then do I get this website IP?
Here comes the rescuer, SecurityTrails,
Go to SecurityTrails.com. enter the domain of the website you are doing recon on, and navigate to the Historical data of the domain.
This is where you will see the movement and the journey of the domain. The Domain IP/ Hosting provider details and many more.
Here is an example with my personal domain,
I bought the domain from Namecheap and I hosted the site on Firebase using Firebase Hosting Services.
I believe you can see the Namecheap LLC and the IP address of the domain name from start.
And that Fastly IP address you are seeing is the IP address I got from Firebase. Which I inserted in my website domain DNS settings, so I can point my domain to my hosted website on Firebase.
I don’t know why it’s showing Fastly instead of Firebase, maybe there is some inside partnership between Firebase and Fastly, who knows.
Furtherly, you see the data changed to DigitalOcean, LLC. Yes, this is when I moved my website from Firebase to Netlify.
And Netlify seems to rests on DigitalOcean and some other available Cloud. but I think their Netlify Edge is Self-hosted by them.
Finally, the records changed to Cloudflare. by now you should have an idea of where the website is being hosted and some information about the website.
Lets further our recon by checking the Nameserver records(NS),
As you can see here, it started with “dns2.registrar-servers.com“, “dns1.registrar-servers.com“.
This is the name server used by Namecheap. but if you don’t know the owner of the NS you get from your own recon, you can always turn to google for help.
Using the keyword “who owns <ns name>” and you will have a head point of which domain or hosting platform that owns the NS.
Furtherly, the records changed to porkbun, yeah I moved my domain to porkbun. as you can see the NS changed again. its is now showing Netlify NS, before finally showing that I have moved to Cloudflare.
I believe by now, you should have all data you might need about a website that’s behind Cloudflare proxy.
CrimeFlare To Uncover IP/INFO powered by Cloudflare
The above method shows that CrimeFlare was unable to get the Website IP address. but this doesn’t apply to all websites, and as you can see CrimeFlare is a straight forward revealer.
It will point you the real IP address, nothing like Records on how things changed.
So always try CrimeFlare before moving to other solutions.
Because if CrimeFlare can get the IP address for you straight. you don’t need the long digging of record data like SecurityTrails
Using CLI tools to Uncover IP/INFO hiding behind Cloudflare
There are also some tools/script written to help reveal the automate this process here are some handy ones
Conclusion
There are tools to help in finding website origin IP address.
These guide can be handy for a security researcher in testing.
It will also help people in identifying the Hosting platform or domain provider of any website that’s behind Cloudflare.
Are you on the defensive side? you can always protect your website Origin server using the Cloudflare Argo Tunnel. Don’t let someone bypass Cloudflare protection and misuse your origin server!