Server Real IP address disclosure
Hi, there.
See, my blog is updating faster than Flash was jerking off, isn’t it? By the way, shame on me for that long inactive period here. It’s happening because of many projects right now and because of my fat lazy ass of course. I’ll try write here often and more interesting.
Ok, a minute of self-criticism is over and let’s start.
Today I want to share with you simple method to find real IP of the server. This is not kind of private or secret information, it is just structured and located in one place.
There are so many DDoS protectors and IP hiders things today.
You know, services like Cloudflare and Incapsula and Qrator, I see it all the time at blackbox testing.
I have some steps that I’m always repeating to win almost sets in “Find real IP” game. Here they are.
1) First method used by most of Cloudflare resolvers. Main principles of its work are trying to find sub-domains that have direct IP address or should I say different than IP of the main domain.
Ok, here’s what we’re going to do. By the way, this is one of the basic tasks in blackbox testing that’s why it’s useful by itself. I’m brute subdomains with Sublist3r (https://github.com/aboul3la/Sublist3r) tool and there is dictionary I’m using https://github.com/allyshka/vhostbrute/blob/master/vhosts_full.list dictionary.
After successful bruteforce process, you need to filter not Cloudflare IP and try to connect with them using your domain Host header. You can use wfuzz (https://github.com/xmendez/wfuzz), for example, but I use this simple bash script:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | #!/bin/bash display_usage() { echo "This script check connection to list of URLs with specified host." echo -e "\nUsage:\n$0 ipsfile hostname\n" echo -e "\nExample:\n$0 moz-com.list moz.com\n" } if [ $# -le 1 ] then display_usage exit 1 fi while read -r line; do response_http=$(curl -H "Host: $2" --connect-timeout 5 --write-out "code: %{http_code}, length: %{size_download}, redirect: %{redirect_url}" --silent --output /dev/null -k http://$line) response_https=$(curl -H "Host: $2" --connect-timeout 5 --write-out "code: %{http_code}, length: %{size_download}, redirect: %{redirect_url}" --silent --output /dev/null -k https://$line) echo "HTTP: $line response [ $response_http ]" echo "HTTPS: $line response [ $response_https ]" done < "$1" |
Unfortunately, this method is rarely effective and works only in case of incorrect Cloudflare DNS setup. Because of that, we’re going to go to next method.
2) Very simply, but at the same time, it’s most powerful method. You can try to find old IP of a domain. Maybe now IP is cloaked, but it wasn’t always.
For that purposes, I’m using http://viewdns.info/iphistory/ and http://ptrarchive.com/ domain IP history service. It’s free to use and save my time so many times that I can’t count.
Let’s take https://www.baincapital.com/ site for example.
Ok, 104.16.bla-bla-bla looks familiar, try to browse it.
Oh yes, I was right. Cloudflare is here, bitchez. Time to get some naked IP’s.
Go to the http://viewdns.info/iphistory/?domain=baincapital.com
We can find 162.218.138.176, browse it. There is redirect to https://162.218.138.176 follow and now we can see Bain Capital main page, also the certificate of that server is issued to baincapital.com. It’s a good sign. Compare the found page with https://baincapital.com it’s identical.
Good, maybe IP is not “real IP” literally because Armor Defense Inc is the owner of that IP but here we can scan, dirbust and working with the server without any Cloudflare limitations.
There are situations that server with found IP return default index page or 404, 403 HTTP code etc. Well, in that cases you can try to set “Host” header with your domain address. In our example you get:
1 | curl -H "Host: www.baincapital.com" https://162.218.138.176 -k |
Sometimes it can be really helpful.
3) This step follows from step two. Like, check ‘A’ records history of a domain, you can try to get real IP from old name servers.
For that purposes, you can use one of many DNS history services. A lot of that is paid for now. In my work, I’m using http://dnstrails.com/, http://dnshistory.org/, and http://whoisrequest.com/history/. For viewing history of .ru, .su and .рф domains you can check http://www.whoishistory.ru/. It is a good enough.
If you’re looking for premium service then I recommend https://whois.domaintools.com/. It’s very functional and has all-you-need tools for domain investigation in-place but costs $99/month. For that money, I can buy a bottle of vodka and two brown bears here on the market.
Anyway, search old NS server and try to resolve IP through it. I use dig tool for that.
1 | dig @old.ns.server.pes.com pes.com |
4) Try to search by the domain name in https://censys.io and https://shodan.io. Its step is useful by itself because you expand your target scope.
For example, check for real IP of https://moz.com domain. It’s also protected. Only now with Incapsula. Go to https://censys.io/ipv4?q=moz.com:
Pay attention to “names on certificate” in search results it will help you in separating the wheat from the chaff.
I write down all found IPs into a file. I like to automate all operations because of that I use small piece of jQuery code to fast grab IP from page:
1 | $('span.ip a').each(function(n,e){console.log($(e).prop("href").split("v4/")[1])}) |
You can also use export API method https://censys.io/api/v1/docs/export. Next, I execute host.sh script again (from method No. 1, remember?). With that script, I’ll try to find IP addr which return valid page for our domain name.
Now I need to check all IPs with 200 response code. Be careful while checking them because sometimes you can get developer server. Look, my example have dev server on IPs: 209.249.132.146. You can check the type of server by many ways. Watch at response headers, check links, compare pages, register on the main site and try to login with your account on found server etc.
Ok, I’ll find some working nodes of moz.com without Cloudflare protection – 209.249.132.129, 209.249.132.153, 209.249.132.135, 209.249.132.151, 209.249.132.142. Now I add it to my hosts file and voila, access by real IP working well.
5) Last but not least. Say “thanks” to my friend bo0om (https://bo0om.ru) because he told me about this method. Thanks, bo0om.
The whole idea is to get an email message from service you want to disclosure and see at that mail headers. You can find much interesting information like IP or domain of company SMTP server. Next, you can use this IP as a base point. Then makes sense to scan subnetwork or check it by shodan or censys.
Let’s find IP of https://shop.eurovision.tv. Cloudflare again. Register there and check your email for interesting information:
Next, ping found host and try to connect with it with custom Host header:
Many of sites have registration functional for now and after successful reg, you receive a message on your email. But not only registration can help you get a message from service, also you can use subscriptions or feedback or issue report in a word use your imagination. Many big companies use SMTP-providers like SendGrid, but this method working well during an audit of small companies.
Ok, that’s all that I want to tell you about today. Good luck, be safe and don’t drink too much.
Rajiv
October 20, 2016 @ 9:14 am
yesterday i was searching about finding the real ip address of information gathering on particular server . In the morning, when i see the newsfeed, your article was shown
Many thanks .. 🙂
vicky
March 12, 2019 @ 5:03 pm
very good post loved and very informative