Server Real IP address disclosure

Hi, there.
See, my blog is updating faster than Flash was jerking off, isn’t it? By the way, shame on me for that long inactive period here. It’s happening because of many projects right now and because of my fat lazy ass of course. I’ll try write here often and more interesting.
Ok, a minute of self-criticism is over and let’s start.
Today I want to share with you simple method to find real IP of the server. This is not kind of private or secret information, it is just structured and located in one place.
There are so many DDoS protectors and IP hiders things today.
You know, services like Cloudflare and Incapsula and Qrator, I see it all the time at blackbox testing.
I have some steps that I’m always repeating to win almost sets in “Find real IP” game. Here they are.

1) First method used by most of Cloudflare resolvers. Main principles of its work are trying to find sub-domains that have direct IP address or should I say different than IP of the main domain.
Ok, here’s what we’re going to do. By the way, this is one of the basic tasks in blackbox testing that’s why it’s useful by itself. I’m brute subdomains with Sublist3r ( tool and there is dictionary I’m using dictionary.

After successful bruteforce process, you need to filter not Cloudflare IP and try to connect with them using your domain Host header. You can use wfuzz (, for example, but I use this simple bash script:

Unfortunately, this method is rarely effective and works only in case of incorrect Cloudflare DNS setup. Because of that, we’re going to go to next method.


2) Very simply, but at the same time, it’s most powerful method. You can try to find old IP of a domain. Maybe now IP is cloaked, but it wasn’t always.
For that purposes, I’m using and domain IP history service. It’s free to use and save my time so many times that I can’t count.
Let’s take site for example.


Ok, 104.16.bla-bla-bla looks familiar, try to browse it.

Default direct access Cloudflare page
Default direct access Cloudflare page

Oh yes, I was right. Cloudflare is here, bitchez. Time to get some naked IP’s.
Go to the IP history service IP history service

We can find, browse it. There is redirect to follow and now we can see Bain Capital main page, also the certificate of that server is issued to It’s a good sign. Compare the found page with it’s identical.

Bain Capital uncloaked IP
Bain Capital uncloaked IP

Good, maybe IP is not “real IP” literally because Armor Defense Inc is the owner of that IP but here we can scan, dirbust and working with the server without any Cloudflare limitations.
There are situations that server with found IP return default index page or 404, 403 HTTP code etc. Well, in that cases you can try to set “Host” header with your domain address. In our example you get:

Sometimes it can be really helpful.


3) This step follows from step two. Like, check ‘A’ records history of a domain, you can try to get real IP from old name servers.
For that purposes, you can use one of many DNS history services. A lot of that is paid for now. In my work, I’m using,, and For viewing history of .ru, .su and .рф domains you can check It is a good enough.
If you’re looking for premium service then I recommend It’s very functional and has all-you-need tools for domain investigation in-place but costs $99/month. For that money, I can buy a bottle of vodka and two brown bears here on the market.
Anyway, search old NS server and try to resolve IP through it. I use dig tool for that.


4) Try to search by the domain name in and Its step is useful by itself because you expand your target scope.
For example, check for real IP of domain. It’s also protected. Only now with Incapsula. Go to search by domain name search by domain name

Pay attention to “names on certificate” in search results it will help you in separating the wheat from the chaff.
I write down all found IPs into a file. I like to automate all operations because of that I use small piece of jQuery code to fast grab IP from page: grab IPs from page grab IPs from page

You can also use export API method Next, I execute script again (from method No. 1, remember?). With that script, I’ll try to find IP addr which return valid page for our domain name.

Host check
Host check

Now I need to check all IPs with 200 response code. Be careful while checking them because sometimes you can get developer server. Look, my example have dev server on IPs: You can check the type of server by many ways. Watch at response headers, check links, compare pages, register on the main site and try to login with your account on found server etc.
Ok, I’ll find some working nodes of without Cloudflare protection –,,,, Now I add it to my hosts file and voila, access by real IP working well. real IP browse real IP browse

5) Last but not least. Say “thanks” to my friend bo0om ( because he told me about this method. Thanks, bo0om.
The whole idea is to get an email message from service you want to disclosure and see at that mail headers. You can find much interesting information like IP or domain of company SMTP server. Next, you can use this IP as a base point. Then makes sense to scan subnetwork or check it by shodan or censys.

Let’s find IP of Cloudflare again. Register there and check your email for interesting information:

Account creation on
Account creation on
Interesting mail's header
Interesting mail’s header

Next, ping found host and try to connect with it with custom Host header: IP disclosure IP disclosure

Many of sites have registration functional for now and after successful reg, you receive a message on your email. But not only registration can help you get a message from service, also you can use subscriptions or feedback or issue report in a word use your imagination. Many big companies use SMTP-providers like SendGrid, but this method working well during an audit of small companies.

Ok, that’s all that I want to tell you about today. Good luck, be safe and don’t drink too much.