Information Gathering Techniques
Let’s take a look at one of the popular resolvers, cloudflare-watch.org. It contains a list of around 381,314 domains that have recently shifted to CloudFlare, and they are actively testing it.
The people behind cloudflare-watch.org believe that CloudFlare was started for the purpose of helping “bad guys” such as hackers, DDoSers, and copyright pirates. Here is what they say on their homepage:
CloudFlare is a venture-funded startup that routes around Internet abuse by acting as a reverse proxy. They also encourage illegality by allowing hackers, DDoSers, cyber-bullies, and copyright pirates to hide behind their servers.
All you need to do is go to the following URL and type your domain name and click on “Search”:
http://www.cloudflare-watch.org/cfs.html
A direct-connect IP address is found in the database. If you compare this IP address with the one we get when we ping the website, the two will be different.
On navigating to http://199.47.222.125, we find that this particular webserver belongs to Page.ly, which is the real web hosting company for attack-secure.com.
Ethical Hacking and Penetration Testing Guide
Method 2: Subdomain Trick
Most people don’t configure CloudFlare properly. Their main domain would have a CloudFlare IP
address, but the subdomains will point to the real IP address.
For example:
attack-secure.com—Pointing to 173.245.61.19
Cpanel.attack-secure.com—Pointing to the real IP address 199.47.222.125
ftp.attack-secure.com—Pointing to the real IP address 199.47.222.125
forums.attack-secure.com—Pointing to the real IP address 198.199.81.93
In the same way, we can use other subdomains to find the real IP address of a website behind CloudFlare.
Alternatively, you can find scripts and tools online that use the same trick to figure out the real IP address. One such automated script I found was coded in PHP. Here is the output: