Find Real IP behind CloudFlare with CloudSnare Python Script

CloudFlare is one of the most popular CDN providers. It offers a complete package of WAF (Web Application Firewall) and DDoS (Distributed Denial of Service) protection for websites.

List of Features –

  • Stop attacks directed at a website
  • Dynamically modify content in order to improve performance
  • Insert applications into web pages
  • Provide rich analytics on all the requests to your website
  • Automatically determine what objects are static and cacheable at the network’s edge without any user configuration
  • Provide a network gateway between protocols like IPv6 / IPv4
  • Make installing SSL flexible and one-click easy
  • Original Server IP Masking
    etc

With the help of CloudFlare, you can easily hide your original server's hosting IP address, whether it's IPv4 or IPv6. You can set up your domain with CloudFlare in less than 5 minutes with no code changes required. They have more than 100 data centers around the world, which helps your site load faster.

But there is one website (http://www.crimeflare.com/cfs.html) which claims that it can easily find the original IP behind any CloudFlare service. CrimeFlare also maintains a database of IPs that appear to have been exposed.

Functionality –

When you use the CloudFlare service, an SSL/TLS certificate is automatically registered by CloudFlare for your domain. This means that traffic going to your site is initially encrypted when it hits CloudFlare's servers. In order to maintain a trusted certificate, you must prove to some degree that you are the owner of a domain.

This burden of proof and trust mechanism makes it easy to associate true server IPs with CloudFlare-protected domains. By utilizing large data sets that have been scraped from the Internet, it's possible to find non-CloudFlare servers by associating previously generated certificates with live hosts.

Find Real IP with the help of Censys.io –

Censys.io is a great resource that relies on data sets from Scans.io. Both are incredible repositories of information that have been gathered by scanning the Internet at regular intervals. There are multiple types of scans from DNS and FTP to HTTP/HTTPS scans of all public IPv4 space. Censys has graciously offered a public API for researchers to use. We are going to use the scraped certificates from across the Internet to identify potential servers hiding behind CloudFlare.

Steps to configure Censys.io –

First, register a free account on Censys.io.

Verify the newly created account by email. (You can use any mail service provider.)

Then go to My Account, where you'll see a section named API Credentials. Note down both the API ID and the Secret ID.

Download the CloudSnare script, which is written in Python, and edit the file to add your API ID and Secret ID.

Finally, install the censys package:

Command: pip install censys

Now run the CloudSnare script:

Command: python cloudsnare.py website.com

Mitigation –

You should restrict inbound traffic to your HTTP/HTTPS ports and only allow connections from CloudFlare IPs. If you are worried about CloudFlare changing IP space, you can use your host's default domain while registering certificates, so the certificate on the origin server does not name the protected domain.
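One way to apply and verify this restriction, as an added example that is not part of the original article or of CloudSnare. It builds allow-then-drop firewall rules from a CIDR list and flags access-log entries that reached the origin without passing through the CDN. The CIDR list is a small illustrative subset that may be stale, the log lines are constructed, and the function names are hypothetical.

```python
import ipaddress

# Illustrative subset of CloudFlare's published ranges (assumption: may be
# stale; load the current published list before deploying).
SAMPLE_CF_RANGES = ["173.245.48.0/20", "104.16.0.0/13", "2606:4700::/32"]


def build_rules(cidrs, ports=(80, 443)):
    """Return iptables/ip6tables commands: accept listed ranges, drop the rest."""
    dports = ",".join(str(p) for p in ports)
    match = f"-A INPUT -p tcp -m multiport --dports {dports}"
    rules = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)  # raises ValueError on a malformed entry
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} {match} -s {net} -j ACCEPT")
    # Close both address families, even if one has no allowed ranges;
    # otherwise the origin stays reachable over the forgotten family.
    for tool in ("iptables", "ip6tables"):
        rules.append(f"{tool} {match} -j DROP")
    return rules


def is_allowed(src_ip, cidrs):
    """True if src_ip falls inside one of the allowed ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(
        addr in net
        for net in map(ipaddress.ip_network, cidrs)
        if net.version == addr.version
    )


def direct_hits(log_lines, cidrs):
    """Peer IPs (first log field) of requests that did not come via the CDN.

    Assumes the first field is the TCP peer address, not a forwarded header.
    """
    peers = [line.split()[0] for line in log_lines if line.strip()]
    return [ip for ip in peers if not is_allowed(ip, cidrs)]


if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE_CF_RANGES)))
    # Constructed sample log lines; 203.0.113.7 is a documentation address.
    sample = ['104.16.1.1 - - "GET / HTTP/1.1" 200',
              '203.0.113.7 - - "GET / HTTP/1.1" 200']
    print(direct_hits(sample, SAMPLE_CF_RANGES))
```

Any address returned by `direct_hits` before the rules are applied is a client that already knows the origin IP, so the rules should be in place before relying on IP masking.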

Reference – http://www.chokepoint.net/
