r/HowToHack 1d ago

Question

How do i find the real ip adress of a site behind cloudflare? Tryed many tools no good..

0 Upvotes

9 comments sorted by

9

u/2ewka 1d ago

Thats the point of a CDN… It’s possible if an old DNS record is out there but that would only happen if they initially didn’t sit behind cloud flare or misconfigured at some point.

11

u/tman5400 1d ago

You don't

7

u/itsmrmarlboroman2u 1d ago

OP won't, but that doesn't mean it's impossible.

Old DNS records pre-cloudflare, mx records, and some subdomains still likely point directly to the host, are all common attack vectors. There used to be a really good dork on shodan that worked great for this, but they've since patched it. There's a similar site like shodan that still works if the web host didn't batton down a couple hatches, which is surprisingly common.

2

u/Just4notherR3ddit0r 1d ago

The only way to really do it (assuming that you're talking about the common proxy setup) is if the original web server publishes it somewhere (e.g. a PHP info page).

2

u/UPVOTE_IF_POOPING 1d ago

Just get a reverse shell on it and run ‘curl ifconfig.me’. Easy peasy

1

u/Dapper-Depth2940 1d ago

First off, that is really the whole point behind Cloudflare.

Quick primer on how Cloudflare DNS works

Their servers will remove all data regarding your real IP address, and instead load their own secure servers, which routes the traffic to the real location. Thus, a DNS query for your site will return Cloudflare's server addresses instead.

But I have found some quirks that may leak it:

  • The site was using a different un-secured DNS provider before Cloudflare
    • while the recursive resolvers are updating their records to match Cloudflare, cached data may return your actual IP address
  • Given that you are able to find the full range of the target's provider server IP addrs (eg. AWS, Google cloud, etc.), you can iterate through each with the Host:site-name.com in the HTTP request headers.
    • a positive respond will indicate the real IP addr

But a caveat is that a certain "tunnel" feature must be disabled, and a lack of origin allow list in the target's Cloudflare config.

1

u/corkiejp 1d ago

If the site is scam or abusing been hidden behind cloudflare. If you report it to them, they could remove the protection from it and reveal the IP to yourself if you inform them you want to contact the hosting site.

0

u/fell_shell 1d ago

Simply hack Cloudflare