View the IP address of a website behind CloudFlare

As a cybersecurity professional, you sometimes need to find the real IP address of a website that uses Cloudflare as a security layer.

Reverse proxy services, like Cloudflare, are like bodyguards for websites. They not only make websites faster and safer, but they also help keep the true identity of the website a secret. Cyberwarzone.com has been using it for years now.

If you want to find out where a website is hosted when it’s protected by Cloudflare, you need to become a bit of a detective. You’ll have to look for clues that might have been left behind by mistake.

Toolkit

| Tool | Description |
| --- | --- |
| NMAP dns-brute script | Enumerate (sub)domains with Nmap. Use it to get a listing of potentially interesting (sub)domains. |
| WhoIS7.ru | Use it to retrieve WhoIS information |
| Dig | Quickly retrieve A and MX records |
| Alvosec XML-RPC guide | Get WordPress IP address with XML-RPC |
| VirusTotal and URLscan | Both platforms can be used to get IP information and domain history. |
| CrimeFlare | This tool by ZidanSec helps you to find IP addresses of CloudFlare protected sites |

7 Tools to help you find the real IP address behind CloudFlare protected sites

Use DNS records

Start by checking the website’s DNS records. Think of these as the footprints that the website leaves behind. You can use tools like Whois or Dig to look up these records.

Subdomains

Websites often have little siblings called subdomains. These are like different sections of the same site. You can try to guess their names or use tools to find them.

You can use a tool like Nmap with a special script or just use tools that can help you list subdomains.
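Site owners can run the same DNS and subdomain checks against their own zone before anyone else does. The following is an added example, not code from the original article: it reads a constructed zone export for a hypothetical example.com and flags every record that resolves outside Cloudflare's IPv4 ranges. The range list is a snapshot of the ranges Cloudflare publishes at cloudflare.com/ips-v4 and should be refreshed before real use.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (cloudflare.com/ips-v4); refresh before real use.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed zone export for a hypothetical example.com (documentation IPs stand in for the origin).
ZONE = """\
example.com.        300 IN A     104.16.1.10
www.example.com.    300 IN A     104.16.1.10
mail.example.com.   300 IN A     203.0.113.10
dev.example.com.    300 IN A     203.0.113.10
ftp.example.com.    300 IN CNAME dev.example.com.
example.com.        300 IN MX    10 mail.example.com.
"""

def behind_cloudflare(ip):
    """True if the address falls inside one of the Cloudflare ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def parse_zone(text):
    """Return ({name: [ips]} for A records, [(name, type, target)] for CNAME/MX records)."""
    a_records, aliases = {}, []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        name, rtype = f[0].rstrip(".").lower(), f[3]
        if rtype == "A":
            a_records.setdefault(name, []).append(f[4])
        elif rtype in ("CNAME", "MX"):
            aliases.append((name, rtype, f[-1].rstrip(".").lower()))
    return a_records, aliases

def find_origin_leaks(text):
    """List (name, record type, ip) for every record that exposes a non-Cloudflare address."""
    a_records, aliases = parse_zone(text)
    leaks = [(n, "A", ip) for n, ips in a_records.items() for ip in ips if not behind_cloudflare(ip)]
    for name, rtype, target in aliases:
        leaks += [(name, rtype, ip) for ip in a_records.get(target, []) if not behind_cloudflare(ip)]
    return sorted(leaks)

if __name__ == "__main__":
    for name, rtype, ip in find_origin_leaks(ZONE):
        print(f"{name:20} {rtype:6} -> {ip}  (not proxied; exposes origin)")
```

Every flagged record is a candidate for proxying, for moving to a separate host, or for an origin firewall rule that only accepts traffic from Cloudflare's ranges.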

Web Applications

In some cases, web applications are installed. These might provide the real IP address. So keep an eye out for them and learn more about the Web Application as soon as you find one.

WordPress XML-RPC

You can find an IP address by making XML-RPC pingback calls. In WordPress, there’s a feature called pingback that lets one website tell another website when they’ve added a link to it. You can use this function of WordPress to get the actual IP address of the domain you are trying to identify. Alvosec provided a nice guide on how to do this.

Alvosec script for XML-RPC to get WordPress IP

VirusTotal

This platform thrives on crowdsourced intelligence, and the information you want can be accessed for free. Go to VirusTotal and search for the domain you want. Once you have the report open, navigate to the ‘Relations’ tab. There you will find a history of IP addresses bound to the specific domain you searched for.

VirusTotal Relations tab showing DNS history.

URLscan

Another tool you should try is the URLscan.io platform. It is also free, and with some luck, the domain might have been indexed before it got protected by Cloudflare. Navigate to URLscan.io and use the following search query to quickly get the info you want.

page.domain:[REPLACE_ME_WITH_THE_DOMAIN]
Search for the domain on URLscan.io

CrimeFlare

You can also try the CrimeFlare tool created by ZidanSec. You simply visit the website, provide the domain and you will get an IP address back. You can also download it from GitHub.


So here you have it, a collection of tools that you can use to identify the real IP address behind a Cloudflare protected website. If this guide has helped you, please do share it around.

Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
