Automate finding the IP address of a website behind Cloudflare

calfcrusher
Published in System Weakness
2 min read, Nov 8, 2022

Hello fellow hackers, today I want to show you how to automate discovery of the origin IP of sites behind Cloudflare, using Censys and the CloudFlair tool.

Why this?

Cloudflare is a global network designed to make everything you connect to the Internet secure, private, fast, and reliable. It acts as a reverse proxy, CDN, load balancer, WAF and so on. For bounty hunters it is useful to try to discover the origin IP of a site behind Cloudflare in order to evade the WAF!

Sometimes you can’t get an XSS payload to work because of the Cloudflare WAF, so if we discover the origin IP our way to heaven will be easier, because we bypass Cloudflare entirely!

Before starting, you need to register an account on Censys (https://search.censys.io) and get your API ID and secret.

Then get the CloudFlair tool: https://github.com/christophetd/CloudFlair

Let’s start!

# Run Nuclei on subdomains

nuclei -list subdomains.txt -o nuclei_results.txt -c 2

# Extract cloudflare protected hosts from nuclei output

cat nuclei_results.txt | grep ":cloudflare" | awk '{print $(NF)}' | sed -E 's/^\s*.*:\/\///g' | sed 's/\///g' | sort -u > cloudflare_hosts.txt

# Try to get the origin IP using the SSL certificate (CloudFlair and Censys)

while IFS='' read -r DOMAIN || [ -n "${DOMAIN}" ]; do
    python3 cloudflair.py "$DOMAIN" --censys-api-id YOUR_API_ID --censys-api-secret YOUR_SECRET | tee -a origin_IPs.txt
done < cloudflare_hosts.txt


Responses (1)


Have you tried the HakorginFinder tool? I was using it to find the origin IP, and it wasn’t that effective. But I haven’t tried this method you talked about. Which method did you prefer?
