How to bypass the CDN to query the real IP of a website

About CDN

During penetration testing we often encounter websites that sit behind a CDN. What is a CDN? A CDN (content delivery network) addresses the slow and uneven performance caused by transmission distance and by hand-offs between different network operators' nodes. In practice it is a set of high-speed cache servers placed at the interconnection points between operators. Static resources that users request frequently are cached directly on these node servers; on the next request, the node server closest to the user responds, and only requests that involve real data interaction are forwarded to the remote web server. This greatly improves the website's response speed and user experience.

When the target has a CDN service in front of it, pinging the target domain name directly does not give us the real IP of the target server: the address that comes back belongs to the CDN node closest to us. As a result there is no direct way to obtain the real IP range of the target.

So during a penetration test, to learn the real IP of the website server, we must bypass the CDN and find the real IP address of the website.

About the advantages of CDN

A CDN speeds up user access and improves the user experience.
It hides the IP of the real server.
It can provide a WAF. Many CDNs now offer a WAF: access requests are filtered by the CDN node first, which can effectively detect and intercept SQL injection, XSS, webshell upload, command injection, malicious scanning and other attacks. After filtering against the WAF rules, the CDN node forwards only the data it deems harmless to the real host server.

The difference between several access methods

Traditional Internet access: user accesses domain name -> resolves server IP -> accesses target host
Ordinary CDN access: user accesses domain name -> CDN node -> real server IP -> accesses target host
CDN with WAF: user accesses domain name -> CDN node (cloud WAF) -> real server IP -> accesses target host

How to judge whether the website has a CDN?

It is very simple. Use ping services located in different places and check whether the IP address that comes back is the same everywhere. If it is not unique, a CDN is most likely in use.

The ping test websites are:

Global ping test, online ping tool: https://wepcc.com/
Multi-location ping, website speed test (Super Ping): http://ping.chinaz.com/
Multi-site ping detection: http://ping.aizhan.com/
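The "is the IP unique?" check above, written out as an added example (not code from the original post) so that the results of several ping or DNS vantage points can be compared mechanically. The network lookups are replaced by a constructed table of what the vantage points reported; how that table is filled (regional DNS resolvers, the ping services listed above) is an assumption about the input, and all hostnames and addresses are made up.

```python
"""Multi-vantage resolution check: does a hostname look CDN-fronted?

Added example for this article, not code from the original post. Real
lookups are replaced by a constructed table of what several vantage points
reported, so it runs offline; in practice each row would come from a DNS
resolver or ping service in a different region (an assumption about input).
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample observations: (hostname, vantage point, reported IP).
SAMPLE_OBSERVATIONS = [
    ("www.example-cdn.test", "beijing", "203.0.113.10"),
    ("www.example-cdn.test", "frankfurt", "203.0.113.45"),
    ("www.example-cdn.test", "virginia", "198.51.100.7"),
    ("www.example-cdn.test", "tokyo", "203.0.113.10"),
    ("origin-only.example.test", "beijing", "192.0.2.25"),
    ("origin-only.example.test", "frankfurt", "192.0.2.25"),
    ("origin-only.example.test", "virginia", "192.0.2.25"),
    ("single-probe.example.test", "beijing", "192.0.2.90"),
]

MIN_VANTAGES = 2  # fewer than this and the result is inconclusive


def group_by_host(observations):
    """{hostname: {vantage: IPv4Address}} from the flat observation list."""
    per_host = defaultdict(dict)
    for host, vantage, ip in observations:
        per_host[host][vantage] = ip_address(ip)  # also validates the address
    return per_host


def assess(observations):
    """Per host: the distinct addresses seen and whether that looks like a CDN.

    The article's heuristic: one address from everywhere -> probably the
    origin itself; different addresses from different places -> most
    likely a CDN. Too few vantage points -> say so instead of guessing.
    """
    report = {}
    for host, seen in group_by_host(observations).items():
        addrs = sorted({str(a) for a in seen.values()})
        if len(seen) < MIN_VANTAGES:
            verdict = "inconclusive"
        elif len(addrs) > 1:
            verdict = "likely_cdn"
        else:
            verdict = "single_address"
        report[host] = {"vantages": len(seen), "addresses": addrs, "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, info in assess(SAMPLE_OBSERVATIONS).items():
        print(f"{host}: {info['verdict']} ({info['vantages']} vantage(s), {info['addresses']})")
```

Note the "single_address" verdict is only a hint: a CDN that announces one anycast address from every location also produces a single IP, so a consistent answer does not prove the absence of a CDN.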

Bypass CDN to find real IP

After confirming that the penetration test target uses a CDN, the next step is to bypass the CDN and find the real IP. The following sections introduce several conventional ways of doing this.

Internal mailbox

The mail system is usually internal and is not resolved through the CDN. Many sites offer registration with e-mail verification, RSS subscription e-mails, forgotten-password e-mails and so on. Trigger one of these through the target website (register or subscribe to RSS), open the received mail on the web side and look in the mail headers for the IP of the mail server. This IP must then also be verified to be the main site. If the target uses a third-party or public mail service, this method is useless.
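The header inspection described above, as an added example from the defender's side (not code from the original post): a site owner checks whether the mail its own application sends carries Received headers that expose the origin server, i.e. addresses that are neither internal nor the CDN's public addresses. The message and the CDN address set are constructed for the example.

```python
"""Self-audit: does mail sent by the site expose the origin server's IP?

Added example for this article, not the original post's code. The raw
message below is constructed, and SITE_PUBLIC_ADDRESSES stands in for the
addresses the public site actually resolves to (also constructed).
"""
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

SITE_PUBLIC_ADDRESSES = {"203.0.113.10", "203.0.113.45"}  # constructed CDN edge IPs

# Constructed password-reset mail as the receiving provider would store it
# (newest Received header first, as is standard).
SAMPLE_MESSAGE = """\
Received: from mx.example.test (mx.example.test [198.51.100.8])
\tby inbox.provider.test with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from web01.internal (unknown [192.0.2.77])
\tby mx.example.test (Postfix) with ESMTPA id def456; Mon, 1 Jan 2024 09:59:58 +0000
Received: from localhost (localhost [127.0.0.1])
\tby web01.internal (Postfix) with ESMTP id ghi789; Mon, 1 Jan 2024 09:59:57 +0000
From: noreply@example.test
To: user@provider.test
Subject: Password reset

Click the link to reset your password.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Loopback and RFC 1918 space never identify a public origin. Checked
# explicitly because ipaddress treats the documentation ranges used in
# this sample as non-global, so is_global cannot be relied on here.
INTERNAL_NETWORKS = [ip_network(n) for n in
                     ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def received_hops(raw_message):
    """Bracketed IPs from every Received header, ordered oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        hops.extend(m.group(1) for m in IPV4_IN_BRACKETS.finditer(header))
    hops.reverse()  # headers are prepended, so reverse to get sending order
    return hops


def leaked_candidates(raw_message, public_addresses):
    """Hop addresses that are neither internal nor the site's public addresses.

    Anything returned here is an address the mail path reveals that the
    CDN does not: the article's point that the mail server, or the web
    host relaying through it, may be the real server.
    """
    return [ip for ip in received_hops(raw_message)
            if not is_internal(ip) and ip not in public_addresses]


if __name__ == "__main__":
    print("hops:", received_hops(SAMPLE_MESSAGE))
    print("exposed:", leaked_candidates(SAMPLE_MESSAGE, SITE_PUBLIC_ADDRESSES))
```

In the constructed message both the web host relaying the mail and the mail server are reported; the usual fix on the defender's side is to send application mail through a relay or third-party provider so that the origin host never appears in a public Received chain.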

Subdomain or sub-site

The main site of many websites receives a large volume of traffic, so a CDN is usually placed in front of it. Sub-sites are not necessarily covered, because CDN service costs money.
Some sub-sites may therefore have no CDN in front of them, so it is worth checking their IPs. Ping the second-level domain names to obtain the sub-site IPs; the sub-site and the main site may be on different IPs within the same C segment (/24), or they may even share the same IP or the same server.
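The sub-site check above, as an added example written from the site owner's side (not code from the original post): given a snapshot of the zone's A records and the CDN's address ranges, list the hostnames that do not resolve into the CDN and group them by C segment, which is exactly what the article says an attacker would look for. The CDN ranges and the zone snapshot are constructed for the example.

```python
"""Zone self-audit: which hostnames bypass the CDN, and which /24s do they share?

Added example for this article, not the original post's code. CDN_RANGES
and RECORDS are constructed; in practice the ranges would come from the
CDN provider and the records from a zone export or a subdomain inventory.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CDN_RANGES = [ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]  # constructed

RECORDS = {  # constructed zone snapshot: hostname -> A records
    "www.example.test": ["203.0.113.10"],
    "cdn-static.example.test": ["198.51.100.7"],
    "mail.example.test": ["192.0.2.25"],
    "dev.example.test": ["192.0.2.30"],
    "vpn.example.test": ["192.0.2.200"],
    "partner.example.test": ["203.0.113.20", "192.0.2.40"],  # only partly fronted
}


def behind_cdn(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def exposed_hosts(records):
    """Hostnames with at least one A record outside the CDN ranges, sorted."""
    return sorted(host for host, ips in records.items()
                  if not all(behind_cdn(ip) for ip in ips))


def c_segment(ip):
    """The /24 ('C segment' in the article's wording) containing ip."""
    return str(ip_network(f"{ip}/24", strict=False))


def shared_c_segments(records):
    """/24 -> sorted exposed hostnames that resolve into it.

    A segment listing several hosts is the situation the article describes:
    a sub-site off the CDN gives away the block the main site's origin lives in.
    """
    segments = defaultdict(set)
    for host in exposed_hosts(records):
        for ip in records[host]:
            if not behind_cdn(ip):
                segments[c_segment(ip)].add(host)
    return {seg: sorted(hosts) for seg, hosts in segments.items()}


if __name__ == "__main__":
    print("exposed:", exposed_hosts(RECORDS))
    for seg, hosts in shared_c_segments(RECORDS).items():
        print(f"{seg}: {hosts}")
```

The partially fronted host shows the edge case worth catching: a name with one CDN record and one direct record is still exposed, because a client may receive either answer.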

Probe for scanning website test files

Sensitive files leaked by the target: scan for probe files such as phpinfo() pages and test files, check robots.txt, and look for GitHub information leaks, etc., to obtain the target's real IP.

Foreign visit

For various reasons, many domestic CDN vendors have only built domestic lines to accelerate access for domestic users, and may have almost no lines abroad. It is therefore possible to obtain the real IP by accessing the site directly from a foreign host, for example through an overseas online proxy.

View domain name history resolution records

Perhaps the target did not use a CDN in the past, in which case resolution records from before the CDN was adopted may still exist. The IP history of the domain name can be viewed at https://www.netcraft.com .

Capture data packet analysis with packet capture tool

If the target site has its own app, you can try capturing the app's request packets with Fiddler or Burp Suite to find the real IP of the target site.

Bypass CloudFlare CDN lookup

Many websites now use the CDN service offered by CloudFlare. Once you have determined that the target site uses a CDN, you can try the online tool CloudFlareWatch (http://www.crimrflare.us/cfs.html#box) to query the real IP of a CloudFlare-fronted website.

Cyberspace Engine Search

The common ones are ZoomEye (Zhong Kui's Eye), Shodan and FOFA. Taking FOFA as an example, enter domain="domain name" or title:"title keyword of the website" to list the IPs and domain names FOFA has indexed that match those keywords. In many cases this yields the real IP of the website, as shown in the figure:
[Figure: FOFA search result, "fofa-baidu"]

Origin blog.csdn.net/weixin_42250835/article/details/111460459