CMS fingerprinting, bypassing a CDN to find a website's real IP, and using cyberspace search engines

CMS Online Identification Tool

http://finger.tidesec.com/
https://fp.shuziguanxing.com/#/
http://whatweb.bugscaner.com/look/
GitHub open-source tools
CMSeek-master
Webfinger-master
WhatWeb-master

What is a CDN?

CDN stands for Content Delivery Network. A CDN is an intelligent virtual network built on top of the existing network: it relies on edge servers deployed in many locations and on the load balancing, content distribution and scheduling modules of a central platform so that users obtain the content they want from a nearby server. This reduces network congestion and improves response speed and cache hit rate. The key CDN technologies are content storage and content distribution.

Put simply, a CDN is a local warehouse for content.

Why do websites need a CDN?

Performance matters. If a website does not use a CDN, every user has to send requests to a single server, which puts a heavy load on that server and degrades the website's performance. Today most websites use a CDN because it increases loading speed, reduces bandwidth cost, improves security, and so on.
A CDN also offers specific benefits to different kinds of businesses and organizations, such as:

  1. E-commerce
  2. Government
  3. Finance
  4. Media/publishing
  5. Mobile applications

What are the benefits of using a CDN?


  1. Improved website speed and load time
  2. Reduced bandwidth costs
  3. Improved website security
  4. SEO advantage
  5. Handling of traffic spikes and scalability
  6. Higher conversion rate
  7. Reliability
  8. And so on

So if you want a reliable website with good performance, you should consider using a CDN.

With a CDN, every user requesting a website's content receives the cached version from the nearest CDN edge server, so the content loads faster and the website's performance improves.

CDN reverse proxy

A reverse proxy is a server that receives client requests and forwards them to a backend server; it sits between the client and the origin server. A CDN reverse proxy takes this concept a step further by caching the responses from the origin server and serving them to clients, so the CDN's edge servers can deliver assets to nearby visitors faster. This approach is also attractive for the following reasons:

Load Balancing and Scalability
Improved Website Security

CDN security and WAFs
A CDN by itself does not stop malicious programs from infecting a website, and CDNs themselves can be vulnerable, so a WAF is also needed.
A WAF, or Web Application Firewall, helps protect web applications by filtering and monitoring the HTTP traffic between the web application and the Internet.
In general, it protects web applications from attacks such as cross-site scripting (XSS), file inclusion, and SQL injection.

Website origin IP

Many websites use the protections above to hide their origin IP, shielding themselves from DDoS attacks and the other malicious actions an attacker could perform against it.
Most of these sites use cloud-based security, proxies, or DNS-based services, which makes finding the original IP a little tricky.

Why do we need the original IP of a website?

The answer is simple: once you have the original IP of the website, you can bypass all the protections provided by the CDN.

How to find the original IP of a website

  1. Internal mail sources: collect the IP address of the internal mail server
  2. The website's phpinfo file (phpinfo.php)
  3. Sub-site IP addresses: putting every subdomain behind the CDN is expensive, so it is very likely that a sub-site no longer uses the CDN
  4. Ping the site from abroad via https://asm.ca.com/en/ping.php

You can also enumerate the subdomains of the domain name: in many cases, because of financial pressure or simple oversight, sites only configure the CDN for the main site.

Querying historical IPs

https://dnsdb.io/zh-cn DNS query
https://x.threatbook.cn Weibu Online (ThreatBook)
http://toolbar.netcraft.com/site_report?url=xxx Online domain name query
http://viewdns.info DNS/IP query
https://tools.ipip.net/newping.php Global and national ping
SecurityTrails historical IP

Using DDoS to paralyze the site:
Principle: domestic CDNs usually charge for the DDoS traffic they absorb. If the traffic sent exceeds the capacity of the service the site owner purchased, the CDN operator stops providing service and forwards all traffic to the real IP.

We now have a basic understanding of how defenders try to protect their origin site. Knowing that, we have a mind map of the steps to follow when trying to get around those restrictions and find the web server's original IP.

Reconnaissance

The most important part is doing some basic scouting to get as much information as possible. The idea is to find useful information such as:

  1. IP range/CIDR
  2. Host-related information
  3. DNS records
  4. Web server
  5. Web hosting
  6. Other services hosted on the same server as the web server (e.g. a mail server)
  7. Information disclosure vulnerabilities

DNS records: querying historical IPs

DNS record history is stored in many places, and these historical DNS records may contain the website's original IP address from before the CDN was configured.
As mentioned earlier, some websites may have misconfigured DNS records from which we cannot glean useful information.

SecurityTrails website

SecurityTrails lets you browse complete current and historical data for any Internet property: IP and DNS history, domain, SSL and open-port intelligence.

We'll perform a simple query on the target to see its historical data, specifically DNS records, as it allows you to find current and historical data for A, AAAA, MX, NS, SOA, and TXT records.
This makes it easy to find the real server's IP when the website was originally served directly from the server's IP and was later moved behind a CDN.

Check that none of the DNS records contain information about the original IP, and look carefully at any SPF and TXT records to see whether they reveal anything about the origin.
A simple A, AAAA, CNAME or MX record pointing to the origin server will expose the origin IP.
Similar sites can

All about MX records

The MX record is a mail exchange record, which points to a mail server and is used to locate the mail server according to the recipient's address suffix when the email system sends mail.

MX records are one of the most favored methods because the original IP can sometimes be found easily. If the mail server is hosted on the same IP as the web server, the attacker can find the IP address in the emails the server sends.
If the mail server is hosted on the same IP as the web server, we have another interesting option: the "reset password" function. We create an account on the target website, use the password reset, and the email we receive may show the origin server IP.

Note that you should collect all the IP addresses you can see in the emails you receive and try them manually to see if it's the original IP of the server. For example, sometimes the value of "return path" can come in handy.
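As an added example (not from the original post), a small Python audit of a zone's own records against the CDN's published ranges: it flags A/AAAA records outside the CDN, MX targets whose address is outside the CDN, and ip4:/ip6: terms in an SPF TXT record, covering both the DNS-record check above and the MX case. The CDN ranges and zone records are constructed sample values.

```python
import ipaddress
import re

# Constructed sample: address ranges the CDN provider publishes for its edge servers
# (hypothetical documentation-range values, not any real provider's list).
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:100::/48")]

# Constructed sample zone for an imaginary domain, as (name, type, value) tuples.
ZONE = [
    ("example.com", "A", "203.0.113.10"),        # fronted by the CDN: fine
    ("www.example.com", "CNAME", "example.com"),
    ("mail.example.com", "A", "198.51.100.25"),  # mail host outside the CDN
    ("example.com", "MX", "10 mail.example.com"),
    ("example.com", "TXT",
     "v=spf1 ip4:198.51.100.25 ip4:198.51.100.0/28 include:_spf.mailhost.example -all"),
    ("dev.example.com", "A", "198.51.100.7"),    # forgotten sub-site left off the CDN
]


def behind_cdn(addr_or_net):
    """True if the address or network lies inside one of the CDN's published ranges."""
    net = ipaddress.ip_network(addr_or_net, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in CDN_RANGES)


def _spf_network(mechanism):
    """Return the network named by an ip4:/ip6: SPF mechanism, or None for other terms."""
    m = re.match(r"^[+\-~?]?ip[46]:(.+)$", mechanism)
    return ipaddress.ip_network(m.group(1), strict=False) if m else None


def audit_zone(records):
    """Return (name, type, detail) for every record that exposes a non-CDN address."""
    addresses = {n: v for n, t, v in records if t in ("A", "AAAA")}
    findings = []
    for name, rtype, value in records:
        if rtype in ("A", "AAAA") and not behind_cdn(value):
            findings.append((name, rtype, value))
        elif rtype == "MX":
            target = value.split()[-1]          # drop the preference number
            addr = addresses.get(target)
            if addr and not behind_cdn(addr):
                findings.append((name, "MX", f"{target} -> {addr}"))
        elif rtype == "TXT" and value.startswith("v=spf1"):
            for mech in value.split()[1:]:
                net = _spf_network(mech)
                if net is not None and not behind_cdn(str(net)):
                    findings.append((name, "SPF", mech))
    return findings
```

Running `audit_zone(ZONE)` on the sample zone reports the mail host, the MX target, both SPF ip4 terms and the dev sub-site; a zone whose only address records sit inside the CDN ranges yields an empty list.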

Here is what a CDN provider or blue-team member can do to hide a website's origin IP:

Keep all subdomains on the same CDN
Subdomains give attackers a higher chance of success than the root domain: a subdomain left outside the CDN may leak the original IP, or serve files that lead to an information disclosure vulnerability.

Do not initiate outbound connections based on user actions
If the web server can be made to connect to an arbitrary address, its source IP is revealed. Features such as "upload from URL", which let users upload a photo from a URL they supply, should be configured so that the server performing the download is not the website's origin server. This matters because an attacker who controls the URL can either set up a site specifically to log who connects to it, or use a public service that records the IP addresses that fetch a unique URL.

Change the origin IP when configuring the CDN
DNS record history is stored in many places, and those historical records will contain the IP the origin used before the CDN was configured, so the origin IP should be changed when the CDN is set up.

Restrict direct access to the website by IP address
Another interesting option for defenders is to reject users who try to reach the website by its IP address, so the site only loads when a domain name is supplied. Let's look at how to do this in Nginx.

To block direct access by IP on port 80, we create a new default server block as follows:

server {
    listen 80 default_server;
    server_name _;
    return 404;
}

To block direct access by IP on port 443, we add the following to one of the server blocks:

if ($host != "example.com") {
    return 404;
}

Example:

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # reject any request whose Host header is not the site's domain
    if ($host != "example.com") {
        return 404;
    }
}

This blocks all requests made directly to https://<your IP>/.

We'll discuss an interesting way to bypass this restriction.

Whitelisting only requests from the CDN

A possible solution is simply to whitelist the CDN. This approach seems promising and should be enough to let defenders hide their origin servers, but it is quite challenging in practice: they have only three methods, and only one of them is likely to work.

Option A: Whitelist the IP address

The problem with whitelisting IP addresses is that defenders must know the IP addresses of every CDN edge server that can reach their origin.
This raises several problems. Many CDNs do not publish a list of IP addresses, and even those that do may add or change an address without notifying customers. The whitelist has to be updated regularly or the site will break.

Option B: Whitelist unique identifiers in requests

The idea is simple: the CDN sends a unique identifier in each request to the origin server, and the origin uses it to recognize the CDN and allow the request. However, this method is not completely safe, because an attacker is also free to set that identifier in their own requests if they know which CDN provider is used and how that provider identifies itself to the origin server. With that information the request can easily be spoofed.

Option C: Unguessable original hostname

This is probably the most reliable solution for defenders because when attackers try to access the web server, they won't be able to find it. Defenders create some random set of long alphanumeric characters and use that as a subdomain. For example, if their domain name is "HolyBugx.com", they set up a subdomain like "2547d0jeid15ma.HolyBugx.com".
That way, the hostname will be known only to them and their CDN provider, and they can whitelist requests with that hostname.

Summary

Keep all subdomains on the same CDN
Block outbound connections
Change the origin IP when configuring the CDN
Restrict direct access to the website by IP address


Origin: blog.csdn.net/qq_42096378/article/details/124116046