How to find the real IP of a website deploying CDN

Finding the real IP of a website behind a CDN

1. Overview
Many websites now use a CDN service. A CDN hides the real IP of the origin server and speeds up access to the site's static files: when you request the site, the CDN picks a suitable route based on your region, which accelerates access. Beyond acceleration, a CDN can also provide WAF functions such as CC (HTTP flood) protection and SQL injection interception. The cost is low, and many cloud providers offer the service for free. During black-box testing the CDN often becomes a roadblock, so finding the real IP behind a CDN is a technique that has to be mastered.


2. Determine whether a CDN is in use
Ping the domain name.

Use a multi-location ping (super ping):
http://ping.chinaz.com/
http://ping.aizhan.com/
https://www.17ce.com/
http://ping.chinaz.com/www.t00ls.net

If different regions resolve the domain to different IPs, the domain name is using a CDN.

3. A collection of methods to find the real IP
Once the real IP is found, you can continue to probe other sites hosted on it, look for other sites to break through, or bypass the CDN and access the origin directly, so that the WAF no longer intercepts attack payloads. If attack payloads are detected by the WAF, the attacking IP will be blocked.
3.1. DNS historical binding records
You can look up the DNS resolution history through the following websites; there may be records from before the CDN was bound.
https://dnsdb.io/zh-cn/ ### DNS query
https://x.threatbook.cn/ ### ThreatBook online
http://viewdns.info/ ### DNS, IP etc. query
https://tools.ipip.net/cdn.php ### CDN IP query
https://sitereport.netcraft.com/?url=<domain name>

Query the history of www.t00ls.net:

https://site.ip138.com/www.t00ls.net/

3.2. Sub-domain name resolution
Sub-domains may resolve to the same IP as the target, so their resolution can reveal it.
Use tools to enumerate its subdomains exhaustively.

Online subdomain query:
https://securitytrails.com/list/apex_domain/t00ls.net
http://tool.chinaz.com/subdomain/t00ls.net
https://phpinfo.me/domain/

After finding sub-domains, confirm that each sub-domain is not itself behind a CDN, then resolve them in batches; if a sub-domain is also behind a CDN, query its history as well.
Batch domain name resolution:
http://tools.bugscaner.com/domain2ip.html

3.3. Foreign DNS obtains the real IP
Some CDNs are only configured for domestic IP access; if the domain name is resolved from a foreign IP, the real IP may be obtained.

Worldwide DNS addresses and DNS history sites:
http://www.ab173.com/dns/dns_world.php
https://dnsdumpster.com/
https://dnshistory.org/
http://whoisrequest.com/history/
https://completedns.com/dns-history/
http://dnsrails.com/
https://who.is/domain-history/
http://research.domaintools.com/research/hosting-history/
http://site.ip138.com/
http://viewdns.info/iphistory/
https://dnsdb.io/zh-cn/
https://www.virustotal.com/
https://x.threatbook.cn/
http://viewdns.info/
http://www.17ce.com/
http://toolbar.netcraft.com/site_report?url=
https://securitytrails.com/
https://tools.ipip.net/cdn.php
3.4. Find the real IP through the .ico icon with cyberspace search engines
Download https://www.t00ls.net/favicon.ico and submit the icon to FOFA for identification.

Search by icon on FOFA.

Querying like this quickly locates candidate hosts; then check whether the port is open. Here it was not open.

Search by icon on ZoomEye.

Check the port status.

Bind the IP to the domain in the hosts file for testing.

This should be the real IP.

3.5. FOFA search for the real IP
domain="t00ls.net"
A result that returns 302 is usually the CDN.

3.6. Find the real IP through Censys
Censys is a search engine for Internet-connected devices: it scans the entire Internet, connects to every reachable IP and records what it finds, including certificates.
If the target site has an HTTPS certificate and the origin's default virtual host serves that same certificate, we can find every host presenting it.
Query:
https://censys.io/ipv4?q=((www.t00ls.net) AND protocols: "443/https") AND tags.raw: "https"&
443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names: moonsec.com

3.7. 360 Quake cyberspace mapping
https://quake.360.cn

3.8. Use SSL certificates to find the real IP
Certificate Authorities (CAs) publish every SSL/TLS certificate they issue to public logs. Certificates usually contain domain names, subdomains and sometimes email addresses, so they become an entry point for attackers.
Obtain the hash of the website's SSL certificate and combine it with Censys: find the hash of the target website's certificate on https://crt.sh, then search for that hash in Censys to get the real IP address.

SSL certificate search engine:

https://censys.io/ipv4?q=b6bce7fb8f7723ea63c6d0419e7af1f780d6b6cb1b4c2240e657f029142e2aae
https://censys.io/certificates?q=parsed.names%3A+t00ls.net+and+tags.raw%3A+trusted

Find the hash.

Switch to the IPv4 search with it.

Two IPs are found:
222.186.129.100
118.184.255.28

Or put the hash into a cyberspace search engine:
7489210725011808154949879630532736653

After finding an IP this way, the next step is to verify whether the IP really belongs to this domain name.

3.9. Obtain the real IP from email
When the website sends an email, the message may carry the real IP address: open the message source in the mailbox and check the header information.

Whether it is really the site's IP must be verified: check that the IP the email was sent from is the same as the website's IP.

3.10. Obtain the real IP from sensitive website files
File probing
phpinfo
Website source code
Information leakage
GitHub information leakage
JS files

3.11. F5 LTM decoding method
When the server uses F5 LTM for load balancing, the real IP can also be obtained by decoding the Set-Cookie value.
For example: Set-Cookie: BIGipServerpool_8.29_8030=487098378.24095.0000. Take the first decimal field, 487098378, convert it to hexadecimal, 1d08880a, then read it byte by byte from back to front, 0a.88.08.1d, and finally convert each byte to decimal: 10.136.8.29 is the real IP.
Another example:
rverpool-cas01=3255675072.20480.0000; path=/

3255675072 in hexadecimal is c20da8c0; read byte by byte from right to left it is c0a80dc2, which converts to decimal 192.168.13.194.
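The decoding rule above, implemented as an added example that is not part of the original post: it decodes the IPv4 dotted-decimal BIGipServer cookie form described here and flags responses that expose internal pool-member addresses, which is the check a defender would run before turning on cookie encryption on the BIG-IP. The Set-Cookie samples are constructed; only the two values quoted in the text are taken from the page.

```python
import ipaddress
import re

# Added example (not from the original post): decode the unencrypted F5 BIG-IP
# persistence cookie format described above. Value layout:
#   <IPv4 as little-endian 32-bit decimal>.<port as byte-swapped 16-bit decimal>.0000
VALUE_RE = re.compile(r"\s*([^=;\s]+)=(\d+)\.(\d+)\.0000(?:;|\s|$)")


def decode_fields(ip_num: int, port_num: int) -> tuple[str, int]:
    """Turn the two decimal fields into a dotted-quad address and a port.
    487098378 -> 0x1d08880a -> bytes 0a.88.08.1d (little-endian) -> 10.136.8.29
    24095     -> 0x5e1f     -> byte-swapped 0x1f5e               -> 8030
    """
    ip = ".".join(str(b) for b in ip_num.to_bytes(4, "little"))
    port = int.from_bytes(port_num.to_bytes(2, "little"), "big")
    return ip, port


def parse_bigip_cookie(set_cookie: str):
    """Parse one Set-Cookie value (an optional "Set-Cookie:" prefix is stripped).
    Returns (cookie_name, ip, port) for the IPv4 dotted-decimal form the text
    describes, or None for anything else: encrypted cookies, the IPv6 and
    route-domain cookie forms, or unrelated cookies."""
    value = re.sub(r"^\s*set-cookie:\s*", "", set_cookie, flags=re.I)
    m = VALUE_RE.match(value)
    if m is None:
        return None
    name, ip_num, port_num = m.group(1), int(m.group(2)), int(m.group(3))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    ip, port = decode_fields(ip_num, port_num)
    return name, ip, port


def audit_set_cookie_headers(headers: list[str]) -> list[dict]:
    """Defender-side check: list every header that exposes a pool member and
    note whether the decoded address is a private (internal) one."""
    findings = []
    for header in headers:
        parsed = parse_bigip_cookie(header)
        if parsed is None:
            continue
        name, ip, port = parsed
        findings.append({"cookie": name, "ip": ip, "port": port,
                         "internal": ipaddress.ip_address(ip).is_private})
    return findings


# Constructed sample headers: the two values quoted in the text, one value in
# the shape of a cookie the BIG-IP has encrypted (not decodable), and one
# unrelated session cookie.
SAMPLE_HEADERS = [
    "BIGipServerpool_8.29_8030=487098378.24095.0000",
    "rverpool-cas01=3255675072.20480.0000; path=/",
    "BIGipServerpool_app=!dGhpcyBpcyBub3QgYSBy; path=/; HttpOnly",
    "PHPSESSID=abc123; path=/",
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(finding)
```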

3.12. The app obtains the real IP
If the website has an app, capture its traffic with Fiddler or BurpSuite; the real IP may be obtained.
Run the app in an emulator (the mimi emulator) to capture the packets.

3.13. The applet obtains the real IP

3.14. Improper configuration Obtain real IP
When configuring CDN, you need to specify domain name, port and other information. Sometimes small configuration details can easily lead to CDN protection being bypassed.

Case 1: To make access convenient, www.test.com and test.com are often resolved to the same site, but the CDN is only configured for www.test.com. By visiting test.com, the CDN can be bypassed.
Case 2: The site supports both HTTP and HTTPS access, but the CDN is only configured for the HTTPS protocol, so plain HTTP access easily bypasses it.
3.15. Banner
Obtain the banner of the target site and search for it in Internet-wide search engines. You can also use AQUATONE to search Shodan for sites with the same fingerprint.
You can use the IP allocation data published by the regional Internet registries to filter the IPs of the target region, then traverse the banners of the web services and compare them against the banner of the CDN-fronted site to determine the source IP.
Europe:
http://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
North America:
https://ftp.arin.net/pub/stats/arin/delegated-arin-extended-latest
Asia:
ftp://ftp.apnic.net/public/apnic/stats/apnic/delegated-apnic-latest
Africa:
ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest
Latin America:
ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-extended-latest
Get the IPs of CN:
http://www.ipdeny.com/ipblocks/data/countries/cn.zone
For example:
After finding the IP ranges of the target's region, you can match by brute force: use zmap or masscan to scan for HTTP banners, then match them against the banner of the target domain name.
zmap -p 80 -w bbs.txt -o 80.txt

Use zmap's banner-grab to grab the banner of the scanned hosts that have port 80 open:
cat /root/bbs.txt | ./banner-grab-tcp -p 80 -c 100 -d http-req -f ascii > http-banners.out
Filter the results by a distinguishing feature of the website's response, for example:
location: plugin.php?id=info:index
The same fingerprint in the cyberspace search engines:
https://fofa.so/
title="T00LS | Low-key development - Concentrate on safety - T00ls.Net"
https://www.zoomeye.org/
title:"T00LS | Low-key development - Concentrate on safety - T00ls.Net"
https://quake.360.cn/
response:"T00LS | Low-key development - Concentrate on safety - T00ls.Net"

1. ZMap claims to be the fastest Internet scanning tool and can scan the entire Internet in 45 minutes. https://github.com/zmap/zmap
2. Masscan claims to be the fastest Internet port scanner and can scan the Internet in as little as six minutes.
https://github.com/robertdavidgraham/masscan
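The region filter and banner comparison described in this section, as an added example that is not the post's own code: it parses the RIR delegated statistics format linked above into CIDR blocks for one country and keeps only banner-grab results that fall inside those blocks and carry the target's fingerprint. The same comparison lets a defender check whether their origin's banner is distinguishable from the CDN's. The delegated lines and banner records are constructed from TEST-NET ranges, not real allocations.

```python
import ipaddress

# Added example (not the post's code): parse RIR "delegated" statistics files,
# turn one country's IPv4 allocations into CIDR blocks, and keep only banner-grab
# results inside those blocks that carry the target's fingerprint.
# Record layout: registry|cc|type|start|value|date|status[|extensions]
# For ipv4 records "value" is an address count, not a prefix length, and it is
# not always a power of two, so each range is summarized into CIDR blocks.


def delegated_ipv4_blocks(lines, country):
    """Return the CIDR blocks allocated or assigned to `country` (ISO 3166 code)."""
    blocks = []
    for raw in lines:
        fields = raw.strip().split("|")
        if len(fields) < 7:  # blank, comment and summary lines
            continue
        _registry, cc, rtype, start, value, _date, status = fields[:7]
        # the version header has 7 fields too, but its type field is not "ipv4"
        if rtype != "ipv4" or cc != country or status not in ("allocated", "assigned"):
            continue
        first = ipaddress.IPv4Address(start)
        last = first + (int(value) - 1)
        blocks.extend(ipaddress.summarize_address_range(first, last))
    return blocks


def in_blocks(ip, blocks):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in block for block in blocks)


def candidate_origins(banner_records, blocks, fingerprint):
    """banner_records: (ip, banner) pairs from a banner grab. Keep the IPs that
    lie in the country blocks and whose banner contains the fingerprint."""
    return [ip for ip, banner in banner_records
            if in_blocks(ip, blocks) and fingerprint.lower() in banner.lower()]


# Constructed sample in delegated format (TEST-NET ranges, not real allocations)
SAMPLE_DELEGATED = """\
# constructed sample
2|apnic|20240101|5|19830101|20231231|+1000
apnic|*|ipv4|*|5|summary
apnic|CN|ipv4|192.0.2.0|256|20110414|allocated
apnic|CN|ipv4|198.51.100.0|384|20110414|allocated
apnic|JP|ipv4|203.0.113.0|256|20110414|allocated
apnic|CN|ipv4|203.0.113.128|128|20110414|reserved
""".splitlines()

# Constructed banner-grab output: (ip, first lines of the HTTP response)
SAMPLE_BANNERS = [
    ("192.0.2.10", "HTTP/1.1 302 Found\r\nLocation: plugin.php?id=info:index\r\n"),
    ("198.51.101.100", "HTTP/1.1 200 OK\r\nServer: nginx\r\n"),
    ("203.0.113.5", "HTTP/1.1 302 Found\r\nLocation: plugin.php?id=info:index\r\n"),
]

if __name__ == "__main__":
    cn_blocks = delegated_ipv4_blocks(SAMPLE_DELEGATED, "CN")
    print([str(b) for b in cn_blocks])
    print(candidate_origins(SAMPLE_BANNERS, cn_blocks, "plugin.php?id=info:index"))
```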
3.16. Long-term attention
During a long-term penetration test, set up a program that visits the website every day; new discoveries may be made, because the site may change its IP or switch servers at midnight or when business demand grows.

3.17. Traffic attack
A packet-sending machine can send a large amount of traffic at once.
This method is very crude, but it can be considered for specific targets.
Besides hiding the IP, a CDN must also consider traffic distribution.
A CDN without DDoS protection goes down under heavy volume, while a high-protection CDN requires large traffic capacity.
When the CDN cannot withstand the heavy traffic, the real IP may be exposed:
webmaster -> business abnormal -> CDN removed -> server replaced.
3.18. Passive acquisition
Passive acquisition means making the server or website actively connect to a server we control, so that its real IP is obtained from the connection.
If the website has an editor that can load a picture from a remote URL, you can get the real IP.
If there is an SSRF or XSS vulnerability, make the server connect to our server to obtain the real IP.

3.19. Scan the whole network to get real IP
https://github.com/superfish9/hackcdn
https://github.com/boy-hack/w8fuckcdn

Origin blog.csdn.net/qq_50377269/article/details/130359318