Summary of methods to bypass CDN and find real IP

Preface

The full name of CDN is Content Delivery Network (content distribution network). After a CDN is enabled, the website is served from the CDN node nearest the user's location rather than directly from the origin server. This reduces the website server's bandwidth usage and load, and it is why pinging Baidu from different regions returns different IP addresses. Because the CDN nodes sit in front of the origin and take on blocking and protection duties, the origin server is better protected. In effect the CDN acts as a stand-in: whether the site is being penetrated or hit by DDoS, the target of the attack is a CDN node, which indirectly protects the website itself.
During penetration testing or red-blue confrontation we often encounter websites that use a CDN. Finding the real IP is very helpful for subsequent penetration; for example, direct access to the IP may bypass the cloud WAF, allow port scanning, and so on.

User access to the website process:

   Traditional access: user visits domain name –> resolve server IP –> access target host
   Ordinary CDN: user visits domain name –> CDN node –> real server IP –> access target host
   CDN with WAF: user visits domain name –> CDN node (cloud WAF) –> real server IP –> access target host

1. How to determine whether to use CDN

1.1. Direct ping

When you ping the website domain name directly, if the site uses a CDN you will see something like the following:

~ ping www.syxxx.cn
PING 539b1c6d114eec86.360safedns.com (221.2xx.1xx.1x): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

1.2. Ping from multiple places

Use the various multi-region ping services to check whether the returned IP address is unique. If it is not, the site probably uses a CDN. Multi-region ping websites include:

  • http://ping.chinaz.com/

  • http://ping.aizhan.com/

  • https://www.17ce.com/

1.3. nslookup

Use nslookup for detection; the principle is the same as above. If the domain name resolves to multiple IP addresses, it probably uses a CDN.

  • Example with CDN:
nslookup www.16xx.com
服务器: public1.114dns.com
Address: 114.114.114.114
非权威应答:
名称: 163.xdwscache.ourglb0.com
Addresses: 58.xxx.xx.86
xxx.75.32.xxx
Aliases: www.16xx.com
www.16xx.com.lxdns.com
  • Example without CDN:
~ nslookup xxxx.com
服务器: public1.114dns.com
Address: 114.114.114.114
非权威应答:
名称: xxxx.com
Address: 192.3.168.172

1.4. View the "X-cache" field in the response header

Access the site in the browser and observe the "X-cache" field in the response header:

  • "MISS" means the CDN cache was not hit and the request went back to the origin, for example: X-cache:MISS Tcp_MISS dirn:-2:-2
  • "HIT" means the CDN cache was hit, for example: X-cache:HIT TCP_HIT dirn:0:402545

2. How to bypass CDN and find the real IP

(Note: the real IP may not always be found.)

2.1. Spatial search engine

  • According to website characteristics

a. Based on the website's specific title or body characteristics, for example using title:xxxxx or body:xxxx in FOFA.
b. Server response fingerprint. When the server's response to a request (response headers and body) contains some special information (a fingerprint), that unique feature can be searched for in the search engines to obtain IP addresses and other information highly relevant to the target website.

  • Search domain name

Search directly with domain:xxxx.com to find subdomains and other information that may lead to the real IP (tip: learn the matching syntax of each search engine).

My favorite search engines:

ZoomEye: https://www.zoomeye.org
Shodan: https://www.shodan.io
Fofa: https://fofa.so
···

2.2. Website vulnerabilities

  • Sensitive files leaked by the target, such as probe pages like phpinfo, GitHub information leaks, etc.
  • Blind XSS, a reverse shell from command execution, SSRF, etc.: the server actively initiates an outbound connection and thereby leaks its real IP address.

2.3. Improper website configuration

When configuring CDN, you need to specify domain name, port and other information. Sometimes small configuration details can easily cause CDN protection to be bypassed.

  • Some websites often resolve www.xxx.com and xxx.com to the same site, but the CDN is only configured with www.xxx.com. By accessing xxx.com, the CDN can be bypassed.
  • The site supports both http and https access, but the CDN is only configured for https, so accessing over http bypasses it.

2.4. Domain name

  • subdomain

After all, a CDN is still not cheap, so many webmasters only use a CDN for the main website or for sub-sites with high traffic, and many small sub-sites sit on the same server or in the same C segment (/24 range) as the main site. In that case, querying the IPs of the subdomains can help find the real IP of the website.

  • Other domain names

A website associated with the target may not use a CDN, and it may be on the same server or in the same C segment as the main site. In that case, query the IP of the associated website's domain name to help find the real IP.

2.5. Mail server source

If the website does not use a third-party mailbox, you can use functions such as registration, password retrieval, or subscription to make the other party's mail server send you an email, then view the email's source code (or headers), where the real IP may be found. If you find that the other party's mail server is independent, you can check its C segment.

2.6. APP client

Some API endpoints used by the mobile app client may address the server by IP directly. In that case you can check that server IP or its C segment.

2.7. DOS (not recommended)

If DDoS traffic exhausts the CDN's traffic quota, the site falls back to the origin and the real IP is exposed. This fails against an unprotected CDN with a large quota, and a high-defense CDN simply absorbs more traffic.

2.8. Global ping

For various reasons, most CDN providers only deploy domestic (Chinese) lines and have few or no overseas lines, so querying DNS from overseas is likely to return the real IP:

https://www.wepcc.com

2.9. Historical IP and DNS resolution records

Check the historical records of IP and domain name bindings; there may be records from before the CDN was used. Related query websites:

  • https://dnsdb.io/zh-cn/
  • https://x.threatbook.cn/
  • http://toolbar.netcraft.com/site_report?url=
  • http://viewdns.info/
  • https://tools.ipip.net/cdn.php
  • https://securitytrails.com/#search

2.10. F5 LTM decoding method

When the server uses F5 LTM for load balancing, the real IP can also be obtained by decoding the Set-Cookie value, for example: Set-Cookie: BIGipServerpool_8.29_8030=487098378.24095.0000. First take the decimal number in the first field, 487098378, and convert it to hexadecimal, 1d08880a. Then read it back to front one byte (two hex digits) at a time, giving 0a.88.08.1d, and finally convert each byte to decimal: 10.136.8.29, which is the real IP.
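As an added example (not code from the original post), the following Python decoder implements the legacy plaintext BIGipServer cookie format described above, including the byte-swapped port in the second field; an operator can run it against their own load balancer's Set-Cookie header to check whether it is exposing a pool member's internal address and port. The sample header is constructed from the value quoted in the text; encrypted or IPv6-format cookies are deliberately not handled.

```python
import re
import socket
import struct
from typing import Optional, Tuple

# Legacy (unencrypted, IPv4) BIG-IP persistence cookie: <ip-dec>.<port-dec>.0000
BIGIP_RE = re.compile(r"BIGipServer(?P<pool>[^=;\s]+)=(?P<ip>\d+)\.(?P<port>\d+)\.0000")


def decode_bigip_value(value: str) -> Tuple[str, int]:
    """Turn '487098378.24095.0000' into ('10.136.8.29', 8030)."""
    ip_dec, port_dec, _ = value.split(".")
    # The IP is stored as a little-endian 32-bit integer. Packing it little-endian
    # and reading the bytes in order is the "back to front" step in the text:
    # 0x1d08880a -> 0a.88.08.1d -> 10.136.8.29
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_dec)))
    # The port is stored with its two bytes swapped: 24095 = 0x5e1f -> 0x1f5e = 8030
    port = struct.unpack("<H", struct.pack(">H", int(port_dec)))[0]
    return ip, port


def find_leaked_pool_member(set_cookie_header: str) -> Optional[Tuple[str, str, int]]:
    """Scan a Set-Cookie header line; return (pool_name, ip, port) if a legacy
    plaintext BIG-IP cookie is present, otherwise None (encrypted or IPv6-format
    cookies do not match the pattern and are reported as not leaking)."""
    m = BIGIP_RE.search(set_cookie_header)
    if not m:
        return None
    ip, port = decode_bigip_value(f"{m['ip']}.{m['port']}.0000")
    return m["pool"], ip, port


# Constructed sample header, built from the cookie value quoted in the text.
SAMPLE_HEADER = "Set-Cookie: BIGipServerpool_8.29_8030=487098378.24095.0000; path=/"

if __name__ == "__main__":
    # Prints ('pool_8.29_8030', '10.136.8.29', 8030): the pool name in this
    # sample already hints at the decoded member address and port.
    print(find_leaked_pool_member(SAMPLE_HEADER))
```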

2.11. Use SSL certificate to find the real original IP

Certificate authorities (CAs) must publish to a public log every SSL/TLS certificate they issue. SSL/TLS certificates typically contain domain names, subdomains, and email addresses. Therefore, SSL/TLS certificates become an entry point for attackers.

Currently, the Censys tool can scan the entire Internet. Censys is a search engine for information about networked devices: security experts can use it to evaluate the security of their deployments, while attackers can use it as a powerful early reconnaissance tool for collecting target information. Censys scans the IPv4 address space every day, searching all networked devices and collecting related information, and returns an overall report on the configuration and deployment of resources such as devices, websites, and certificates.

The search query for the xxx.com certificate is: parsed.names: xxx.com
The query that shows only valid (trusted) certificates is: tags.raw: trusted
Multiple parameters can be combined on Censys with simple Boolean logic.
The combined search query is: parsed.names: xxx.com and tags.raw: trusted
Censys will show all standard certificates that match the above search conditions. Go through the results one by one: clicking "Explore" opens a drop-down menu containing several tools, and choosing "What's using this certificate? > IPv4 Hosts" lists the IPv4 hosts using that specific certificate; the real origin IP may be hidden among them.

2.12. Social engineering the CDN account

Contact the CDN provider's customer service and try to obtain the target website administrator's CDN account, then read the real IP of the website from the CDN configuration.

2.13. Scan the entire network (it’s too time-consuming and not recommended, I haven’t used it anyway)

First get the IP ranges from APNIC, then use Zmap to scan for hosts with port 80 open and use banner-grab to capture their banners, with xxx.com written in the Host header of http-req.

3. Verify whether the found IP is a real IP

  • After finding the real IP, bind it in the hosts file so that the target server can be accessed directly by IP or by domain name.
  • You can also open https://ip directly to see which domain name the certificate is bound to.


Origin blog.csdn.net/qq_36241539/article/details/118527997