This post will show you how to find the real IP of websites that are sitting behind the Cloudflare web proxy. Keep in mind that this will not work on all sites, and I assume no responsibility for any trouble, legal or not, you get into. This post is meant to be for educational purposes, and not for illegal purposes! With that said, let the tutorial begin:
I made a script in my Scripts repository that attempts to find the IP of a website behind firewall. Simply clone:
git clone https://github.com/NerdOfLinux/Scripts.git
and use the
ipcrack.sh shell script.
I will be using my own website as an example. Simply run the script with the domain you’d like to find the IP of:
bash ipcrack.sh ofthenerds.com
and it will return the following:
Welcome to ipcrack.sh This script will (try to) reveal ip addresses of websites using Cloudflare Probing MX records... ____________________ Trying: hi.dd.en.n ____________________ hi.dd.en.n seems to host a website, but we're not sure if it's ofthenerds.com
It basically just gets the IP address of the MX record, runs
curl, and if it finds the URL in the HTML somewhere, it assumes that it found a match(i.e. navigation menus have the site URL). If
curl works, but can’t find the URL in the HTML, it returns the message:
hi.dd.en.n seems to host a website, but we're not sure if it's ofthenerds.com
For me, this is because I use Authenticated Origin Pulls, which only allows Cloudflare servers to access my site.
This method requires a bit more work, but is quite easy once you learn how. First, get the MX record of the domain you want:
dig +short mx ofthenerds.com
So, now we get the IP of the MX record:
dig +short mail.ofthenerds.com
and we get:
Next, use curl:
curl -ks https://hi.dd.en.n --header "Host: ofthenerds.com"
and if you get output, you’ve probably found the IP :) . Remember to use the
--header option, or else the server will likely return an error because it is not configured to respond to IP addresses. The
-k option tells curl to continue even with an invalid SSL certificate, which is likely the case since most SSL certificates are only for the domain and not the IP.
Note: “hi.dd.en.n” is what I replaced my IP address with. If you want to take down this site, do it the proper way and get the IP yourself :) (and know that is a violation of the terms of service and is likely illegal)