Join to Get Free Linux Server Hacks & cPanel Tips

Reveal Real IP address of Website Powered by CloudFlare

Reveal Real IP address of Website Powered by CloudFlare
5 (100%) 3 votes

CloudFlare is one of my favourite Internet services for webmasters and developers. I use it as DNS server, we recommend it to our customers and to everybody who need free CDN and security services. It’s the company that changed forever the concept of a fast & secure website.

The team at Cloudflare has built an amazing service that helps millions of people to accelerate, secure and optimize their websites for free (altough they also have premium plans).

Today there are more than 5,000,000 websites using Cloudflare services, for web proxy, ssl certificates or as dns only servers.

If you are using Cloudflare, then you already know that activating their orange cloud on your DNS records means that your domain record will be powered and going trough Cloudflare proxy servers.

Let’s see this in a practical way running a simple DNS lookup using dig to get the response reflected by CloudFlare proxy servers:

webiste.com uses Cloudflare, and this is the dig response:

www.website.com. 300 IN A 198.41.208.133

That is a Cloudflare IP range, which can be confirmed fast using whois command:

[webtech@localhost ~]$ whois 198.41.208.133 | grep Cloudflare -i
NetName: CLOUDFLARENET
Organization: Cloudflare, Inc. (CLOUD14)

As you see, we don’t have a way to know where this website is hosted really, we only get Cloudflare IP address, this is good if you want to protect your website.

However, if you are on the other side, making a security research, an legal investigation or something that forces you to find out the real IP behind Cloudflare, then let me tell you that you are not alone.

3 methods to Reveal the Real IP address of Website Powered by CloudFlare

While proxy services like Cloudflare can help to hide the real IP address of a website, there are still some handy tricks to reveal the origin IP address behind Cloudflare Nginx Proxy servers.

How can I know if a website uses Cloudflare or not?

Take a look at their headers using curl command, for example:

[webtech@nixcp.com ~]$ curl -I https://www.cloudflare.com
HTTP/2 200 
date: Tue, 18 Jul 2017 13:13:13 GMT
content-type: text/html; charset=utf-8
last-modified: Thu, 13 Jul 2017 22:36:06 GMT
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
served-in-seconds: 0.002
cf-cache-status: HIT
expires: Tue, 18 Jul 2017 17:13:13 GMT
cache-control: public, max-age=14400
server: cloudflare-nginx
[webtech@nixcp.com ~]$

If it is powered by Cloudflare you will notice “cloudflare-nginx” in the server line from the headers.

Now let’s see how to reveal the IP address behind Cloudflare services.

1. Online tools

  • Crimeflare is a website that is dedicated to reveal Cloudflare powered websites.
  • IPHostInfo is another website that can reveal Cloudflare websites IPs, they scan the DNS records and it may be useful sometimes.
  • Censys can also help with useful information to find IP address of website powered by Cloudflare proxy servers.
Censys often reveals critical information that can help you to find the original IP address behind Cloudflare
Screenshot of Censys, an online service that often reveals critical information that can help you to find the original IP address behind Cloudflare

2. Website History

Whoisrequest website includes a website history that can help you to find previous DNS servers they’ve been using, while this is not actually the real actual IP address, there are chances they are still hosted there, by having their DNS servers you know the nameservers prior to use the Cloudflare DNS servers.

3. Brute forcing DNS records with Nmap

Nmap security sca n can help you to reveal origin IP address information. Install nmap on your server or localhost, an drun this command:

nmap -sV -sS -F XX.XX.XX.XX

Replace “XX.XX.XX.XX” with the real IP address of the website.
Expected output from Cloudflare powered servers:

[root@nixcp.com ~]# nmap -sV -sS -F 198.41.208.133

Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-18 02:10 -03
Nmap scan report for 198.41.208.133
Host is up (0.029s latency).
Not shown: 96 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Cloudflare nginx
443/tcp open ssl/http Cloudflare nginx
8080/tcp open http Cloudflare nginx
8443/tcp open ssl/http Cloudflare nginx

That will confirm if website if protected by Cloudflare or not.

This other handy command will brute force the DNS records to see if we can get additional information. DNS servers can offer lot of useful information, for example the “mail” DNS record usually points that you are targeting a mail server, or in this case, the entry “direct”, widely used by Cloudflare may point to the real IP address of the website.

Let’s see some examples:

nmap --script dns-brute www.website.com

Output:

Nmap scan report for website.com (154.210.69.18)
Host is up (0.085s latency).
rDNS record for 154.210.69.18: ec2-154-210-69-18.us-west-1.compute.amazonaws.com.

Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| mail.website.com - 154.210.69.18
| ftp.website.com - 154.210.69.18
| cpanel.website.com - 154.210.69.18 
| whm.website.com - 154.210.69.18
| webmail.website.com - 154.210.69.18  
|_ www.website.com - 154.210.69.18

This may expose you the real server’s origin IP address behind Cloudflare.

Conclusion

In my experience, the most useful tools are the online ones, as nmap and other command line based tools most of the time will fail due to firewall and network restrictions on the networks.

While Cloudflare idea of hiding IP addresses behind the proxy for their web acceleration and CDN is really good, sometimes it is widely used and abused by warez, phising and other sources of malicious type websites that are often investigated, in this cases finding Cloudflare websites IP address is a little bit more tricky than normal websites that do not use any Cloud Proxy services.

Do you know other ways to get bypass and get origin IP address behind Cloudflare?