Search the Community

Through Old DNS records indicate the last owner’s services. Sites that use its nameservers must have used basic nameservers being provided by their domain registrar or hosting provider. These are used to tell the original IP address of the site hosting provider. This ethod sometimes not works, but for me chances were 50%

Try a service named Censys. It shall help users discover technologies used by the host. Just put in name of the domain and it shall provide all the services used by the site. You need to go to “Censys Search” Once there enter the name of the domain you wish to find details about. You shall now see the trusted host with the site’s real IP address.

[hide][Hidden Content]]

Check a Host is Owned by Cloudflare. Changelog v2.0.2 0294f02 db: Update DB (#15) 94219b3 db: Update DB (#14) [hide][Hidden Content]]

Check a Host is Owned by Cloudflare. Changelog v2.0.1 c70510a db: Update DB (#12) aec3b29 scripts: Parse all instead (proxied possibility) (fix #8) [hide][Hidden Content]]

CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server. Using Tor to mask all requests, the tool as of right now has 3 different attack phases. Disclaimer This tool is a PoC (Proof of Concept) and does not guarantee results. It is possible to setup Cloudflare properly so that the IP is never released or logged anywhere; this is not often the case and hence why this tool exists. This tool is only for academic purposes and testing under controlled environments. Do not use without obtaining proper authorization from the network owner of the network under testing. The author bears no responsibility for any misuse of the tool. [hide][Hidden Content]]

cf-check Check a Host is Owned by Cloudflare. Changelog v1.0.4 1052d71 chore: Words d4f35d0 fix: Nil pointer derefer 6933a71 Add Go modules [hide][Hidden Content]]

cf-check Check a Host is Owned by Cloudflare. Changelog v1.0.3 e9917ec Merge pull request #5 from six2dez/patch-1 6807cd3 Updated CF Ip list [hide][Hidden Content]]

Cloudmare is a simple tool to find origin servers of websites protected by Cloudflare, Sucuri, or Incapsula with a misconfiguration DNS. [hide][Hidden Content]]

[Hidden Content]

CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server. Using Tor to mask all requests, the tool as of right now has 3 different attack phases. Misconfigured DNS scan using DNSDumpster.com. Scan the Crimeflare.com database. Bruteforce scan over 2500 subdomains. Disclaimer This tool is a PoC (Proof of Concept) and does not guarantee results. It is possible to setup Cloudflare properly so that the IP is never released or logged anywhere; this is not often the case and hence why this tool exists. This tool is only for academic purposes and testing under controlled environments. Do not use without obtaining proper authorization from the network owner of the network under testing. The author bears no responsibility for any misuse of the tool. [hide][Hidden Content]]

Ante todo, buenos días, tardes o noches..........me llamo ZeroDay, no suelo postear mucho y me gustaría que esto cambiara un poco y poder así compartir conocimientos y experiencias, ya que en los años que llevo como Hacker, o aprendiz de Hacker (ya que no me considero ningún pro) donde más he aprendido ha sido en comunidad, o mejor dicho, investigando por mi cuenta compartiendo en comunidad y volviendo investigar por mi cuenta, ya que este trabajo es 80% investigacion propia. Como auditor creo que es un tema con el que todos nos hemos topado alguna vez, el WAF de Claudflare. En mi primera auditoria me encontré con este problema, los que son auditores saben que no son CFTs, que hay un tiempo establecido para realizar esa auditoria, unas normas, y que tu trabajo depende de esto, con lo cual hay muchos factores que entran en juego, los nervios y la presión suelen jugar malas pasadas. Todos en nuestra primera auditoria hemos intentado hacer una CTF en vez de una auditoria, por lo menos en mi caso y en los muuuchos que conozco, la costumbre de hackearlo todo, o por lo menos intentarlo. Mi intención aquí no es enseñar a Bypassear el WAF de Claudflare, (se que la mayoría saben hacerlo en este foro) quiero compartir una herramienta que os ayudara a realizar esta tarea de forma automatizada. Como ya seguramente sepan para este Bypass es necesario utilizar los siguientes buscadores. [Hidden Content] [Hidden Content] y el muy conocido [Hidden Content] Esta es la herramienta: [Hidden Content] En este enlace hay otro donde te explica como se hace de forma manual, ahora hay muchos, si quieren compartir alguna otra forma que yo no conozca seria muy bueno para todos, por lo que veo el tema de Pentesting no esta muy abordado en este foro. En este caso se trata de una auditoria que realice hace ya tiempo, y lo que quiero es ir abordando temas que he sufrido yo en las que he realizado y que cada uno comparta sus experiencias. Quiero dejar claro, por motivos personales, que yo no estoy enseñando a saltarse el WAF a nadie, solo estoy proporcionando información para que investiguen y pueden saber por donde empezar. Si que me gustaría que la gente que trabaja en el sector, quieren trabajar o que ya lo esta haciendo, aportaran sus experiencias en este tema, vamos a ver cuantos Pentesters hay por aquí, ya que como he comentado no hay mucha participación en la parte de Pententing, vamos a intentar potenciar esto, ya que considero que hay muchísima gente con un nivel muy bueno para poder debatir los temas que iremos abordando, la gran mayoría mejores que yo mil veces, así que aporten si lo ven conveniente. Un saludo a toda la comunidad.

cf-check Check a Host is Owned by Cloudflare. [hide][Hidden Content]]

Flan Scan is a lightweight network vulnerability scanner. With Flan Scan you can easily find open ports on your network, identify services and their version, and get a list of relevant CVEs affecting your network. Flan Scan is a wrapper over Nmap and the vulners script which turns Nmap into a full-fledged network vulnerability scanner. Flan Scan makes it easy to deploy Nmap locally within a container, push results to the cloud, and deploy the scanner on Kubernetes. Getting Started Clone this repository Make sure you have docker setup: $ docker --version Add the list of IP addresses or CIDRS you wish to scan to shared/ips.txt. Build the container: $ make build Start scanning! $ make start When the scan finishes you will find a Latex report of the summarizing the scan in shared/reports. You can also see the raw XML output from Nmap in shared/xml_files. Custom Nmap Configuration By default Flan Scan runs the following Nmap command: $ nmap -sV -oX /shared/xml_files -oN - -v1 $@ --script=vulners/vulners.nse <ip-address> The -oX flag adds an XML version of the scan results to the /shared/xml_files directory and the -oN - flag outputs "normal" Nmap results to the console. The -v1 flag increases the verbosity to 1 and the -sV flag runs a service detection scan (aside from Nmap's default port and SYN scans). The --script=vulners/vulners.nse is the script that matches the services detected with relevant CVEs. Nmap also allows you to run UDP scans and to scan IPv6 addresses. To add these and other flags to Scan Flan's Nmap command after running make build run the container and pass in you Nmap flags like so: $ docker run -v $(shell pwd)/shared:/shared flan_scan <Nmap-flags> Pushing Results to the Cloud Flan Scan currently supports pushing Latex reports and raw XML Nmap output files to a GCS Bucket or to an AWS S3 Bucket. Flan Scan requires 2 environment variables to push results to the cloud. The first is upload which takes one of two values gcp or aws. The second is bucket and the value is the name of the S3 or GCS Bucket to upload the results to. To set the environment variables, after running make build run the container setting the environment variables like so: $ docker run --name <container-name> \ -v $(pwd)/shared:/shared \ -e upload=<gcp or aws> \ -e bucket=<bucket-name> \ flan_scan Below are some examples for adding the necessary AWS or GCP authentication keys as environment variables in container. However, this can also be accomplished with a secret in Kubernetes that exposes the necessary environment variables or with other secrets management tools. Example GCS Bucket Configuration Copy your GCS private key for a service account to the /shared file $ cp <path-to-local-gcs-key>/key.json shared/ Run the container setting the GOOGLE_APPLICATION_CREDENTIALS environment variable as the path to the GCS Key $ docker run --name <container-name> \ -v $(pwd)/shared:/shared \ -e upload=gcp \ -e bucket=<bucket-name> \ -e GOOGLE_APPLICATION_CREDENTIALS=/shared/key.json flan_scan Example AWS S3 Bucket Configuration Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables to the corresponding variables for your S3 service account. docker run --name <container-name> \ -v $(pwd)/shared:/shared \ -e upload=aws \ -e bucket=<s3-bucket-name> \ -e AWS_ACCESS_KEY_ID=<your-aws-access-key-id> \ -e AWS_SECRET_ACCESS_KEY=<your-aws-secret-access-key> \ flan_scan Deploying on Kubernetes When deploying Flan Scan to a container orchestration system, such as Kubernetes, you must ensure that the container has access to a file called ips.txt at the directory /. In Kubernetes, this can be done with a ConfigMap which will mount a file on your local filesystem as a volume that the container can access once deployed. The kustomization.yaml file has an example of how to create a ConfigMap called shared-files. This ConfigMap is then mounted as a volume in the deployment.yaml file. Here are some easy steps to deploy Flan Scan on Kubernetes: To create the ConfigMap add a path to a local ips.txt file in kustomization.yaml and then run kubectl apply -k .. Now run kubectl get configmap to make sure the ConfigMap was created properly. Set the necessary environment variables and secrets for your cloud provider within deployment.yaml. Now run kubectl apply -f deployment.yaml to launch a deployment running Flan Scan. Flan Scan should be running on Kubernetes successfully! Download: [HIDE][Hidden Content]]

[Hidden Content]

Cloudmare is a simple tool to find origin servers of websites protected by Cloudflare with a misconfiguration DNS. [HIDE][Hidden Content]]

CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server. Using Tor to mask all requests, the tool as of right now has 3 different attack phases. Misconfigured DNS scan using DNSDumpster.com. Scan the Crimeflare.com database. Bruteforce scan over 2500 subdomains. Disclaimer This tool is a PoC (Proof of Concept) and does not guarantee results. It is possible to setup Cloudflare properly so that the IP is never released or logged anywhere; this is not often the case and hence why this tool exists. This tool is only for academic purposes and testing under controlled environments. Do not use without obtaining proper authorization from the network owner of the network under testing. The author bears no responsibility for any misuse of the tool. [HIDE][Hidden Content]]

Tutorial regarding ways of bypassing Cloudflare security [HIDE][Hidden Content]]