
How to bypass CDN to find the real IP

2025-01-15 Update From: SLTechnology News&Howtos (Network Security)

Shulou (Shulou.com) 06/01 Report

This article explains how to bypass a CDN to find a website's real (origin) IP. The methods introduced here are simple, fast and practical, and they are also the checks a site operator should run against their own domains to see whether the origin is exposed.

Normally you can find the IP behind a domain name quickly from the command line with ping or nslookup. However, for performance and security, many sites put a CDN in front of the origin, so the domain name resolves to the CDN's edge nodes rather than the real server. To find the real IP you therefore have to look around the CDN.

I. Historical DNS resolution records

If you query the historical resolution records of a domain, you may find records from before the site moved behind a CDN, which can reveal the real IP. Related query services:

- IP history: https://viewdns.info/iphistory/
- DNS query: https://dnsdb.io/zh-cn/
- ThreatBook online: https://x.threatbook.cn/
- Domain name query: https://site.ip138.com/
- DNS history query: https://securitytrails.com/
- Netcraft: https://sitereport.netcraft.com/?url=github.com

[Screenshot: IP history query record]

II. Look for subdomains

In many cases only the main site is behind the CDN, while some subdomains are not and sit in the same C segment (/24) as the main server. Looking up those subdomains can then reveal the real IP of the site.

Commonly used subdomain search methods and tools:

1. Search engine queries: traditional search engines such as Google, Baidu and Bing, with operators like site:baidu.com inurl:baidu.com, or searching for target.com | company name.

2. Some online query tools, such as:

- http://tool.chinaz.com/subdomain/
- http://i.links.cn/subdomain/
- http://subdomain.chaxun.la/
- http://searchdns.netcraft.com/
- https://www.virustotal.com/

3. Subdomain brute-forcing tools:

- Layer subdomain excavator
- wydomain: https://github.com/ring04h/wydomain
- subDomainsBrute: https://github.com/lijiejie/
- Sublist3r: https://github.com/aboul3la/Sublist3r

III. Website mail header information

Functions such as mailbox registration, password recovery and RSS email subscription make the website send an email to an address you control. If the mail server runs on the same host as the website, the Received headers of that email carry the sending server's address, which may be the real IP of the website.

IV. Cyberspace search engines

Searching by keyword or by the website's domain name returns the IPs these engines have indexed for it, which often include the real IP of the website.

- ZoomEye: https://www.zoomeye.org
- Shodan: https://www.shodan.io
- Fofa: https://fofa.so

[Screenshot: ZoomEye search]

V. Use SSL certificates to find the real IP

Certificate authorities (CAs) must publish every SSL/TLS certificate they issue to public Certificate Transparency logs, and SSL/TLS certificates typically contain domain names, subdomains and e-mail addresses. Searching those logs, and the hosts presenting a given certificate, therefore becomes an entry point for an attacker.

SSL certificate search engine:

- Censys: https://censys.io/ipv4?q=github.com

[Screenshot: Censys certificate search]

VI. Resolve the domain from foreign hosts

For various reasons, most domestic CDN providers only deploy domestic lines and have few or no foreign nodes. When the domain is resolved from a foreign DNS resolver, the answer is therefore likely to be the real IP.

Foreign multi-location ping testing tools:

- https://asm.ca.com/zh_cn/ping.php
- http://host-tracker.com/
- http://www.webpagetest.org/
- https://dnscheck.pingdom.com/

[Screenshot: foreign multi-ping website test]

VII. Scan the whole network

Scan the whole Internet with tools such as ZMap or masscan, then search the results for keywords (for example the site's title or certificate) to obtain the real IP of the website.

1. ZMap claims to be the fastest Internet scanning tool and can scan the whole IPv4 space in 45 minutes.

https://github.com/zmap/zmap

2. masscan claims to be the fastest Internet port scanner and can sweep the Internet in as little as six minutes.

https://github.com/robertdavidgraham/masscan

VIII. Improper configuration leads to bypass

When configuring a CDN you have to specify the domain names, ports and other details to be proxied. Small configuration details can easily cause the CDN's protection to be bypassed.

Case 1: for the convenience of users, www.test.com and test.com are often resolved to the same site, but the CDN is configured only for www.test.com. Accessing test.com then bypasses the CDN and reveals the origin.

Case 2: the site supports both http and https access, but the CDN is configured only for https. Accessing the site over plain http then bypasses the CDN.
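The following is an added audit script, not part of the original article, for checking your own domains against the Case 1 misconfiguration and the C-segment leak from section II: every A/AAAA answer for a hostname is labelled as a CDN edge address, the origin itself, a neighbour in the origin's /24, or unknown. The CDN ranges, origin address and DNS answers are constructed sample data; in practice you would fill them from your CDN provider's published ranges and from real DNS lookups.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample data (documentation address ranges, not real hosts).
CDN_RANGES = ["203.0.113.0/24", "2001:db8:cdff::/48"]   # ranges the CDN edge uses
ORIGIN_IPS = ["198.51.100.10"]                          # the real server
SAMPLE_ANSWERS = {
    "www.test.com": ["203.0.113.5", "203.0.113.9"],     # correctly behind the CDN
    "test.com": ["198.51.100.10"],                      # apex left off the CDN (Case 1)
    "mail.test.com": ["198.51.100.12"],                 # same C segment as the origin
    "static.test.com": ["2001:db8:cdff::1"],            # IPv6 edge address
}


def audit_records(dns_answers: Dict[str, List[str]],
                  cdn_ranges: Iterable[str],
                  origin_ips: Iterable[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Label each resolved address per hostname: 'cdn', 'ORIGIN_EXPOSED'
    (points straight at an origin address), 'ORIGIN_NEIGHBOUR' (outside the
    CDN but in the same /24 as an origin address) or 'UNKNOWN'."""
    nets = [ipaddress.ip_network(n) for n in cdn_ranges]
    origins = {ipaddress.ip_address(o) for o in origin_ips}
    # The C segment of each IPv4 origin; a non-CDN host here hints at the origin.
    neighbourhoods = [ipaddress.ip_network(f"{o}/24", strict=False)
                      for o in origins if o.version == 4]
    report: Dict[str, List[Tuple[str, str]]] = {}
    for host, answers in dns_answers.items():
        labels = []
        for raw in answers:
            addr = ipaddress.ip_address(raw)
            if addr in origins:
                label = "ORIGIN_EXPOSED"
            elif any(addr in n for n in nets):
                label = "cdn"
            elif any(addr in n for n in neighbourhoods):
                label = "ORIGIN_NEIGHBOUR"
            else:
                label = "UNKNOWN"
            labels.append((raw, label))
        report[host] = labels
    return report


def exposed_hosts(report: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Hostnames with at least one answer that does not point at the CDN."""
    return sorted(h for h, labels in report.items()
                  if any(label != "cdn" for _, label in labels))


if __name__ == "__main__":
    result = audit_records(SAMPLE_ANSWERS, CDN_RANGES, ORIGIN_IPS)
    for host in exposed_hosts(result):
        print(host, result[host])
```

Any hostname reported here should either be moved behind the CDN or have its origin firewall restricted to the CDN's address ranges, which also closes the Case 2 plain-http path.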

At this point you should have a deeper understanding of how to bypass a CDN to find the real IP. Try the methods above in practice, and check your own sites the same way.
