How To Bypass That Goddamn CloudFlare

0x0elliot (Elliot)
9 min readAug 9, 2020

--

This is going to be my first blog lol. Let’s give it a go then.

Picked this up from google images lol Ignore the arrow.

Hi, I am 0x0elliot, You can call me Elliot. And today, I will explain how you can bypass that goddamn cloudflare. What is CloudFlare you say? CloudFlare is a web service that protects a website’s web server from different kinds of attacks, Most famous for protecting it from getting DDoSed the living fuck out of it by some skid who has access to a botnet. It acts as a ‘Reverse-Proxy’ and hides the real IP address of the web server the website is hosted on.

But keep in mind that a web server being protected by CloudFlare is not always the same thing as that very web server not being exposed to the internet. This is the very property of the beautiful internet that we are going to use to bypass those goddamn CloudFlares. (Alright saying this sentence is kind of fun lol don’t mind me.)

CloudFlare in itself doesn’t really have a mysterious Zero Day that we will be exploiting. It’s just that Devs are people too, And they often make mistakes while configuring their CloudFlare with their server which leads to certain leaks.

There are also many projects such as Shodan and Censys, Which are constantly scanning the internet for devices and servers which are exposed to the internet. Using some simple ways we can easily bypass these.

Now that you have some context, We can start with some hands on practice.

Method #1: Subdomain BruteForce

Again, Devs are people too. So at times they might just forget to enable CloudFlare for all the Subdomains of a website. I, myself always too use this method to bypass CloudFlare.

Now, What in the fuck are subdomains you might say? Subdomains are domains which are a part of a larger domain. So let’s say you have google.com as the main domain. Then accounts.google.com and mail.google.com etc are It’s subdomains.

As previously said before, Often webdevs/people managing these websites forget to enable CloudFlare for these specific subdomains. We are going to BruteForce each subdomain and check if it’s IP address is not that of a CloudFlare server.

Disclaimer: These tools might just scan your target faster than their policies might be allowing you to. Many private programs ask you to not scan their websites with tools which scan at a rate faster than a certain number of requests per minute. So be careful about it.

Tools:

Easy Recon

There are many subdomain scanners you can use. The best one I have come across so far has been implemented as a discord bot. It’s fast and efficient and can even check if a server belongs to CloudFlare or not, With some false positives at times but trust me, Whatever it is, If you apply some of that thick skull of yours (thick like in a chunky good way. Like having a lot of brain mass idk), You might just be able to bypass CloudFlare easily. Now don’t be a skid. Put effort into confirming things yourself. I will tell you later on in this blog how you can confirm if a server belongs to CloudFlare or not. (Spoiler alert, It’s as simple as a whois lookup)

It’s easy to learn. I believe that you can give it a shot yourself.

This is the invite link to the discord server where you can access it: https://discord.gg/tSYcg3s

Speaking of discord servers, feel free to join mine here: https://discord.gg/X5QQrGB73v

You will find like minded cybersecurity and coding enthusiasts here!

You can also request the owner to allow you to access the bot directly from your DMs which is good if you are doing private bug bounties. It has a plethora of features which are really simple for you to learn. Just go to the “all-commands” section under “BOT”

How the output often looks. I used the option “cf” to show you how to use it.

The discord bot DMs you the output as a text file which you can download and use. As you can see from the example I took, blog.discord.com is not a CloudFlare IP address. Does that mean that I have bypassed discord’s CloudFlare? No lol. I am pretty sure that discord is well aware of this and that this is an intentional step. You can host different subdomains of the same domain on separate servers. So this is most probably the case here as well.

Sidenote, Yes discord uses CloudFlare. Even I didn’t know until the recent CloudFlare fuck up.

You can use other subdomain scanners too. Or heck, You can make your own. I can make a blog post about it later on if requested. I have made subdomain checkers in the past (https://github.com/kiddocoder/subdomain_checker)

Method #2: SMTP Check

Don’t let the term SMTP scare you. SMTP stands for Simple Mail Transfer Protocol. You can use SMTP servers to Send or Receive emails. So let’s say, When you sign up for a hypothetical service called weareskids.com, It would ask you to enter your email address and then it would send a confirmation email to that email address to confirm that it is indeed the owner of the email who signed into weareskids.com. To send that confirmatory email address the site would have to use an SMTP server somehow.

I mean, You can hypothetically use a gmail account itself but I guess it’s a much safer and better option to for companies to use their own SMTP server. There is a chance that these SMTP servers are hosted on the same server where the website is hosted on.

So, If there is an option for you to receive an email from them somehow, By signing up to a newsletter or trying out a forgot password option if there is any, You can try to receive an email from them. If things have not been configured properly by the devs of your target website or by the devs of our hypothetical website, weareskids.com, Then you might just receive their server’s actual IP address in your email headers.

Also heads up, If you are a Gmail user or any other big boy email service user then when you email someone, Your original IP address won’t be leaked. It would instead show the IP address of the gmail SMTP server which relayed your email.

Trying this method:

Alright so for this method, You have to be creative. So find a way for the website to send you an email. Either by subscribing to it’s NewsLetter or by clicking on forgot password or something else.

I will select a random email in my inbox and parse through it’s email header for this example.

So I have an email by reddit. Let’s examine it’s header.

Click on the three dots
Click on ‘Show original’

Then you will see a screen like this.

The IP address under SPF is the IP address of the SMTP server

Method #3: Using censys.io

Okay so I will be honest. When the first time I tried to read up on how to bypass CloudFlare, The mention of censys came up. But when the author of the blog which I was reading searched something on the censys text bar, It gave me a heart attack. The shit looked so damn complicated. What in the fucking world was he typing there? Maybe it was some different hacker shit.

The formatting really scared me. But then a couple months later when I came across another YouTube video which explained the same thing using a different approach, I understood what in the fuck was happening.

So I will try my best to explain it to you.

Go to https://censys.io/domain

Simply enter the name of your website in the search bar.

I chose discord.com, For example.

And then click on the blue button with “Websites” written on it and change it to IPv4 Hosts like I did.

You will be presented with a list of hosts.

One of these IPv4 Hosts belong to the actual IP address of the website. Just verify it by doing an actual whois lookup.

You can also check the SSL Certificate used by that website, And see which other IPv4 Host machines are using it.

Click on “Certificates”

Then,

Click on the result which has the name of the website somewhere.

And then a page like this would pop up.

Click on “Explore”

Then,

Click on IPv4 Hosts

Now this will bring up a list of those IPv4 Hosts which share the same SSL certificate as the website you are browsing. SSL is used to prevent eavesdropping. Basically the communication between you and the website is encrypted through SSL. Though the newer and more improved version of SSL is called TLS. You will find that every website which starts with ‘https’ or has that recognisable padlock in the search bar is encrypted with SSL. But here, We are using a safety mechanism against the website. Nice thought to have lol.

P.S Many times no search will be resulted. Just keep looking and try different approaches. The search I tried gave no results.

Also the weird searching thing I was talking about in the beginning of this method. You can integrate it in your search if you want to.

This is the voodoo

443 → Port

https → Protocol

Get → Method used? I guess. I have seen TLS also used here so I guess you would have to play around a bit

body → body of the website

So it would return a list of those IPv4 Hosts (Since we have selected IPv4 Hosts) which might give us a page which has ‘discord.com’ in it’s body. Now, We know that many other websites might have discord.com in it’s body. So I encourage you to play around with these search terms.

Also side note, Try replacing title with body. It often results a faster and more accurate result.

Now,

How to verify if you have found the right server’s IP Address yet?

Just paste that IP address and see what it gives you. If it is configured wrongly then you might just get the webpage belonging to the website who’s Original IP you are trying to find out. Or just perform a whois lookup using your terminal by doing whois {IP Address} or finding a website which can perform a whois lookup for you. If it has “CloudFlare” written anywhere in the results, It belongs to CloudFlare and you still need to keep looking. Also please use your logic here. Many times people use different servers for different purposes. So maybe the SMTP method might fail. You never know.

Now if you are a site operator, How would you want to prevent someone from Bypassing your CloudFlare?

  1. Configure your CloudFlare properly so only CloudFlare servers (DNS and else) can communicate. White list them or projects like censys or shodan which are scanning the internet for open servers like yours might just catch yours and record it in their database. Also it will make it easier for someone who is bypassing your CloudFlare to confirm if the webpage belongs to your website and he might be able to even perform those web attacks which were stopped by CloudFlare earlier and the impact can vary in severity.
  2. Make sure to setup and configure your SMTP services in such a way that they don’t give out their IP addresses lol. Maybe use another server for it or use another service which can handle the email part? Depends on you. Whatever solution you find nice.
  3. Make sure that all your subdomains have been configured properly for CloudFlare and aren’t leaking your original IP Address. Make sure to configure your cpanel for CloudFlare as well as people many times forget it, From whatever I have read. And if you need to for some weird reason host a subdomain without enabling CloudFlare on it then just use a separate server for that to prevent leaking your original IP address.

Thank you for reading this article! It was my first lol. THAT’S WHAT SHE SAI- okay nah lol. Let me know if I need to edit something out or if I got anything wrong or If I forgot to give someone credit somehow. I am open to criticism and I appreciate any which I would get :)

--

--

0x0elliot (Elliot)
0x0elliot (Elliot)

Written by 0x0elliot (Elliot)

People simp for girls, I simp for information.

Responses (1)