CF-Hero: Find Real IP Behind Cloudflare

Discover the real IP addresses of web applications protected by Cloudflare
Admin

Real IP behind Cloudflare

CF-Hero is a comprehensive reconnaissance tool developed to discover the real IP addresses of web applications protected by Cloudflare. It gathers multi-source intelligence through various methods.

DNS Reconnaissance

  • Current DNS records (A, TXT)
  • Historical DNS data analysis
  • Associated domain discovery

Intelligence Sources

  • Active DNS enumeration
  • Censys search engine
  • Shodan search engine
  • SecurityTrails historical records
  • Related domain correlation

The tool analyzes data from these sources to identify potential origin IP addresses of Cloudflare-protected targets. It validates findings through response analysis to minimize false positives.

Features

DNS Reconnaissance

  • Checks current DNS records (A, TXT)
  • Extracts domains behind Cloudflare
  • Extracts domains not behind Cloudflare

Third-party Intelligence

  • Censys integration
  • Shodan integration
  • SecurityTrails integration
  • Reverse IP lookup for associated domains

Advanced Features

  • Custom JA3 fingerprint support
  • Concurrent scanning capabilities
  • Standard input support (piping)
  • HTML title comparison for validation
  • Proxy support
  • Custom User-Agent configuration

OSINT

OSINT is another technique for finding the real IP of a domain that is behind Cloudflare. There are many specialised search engines; Shodan and Censys are two of them, and they provide detailed technical information about hosts.

These search engines continuously scan the whole internet, discover new assets, and log changes to existing ones. When a domain that is not yet behind Cloudflare comes online, both engines can record the domain's real IP. If the domain is later moved behind Cloudflare, its real IP can still be found in these engines' historical records.

CF-Hero queries Censys and Shodan as well. (Note that when you use these services, you are subject to their API quota limits.)

(Sub)Domains

The other trick is the (sub)domain technique. It doesn't have to be a subdomain; it can be a separate domain as well. The key point is that the domains should belong to the same company.

Let's say we have two domains. One of them is behind Cloudflare, but the other is not. In this case, you connect to the domain that is not behind Cloudflare and then change the Host header to the domain that is behind Cloudflare. If you get a response from the application behind Cloudflare, congratulations, you have bypassed Cloudflare. You cannot access web applications from the IP directly anymore (and of course, that also depends on the configuration).
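The two checks above map directly onto what an owner of a Cloudflare-proxied zone should verify on their own side: which names in the zone still resolve to a non-Cloudflare address (the "domains not behind Cloudflare" split from the DNS Reconnaissance features), and whether the origin answers requests that did not arrive through a Cloudflare edge (the Host-header trick described in this section). The Go program below is an added example written for this page; it is not CF-Hero's code. It assumes a constructed, partial list of Cloudflare edge ranges (the authoritative list is published by Cloudflare at https://www.cloudflare.com/ips/ and must be fetched from there), takes already-resolved A records as input so it runs offline, and exposes an origin-side middleware that rejects connections whose peer address is not a Cloudflare edge.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"sort"
)

// cloudflareEdgeRanges is a constructed, incomplete snapshot used only for
// this example. In a real audit, load the current list from
// https://www.cloudflare.com/ips/ instead of hard-coding it.
var cloudflareEdgeRanges = []string{
	"173.245.48.0/20",
	"103.21.244.0/22",
	"104.16.0.0/13",
	"172.64.0.0/13",
}

// parseRanges turns CIDR strings into *net.IPNet, failing on malformed input.
func parseRanges(cidrs []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// isCloudflareIP reports whether ip lies inside any of the given ranges.
func isCloudflareIP(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClassifyRecords splits a name -> A-record map into names whose every
// address is a Cloudflare edge (proxied) and names with at least one
// non-Cloudflare address (exposed). A name with no usable address is
// treated as exposed so it is not silently ignored. Resolution is the
// caller's job (e.g. net.LookupIP), which keeps this function testable offline.
func ClassifyRecords(records map[string][]string, nets []*net.IPNet) (proxied, exposed []string) {
	for name, addrs := range records {
		behindCF := len(addrs) > 0
		for _, a := range addrs {
			ip := net.ParseIP(a)
			if ip == nil || !isCloudflareIP(ip, nets) {
				behindCF = false
				break
			}
		}
		if behindCF {
			proxied = append(proxied, name)
		} else {
			exposed = append(exposed, name)
		}
	}
	// Map iteration order is random; sort for stable output.
	sort.Strings(proxied)
	sort.Strings(exposed)
	return proxied, exposed
}

// OnlyFromCloudflare is origin-side middleware: requests whose TCP peer is
// not a Cloudflare edge get 403, so a request that reaches the origin
// directly (for instance via a sibling domain's server with a rewritten
// Host header) never reaches the proxied application.
func OnlyFromCloudflare(nets []*net.IPNet, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr // RemoteAddr carried no port
		}
		ip := net.ParseIP(host)
		if ip == nil || !isCloudflareIP(ip, nets) {
			http.Error(w, "direct origin access is not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	nets, err := parseRanges(cloudflareEdgeRanges)
	if err != nil {
		panic(err)
	}
	// Constructed sample records; 203.0.113.0/24 is documentation space.
	records := map[string][]string{
		"www.example.com":   {"104.16.1.1"},
		"old.example.com":   {"203.0.113.10"},
		"mixed.example.com": {"104.16.1.1", "203.0.113.11"},
	}
	proxied, exposed := ClassifyRecords(records, nets)
	fmt.Println("behind Cloudflare:    ", proxied)
	fmt.Println("not behind Cloudflare:", exposed)
}
```

The middleware only helps when the origin sees the real peer address: behind a load balancer or another reverse proxy, `RemoteAddr` is that intermediary, and the check has to be done at whichever hop terminates the Cloudflare connection. Filtering by source range is also only the weaker half of origin hardening; Cloudflare's Authenticated Origin Pulls (client-certificate authentication of the edge) stops requests that are not from Cloudflare regardless of where they come from, and the exposed names reported by `ClassifyRecords` are exactly the ones an attacker would use to avoid both controls.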

Flowchart of CF-Hero

Installation Instructions

CF-Hero requires Go 1.18 to install successfully. Run the following command to install it.

go install -v github.com/musana/cf-hero/cmd/cf-hero@latest

Usage:

 cf-hero [flags]

Check CF-Hero