🔎 Find origin servers of websites behind CloudFlare by using Internet-wide scan data from Censys.

CloudFlair

CloudFlair is a tool to find origin servers of websites protected by CloudFlare (or CloudFront) which are publicly exposed and don't appropriately restrict network access to the relevant CDN IP ranges.

The tool uses Internet-wide scan data from Censys to find exposed IPv4 hosts presenting an SSL certificate associated with the target's domain name. API keys are required and can be retrieved from your Censys account.

For more detail about this common misconfiguration and how CloudFlair works, refer to the companion blog post at https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/.
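The mitigation for the misconfiguration described above is to accept web traffic at the origin only from the CDN's IP ranges. The following added example (not part of CloudFlair or its documentation) audits a set of ingress rules for web ports reachable from outside those ranges; the rule format, the rule ids and the CDN ranges are constructed placeholders.

```python
import ipaddress

# Placeholder CDN ranges (RFC 5737 documentation networks), constructed for this
# example. In practice, load the ranges your CDN publishes and keep them current.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed ingress rules for a hypothetical origin server.
RULES = [
    {"id": "r1", "source": "198.51.100.0/24", "port": 443},  # exactly a CDN range
    {"id": "r2", "source": "203.0.113.64/26", "port": 443},  # inside a CDN range
    {"id": "r3", "source": "0.0.0.0/0", "port": 443},        # open to the Internet
    {"id": "r4", "source": "203.0.113.0/24", "port": 80},    # wider than the CDN range
    {"id": "r5", "source": "192.0.2.10/32", "port": 22},     # admin SSH, not a web port
]

WEB_PORTS = {80, 443}


def covered_by_cdn(source, cdn_ranges):
    """True only if every address in `source` falls inside a single CDN range."""
    net = ipaddress.ip_network(source, strict=False)
    # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
    return any(net.version == r.version and net.subnet_of(r) for r in cdn_ranges)


def audit_ingress(rules, cdn_ranges=CDN_RANGES, web_ports=WEB_PORTS):
    """Return the ids of rules that expose a web port to non-CDN sources."""
    return [
        rule["id"]
        for rule in rules
        if rule["port"] in web_ports
        and not covered_by_cdn(rule["source"], cdn_ranges)
    ]


if __name__ == "__main__":
    for rule_id in audit_ingress(RULES):
        print(f"{rule_id}: web port reachable from outside the CDN ranges")
```

A rule whose source merely overlaps a CDN range (r4) is still reported, because part of it lies outside the allowlist.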

Here's what CloudFlair looks like in action.

$ python cloudflair.py myvulnerable.site

[*] The target appears to be behind CloudFlare.
[*] Looking for certificates matching "myvulnerable.site" using Censys
[*] 75 certificates matching "myvulnerable.site" found.
[*] Looking for IPv4 hosts presenting these certificates...
[*] 10 IPv4 hosts presenting a certificate issued to "myvulnerable.site" were found.
  - 51.194.77.1
  - 223.172.21.75
  - 18.136.111.24
  - 127.200.220.231
  - 177.67.208.72
  - 137.67.239.174
  - 182.102.141.194
  - 8.154.231.164
  - 37.184.84.44
  - 78.25.205.83

[*] Retrieving target homepage at https://myvulnerable.site

[*] Testing candidate origin servers
  - 51.194.77.1
  - 223.172.21.75
  - 18.136.111.24
        responded with an unexpected HTTP status code 404
  - 127.200.220.231
        timed out after 3 seconds
  - 177.67.208.72
  - 137.67.239.174
  - 182.102.141.194
  - 8.154.231.164
  - 37.184.84.44
  - 78.25.205.83

[*] Found 2 likely origin servers of myvulnerable.site!
  - 177.67.208.72 (HTML content identical to myvulnerable.site)
  - 182.102.141.194 (HTML content identical to myvulnerable.site)

(The IP addresses in this example have been obfuscated and replaced by randomly generated IPs)

Setup

  1. Register an account (free) on https://search.censys.io/register
  2. Browse to https://search.censys.io/account/api, and set two environment variables with your API ID and API secret
     $ export CENSYS_API_ID=...
     $ export CENSYS_API_SECRET=...
  3. Clone the repository
     $ git clone https://github.com/christophetd/CloudFlair.git
  4. Create a virtual env and install the dependencies
     $ cd CloudFlair
     $ python3 -m venv venv
     $ source venv/bin/activate
     $ pip install -r requirements.txt
  5. Run CloudFlair (see Usage below for more detail)
     $ python cloudflair.py myvulnerable.site

     or for CloudFront

     $ python cloudflair.py myvulnerable.site --cloudfront

Usage

$ python cloudflair.py --help

usage: cloudflair.py [-h] [-o OUTPUT_FILE] [--censys-api-id CENSYS_API_ID] [--censys-api-secret CENSYS_API_SECRET] [--cloudfront] domain

positional arguments:
  domain                The domain to scan

options:
  -h, --help            show this help message and exit
  -o OUTPUT_FILE, --output OUTPUT_FILE
                        A file to output likely origin servers to (default: None)
  --censys-api-id CENSYS_API_ID
                        Censys API ID. Can also be defined using the CENSYS_API_ID environment variable (default: None)
  --censys-api-secret CENSYS_API_SECRET
                        Censys API secret. Can also be defined using the CENSYS_API_SECRET environment variable (default: None)
  --cloudfront          Check Cloudfront instead of CloudFlare. (default: False)

Docker image

A lightweight Docker image of CloudFlair (christophetd/cloudflair) is provided. A scan can easily be instantiated using the following command.

$ docker run --rm -e CENSYS_API_ID=your-id -e CENSYS_API_SECRET=your-secret christophetd/cloudflair myvulnerable.site

You can also create a file containing the definitions of the environment variables, and use the Docker --env-file option.

$ cat censys.env
CENSYS_API_ID=your-id
CENSYS_API_SECRET=your-secret

$ docker run --rm --env-file=censys.env christophetd/cloudflair myvulnerable.site

Compatibility

Tested on Python 3.6. Feel free to open an issue if you have bug reports or questions.
