This article is a machine-translated mirror of the original.

Views: 13446 | Replies: 2

[Security Tutorial] A simple way to get the real IP of a website behind a CDN

Posted on 10/5/2015 2:02:40 PM
Caveat up front: the method can miss the target (well, if your luck is bad).

Well, we'll use www.wooyun.org as the example.

First, from the pages shown the several times the www.wooyun.org service has gone down, we can see that Wooyun uses Baidu's CDN service. From Wooyun's own vulnerability cases we also know that Wooyun uses Ucloud's service, so we can boldly assume that Wooyun's server IP is in China.

0x1. Get the CN IP ranges
Fetch the IP allocations for the Asian region from apnic and filter out the CN ranges.
wget ftp://ftp.apnic.net/public/apnic/stats/apnic/delegated-apnic-latest
http://eric-zhang.googlecode.com/svn/trunk/code/bash/iproute2/ip/cnip.txt

0x2. Port scanning
Use zmap to scan port 80 across all the CN IPs.

Well, it takes about 20 minutes on my VPS, so go out for a coffee first :)

0x3. Grab banners
Use zmap's banner-grab to collect banners from the hosts that have port 80 open.

Well, in the http-req set the Host header to www.wooyun.org, raise the maximum number of file descriptors with ulimit,
and scan directly:

Well, since www.wooyun.org loads quite slowly, set both the connect timeout and the read timeout to 30s; while it runs you can go out and watch a movie.

0x4. Data processing
Do a simple filter of the collected data with the keyword "80sec".


These 400+ servers can generally be divided into three types:
* baidu cdn server
* http proxy server
* www.wooyun.com server

Do one more banner grab against these 400+ servers, this time without setting Host, and filter out the Baidu CDN error pages, empty pages, timeouts and other junk pages. That gives the result. I went and asked the person in charge at www.wooyun.org for the real IP, and sure enough, it matched :)

The total time was about two hours.

0x5. Conjecture
Some companies put their test servers on the public internet, and generally they can only be reached with the right Host header, so...

0x6. Thanks
Hmm, this idea came from seeing someone probe my VPS honeypot with some inexplicable Host headers. thx
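The scan in 0x3 only works because the origin answers requests that arrive directly (not through the CDN) and carry the site's Host header. An operator can look for exactly that signature in the origin's own access log. The script below is an added example, not from the post or its author: it parses nginx "combined" log lines with the Host header appended as a final field, labels each request by whether its source lies in the CDN's published ranges, and reports the addresses that reached the origin directly while naming the site. The CDN ranges and log lines are constructed (documentation prefixes) so that it runs offline; a real deployment would load the ranges the CDN provider publishes.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical CDN egress ranges. A real deployment would load the list the
# CDN provider publishes; these are documentation prefixes so the example
# runs offline.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed nginx "combined" log lines with the Host header appended as a
# final quoted field (log_format combined_host '... "$http_host"').
SAMPLE_LOG = """\
192.0.2.10 - - [05/Oct/2015:14:02:40 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "www.example.org"
203.0.113.7 - - [05/Oct/2015:14:05:01 +0800] "GET / HTTP/1.0" 200 5120 "-" "-" "www.example.org"
203.0.113.7 - - [05/Oct/2015:14:05:02 +0800] "GET / HTTP/1.0" 200 5120 "-" "-" "-"
198.51.100.3 - - [05/Oct/2015:14:06:00 +0800] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "www.example.org"
203.0.113.9 - - [05/Oct/2015:14:07:30 +0800] "GET / HTTP/1.1" 404 162 "-" "-" "-"
this line is not a log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_cdn_ip(ip_text):
    """True when the client address lies inside one of the CDN's ranges (v4 or v6)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in CDN_RANGES)


def classify(entry, site_host):
    """Label a request by how it reached the origin.

    cdn          - came through the CDN (the expected path)
    direct-host  - bypassed the CDN *and* named the site in Host: the signature
                   of the banner grab described in the post, i.e. the sender
                   already knows the origin address
    direct-other - bypassed the CDN with some other or no Host (generic probing)
    """
    if is_cdn_ip(entry["ip"]):
        return "cdn"
    host = entry["host"].split(":")[0].lower()  # drop any :port suffix
    return "direct-host" if host == site_host.lower() else "direct-other"


def audit(log_text, site_host):
    """Summarise a log: per-class counts plus the addresses that hit the origin
    directly while asking for the site by name (unparseable lines are counted)."""
    counts = Counter()
    direct_host_ips = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        label = classify(entry, site_host)
        counts[label] += 1
        if label == "direct-host" and entry["ip"] not in direct_host_ips:
            direct_host_ips.append(entry["ip"])
    return {"counts": dict(counts), "direct_host_ips": direct_host_ips}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, "www.example.org")
    print(report["counts"])
    for ip in report["direct_host_ips"]:
        print("origin address is known to", ip, "- CDN bypassed, tighten the allowlist")
```

On an origin that only accepts connections from the CDN's ranges, neither "direct" class can appear at all; any "direct-host" entry means the origin address has leaked and the allowlist (or the CDN's IP restriction feature) needs fixing. The log format must include `$http_host`, otherwise the Host-based distinction is lost.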




OP | Posted on 10/5/2015 2:23:28 PM
http://toolbar.netcraft.com/site_report?url=www.xxx.com records a site's IP changes; the real IP can be found from the target site's historical IP addresses.
Posted on 1/6/2017 3:32:52 AM
Thanks to the OP for the hard work! Much appreciated.