![Cloudflare IP resolver [python] | Juno_okyo's Blog](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_s4_4Ga5gvcShSkbDbC1V7OdIMku8zkuSL_-whKbi0QHnjHb2h1eTxqAZmV8N36k-97k2XgvoJhSLudr9vsJKtO-tUk_CTU1BeW1MIKeOc1wJqtbgB7OlifHITmbpl2lBUHkxIw84Zj-LW2NCpY6A=s0-d "Cloudflare IP resolver [python] | Juno_okyo's Blog")
- Tests common subdomains for misconfiguration
- Tests common tlds
- Checks for php info files
- Checks dns history
- Uses dnsmap to bruteforce subdomains
The script can then confirm the results using a keyword
Download it from :http://www.multiupload.nl/K1L4Q3EVRV
dnsmap is included in the download
#!/usr/bin/python
#-------------------------------------|------------------------------------------#
# _______ _______ __ _______
#_______ \ _ \ \ _ \_/ |___ _ _\ _ \_______ _____
#\_ __ \/ /_\ \/ /_\ \ __\ \/ \/ / /_\ \_ __ \/ \
# | | \/\ \_/ \ \_/ \ | \ /\ \_/ \ | \/ Y Y \
# |__| \_____ /\_____ /__| \/\_/ \_____ /__| |__|_| /
# \/ \/ \/ \/
#
#
# This was written for educational purposes only.
# Use it at your own risk. Author will be not responsible for any damage!
# Coder : Smith
# Description: Bypasses clouflare to find the real server ip
# For r00tw0rm members only! No Leechers!!
#-------------------------------------|------------------------------------------#
import urllib2
import socket
import string
import re
import subprocess
from BeautifulSoup import BeautifulSoup
socket.setdefaulttimeout(3)
dnsmapdir = 'dnsmap' # Edit to change dnsmap directory
# Used to escape >1 loops at once
class End( Exception ):
pass
class Bruteforce(object):
def __init__(self, domain):
if domain.startswith('www.'):
domain = re.sub('www.', '', domain)
self.domain = domain
self.ips = {}
self.subs = ['direct', 'direct-connect', 'cpanel', 'admin', 'ftp', 'pop', 'imap', 'mail', 'webmail', 'forum', 'admin', 'portal', 'beta']
self.tlds = ['.com', '.net', '.info', '.org', '.biz', '.cc', '.ru', '.co.uk', '.us', '.su']
# Tests for common subdomains which haven't been conigured with CloudFlare
def fast(self):
print("\n-- Testing common subdomains for misconfiguration --")
for sub in self.subs:
subdomain = sub + '.' + self.domain
response = dns.nslookup(subdomain)
if response: # If subdomain exists
# Prevent errors if >1 ip returned for domain
if type(response) == list:
for ip in response:
self.ips[subdomain] = ip
else:
self.ips.append(response)
# Checks if the discovered domains are behind cloudflare
for domain, ip in self.ips.iteritems():
if dns.check(ip):
print(output("%s is hosted at %s" % (domain,ip)))
if ip not in iplist:
iplist.append(ip)
# Checks common tlds which may have been registered for domain
def tld(self):
print("\n-- Testing common tlds --")
tmp = re.split('\..*', self.domain) # Removes current tld
for i in self.tlds:
testDomain = tmp[0] + i
response = dns.nslookup(testDomain)
if response:
if type(response) == list: # If >1 ips returned
for ip in response:
if dns.check(ip):
print(output("%s is hosted at %s" % (testDomain, ip)))
if ip not in iplist:
iplist.append(ip)
else:
if dns.check(ip):
print(output("%s is hosted at %s" % (testDomain,ip)))
if ip not in iplist:
iplist.append(ip)
def dnsmap(self):
result = subprocess.check_output([dnsmapdir + '/dnsmap', self.domain]) # Executes dnsmap
# Formats output
out = re.split('IP address #.: ', result)
domain = re.split('\n', out)
domain = domain[5] # Stores first domain found
store = '' # Stores previous domain name if >1 ip returned
for i in out:
if i.startswith('\n'):
pass
else:
ip = re.split('\n', i)
if ip[0].startswith('dnsmap'): # Filters out dnsmap messages
pass
else:
if dns.check(ip[0]):
if ip[0] in iplist:
pass
else:
iplist.append(ip[0])
print(output("%s is hosted at %s" % (domain,ip[0])))
# Fixes errors when >1 ip returned for 1 subdomain
try:
if ip[0] == '127.0.0.1': # prevents errors by dnsmap warning
domain = ip[3]
else:
domain = ip[2]
except:
domain = ''
if domain == '':
domain = store
else:
store = ip[2]
class DnsMisc():
def __init__(self, domain):
self.cfip = []
self.cfip = self.nslookup(domain)
# Returns ip(s) of a domain
def nslookup(self, domain):
try:
ipaddr = socket.getaddrinfo(domain, 80)
except:
ipaddr = ''
ip = []
for i in range(0, len(ipaddr)):
a = ipaddr[i][4][0] # Extracts ip from returned info
if a not in ip:
ip.append(a)
return ip # Returns a list with ips
# Checks ip is not cloudflare ip
def check(self, ip):
if ip not in self.cfip and ip != '127.0.0.1':
return ip
def info(domain):
print("\n-- Checking for php info() files --")
# Common php info files
files = ['info.php', 'php.php', 'phpinfo.php', 'php-info.php', '/']
for infofile in files:
url = 'http://%s/%s' % (domain,infofile)
try:
response = urllib2.urlopen(url)
save = response.readlines()
if "PHP Version" in string.join(save): # Check if php info file
for line in save:
if "SERVER_ADDR" in line: # SERVER_ADDR == server ip variable
# Extracting server ip :)
tmp = re.split('class="v">', line)
tmp = re.split('<', tmp[1])
ip = tmp[0]
print(output("Found ip: %s in phpinfo file: %s" % (ip,infofile)))
if ip not in iplist:
iplist.append(ip)
except:
pass
# Checks dns history of domain
def dnsHistory(domain):
print("\n-- Checking dns history --")
url = 'http://toolbar.netcraft.com/site_report?url=' + domain
try:
request = urllib2.urlopen(url)
html = request.read()
except:
html = ''
soup = BeautifulSoup(''.join(html))
tables = soup.findAll(attrs={'class': 'TBtable'})
try:
table = tables[1]
except:
table = '' # Prevents errors if no history returned
rows = ''
if table:
rows = table.findAll('tr') # Need to edit out agaun
x = -1
try:
for tr in rows:
columns = tr.findAll('td')
for td in columns:
text = ''.join(td.find(text=True))
if x%5 == 0: # Only ip addresses are checked
if dns.check(text): # Finds last ip thats not CloudFlare
print(output("The last known ip address is: %s" % text))
if text not in iplist:
iplist.append(text)
raise End # Breaks from multiple loops
x+=1
except End:
pass
print("\n#" + "-"*77 + "#")
def verify(ip, directory, keyword):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, 80))
request = "GET " + directory + " HTTP/1.1\r\nHost: " + domain + "\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: None\r\nConnection: keep-alive\nDNT: 1\r\n\r\n"
s.sendall(request)
data = s.recv(4096)
s.close
except socket.error:
data = ''
try:
server = re.split('Server: ', data)
server = re.split('\r\n', server[1])
server = server[0]
except:
server = ''
if 'cloudflare' in server: # Cloudflare always returns cloudflare in server meta tag
pass
else:
if keyword.lower() in data.lower():
print(output(domain + " is confirmed at " + ip))
def banner():
banner = '''
#-------------------------------------|---------------------------------------#
# _______ _______ __ _______ #
# _______ \ _ \ \ _ \_/ |___ _ _\ _ \_______ _____ #
# \_ __ \/ /_\ \/ /_\ \ __\ \/ \/ / /_\ \_ __ \/ \ #
# | | \/\ \_/ \ \_/ \ | \ /\ \_/ \ | \/ Y Y \ #
# |__| \_____ /\_____ /__| \/\_/ \_____ /__| |__|_| / #
# \/ \/ \/ \/ #
#-------------------------------------|---------------------------------------#
# CloudFlare IP Resolver #
# Created by Smith@r00tw0rm #
#-------------------------------------|---------------------------------------#
'''
print(banner)
banner()
iplist = [] # Stores all retrieved ip addresses
output = lambda out: "[x] " + out # Makes the output look nice
domain = raw_input("Enter target domain: ")
dns = DnsMisc(domain) # Saves cloudflare ips for later checking
brute = Bruteforce(domain) # Prepares domain for bruteforcing
# Attempt to find possible ips
brute.fast()
brute.tld()
info(domain)
dnsHistory(domain)
extra = raw_input("\nWould you like to use dnsmap to find subdomains Y/N: ")
if extra.lower() == 'y':
print("This may take a while, please be patient")
brute.dnsmap()
extra = raw_input("\nWould you like to confirm the results Y/N: ")
if extra.lower() == 'y':
directory = raw_input("Enter a file known to exist (eg /index.php): ")
if directory.startswith('/'):
pass
else:
directory = '/' + directory
keyword = raw_input("Enter a keyword only found on the target page: ")
print("\n-- Confirming results --")
for ip in iplist:
verify(ip, directory, keyword)
print("\nFinished! All results must be verified manually")
print("If this script has been unsuccessful find a way to get the target to email you")
print("The server ip will be in the mail header")