What is (was?) Crimeflare? It’s a great name.
https://github.com/HackerSiber/Crimeflare
Looks like a hacking tool to identify websites behind Cloudflare.
Interesting. I wonder how that’s possible.
I’ll read through the repo when I’m back on my computer
I was curious as to how it’s done; unfortunately, that repo won’t answer. All it’s doing is calling a separate HTTP API that returns the IP. I looked quickly and didn’t find a repo for that other API.
Theoretically it really shouldn’t be possible
I agree unless the backend server is including it in the response/response headers for some reason, which wouldn’t make a tool like this work in the general case. I thought maybe there was a Cloudflare API that would inadvertently leak the origin IP in an error response in some special case or something of that nature, but I’d assume they would have patched that rather quickly. I’m very curious if this tool ever worked and if so, how.
If you had a single specific host you were trying to find the origin server for, you could basically scan their ASN and well-known data center (particularly the big cloud provider) IPs by sending requests to them with the desired host header to try to find an entry point (load balancer, reverse proxy, web server), but I don’t think that’s practical, particularly with a free API that (presumably) responded in a reasonable amount of time. The underlying API used by the linked script is no longer available, so I don’t know if it worked or response times.
Furthermore, a well-configured system should ignore requests not originating from Cloudflare’s IPs (or use a tunnel) to prevent bypassing Cloudflare, although I’ve seen plenty not do this. Cloudflare even publishes the subnets you should allow. Easy to integrate that into a cron-type job, Terraform, or other way to keep rules updated even though they’ve very rarely changed.
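As an added example (not the linked tool or code from anyone in the thread), a Python sketch of the allowlist refresh job the comment above describes: it assumes Cloudflare's published one-CIDR-per-line lists at the two URLs shown and an nftables firewall on the origin, and the embedded ranges are a constructed offline snapshot, not an authoritative copy of the list.

```python
import ipaddress
from urllib.request import urlopen

# Cloudflare's published edge ranges (one CIDR per line); fetched only by fetch_ranges().
CLOUDFLARE_IP_LISTS = ("https://www.cloudflare.com/ips-v4", "https://www.cloudflare.com/ips-v6")

# Constructed snapshot so the example runs without network access; a real job
# refreshes from CLOUDFLARE_IP_LISTS rather than trusting this text.
SAMPLE_RANGES = "173.245.48.0/20\n104.16.0.0/13\n2606:4700::/32\n"

def parse_ranges(text):
    """Parse one CIDR per line, skipping blanks; raises ValueError on a malformed entry."""
    return [ipaddress.ip_network(ln.strip()) for ln in text.splitlines() if ln.strip()]

def fetch_ranges(urls=CLOUDFLARE_IP_LISTS, timeout=10):
    """Download and parse the published lists (needs network access)."""
    text = "".join(urlopen(u, timeout=timeout).read().decode() + "\n" for u in urls)
    return parse_ranges(text)

def refresh_ranges(new_text, previous):
    """Swap in the new list only if it parses and is non-empty: with the rules below,
    an empty set would drop all traffic to the origin, so a bad fetch keeps the old set."""
    try:
        parsed = parse_ranges(new_text)
    except ValueError:
        return previous
    return parsed if parsed else previous

def is_cloudflare_ip(addr, ranges):
    """True if addr falls inside any allowed range of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges if net.version == ip.version)

def nftables_rules(ranges, port=443):
    """Render nftables config that accepts :port only from the allowlist and drops the rest."""
    v4 = ", ".join(str(n) for n in ranges if n.version == 4)
    v6 = ", ".join(str(n) for n in ranges if n.version == 6)
    return "\n".join([
        "table inet edge {",
        "  set cf4 { type ipv4_addr; flags interval; elements = { %s } }" % v4,
        "  set cf6 { type ipv6_addr; flags interval; elements = { %s } }" % v6,
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    tcp dport %d ip saddr @cf4 accept" % port,
        "    tcp dport %d ip6 saddr @cf6 accept" % port,
        "    tcp dport %d drop" % port,
        "  }",
        "}",
    ]) + "\n"
```

Feed the rendered text to `nft -f` from the cron job; the drop rule only bites after the allowlist has been loaded, which is why refresh_ranges refuses an empty or unparseable list.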