How to identify real IP address of server to bypass Sucuri, Cloudflare or other WAF
Many websites use Web Application Firewall (WAF) services such as Sucuri, Cloudflare or Incapsula to protect themselves from attackers; however, not all of these site owners have implemented the WAF correctly.
When deploying a WAF, the website owner changes the DNS A record of the domain to the WAF's IP address, so that all traffic addressed to the domain name is sent to the WAF and filtered before it reaches the actual website. What is often forgotten is that the origin server still accepts traffic sent directly to its own IP address, and that traffic never passes through the WAF.
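One way to tell whether your own origin is exposed in this way is to check the origin's access log for requests whose source address is not one of the WAF provider's edge ranges. The script below is an added example, not part of this article or of the tool it describes; the CIDR ranges and log lines are constructed placeholders, and the ranges must be replaced with the list your WAF vendor publishes.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for the WAF provider's edge
# addresses. Replace with the ranges your vendor publishes.
WAF_EDGE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Leading fields of a combined-format (Apache/nginx) access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def is_from_waf(ip_text, ranges=WAF_EDGE_RANGES):
    """True if the connecting address lies inside one of the WAF edge ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def find_bypass_hits(log_lines, ranges=WAF_EDGE_RANGES):
    """Return (ip, request, status) for every request that reached the origin
    without passing through the WAF edge, i.e. a direct-to-IP hit."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if not is_from_waf(m.group("ip"), ranges):
            hits.append((m.group("ip"), m.group("req"), int(m.group("status"))))
    return hits


# Constructed sample log: two requests via the WAF edge, two direct to origin.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612',
    '192.0.2.44 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 3210',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "POST /contact HTTP/1.1" 302 0',
    '192.0.2.44 - - [10/Oct/2023:13:56:05 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42',
]

if __name__ == "__main__":
    for ip, req, status in find_bypass_hits(SAMPLE_LOG):
        print(f"direct origin hit from {ip}: {req} -> {status}")
```

Any hit reported here means the origin firewall is not restricted to the WAF's ranges; the fix is to allow only those ranges to reach the web ports on the origin, so the log check comes back empty.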
Before I proceed with the options for tracing the real IP address of a website protected by a WAF, here is a good security article that explains how to securely deploy a WAF in front of your website or server.
Download and install ‘Bypass Firewalls by DNS History’ from GitHub
This tool retrieves the real IP address of the server behind the WAF. Refer to the GitHub repository for Bypass Firewalls by DNS History.
Scan for real IP address of server
The script retrieves the historical DNS ‘A’ records for a given domain and checks whether each of those servers still responds for that domain. The useful part is that the tool reports a confidence level for each identified IP address; the confidence level is derived from how similar the response received from that IP address is to the response received via the WAF.
# bash bypass-firewall-by-DNS-history.sh -d <domain_name>
Scan for real IP address of subdomains
# bash bypass-firewall-by-DNS-history.sh -d <domain_name> -a
Save results in a text file
A few more options are available. To save the results (the IP addresses) in a text file, results.txt:
# bash bypass-firewall-by-DNS-history.sh -d <domain_name> -a -o results.txt
Scan our own list of subdomains
In addition to the subdomains detected by the tool, you can also specify your own list of additional subdomains.
# bash bypass-firewall-by-DNS-history.sh -d <domain_name> -a -o results.txt -l subdomainlist.txt