Unmasking Cloudflare Hosted Sites: Unveiling the Real IP Address

MUNSIRADO Group
Aug 5, 2023


Cloudflare, a popular content delivery network and DDoS protection service, is widely used to enhance the security and performance of websites. One of its key features is hiding the actual IP address of the origin server, making it challenging for attackers to directly target the server. However, in some instances, it may be necessary to identify the real IP address of a Cloudflare-hosted site for legitimate reasons, such as security assessments or debugging. In this blog post, we will explore some tools and techniques that can be used to unmask the real IP address of a Cloudflare-protected website.


Understanding Cloudflare’s Protection

Before we dive into the methods of finding the real IP address of a Cloudflare-hosted site, let’s briefly review how Cloudflare’s protection works. When a website is protected by Cloudflare, all incoming traffic is routed through their network. Cloudflare acts as a reverse proxy, shielding the origin server’s real IP address from public view. Instead, visitors interact with Cloudflare’s servers, which then forward the requests to the origin server and relay the responses back to the users.

Fierce and DataSploit: Powerful Tools for Unmasking IPs

Fierce and DataSploit are powerful tools that can help identify the real IP address of a Cloudflare-protected site. Here’s a brief overview of these tools:

Fierce: Fierce is a reconnaissance tool designed to locate non-contiguous IP space and identify the real IP address of a domain. It accomplishes this by conducting a DNS brute-force attack to discover hidden subdomains and their corresponding IP addresses.

DataSploit: DataSploit is an OSINT (Open Source Intelligence) tool that can be used for reconnaissance and information gathering. It leverages various public data sources to extract valuable information about a target, including subdomains and IP addresses.

Using SaaS Providers for Convenience

Installing and configuring tools like Fierce and DataSploit can be a daunting task for some users. If you encounter difficulties during the setup process, you can opt for Software as a Service (SaaS) providers like PENTESTON, which offer a user-friendly interface to perform security assessments. PENTESTON conveniently includes Fierce in the Reconnaissance type and DataSploit in the OSINT type scans, making it easier to find the real IP address of a Cloudflare-protected site.


Step-by-Step Guide to Unmasking Cloudflare’s Real IP Address

Identify the target domain: Begin by determining the domain name of the website you want to investigate.

Choose your tool: Decide whether you want to use Fierce, DataSploit, or a SaaS provider like PENTESTON for the task.

Launch the scan: Input the target domain into the chosen tool and initiate the scan. The tool will perform a series of queries and scans to find potential IP addresses associated with the domain.

Analyze the results: Once the scan is complete, review the results to identify the IP addresses that correspond to the target domain. Keep in mind that Cloudflare often uses a range of IP addresses, so multiple IPs might be listed, and many of them will belong to Cloudflare's own network rather than to the origin server.

Verify the real IP address: Test the identified IP addresses to confirm the real IP address of the Cloudflare-protected website. You can use various methods like traceroute or direct HTTP requests to determine which IP connects directly to the origin server.
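The "analyze the results" step, as an added example that is not from the original post or from any of the tools it names: a Python sketch for auditing scan output of your own zone, separating hostnames that sit behind Cloudflare from hostnames that publish an address outside it. The range list is a snapshot of Cloudflare's published IPv4 ranges, and the hostnames and addresses are constructed placeholders; the example covers IPv4 only.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges; refresh it from
# https://www.cloudflare.com/ips-v4 before relying on the result.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20",
    "188.114.96.0/20", "197.234.240.0/22", "198.41.128.0/17",
    "162.158.0.0/15", "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
    "131.0.72.0/22",
)]
# RFC 1918 space is not reachable from the internet, so it is not reported.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: "hostname address" pairs as a subdomain scan of your
# own zone might list them. example.com and every address are placeholders.
SAMPLE_RESULTS = """\
www.example.com      104.18.12.34
example.com          172.67.150.9
mail.example.com     203.0.113.25
dev.example.com      203.0.113.25
ftp.example.com      198.51.100.7
intranet.example.com 10.0.4.12
broken.example.com   not-an-ip
"""

def in_any(addr, networks):
    return any(addr in net for net in networks)

def classify(results_text):
    """Sort hostnames into proxied, exposed (grouped by address) and ignored."""
    report = {"proxied": [], "exposed": {}, "ignored": []}
    for line in results_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        host, raw = parts
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            addr = None
        if addr is None or addr.version != 4 or in_any(addr, RFC1918):
            report["ignored"].append(host)
        elif in_any(addr, CLOUDFLARE_V4):
            report["proxied"].append(host)
        else:
            report["exposed"].setdefault(str(addr), []).append(host)
    return report
```

Each key under `exposed` is an address your DNS publishes outside the proxy; if one of them is the origin, either proxy that record or restrict the origin's firewall to Cloudflare's ranges.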

Conclusion

While Cloudflare offers essential protection for websites, there are times when it’s necessary to discover the real IP address of a Cloudflare-hosted site for legitimate purposes. Tools like Fierce and DataSploit, along with the convenience of SaaS providers like PENTESTON, make it relatively straightforward to unveil the hidden IP addresses. However, it’s crucial to use these methods responsibly and ethically, ensuring they are employed only for authorized security assessments and not for malicious purposes. Always obtain proper permission before conducting any reconnaissance or penetration testing activities.
