Cloudflair

A tool to find origin servers of websites protected by CloudFlare who are publicly exposed and don’t restrict network access to the CloudFlare IP ranges as they should.

Installation

Register a free account at Censys.io and save your API keys.

git clone https://github.com/christophetd/CloudFlair
pip2 install -r requirements.txt

Usage

cloudflair.py [-h] [-o OUTPUT_FILE] [--censys-api-id CENSYS_API_ID]
                     [--censys-api-secret CENSYS_API_SECRET]
                     domain

Flags

positional arguments:
  domain                The domain to scan

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT_FILE, --output OUTPUT_FILE
                        A file to output likely origin servers to (default:
                        None)
  --censys-api-id CENSYS_API_ID
                        Censys API ID. Can also be defined using the
                        CENSYS_API_ID environment variable (default: None)
  --censys-api-secret CENSYS_API_SECRET
                        Censys API secret. Can also be defined using the
                        CENSYS_API_SECRET environment variable (default: None)

Examples

Set environment variables or use inline instead.

export CENSYS_API_ID=<ID-KEY>
export CENSYS_API_SECRET=<SECRET-KEY>
$ python cloudflair.py kb.offsec.nl                        
[*] Retrieving Cloudflare IP ranges from https://www.cloudflare.com/ips-v4
[*] The target appears to be behind CloudFlare.
[*] Looking for certificates matching "kb.offsec.nl" using Censys
[*] 2 certificates matching "kb.offsec.nl" found.
[*] Looking for IPv4 hosts presenting these certificates...
[*] 0 IPv4 hosts presenting a certificate issued to "kb.offsec.nl" were found.
[-] The target is most likely not vulnerable.

URL list