Defeating web Anonymity and Obfuscation
Often when running engagements, we come across web services protected by obfuscation tools and CDNs like Cloudflare. This makes enumerating the platform tricky, not to mention legally more complex, and it limits the techniques we can use. So there are generally 3 approaches with which we have regular success in defeating anonymity and obfuscation technologies to get the “true” IP of the web server.
A quick disclaimer… Nothing I talk about in this post is about exploiting the CDN directly. I am not going into weaknesses in the CDN platforms like Cloudflare itself. This is all about exploiting configuration weaknesses by the web admin that undermine their use of CDNs… (Cloudflare please don’t sue me).
Historic and Passive DNS
First and foremost, by far the simplest and easiest way to defeat a CDN is just to check historic DNS. We love the passive DNS tool SecurityTrails for this: https://securitytrails.com/
Just put in your domain, click on the “Historical Data” tab and it will show all the previous IP addresses that domain has resolved to.
Fairly regularly, the site was hosted and built before the admin migrated the domain to a CDN like Cloudflare. If the domain was purchased via the CDN directly and has always been hosted behind the CDN from its very start, this is less likely to work. It also won’t work if the admin has done what they are supposed to do and migrated the site to a different IP once it was protected by the CDN.
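The check an admin should run on their own domain before and after moving behind a CDN, as an added example that is not from the original post: classify every address in the passive-DNS history as CDN edge or not, and flag whether the current origin is one of the historically exposed addresses (i.e. the site was never moved). The CDN ranges, the history records and the `assess` helper are all constructed for this example; a real run would feed in the ranges your CDN publishes and the records returned by a passive-DNS service.

```python
import ipaddress

# Constructed sample data (not from the post): CDN edge ranges and a
# historical A-record timeline as a passive-DNS service would return it.
CDN_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

HISTORY = [
    {"first_seen": "2019-03-01", "ip": "192.0.2.10"},    # pre-CDN hosting
    {"first_seen": "2020-06-15", "ip": "198.51.100.7"},  # moved behind CDN
    {"first_seen": "2021-01-02", "ip": "203.0.113.9"},   # CDN edge rotated
]


def is_cdn_ip(ip, ranges=CDN_RANGES):
    """True if the address falls inside one of the CDN's published edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def leaked_origins(history, ranges=CDN_RANGES):
    """Historical addresses that are NOT CDN edges: candidate origin IPs that a
    passive-DNS lookup would hand to anyone. Order of first appearance, deduplicated."""
    seen = []
    for rec in history:
        ip = rec["ip"]
        if not is_cdn_ip(ip, ranges) and ip not in seen:
            seen.append(ip)
    return seen


def assess(history, current_origin, ranges=CDN_RANGES):
    """Return (leaked_ips, still_live). still_live is True when the origin the
    site runs on today is one of the historically exposed addresses, which is
    exactly the case where the history lookup defeats the CDN."""
    leaked = leaked_origins(history, ranges)
    return leaked, current_origin in leaked


if __name__ == "__main__":
    leaked, still_live = assess(HISTORY, "192.0.2.10")
    print("historically exposed origins:", leaked)
    print("current origin still exposed:", still_live)
```

If `still_live` comes back True, the fix is the one the post describes: move the origin to a fresh address that has never appeared in DNS and restrict it so that only the CDN can reach it.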
SSL Cert Signaturing
Going to be honest, this one is the least likely to work nowadays, but it is still worth mentioning. If the admin hosts the site both behind a CDN and directly accessible, then you can use web scanning tools like Shodan to look for multiple instances of the same SSL certificate (or other headers, for that matter). I have only had success with this a couple of times while Red Teaming, and most recently it wasn’t even with a web server. The target had protected their entire server, including SSH, behind Cloudflare’s Zero Trust platform. But SSH fingerprints are pretty unique, so using Shodan’s Hash Search feature I found 2 IPs with the same fingerprint: one was a Cloudflare IP, the other was their VPS. In the example below I am looking for SSL Cert Subject Common Names for Wikipedia.org and you can see I got two different IPs.
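The SSH case above comes down to one host key being presented on two addresses. The inventory check below is an added example, not code from the post: it computes the OpenSSH-style `SHA256:` fingerprint of each public key line in a host inventory and reports any fingerprint shared by more than one host, which is what an admin would run to catch a tunnelled service that is also reachable directly with the same key. The two ed25519 keys and the `INVENTORY` mapping are constructed for the example (the key bytes are not real keys); the fingerprint format matches `ssh-keygen -lf`, not Shodan’s own hash field.

```python
import base64
import hashlib
from collections import defaultdict


def ssh_fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of a public key line
    ('<type> <base64-blob> [comment]'), as printed by `ssh-keygen -lf`."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(parts[1])
    # The blob starts with a length-prefixed key type; it must match the declared one.
    type_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + type_len] != parts[0].encode():
        raise ValueError("key type in blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _ed25519_line(raw32):
    """Build an 'ssh-ed25519 <blob>' line from 32 raw bytes (wire format:
    string 'ssh-ed25519' + string(key)). Used only to construct sample keys."""
    def s(b):
        return len(b).to_bytes(4, "big") + b
    blob = s(b"ssh-ed25519") + s(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed sample keys and inventory (not real keys, not from the post).
KEY_A = _ed25519_line(bytes(range(32)))
KEY_B = _ed25519_line(bytes(range(32, 64)))

INVENTORY = {
    "ssh.example (via tunnel)": KEY_A,
    "203.0.113.5 (vps)": KEY_A,   # same host key, directly reachable
    "db.internal": KEY_B,
}


def shared_host_keys(inventory):
    """Map fingerprint -> hosts for every fingerprint presented by more than one host."""
    by_fp = defaultdict(list)
    for host, line in inventory.items():
        by_fp[ssh_fingerprint(line)].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(INVENTORY).items():
        print(fp, "is shared by:", ", ".join(hosts))
```

A shared fingerprint between a CDN-fronted entry and a directly reachable address means the fronting is cosmetic; the remediation is to firewall the direct address (or rotate the key and close the port), not to rely on the fingerprint being hard to find.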
Site Execution
Okay, now we are into the fun stuff. This is by far the most common method by which we successfully deanonymise a site. SSRF (Server-Side Request Forgery) or straight-up execution in a constrained format is often not too difficult to gain. Obviously there are countless methods for gaining site execution, so I am going to show two pretty common examples:
xml-rpc Ping Back
This is super common on (older) WordPress sites. If they have the xml-rpc.php endpoint available, the pingback.ping() function allows you to force the webserver to send out an ICMP request to your own server. It’s very easy to do.
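For the defender, the useful artefact is the request body itself: a `pingback.ping` call is a `methodCall` whose first parameter is the URL the server will be made to contact. The detector below is an added example, not code from the post or from WordPress: it parses an XML-RPC body, returns the (source, target) pair of any `pingback.ping` call, and summarises it for a log line or WAF rule, flagging a source that is a bare IP rather than a hostname. The two sample bodies are constructed; the addresses in them are documentation ranges.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample request bodies (not captured traffic).
SAMPLE_BODIES = {
    "pingback": """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://198.51.100.23/probe</string></value></param>
    <param><value><string>https://blog.example/hello-world/</string></value></param>
  </params>
</methodCall>""",
    "benign": """<?xml version="1.0"?>
<methodCall><methodName>system.listMethods</methodName><params/></methodCall>""",
}


def pingback_calls(body):
    """Return [(source_uri, target_uri)] for a pingback.ping call, else [].
    Non-XML and non-methodCall bodies are treated as 'not a pingback'.
    For untrusted input in production, parse with defusedxml instead of ElementTree."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    if root.tag != "methodCall":
        return []
    if (root.findtext("methodName") or "").strip() != "pingback.ping":
        return []
    params = []
    for value in root.findall("./params/param/value"):
        child = value.find("string")
        params.append(((child.text if child is not None else value.text) or "").strip())
    if len(params) < 2:
        return []
    return [(params[0], params[1])]


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def describe(body):
    """Summary dict for logging/alerting, or None when the body is not a pingback."""
    calls = pingback_calls(body)
    if not calls:
        return None
    source, target = calls[0]
    host = urlsplit(source).hostname or ""
    return {"source_host": host, "target": target, "bare_ip": _is_ip(host)}


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(name, "->", describe(body))
```

If the site does not use pingbacks at all, the simpler control is to stop serving `xmlrpc.php` (or remove `pingback.ping` from the exposed methods) so there is nothing to detect.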
SSRF
Even with the most constrained and limited forms of execution you can usually perform Server-Side Request Forgery, where you get the server to initiate some form of request to your own server. We did this recently with an out-of-date and vulnerable WordPress theme which allowed us to execute local Shortcode functions. Using the WordPress core Shortcode function [Embed] I forced the server to initiate a request to my own instance.
Conclusion
That pretty much sums up the 3 most successful and common methods by which we defeat CDNs and other obfuscation methods to gain the true IP of the web server. Yes, there are more, but these are quick and very easy to do.