How to find origin servers of websites behind CloudFlare using Internet-wide scan data from Censys
CloudFlair is a tool to find origin servers of websites protected by CloudFlare that are publicly exposed and don't restrict network access to the CloudFlare IP ranges as they should. The tool uses Internet-wide scan data from Censys to find exposed IPv4 hosts presenting an SSL certificate associated with the target's domain name.
1) Register an account (free) on https://censys.io/register
2) Browse to https://censys.io/account/api, and set two environment variables with your API ID and API secret:
    export CENSYS_API_ID=...
    export CENSYS_API_SECRET=...
3) Clone the repository:
    git clone https://github.com/christophetd/cloudflair.git
    cd cloudflair
    pip install -r requirements.txt
4) Run CloudFlair (see Usage below for more detail):
    python cloudflair.py myvulnerable.site
Usage
    python cloudflair.py --help
    usage: cloudflair.py [-h] [-o OUTPUT_FILE] [--censys-api-id CENSYS_API_ID]
                         [--censys-api-secret CENSYS_API_SECRET]
                         domain
Docker image
A lightweight Docker image of CloudFlair (christophetd/cloudflair) is provided. A scan can be started using the following command:
    docker run --rm -e CENSYS_API_ID=your-id -e CENSYS_API_SECRET=your-secret christophetd/cloudflair myvulnerable.site
You can also create a file containing the definition of the environment variables, and use the Docker --env-file option:
    cat censys.env
    CENSYS_API_ID=your-id
    CENSYS_API_SECRET=your-secret
    docker run --rm --env-file=censys.env christophetd/cloudflair myvulnerable.site
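The introduction says an origin should only accept traffic from the CloudFlare IP ranges. As an added example (not part of CloudFlair or of the original post), the following script checks an origin's own access log for requests that reached it from outside those ranges. The function names, the log format and the sample lines are assumptions, and the range list is only a subset of what CloudFlare publishes.

```python
import ipaddress
import re

# Subset of CloudFlare's published IPv4 ranges, for illustration only.
# Assumption: in production, load the full current list CloudFlare publishes.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15",
)]

# Constructed origin access-log lines (common log format), not real traffic.
# The first field must be the TCP peer address, not an X-Forwarded-For value.
SAMPLE_LOG = """\
172.68.10.5 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.77 - - [12/Mar/2024:10:01:09 +0000] "GET /admin HTTP/1.1" 200 2048
104.18.3.9 - - [12/Mar/2024:10:02:41 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.4 - - [12/Mar/2024:10:03:00 +0000] "GET / HTTP/1.1" 200 512
not-an-ip - - [12/Mar/2024:10:03:05 +0000] "GET / HTTP/1.1" 400 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')


def from_cloudflare(addr, ranges=CLOUDFLARE_RANGES):
    """True if addr falls inside one of the allowed proxy ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on junk input
    return any(ip in net for net in ranges)


def direct_origin_hits(log_text, ranges=CLOUDFLARE_RANGES):
    """Return (requests that bypassed the proxy, lines that could not be parsed)."""
    hits, unparsed = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        client, request, status = m.group(1), m.group(2), int(m.group(3))
        try:
            proxied = from_cloudflare(client, ranges)
        except ValueError:
            unparsed.append(line)
            continue
        if not proxied:
            hits.append((client, request, status))
    return hits, unparsed


if __name__ == "__main__":
    hits, unparsed = direct_origin_hits(SAMPLE_LOG)
    for client, request, status in hits:
        print(f"direct-to-origin: {client} {request!r} -> {status}")
    print(f"{len(unparsed)} line(s) could not be parsed")
```

Any hit with a successful status code means the origin answered a client that did not come through CloudFlare, so the firewall or web server allowlist is not restricting access to the proxy ranges.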