How to find a website IP behind CloudFlare

CloudFlare sits in front of a website and hides the real server's IP address, which makes it harder for an attacker to reach the origin server directly. That does not mean it is impossible. Let's try it on one website, https://www.g2.com, which uses CloudFlare to hide its IP address.

1. Find DNS history records

I use SecurityTrails to find the domain's DNS history.

2. Digging deeper

Now use the dig command to query the historical nameserver ns4.ogilvy.com directly and see what it still answers for www.g2.com:

dig @ns4.ogilvy.com www.g2.com

; <<>> DiG 9.16.1-Ubuntu <<>> @ns4.ogilvy.com www.g2.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24883
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
; COOKIE: a7c6382d3646792f30fe538c5fe6e580eb39a7455513923d (good)
;; QUESTION SECTION:
;www.g2.com. IN A
;; ANSWER SECTION:
www.g2.com. 3600 IN CNAME www.geometry.com.
www.geometry.com. 600 IN CNAME awseb-AWSEB-PZBDPV2T34UN-1188684902.eu-west-1.elb.amazonaws.com.
;; Query time: 254 msec
;; SERVER: 199.20.46.10#53(199.20.46.10)
;; WHEN: Sat Dec 26 14:25:53 +07 2020
;; MSG SIZE rcvd: 168

It looks like their website is hosted behind the awseb-AWSEB-PZBDPV2T34UN-1188684902.eu-west-1.elb.amazonaws.com hostname, an AWS Elastic Load Balancer.

nslookup awseb-AWSEB-PZBDPV2T34UN-1188684902.eu-west-1.elb.amazonaws.com

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: awseb-AWSEB-PZBDPV2T34UN-1188684902.eu-west-1.elb.amazonaws.com
Address: 34.xxx.xxx.xx
Name: awseb-AWSEB-PZBDPV2T34UN-1188684902.eu-west-1.elb.amazonaws.com
Address: 18.xxx.xxx.xx
Name: awseb-AWSEB-PZBDPV2T34UN-1188684902.eu-west-1.elb.amazonaws.com
Address: 54.xxx.xx.xxx

Let's check the IP 34.xxx.xxx.xx.

• Using curl

curl -i -H "Host: www.g2.com" 34.xxx.xxx.xx

Server: awselb/2.0
Date: Sat, 26 Dec 2020 08:40:34 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
Location: https://www.g2.com:443/

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
</body>
</html>

• Using Postman

Hmm, it looks like we found the website's real IP address, 34.x.x.x. The host redirects every request to https://www.g2.com, which goes through CloudFlare. Or maybe we need some special headers to get past its security checks.
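As an added example (not code from the original post), here is a small Python audit a site owner can run over dig answers collected from every nameserver that has ever served the zone, to catch the kind of stale CNAME chain shown above that leads around CloudFlare to the origin. The CloudFlare ranges embedded below are a constructed sample subset; the full published list should be loaded in practice.

```python
import ipaddress
import re
# Constructed sample subset of Cloudflare's published IPv4 ranges (assumption);
# in practice load the full list from https://www.cloudflare.com/ips-v4.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
    "173.245.48.0/20", "162.158.0.0/15", "198.41.128.0/17")]
# Answer records only: dig's ';' comment and question lines have no numeric TTL.
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|CNAME)\s+(\S+)$")

def parse_answers(dig_output):
    """Return (owner, type, rdata) tuples, names without the trailing dot."""
    out = []
    for line in dig_output.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            out.append((m.group(1).rstrip("."), m.group(2), m.group(3).rstrip(".")))
    return out

def follow_chain(records, name):
    """Follow CNAMEs from name; return the final owner and its A addresses."""
    cnames = {o: r for o, t, r in records if t == "CNAME"}
    addrs = {}
    for o, t, r in records:
        if t == "A":
            addrs.setdefault(o, []).append(r)
    cur, seen = name.rstrip("."), set()
    while cur in cnames and cur not in seen:  # 'seen' guards against CNAME loops
        seen.add(cur)
        cur = cnames[cur]
    return cur, addrs.get(cur, [])

def audit(dig_output, name):
    """Flag answers that let a client reach the origin without going through Cloudflare."""
    final, ips = follow_chain(parse_answers(dig_output), name)
    exposed = [ip for ip in ips
               if not any(ipaddress.ip_address(ip) in net for net in CLOUDFLARE_V4)]
    # A chain ending at a non-Cloudflare hostname with no address in the answer
    # (the ELB name in the post) is a leak too, so 'proxied' stays False.
    return {"final": final, "exposed_ips": exposed, "proxied": bool(ips) and not exposed}

# Constructed inputs: LEAKED mirrors the post's stale-nameserver answer, PROXIED a fronted zone.
LEAKED = """;; ANSWER SECTION:
www.g2.com. 3600 IN CNAME www.geometry.com.
www.geometry.com. 600 IN CNAME awseb-AWSEB-PZBDPV2T34UN-1188684902.eu-west-1.elb.amazonaws.com.
"""
PROXIED = """;; ANSWER SECTION:
www.example.com. 300 IN A 104.16.1.1
www.example.com. 300 IN A 172.64.1.1
"""
```

Any result with `proxied` set to False, whether from a non-CloudFlare address or from a chain ending at a bare hostname like the ELB above, is a record that still needs to be removed or pointed back behind CloudFlare.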