Web Application Firewalls (WAFs) are often deployed to protect websites from malicious traffic by filtering requests and masking the origin server’s IP address. However, uncovering the origin IP can be crucial for security researchers, penetration testers, and bug bounty hunters. This write-up will detail effective techniques for discovering the origin IPs of websites behind WAFs using various tools and methods.
Note: Always ensure that you have proper authorization before testing websites. Unauthorized testing is illegal and unethical.
1. Understanding the Role of WAFs
WAFs protect websites by filtering HTTP requests, typically blocking malicious traffic based on predefined rules. By doing so, they can prevent direct access to the origin server’s IP. However, understanding the WAF’s behavior and identifying its IP can be an essential step in penetration testing or bug bounty hunting.
2. Tools and Methods for Discovering Origin IPs
A. Using Walizer
Walizer is a popular tool that helps discover the origin IP behind a WAF. It works by performing DNS lookups and analyzing various configurations that could expose the IP. You can run it on the target website to gather relevant details.
Example usage:
walizer -u https://example.com
B. Using Shodan for IP Analysis
Shodan is a search engine that indexes internet-connected devices, making it an excellent tool for uncovering the IP addresses of websites. By querying the target domain, you can find potential origin IPs associated with a site.
Steps:
1. Go to Shodan.io
2. Search for the target domain.
3. Analyze the results for IP addresses and WAF configurations.
C. Verifying IP with wwoof
The wwoof tool can be used to verify IP addresses by inspecting SSL certificates and other metadata. When querying the IP, you can analyze the returned results to confirm whether it matches the origin server.
Example command
wwoof https://example.com
D. Favicon Hash Generation
Sometimes, websites host their favicon (small site icon) on a different server, which may not be protected by the WAF. By obtaining the hash of the favicon and performing a reverse lookup, you can identify the origin IP. This method can be especially useful when dealing with WAFs that filter requests to the main website but not to static assets like images or icons.
Steps:
1. Fetch the favicon URL from the target website.
2. Generate the favicon hash.
3. Use tools like dnsdumpster.com or reverse image search to identify the hosting IP.
E. Using DNS History and SPF Records
DNS history can provide a treasure trove of historical IP addresses for a domain. By examining DNS history records or SPF (Sender Policy Framework) records, you can uncover potential origin IPs, especially for subdomains.
- SecurityTrails provides access to historical DNS data that includes past IPs.
- DNSdumpster and similar services offer insights into past server configurations.
Example of querying a historical DNS database:
dnsdumpster.com
F. Fula and Zumi for IPv4 Filtering
Fula and Zumi are useful for filtering and accessing IPv4 addresses. These tools allow you to access less filtered or hidden IP addresses that might not be visible through a traditional DNS lookup.
Steps:
1. Run Fula on the domain to gather potential origin IPs.
2. Filter the results to find IPv4 addresses that could be linked to the origin server.
G. Exploring VirusTotal for Subdomains
VirusTotal is a powerful tool that aggregates information from multiple sources, including subdomains and their associated IPs. Searching for subdomains can help uncover other parts of the website or servers related to the origin.
- Go to VirusTotal.com
- Search for your domain.
- Review subdomains and linked IP addresses.
H. Terminal Commands for Quick IP Fetching
Using tools like httpx, you can instantly fetch IP addresses associated with a domain. This approach helps you collect and verify origin IPs quickly.
Example:
httpx -l domains.txt -ip
I. Alien Vault for IP Information
Alien Vault provides a robust set of tools for discovering IP addresses associated with websites. It is highly valuable for uncovering the origin IP through historical records and IP reputation databases.
Steps:
1. Search for your target domain on Alien Vault.
2. Analyze the results to gather relevant IPs.
J. Using Grawscan to Detect Status Codes
Grawscan is another tool that helps identify origin IPs by analyzing HTTP status codes and titles. This tool can give insights into the underlying web server, helping bypass WAF restrictions.
Example
grawscan https://example.com
3. Verifying Origin IP Accessibility
Once you have identified potential origin IPs, it’s crucial to verify that these IPs are accessible and not blocked by the WAF. There are several ways to verify their accessibility:
A. Modifying the /etc/hosts File
On Linux-based systems, you can modify the /etc/hosts file to associate the discovered IP with the target domain. This method ensures you are accessing the website through the origin IP instead of going through the WAF.
Steps:
1. Modify /etc/hosts with the discovered IP.
2. Test connectivity using the ping command to verify accessibility.
B. Using Burp Suite
Burp Suite is a versatile tool for intercepting and analyzing HTTP/S traffic. After modifying your /etc/hosts file, use Burp Suite to test the IP directly, bypassing the WAF. You can analyze the responses to confirm if the IP is the origin server.
4. Custom Bash Script for Automation
For efficiency, especially in large-scale engagements, a custom bash script can automate the process of fetching and analyzing IPs from multiple sources like VirusTotal and Alien Vault. This can streamline the process of uncovering origin IPs.
Example script:
#!/bin/bash
# Simple script to query multiple sources for IPs
domains=(“example.com” “anotherexample.com”)
for domain in “${domains[@]}”; do
echo “Fetching IPs for $domain…”
httpx -l $domain -ip
grawscan $domain
# Add more tools as necessary
done
5. Conclusion
Uncovering the origin IPs of websites behind WAFs can be challenging, but using a combination of manual techniques and automated tools, penetration testers and bug bounty hunters can effectively bypass these protections. Techniques like analyzing DNS history, using SSL certificate information, querying VirusTotal for subdomains, and exploring IPs through platforms like Alien Vault and Shodan are all highly effective.
By mastering these techniques and tools, you can uncover hidden vulnerabilities, better understand the architecture of a web application, and improve your security posture. However, always ensure you have proper authorization before conducting any tests to adhere to ethical standards.
Article Contributed By Alwin Joshy
[…] by /u/thisispranavsv [link] […]
its nice