Skip to content

Latest commit

 

History

History
90 lines (64 loc) · 4.31 KB

FindOrigin.md

File metadata and controls

90 lines (64 loc) · 4.31 KB

Identifying a WAF

dig +short example.com
curl -s https://ipinfo.io/IP | jq -r '.org'
  • With AWS, you can often identify a load balancer with the presence of "AWSLB" and "AWSLBCORS" cookies

Identifying the source

  • Use https://dnsdumpster.com to generate a map.

  • Next, make a search using Censys and save the IP's that look to match your target in a text file. Example: https://censys.io/ipv4?q=0x00sec.org

  • Another way you can find IP's tied to a domain is by viewing their historical IPs. You can do this with SecurityTrails DNS trails. https://securitytrails.com/domain/0x00sec.org/dns

    • Here we can see what A records existed and for how long. It is so common for an administrator to switch to a WAF solution after X amount of years of using it bare-metal, and do you think they configure whitelisting? No of course not, it works fine!

    • you can just copy the entire table(Select full table and copy paste it in a txt file) body and use awk to filter the IP's out.

      grep -E -o "([0-9]{1,3}[\\.]){3}[0-9]{1,3}" tails.txt | sort -u | tee -a ips.txt

DNS Enumeration

If you enumerate your targets DNS, you may find that they have something resembling a dev.example.com or staging.example.com subdomain, and it may be pointing to the source host with no WAF. 
	
- Get all the subdomains.
	`subfinder -silent -d 0x00sec.org | dnsprobe -silent | awk  '{ print $2 }'  | sort -u | tee -a ips.txt`

Checking IP's for hosts

for ip in $(cat ips.txt) # iterate through each line in file
do 
	org=$(curl -s <https://ipinfo.io/$ip> | jq -r '.org') #  Get Org from IPInfo
  title=$(timeout 2 curl -s -k -H "Host: 0x00sec.org" <https://$ip/> | pup 'title text{}') # Get title
	echo "IP: $ip Title: $title Org: $org" # Print results
done 

in one line, same command: for ip in $(cat ips.txt); do org=$(curl -s <https://ipinfo.io/$ip> | jq -r '.org'); title=$(timeout 2 curl --tlsv1.1 -s -k -H "Host: 0x00sec.org" <https://$ip/> | pup 'title text{}'); echo "IP: $ip Title: $title Org: $org"; done

  • What we have now is a quick overview of which IP's respond to which Host header, and we can view the title
  • We went through each host, requested the IP directly with the host header, and we have our source IP!

Setting the Host Header manually curl -s -k -H "Host: 0x00sec.org" https://<ip address>/

or set Host Header in burp.

CloudFail

git clone <https://github.com/m0rtem/CloudFail.git>
cd CloudFail
pip install -r requirements.txt
python3 cloudfail.py -t 0x00sec.org

But first, Recon!

  • The idea is to start your normal recon process and grab as many IP addresses as you can (host, nslookup, whois, ranges…), then check which of those servers have a web server enabled (netcat, nmap, masscan).
  • Once you have a list of web server IP, the next step is to check if the protected domain is configured on one of them as a virtual host.

Censys

  • Choose “Certificates” in the select input, provide the domain of your target, then hit <enter>
  • You should see a list of certificates that fit to your target
  • Click on every result to display the details and, in the “Explore” menu at the very right, choose “IPv4 Hosts”.
  • You should be able to see the IP addresses of the servers that use the certificate
  • From here, grab all IP you can and, back to the previous chapter, try to access your target through all of them. example: curl -s -k -H "Host: 0x00sec.org" https://<ip address>/

Mail headers

  • The next step is to retrieve the headers in the mails issued by your target: Subscribe the newsletter, create an account, use the function “forgotten password”, order something… in a nutshell do whatever you can to get an email from the website you’re testing
  • Once you get an email, check the source, and especially the headers. Record all IPs you can find there, as well as subdomains, that could possibly belong to a hosting service. And again, try to access your target through all of them.

The value of header Return-Path worked pretty well

Tool: https://github.com/christophetd/CloudFlair This tools works on censys data.

References: https://delta.navisec.io/a-pentesters-guide-part-5-unmasking-wafs-and-finding-the-source/ https://blog.detectify.com/2019/07/31/bypassing-cloudflare-waf-with-the-origin-server-ip-address/

Authors