How to find the Origin IP

0xBobby
Jul 13, 2022

Hello, everyone!!! I’m Boopathi. In this blog, what you need to know is how to find the origin IP…

How to find it with automation tools:

Here, I’ve used Censys, Shodan, SecurityTrails, GitHub tools, etc.

Censys:

First of all, create an account on Censys (it’s free); you will then get an API ID and a secret key.

To install the Censys CLI and add your API ID and secret key to its configuration, follow these steps:

pip install censys

censys config
censys

How to run Censys in the terminal:

censys search hackerone.com

As the image above shows, the output contains a lot of data other than IPs. Filter it down to just the IPs with the following command (the second form also saves them to ips.txt):

censys search hackerone.com | grep "ip" | egrep -v "description" | cut -d ":" -f2 | tr -d \"\,
censys search hackerone.com | grep "ip" | egrep -v "description" | cut -d ":" -f2 | tr -d \"\, | tee ips.txt

cat ips.txt | httpx
  • Use httpx to check whether each IP is alive or not

You will get tons of IP addresses; use a Multi URL addon instead of wasting your time copying and pasting IP addresses one at a time, or
if you are a programmer you can write a simple script and check it out. I don’t know programming, so I’m using this addon 🙂
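The grep/cut/tr chain above works, but it breaks as soon as the JSON key order or quoting changes, and it keeps private addresses that can never be an internet-facing origin. As an added example (not code from the original post), here is a small Python parser that pulls the unique public IPs out of `censys search` output. It assumes the CLI prints a JSON array of host records that each carry an "ip" key; the SAMPLE data is constructed, not real Censys output.

```python
"""Extract unique public IPs from `censys search` output.

Added example, not code from the original post. Prefers values stored under an
"ip" key, so banners or descriptions that merely mention an address are ignored,
and drops private, loopback and documentation ranges via ipaddress.is_global.
"""
import ipaddress
import json
import re

# Loose candidate pattern (IPv4 or IPv6-looking token not glued to other text);
# every hit is validated with ipaddress afterwards, so junk like "443" is dropped.
_IP_CANDIDATE = re.compile(
    r"(?<![\w:.])((?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]{2,39})(?![\w:.])")

# Constructed sample in the shape of `censys search` output (not real data).
SAMPLE = json.dumps([
    {"ip": "104.16.99.52", "services": [{"port": 443, "service_name": "HTTP"}]},
    {"ip": "10.0.0.5", "services": []},
    {"ip": "104.16.99.52", "autonomous_system": {"description": "Mirror of 198.51.100.7"}},
    {"ip": "2606:4700::6810:6334"},
])


def _strings(obj, key=None):
    """Yield (json_key, string_value) for every string nested anywhere in obj."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _strings(v, k)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v, key)
    elif isinstance(obj, str):
        yield key, obj


def extract_ips(text, public_only=True):
    """Unique IPs (first-seen order) from Censys JSON, or from plain text as a fallback."""
    try:
        pairs = list(_strings(json.loads(text)))
    except json.JSONDecodeError:
        pairs = [(None, text)]            # not JSON: scan the whole input as text
    # Use "ip" fields when the document has them; otherwise scan every string.
    values = [v for k, v in pairs if k == "ip"] or [v for _, v in pairs]
    found = []
    for value in values:
        for cand in _IP_CANDIDATE.findall(value):
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:
                continue                  # "443", "2022", "cafe" and similar fragments
            if public_only and not ip.is_global:
                continue                  # RFC1918, loopback, TEST-NET, etc.
            if str(ip) not in found:
                found.append(str(ip))
    return found


if __name__ == "__main__":
    import sys
    # usage: censys search hackerone.com | python censys_ips.py | httpx
    print("\n".join(extract_ips(sys.stdin.read())))
```

Pipe the CLI output straight in (`censys search hackerone.com | python censys_ips.py | httpx`); the script name is assumed. Pass `public_only=False` from your own code if you also want the internal addresses Censys sometimes records in banners.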

Shodan:

As with Censys, create an account on Shodan, but it’s not free; once you log in to your account you will get an API key.

  • Once you purchase a membership, you will get the API key. Add it to the Shodan CLI with the following command:
shodan init <YOUR_API_KEY>
You can’t run the search command without adding the API key. Shodan filter names are lowercase and the field selector is --fields:
shodan search --fields ip_str 'ssl.cert.subject.cn:"hackerone.com" 200' | httpx

Uncover:

uncover is a Go wrapper around the APIs of well-known search engines to quickly discover exposed hosts on the internet. It is built with automation in mind, so you can query it and feed the results into your existing pipeline tools. At the time of writing, it supports the Shodan, Shodan InternetDB, Censys and FOFA search APIs (each engine needs its API key in uncover’s provider configuration).

uncover -q "hackerone.com" -e censys,fofa,shodan,shodan-idb | httpx
  • You can run Censys, Shodan and FOFA through this one uncover command; I would prefer this one.

SecurityTrails:

  • SecurityTrails lets you explore current and historical data for any internet asset: IP and DNS history, domain, SSL and open-port intelligence. The historical DNS (A record) view is the useful part here: it often shows the IP the domain pointed at before the CDN was put in front of it.

How to manually verify whether the IP belongs to that domain

1st scenario:

whois <IP>

  • Check whether the OrgName / netname in the whois record belongs to the target organisation. If it belongs to the CDN provider instead (Cloudflare, Amazon, Akamai, Fastly), the IP is an edge node, not the origin.

2nd scenario:

Wappalyzer

Check the CDN for both: the origin IP has no CDN in front of it, while the main domain sits behind a CDN such as Amazon CloudFront, Akamai, Cloudflare, Fastly or Cloudinary.

The image above shows that the main domain has a CDN (Cloudflare).
The image above shows that the origin IP has no CDN.

3rd scenario:

Let’s take github.com:

ping github.com
The video above shows that browsing to the pinged IP redirects to the main domain.
  • In the video above, the pinged IP redirects to the main GitHub domain. Therefore, do not conclude that this is the actual origin IP.
  • e.g. <IP> redirects to <domain> | this is not the origin IP; it has already been mitigated. Let’s try an alternate method.
  • Next, you can use the Shodan browser addon; it’s free and you can download it here.
  • In the video above, the IP from the Shodan addon also redirects to the main domain. Therefore, this IP is not the origin IP either.

Note: The pinged IP and the Shodan (addon) IP are different. However, neither of them is the actual origin IP for GitHub.

  • The image above shows that the origin IP serves the GitHub page directly, so this is an origin IP.

Note: Therefore, if an IP serves the origin directly and renders the same page as the website with all its data, then it may be the origin IP. There may be additional ways to validate an origin IP; if you know of any, please let me know.
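The three manual checks above (whois organisation, CDN in front or not, direct access versus redirect) can be automated. The following Python script is an added example, not the author’s own code: for each candidate IP it checks whether the IP sits inside a CDN’s published prefix, whether the response carries CDN headers, and whether connecting to the IP while sending the real domain as SNI and Host header (what `curl --resolve domain:443:IP` does) returns the same page title as the public site. CDN_RANGES, CDN_HEADERS and CDN_SERVER_VALUES are small illustrative subsets, and the script name origin_check.py is assumed.

```python
"""Decide whether a candidate IP really serves the target site directly.

Added example, not code from the original post. Three checks, mirroring the
manual scenarios: CDN prefix, CDN response headers, and a direct fetch with the
domain as SNI/Host compared against the public page. CDN_RANGES, CDN_HEADERS and
CDN_SERVER_VALUES are illustrative subsets; refresh them from the providers'
published lists before relying on them.
"""
import hashlib
import http.client
import ipaddress
import re
import socket
import ssl
import sys

# Assumption: small sample of published CDN prefixes, not the complete lists.
CDN_RANGES = {
    "cloudflare": ["103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32"],
    "cloudfront": ["13.32.0.0/15", "52.84.0.0/15"],
    "fastly": ["151.101.0.0/16", "2a04:4e40::/32"],
}
# Response headers (lowercase) an edge stamps on what it proxies.
CDN_HEADERS = {
    "cloudflare": {"cf-ray", "cf-cache-status"},
    "cloudfront": {"x-amz-cf-id", "x-amz-cf-pop"},
    "fastly": {"fastly-restarts", "x-timer"},
}
# Substrings of the Server header that name a CDN.
CDN_SERVER_VALUES = {"cloudflare": "cloudflare", "cloudfront": "cloudfront", "akamai": "akamaighost"}


def in_cdn_range(ip):
    """Name of the CDN whose prefix contains ip, or None (scenario 1, like whois)."""
    addr = ipaddress.ip_address(ip)
    for name, prefixes in CDN_RANGES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return name
    return None


def cdn_markers(headers):
    """Sorted list of CDNs betrayed by response headers (scenario 2, like Wappalyzer)."""
    names = {k.lower(): v.lower() for k, v in headers.items()}
    found = {cdn for cdn, keys in CDN_HEADERS.items() if keys & names.keys()}
    server = names.get("server", "")
    found |= {cdn for cdn, tag in CDN_SERVER_VALUES.items() if tag in server}
    return sorted(found)


def page_fingerprint(status, body):
    """(status, <title>, short hash of the whitespace-normalised body) for comparisons."""
    m = re.search(rb"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    title = m.group(1).decode("utf-8", "replace").strip() if m else ""
    digest = hashlib.sha256(b" ".join(body.split())).hexdigest()[:16]
    return status, title, digest


def classify(ip, direct_status, direct_headers, direct_body, public_body):
    """Verdict for one candidate, combining the three scenarios."""
    if in_cdn_range(ip) or cdn_markers(direct_headers):
        return "cdn-edge"            # belongs to the CDN, not an origin
    if 300 <= direct_status < 400:
        return "redirect"            # bounces you back to the public domain (GitHub case)
    direct_title = page_fingerprint(direct_status, direct_body)[1]
    public_title = page_fingerprint(200, public_body)[1]
    if direct_status == 200 and direct_title and direct_title == public_title:
        return "origin-candidate"    # same page served directly
    return "unrelated"               # default page or another vhost: try a port scan


def fetch_direct(ip, domain, path="/", timeout=8):
    """GET https://<domain><path> but connect to <ip>; SNI and Host carry the domain."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # the origin may present a self-signed cert
    tls = ctx.wrap_socket(socket.create_connection((ip, 443), timeout=timeout),
                          server_hostname=domain)
    conn = http.client.HTTPConnection(domain, 443, timeout=timeout)
    conn.sock = tls                          # hand http.client our pre-connected TLS socket
    conn.request("GET", path, headers={"Host": domain, "User-Agent": "origin-check/1.0"})
    resp = conn.getresponse()
    result = resp.status, dict(resp.getheaders()), resp.read(1 << 20)
    conn.close()
    return result


def fetch_public(domain, path="/", timeout=8):
    """Reference copy of the page through the CDN, for the title comparison."""
    conn = http.client.HTTPSConnection(domain, 443, timeout=timeout)
    conn.request("GET", path, headers={"User-Agent": "origin-check/1.0"})
    resp = conn.getresponse()
    result = resp.status, dict(resp.getheaders()), resp.read(1 << 20)
    conn.close()
    return result


if __name__ == "__main__":
    # usage: python origin_check.py example.com 203.0.113.10 203.0.113.11 ...
    domain, candidates = sys.argv[1], sys.argv[2:]
    _, _, public_body = fetch_public(domain)
    for ip in candidates:
        try:
            st, hd, bd = fetch_direct(ip, domain)
        except (OSError, http.client.HTTPException) as exc:
            print(f"{ip:<40} unreachable ({exc})")
            continue
        print(f"{ip:<40} {st} {classify(ip, st, hd, bd, public_body)}")
```

An IP reported as "unrelated" is the "default page" case from the next section: the host answered, but not with the target site on port 443, so a port scan is the next step. A title match is only a candidate, not proof; confirm it by hand exactly as above.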

What if you have an origin IP but it does not render the webpage? For example:

If you get the default page, don’t lose hope; proceed with a port scan.

Check all 65535 ports over TCP, UDP and SCTP. You can use tools such as naabu or nmap.

The image above shows that port 9000 is open and serves the webpage.

Tip: If you find an origin IP, don’t report it blindly; try to chain it with another vulnerability, e.g. check for open ports and try to exploit them, or run a Nuclei scan, etc. If you don’t find anything else, then write the report.

Impact:

An attacker can bypass Cloudflare protection and perform malicious actions. A Cloudflare bypass can have a significant impact: the adversary can now talk to the origin server directly, so every control enforced at the edge (WAF rules, rate limiting, bot filtering, DDoS protection) is skipped, enabling unfiltered attacks such as denial of service or SQL injection against the origin and the retrieval of other sensitive data.

Mitigation:

Don’t expose the origin IP on the internet. Answering direct requests to the IP with 403 Forbidden or 404 Not Found hides the site, but it does not stop a DoS against the origin, so the stronger fix is to firewall the origin so that it only accepts connections from the CDN’s published IP ranges (or use authenticated origin pulls / mTLS between CDN and origin), and to move the origin to a new IP once the old one has leaked.

Additional Tip:

  • Once you sign up or receive any email from the target website, try the following method:

More > Show original > search (Ctrl + F) for “Received”

  • It may reveal the origin IP; sometimes it is also useful for 403 bypasses.
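As an added example (not from the original post), the Python below walks the Received: chain of a raw message the way you would by hand in “Show original”: each mail server prepends its own Received: header, so the last one in the message was written first and names the target’s own mail server, whose public IP is the candidate worth checking. The sample message is constructed for this example.

```python
"""Walk the Received: chain of a raw email to find the target's first-hop mail host.

Added example, not code from the original post. MTAs prepend Received: headers,
so the last header in the message describes the first hop, usually the target's
own mail server, which often sits on the same host or network as the web origin.
SAMPLE_EMAIL is constructed for this example.
"""
import email
import ipaddress
import re

# "from <helo-name> (<comment with reverse DNS and [ip]>)" at the start of a hop.
_FROM_CLAUSE = re.compile(r"\bfrom\s+(\S+)\s*(?:\(([^)]*)\))?", re.I)
# Bracketed IPv4 or IPv6 literal as MTAs write it, e.g. [203.0.113.50] or [IPv6:2001:db8::1].
_IP_LITERAL = re.compile(r"\[?(IPv6:)?((?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+:[0-9a-fA-F:]*)\]?")
# Assumption: minimal set of internal ranges that can never be an internet-facing origin.
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample: Gmail's header on top, the target's servers below it.
SAMPLE_EMAIL = """\
Received: from mx.example-mail.net (mx.example-mail.net. [203.0.113.50])
        by mx.google.com with ESMTPS id abc123
        for <you@gmail.com>; Wed, 13 Jul 2022 02:10:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
        by mx.example-mail.net (Postfix) with ESMTP id 4F2C3
Received: from app01.internal (app01.internal [10.20.30.40])
        by mx.example-mail.net (Postfix) with ESMTPA id 4F2C2
From: noreply@target.example
To: you@gmail.com
Subject: Welcome

hello
"""


def received_hops(raw):
    """Hops as (helo_name, ip_or_None) tuples, earliest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        m = _FROM_CLAUSE.search(value)
        if not m:
            continue                              # e.g. "by ... with local": no sender clause
        ip_m = _IP_LITERAL.search(m.group(2) or "")
        hops.append((m.group(1), ip_m.group(2) if ip_m else None))
    return hops


def candidate_origin_ips(raw):
    """Public IPs from the chain, earliest first, skipping internal ranges and junk."""
    out = []
    for _, ip in received_hops(raw):
        try:
            addr = ipaddress.ip_address(ip)
        except (ValueError, TypeError):           # no literal, or not a valid address
            continue
        if any(addr in net for net in _INTERNAL):
            continue
        if ip not in out:
            out.append(ip)
    return out


if __name__ == "__main__":
    import sys
    # usage: python received_chain.py < message.eml   (script name assumed)
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EMAIL
    for helo, ip in received_hops(raw):
        print(f"{ip or '-':<40} {helo}")
    print("candidates:", ", ".join(candidate_origin_ips(raw)))
```

Feed the candidates into the same verification steps as above (whois, CDN check, direct fetch); a mail server’s IP is a lead to the target’s network, not automatically the web origin.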

I have explained as much as I can. I hope you learned something here. If you still have any queries, reach me on LinkedIn ✌️

Thank you, and goodbye…
