There are various services that hide a site's real address behind another IP in order to protect it against DoS, DDoS and other attacks. These can be well-known cloud services like Cloudflare, web application firewalls (WAF) and other security solutions. Getting around them comes down to finding out the real IP, and there are ready-made utilities for this. Let's see how to use them in practice.
To start, a little more about what a WAF is and how it works. For example, the familiar Apache web server has a mod_security module that can act as a web application firewall and help protect your service from simple DoS attacks. One such attack is an HTTP(S) GET flood, in which the server is sent countless requests for content. The server is unable to process so many requests in such a short period of time and simply goes down.
A cloud provider may offer a similar function; for simplicity, all services of this type will be referred to here simply as WAF. Their operating principle can be described as follows.
- The web server to be protected works as usual without filtering dangerous requests, and the WAF service is configured on a separate server of the company providing such services.
- In the site's DNS record, the domain is pointed not at its real address, but at the IP address of the WAF server.
- After this setup, all requests to the domain name of the site will be sent not to the site itself, but to the WAF server.
- The WAF server accepts the request, inspects it and, if the request passes the configured rules, forwards it to the protected server. The WAF receives the requested content from that server (web page, file) and relays it back to the client (user).
How to outwit the system
Since modern WAFs block a lot of malicious requests, you cannot use utilities like sqlmap or WPScan. Attacks like DoS or DDoS are also not possible.
Therefore, we have two options.
- Design the request in such a way as to bypass the rules prescribed in WAF (see the article "How to search for bypasses in modern Web Application Firewalls").
- Send the request directly to the web server, bypassing the WAF check.
Below we concentrate on the second option. To implement it, we need to know the real IP address of the server and be sure that this server accepts requests directly from the network, from anyone. The server's direct IP address is often referred to as the bypass. Sometimes direct access to it is deliberately kept open so that the server can keep working if there are problems on the side of the WAF service.
For this purpose, we will use a script with a long but telling name: Bypass firewalls by abusing DNS history.
This utility tries to find out the real IP address of the server we need with two methods at once.
- Analysis of the history of DNS records.
- Search for subdomains and subsequent analysis of their IP addresses.
The script makes requests to all IP addresses found for verification.
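As an added defender-side illustration (not the script's own code and not part of the original article), the following Python does the first of these steps offline for a domain you administer: it takes historical DNS records, drops the addresses that fall inside the WAF provider's published edge ranges, and reports what remains as candidate origin addresses whose direct exposure you should then verify and firewall. The history lines and the WAF ranges are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of what a DNS-history lookup might return:
# date the A/AAAA record was observed, address it pointed to.
SAMPLE_HISTORY = """\
2019-03-02,203.0.113.10
2020-07-15,203.0.113.10
2021-01-09,198.51.100.7
2022-05-20,198.51.100.7
2023-11-11,2001:db8:1::20
"""

# Constructed stand-in for the WAF/CDN provider's published edge ranges.
# Real providers publish such lists; substitute the actual ranges.
WAF_RANGES = ["198.51.100.0/24", "2001:db8:1::/48"]


def parse_history(text):
    """Parse 'date,ip' lines into (date, ip_address) pairs, skipping bad lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            date, raw_ip = (part.strip() for part in line.split(",", 1))
            records.append((date, ipaddress.ip_address(raw_ip)))
        except ValueError:  # missing comma or unparsable address
            continue
    return records


def is_waf_address(ip, nets):
    """True if ip lies in any WAF range; a v4/v6 mismatch is simply False."""
    return any(ip in net for net in nets)


def candidate_origins(history_text, waf_ranges):
    """Map each non-WAF historical address to the dates it was observed."""
    nets = [ipaddress.ip_network(r, strict=False) for r in waf_ranges]
    seen = defaultdict(list)
    for date, ip in parse_history(history_text):
        if not is_waf_address(ip, nets):
            seen[str(ip)].append(date)
    return dict(seen)


if __name__ == "__main__":
    for ip, dates in candidate_origins(SAMPLE_HISTORY, WAF_RANGES).items():
        print(f"check direct exposure of {ip} (seen {', '.join(dates)})")
```

Any address this reports is one that was once published for the domain and is not a WAF edge, so it is exactly what the tool above would go on to probe; the mitigation is to allow only the WAF provider's ranges at the origin's firewall.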
The script is publicly available on GitHub. I ran it on Kali Linux, but it can work on other distributions as well.
The commands to install on Kali look like this:
$ sudo apt install jq
$ git clone https://github.com/vincentcox/bypass-firewalls-by-DNS-history
The command to install on the BlackArch distribution:
$ sudo pacman -S bypass-firewall-dns-history jq
Back to Kali. The first command installs the module the script needs (jq), and the second downloads the script from GitHub. To get help on using the tool, just go to its directory and run the following command:
$ bash bypass-firewalls-by-DNS-history.sh --help
As you can see, the script developer has provided several parameters:
-d – required key to use the script. With it, we specify the domain name of the site for which we want to find the bypass;
-a – with this parameter, the found IPs will be checked not only for the main domain, but also for subdomains;
-l – this parameter allows you to load your own list of subdomains into the script in order to perform a more detailed and accurate check;
-o – this parameter allows you to save the script's output to a file, the path to which is given after the parameter.