This guide provides various methods to discover the original IP address of a website behind a Web Application Firewall (WAF). Each method lists tools and techniques to identify candidate IPs and to confirm that the identified host is not itself fronted by the WAF.
- I summarized it from: Mastering Origin IP Discovery Behind WAF | 11+ method
- And his website: LostSec | Coffinxp
- Github: coffinxp
This guide is designed to assist penetration testers and cybersecurity professionals in identifying the original IP address of a website protected by a WAF. With the original IP address, testers can:
- Conduct direct vulnerability assessments on the server without WAF interference.
- Map the network to better understand the target's infrastructure.
- Detect any misconfigurations or policy errors on the main server.
These methods must be used ethically and only on systems you have permission to test.
- Clone and use this tool: Origin-IP-Finder.
- The originip tool helps find the origin IP using various services such as dig, censys (optional), securitytrails, viewdns, hunter.how, fofa, and zoomeye.
- Command:

```
python3 dnsrecon.py -d target.com
```

- Check whether the original IP of the target website is revealed.
- Verify no WAF is detected on the identified IP using:
  - Wappalyzer extension.
  - wafw00f
- Log in to shodan.io.
- Query:

```
ssl.cert.subject.CN:'example.com' 200
```

- Inspect results for possible original IPs pointing to the website without errors.
- Verify no WAF is detected using:
  - Wappalyzer extension.
  - wafw00f
- Visit favicons.teamtailor-cdn.com.
- Input the target website URL to locate its favicon.ico.
- Verify that the favicon link redirects to the target website, then copy the URL.
- Paste the URL into favicon-hash.kmsec.uk to generate a hash of the favicon.
- Use the "Search Censys" link to find possible original IPs.
- Check results one by one.
- Verify no WAF is detected using:
  - Wappalyzer extension.
  - wafw00f
- Visit viewdns.info.
- Enter the target website URL in the IP History section.
- Examine the IP history for potential original IPs.
- Verify no WAF is detected using:
  - Wappalyzer extension.
  - wafw00f
- Visit mxtoolbox.com.
- Search for the SPF record of the target website.
- Inspect the results for any original IPs.
- Verify no WAF is detected using:
  - Wappalyzer extension.
  - wafw00f
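Added here as a defensive counterpart to the SPF step above (example code, not from the original guide or the originip tool): it parses the ip4:/ip6: mechanisms of a constructed SPF record and flags any network that is not inside the hypothetical fronting CDN/WAF ranges, which is exactly the kind of address that step would surface for your own domain.

```python
import ipaddress
import re

# Constructed sample SPF TXT record (documentation-range addresses, not a real domain).
SAMPLE_SPF = ("v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 "
              "ip6:2001:db8::/32 include:_spf.mail.example -all")

# Hypothetical address ranges of the CDN/WAF provider fronting the site.
# Any SPF address outside these ranges may point straight at the origin.
FRONT_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8::/32")]

# Optional qualifier (+ - ~ ?) followed by an ip4: or ip6: mechanism.
_MECH = re.compile(r"^[+\-~?]?ip[46]:(.+)$")


def spf_networks(record: str) -> list:
    """Return the ip4:/ip6: mechanisms of an SPF record as ip_network objects.

    Malformed mechanisms are skipped; include:/a/mx mechanisms are not
    resolved because this runs offline.
    """
    nets = []
    for token in record.split():
        match = _MECH.match(token)
        if not match:
            continue
        try:
            nets.append(ipaddress.ip_network(match.group(1), strict=False))
        except ValueError:
            continue  # not a valid address or prefix
    return nets


def exposed_networks(record: str, fronted=FRONT_RANGES) -> list:
    """SPF networks not covered by any fronting range, as strings."""
    exposed = []
    for net in spf_networks(record):
        covered = any(net.version == f.version and net.subnet_of(f) for f in fronted)
        if not covered:
            exposed.append(str(net))
    return exposed


if __name__ == "__main__":
    for net in exposed_networks(SAMPLE_SPF):
        print(f"review: {net} is listed in SPF but not in a fronting range")
```

Run it against your own domain's TXT record to see which mail-sending addresses would be visible to anyone inspecting SPF, then decide whether those hosts should share an address with the web origin.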
- Visit securitytrails.com.
- Search the target website and navigate to the Historical Data section.
- Identify any potential original IPs.
- Verify no WAF is detected using:
  - Wappalyzer extension.
  - wafw00f
- Visit search.censys.io.
- Search the target website and filter results using Product Version.
- Check for potential original IPs.
- Verify no WAF is detected using:
  - Wappalyzer extension.
  - wafw00f
- Visit fofa.info.
- Search the target website, filtering results with Favicon.
- Examine the results for possible original IPs.
- Verify no WAF is detected using:
  - Wappalyzer extension.
  - wafw00f
- Visit zoomeye.hk.
- Search the target website and filter results using Favicon or IPv4.
- Check for potential original IPs.
- Verify no WAF is detected using:
  - Wappalyzer extension.
  - wafw00f
- Use the following command in a terminal, replacing <DOMAIN> with the target domain (without brackets) and <API_KEY> with your own VirusTotal API key:

```
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?domain=<DOMAIN>&apikey=<API_KEY>" | jq -r '.. | .ip_address? // empty' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'
```

- Filter results using:

```
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?domain=<DOMAIN>&apikey=<API_KEY>" | jq -r '.. | .ip_address? // empty' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | httpx-toolkit -sc -td -title -server
```

- Check all active IPs to identify the original IP.
- Verify no WAF is detected using:
  - Wappalyzer extension.
  - wafw00f
Note: This guide is intended for ethical hacking and penetration testing purposes. Always ensure you have the necessary permissions before performing any tests.