A tool to find origin servers of websites protected by CloudFlare who are publicly exposed and don’t restrict network access to the CloudFlare IP ranges as they should.
Register a free account at Censys.io and save your API keys.
git clone https://github.com/christophetd/CloudFlair
pip2 install -r requirements.txt
cloudflair.py [-h] [-o OUTPUT_FILE] [--censys-api-id CENSYS_API_ID]
[--censys-api-secret CENSYS_API_SECRET]
domain
positional arguments:
domain The domain to scan
optional arguments:
-h, --help show this help message and exit
-o OUTPUT_FILE, --output OUTPUT_FILE
A file to output likely origin servers to (default:
None)
--censys-api-id CENSYS_API_ID
Censys API ID. Can also be defined using the
CENSYS_API_ID environment variable (default: None)
--censys-api-secret CENSYS_API_SECRET
Censys API secret. Can also be defined using the
CENSYS_API_SECRET environment variable (default: None)
Set environment variables or use inline instead.
export CENSYS_API_ID=<ID-KEY>
export CENSYS_API_SECRET=<SECRET-KEY>
$ python cloudflair.py kb.offsec.nl
[*] Retrieving Cloudflare IP ranges from https://www.cloudflare.com/ips-v4
[*] The target appears to be behind CloudFlare.
[*] Looking for certificates matching "kb.offsec.nl" using Censys
[*] 2 certificates matching "kb.offsec.nl" found.
[*] Looking for IPv4 hosts presenting these certificates...
[*] 0 IPv4 hosts presenting a certificate issued to "kb.offsec.nl" were found.
[-] The target is most likely not vulnerable.