Using OSINT to break through Cloudflare

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Code:
ping cracked.to
Pinging cracked.to [104.27.10.92] with 32 bytes of data:

This is showing Cloudflare, Inc. as the IPv4 address owner.

Time to try Censys and Shodan on our host of interest:

Shodan
We are already seeing an IP of 82.118.242.102
Code:
HTTP/1.1 200 OK
Server: nginx/1.17.5
Date: Thu, 14 Nov 2019 10:14:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Set-Cookie: mybb[lastvisit]=1573726498; expires=Fri, 13-Nov-2020 10:14:58 GMT; path=/; domain=.cracked.to; Secure
Set-Cookie: mybb[lastactive]=157372649...

We can also see the IP 51.38.181.201
Code:
HTTP/1.1 200 OK
Server: nginx/1.17.5
Date: Thu, 21 Nov 2019 18:23:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: mybb[lastvisit]=1574360606; expires=Fri, 20-Nov-2020 18:23:26 GMT; path=/; domain=.cracked.to; Secure
Set-Cookie: my...

Now we can cross-reference Censys:
Code:
51.38.181.201
82.118.242.102
23.95.120.193
52.143.170.157 #only mentions using cracked.to theme at bottom right
217.61.3.184 #https host claiming to be 'nulled.one' and appears to use cracked.to theme
167.86.104.214 #spotify-upgrades.co. An official service by Cracked.to
https://51.75.149.202/ #RSocks is a VPN service that links to cracked.to
https://138.197.54.96/ #mentions cracked.to about selling of Disney Plus accounts

https://23.95.120.193/ links to a "cracking.tools" website.
https://82.118.242.102/ loads the "cracked.to" website.
https://51.38.181.201/ loads the "cracked.to" website.


Now we know the two IP addresses likely behind the cracked.to website are
  1. 82.118.242.102
  2. 51.38.181.201
I wonder what a port scan looks like on the cracked.to side of the Internet?

We can use masscan to scan all ports:
Code:
masscan 82.118.242.10 -p0-65535

We can use Nmap to scan a single host somewhat quickly:
Code:
nmap -p0-65535 51.38.181.201 -T5

The results I got from this are:
Code:
Nmap scan report for ns3133517.ip-51-38-181.eu (51.38.181.201)
Host is up (0.075s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE
25/tcp    filtered smtp
443/tcp   open     https
445/tcp   filtered microsoft-ds
9292/tcp  open     armtechdaemon
14071/tcp open     unknown

At this point I am somewhat curious what things may look like over on cracked.to with a T4 scan, slowing scans down can sometimes yield more results like this:
Code:
xxx:~# nmap -p0-65535 51.38.181.201 -T4
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-21 19:24 UTC
Nmap scan report for ns3133517.ip-51-38-181.eu (51.38.181.201)
Host is up (0.075s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE
25/tcp    filtered smtp
443/tcp   open     https
445/tcp   filtered microsoft-ds
9292/tcp  open     armtechdaemon
14071/tcp open     unknown

So... here is what we have:
1574366480140.png
1574366495249.png

The T4 Nmap scan seems fast while also accurate, the Nmap scans complete in about ~4 minutes whereas the Masscan takes about ~10 minutes.

Nmap is more of a sniper rifle, whereas ZMap is a machine gun at least in my opinion.

nmap -p0-65535 82.118.242.10 -T4
Code:
Nmap scan report for 82.118.242.10
Host is up (0.11s latency).
Not shown: 65531 filtered ports
PORT      STATE  SERVICE
22/tcp    closed ssh
80/tcp    open   http
443/tcp   open   https
1194/tcp  open   openvpn
56930/tcp open   unknown

nmap -p0-65535 51.38.181.201 -T4
Code:
Nmap scan report for ns3133517.ip-51-38-181.eu (51.38.181.201)
Host is up (0.075s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE
25/tcp    filtered smtp
443/tcp   open     https
445/tcp   filtered microsoft-ds
9292/tcp  open     armtechdaemon
14071/tcp open     unknown

So now what?
Host 82.118.242.10 switched their SSH port to 56930.
http://51.38.181.201:9292/ loads "hwhat"

IP 51.38.181.201 has port 14071 reply..
1574367383546.png
1574367398629.png

Other than this information, we could attempt gathering version intel to see if anything is unpatched.

The port 14071 appears to use keys (likely wants a .pem/.ppk file for key pair auth):
1574367613071.png
Reference:

That is the beginning, that was all very easy and makes a good example.
 
Last edited:

NatureNMoon

Restricted
Jul 8, 2016
70
124
86
For CentOS:

Code:
yum remove firewalld
yum install iptables
yum install ipset
sudo ipset create cloudflare hash:net
sudo ipset --add cloudflare 173.245.48.0/20
sudo ipset --add cloudflare 103.21.244.0/22
sudo ipset --add cloudflare 103.22.200.0/22
sudo ipset --add cloudflare 103.31.4.0/22
sudo ipset --add cloudflare 141.101.64.0/18
sudo ipset --add cloudflare 108.162.192.0/18
sudo ipset --add cloudflare 190.93.240.0/20
sudo ipset --add cloudflare 188.114.96.0/20
sudo ipset --add cloudflare 197.234.240.0/22
sudo ipset --add cloudflare 198.41.128.0/17
sudo ipset --add cloudflare 162.158.0.0/15
sudo ipset --add cloudflare 104.16.0.0/12
sudo ipset --add cloudflare 172.64.0.0/13
sudo ipset --add cloudflare 131.0.72.0/22
sudo ipset save
iptables -N R4P3 -t raw
iptables -A PREROUTING -t raw -j R4P3
iptables -A R4P3 -t raw -p tcp -m multiport --dports 80,443 -m set ! --match-set cloudflare src -j DROP

For Ubuntu/Debian:

Code:
apt-get install iptables
apt-get install ipset
sudo ipset create cloudflare hash:net
sudo ipset --add cloudflare 173.245.48.0/20
sudo ipset --add cloudflare 103.21.244.0/22
sudo ipset --add cloudflare 103.22.200.0/22
sudo ipset --add cloudflare 103.31.4.0/22
sudo ipset --add cloudflare 141.101.64.0/18
sudo ipset --add cloudflare 108.162.192.0/18
sudo ipset --add cloudflare 190.93.240.0/20
sudo ipset --add cloudflare 188.114.96.0/20
sudo ipset --add cloudflare 197.234.240.0/22
sudo ipset --add cloudflare 198.41.128.0/17
sudo ipset --add cloudflare 162.158.0.0/15
sudo ipset --add cloudflare 104.16.0.0/12
sudo ipset --add cloudflare 172.64.0.0/13
sudo ipset --add cloudflare 131.0.72.0/22
sudo ipset save
iptables -N R4P3 -t raw
iptables -A PREROUTING -t raw -j R4P3
iptables -A R4P3 -t raw -p tcp -m multiport --dports 80,443 -m set ! --match-set cloudflare src -j DROP

If you say, this works, the people interested in this can use the rules above to protect their web servers from TCP Attacks especially SYN/ACK. This rule must be used by the web servers using CloudFlare proxy. If you web server doesn't use CloudFlare, please do not use the command lines above.
 
Top