{"id":13473737,"url":"https://github.com/christophetd/CloudFlair","last_synced_at":"2025-03-26T19:34:37.622Z","repository":{"id":37580281,"uuid":"117250625","full_name":"christophetd/CloudFlair","owner":"christophetd","description":"🔎 Find origin servers of websites behind CloudFlare by using Internet-wide scan data from Censys.","archived":false,"fork":false,"pushed_at":"2024-06-18T01:28:58.000Z","size":42,"stargazers_count":2696,"open_issues_count":9,"forks_count":366,"subscribers_count":59,"default_branch":"master","last_synced_at":"2025-03-20T06:08:57.024Z","etag":null,"topics":["censys","cloudflare","pentest","pentest-tool"],"latest_commit_sha":null,"homepage":"https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/christophetd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"christophetd"}},"created_at":"2018-01-12T14:30:21.000Z","updated_at":"2025-03-14T18:49:01.000Z","dependencies_parsed_at":"2025-01-15T21:09:21.733Z","dependency_job_id":"da9d7d44-a6fc-470d-8fef-032e670a52e6","html_url":"https://github.com/christophetd/CloudFlair","commit_stats":{"total_commits":36,"total_committers":12,"mean_commits":3.0,"dds":"0.36111111111111116","last_synced_commit":"8629b397c457cb4f9723453d047c166fb027afd5"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/christophetd%2FCloudFlair","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/christophetd%2FCloudFlair/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/christophetd%2FCloudFlair/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/christophetd%2FCloudFlair/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/christophetd","download_url":"https://codeload.github.com/christophetd/CloudFlair/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245722905,"owners_count":20661849,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["censys","cloudflare","pentest","pentest-tool"],"created_at":"2024-07-31T16:01:06.362Z","updated_at":"2025-03-26T19:34:36.585Z","avatar_url":"https://github.com/christophetd.png","language":"Python","funding_links":["https://github.com/sponsors/christophetd"],"categories":["Python","Python (1887)","WAF","Mobile","DNS"],"sub_categories":["Cloud"],"readme":"# CloudFlair\n\nCloudFlair is a tool to find origin servers of websites protected by CloudFlare (or CloudFront) which are publicly exposed and don't appropriately restrict network access to the relevant CDN IP ranges.\n\nThe tool uses Internet-wide scan data from [Censys](https://censys.io) to find exposed IPv4 hosts presenting an SSL certificate associated with the target's domain name. API keys are required and can be retrieved from your [Censys account](https://search.censys.io/account/api).\n\nFor more detail about this common misconfiguration and how CloudFlair works, refer to the companion blog post at \u003chttps://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/\u003e.\n\nHere's what CloudFlair looks like in action.\n\n```bash\n$ python cloudflair.py myvulnerable.site\n\n[*] The target appears to be behind CloudFlare.\n[*] Looking for certificates matching \"myvulnerable.site\" using Censys\n[*] 75 certificates matching \"myvulnerable.site\" found.\n[*] Looking for IPv4 hosts presenting these certificates...\n[*] 10 IPv4 hosts presenting a certificate issued to \"myvulnerable.site\" were found.\n  - 51.194.77.1\n  - 223.172.21.75\n  - 18.136.111.24\n  - 127.200.220.231\n  - 177.67.208.72\n  - 137.67.239.174\n  - 182.102.141.194\n  - 8.154.231.164\n  - 37.184.84.44\n  - 78.25.205.83\n\n[*] Retrieving target homepage at https://myvulnerable.site\n\n[*] Testing candidate origin servers\n  - 51.194.77.1\n  - 223.172.21.75\n  - 18.136.111.24\n        responded with an unexpected HTTP status code 404\n  - 127.200.220.231\n        timed out after 3 seconds\n  - 177.67.208.72\n  - 137.67.239.174\n  - 182.102.141.194\n  - 8.154.231.164\n  - 37.184.84.44\n  - 78.25.205.83\n\n[*] Found 2 likely origin servers of myvulnerable.site!\n  - 177.67.208.72 (HTML content identical to myvulnerable.site)\n  - 182.102.141.194 (HTML content identical to myvulnerable.site)\n```\n\n(_The IP addresses in this example have been obfuscated and replaced by randomly generated IPs_)\n\n## Setup\n\n1. Register an account (free) on \u003chttps://search.censys.io/register\u003e\n2. Browse to \u003chttps://search.censys.io/account/api\u003e, and set two environment variables with your API ID and API secret\n\n```bash\n$ export CENSYS_API_ID=...\n$ export CENSYS_API_SECRET=...\n```\n\n3. Clone the repository\n\n```bash\n$ git clone https://github.com/christophetd/CloudFlair.git\n```\n\n4. Create a virtual env and install the dependencies\n\n```bash\ncd CloudFlair\npython3 -m venv venv\nsource venv/bin/activate\npip install -r requirements.txt\n```\n\n5. Run CloudFlair (see [Usage](#usage) below for more detail)\n\n```bash\npython cloudflair.py myvulnerable.site\n```\n\nor for CloudFront \n```bash\npython cloudflair.py myvulnerable.site --cloudfront\n```\n\n## Usage\n\n```bash\n$ python cloudflair.py --help\n\nusage: cloudflair.py [-h] [-o OUTPUT_FILE] [--censys-api-id CENSYS_API_ID] [--censys-api-secret CENSYS_API_SECRET] [--cloudfront] domain\n\npositional arguments:\n  domain                The domain to scan\n\noptions:\n  -h, --help            show this help message and exit\n  -o OUTPUT_FILE, --output OUTPUT_FILE\n                        A file to output likely origin servers to (default: None)\n  --censys-api-id CENSYS_API_ID\n                        Censys API ID. Can also be defined using the CENSYS_API_ID environment variable (default: None)\n  --censys-api-secret CENSYS_API_SECRET\n                        Censys API secret. Can also be defined using the CENSYS_API_SECRET environment variable (default: None)\n  --cloudfront          Check Cloudfront instead of CloudFlare. (default: False)\n```\n\n## Docker image\n\nA lightweight Docker image of CloudFlair ([`christophetd/cloudflair`](https://hub.docker.com/r/christophetd/cloudflair/)) is provided. A scan can easily be instantiated using the following command.\n\n```bash\n$ docker run --rm -e CENSYS_API_ID=your-id -e CENSYS_API_SECRET=your-secret christophetd/cloudflair myvulnerable.site\n```\n\nYou can also create a file containing the definition of the environment variables, and use the Docker`--env-file` option.\n\n```bash\n$ cat censys.env\nCENSYS_API_ID=your-id\nCENSYS_API_SECRET=your-secret\n\n$ docker run --rm --env-file=censys.env christophetd/cloudflair myvulnerable.site\n```\n\n## Compatibility\n\nTested on Python 3.6. Feel free to [open an issue](https://github.com/christophetd/cloudflair/issues/new) if you have bug reports or questions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchristophetd%2FCloudFlair","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchristophetd%2FCloudFlair","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchristophetd%2FCloudFlair/lists"}