A feature of Cloudflare is its strong and best Firewall and protection system. As we all know , they do have both passive and active bot detection techniques. So is it possible to Bypass the Cloudflare ?
Yes, it is possible to bypass the cloudflare protection but it depends and varies with the time.
Well there was a time when there was no protection from DDOS attacks, Crawling bots, Spamming etc.
A guy was tired of getting DDOSed and he had only one thing in mind “I have to avoid direct contact from visitors to handle spam requests”.
That wise guy got an idea!
He managed to setup a more powerful server to act as a proxy (not really), he copied all his static files (files of his site that he didn’t used to change) to that ‘new server’.
Now he made all the traffic for his website (server) to come through the new server first.
So every time when a visitor tried to access the site, the new server will serve the visitor (Provide resources)
And after a week his new server got DDOSed.
He thought WTF?
Why I didn’t think about it?
My new server has no protection at all so it won’t work. I am so stupid!
But he was determined! He thought I must find a way to block multiple requests from a visitor.
He coded a program that could block an IP address (visitor) if it tries to send multiple requests in short time.
He deployed that program in his new server.
A DDOSer tried to DDOS his site and his new program and server came into play. That program blocked the requests and prevented DDOS attack.
He was really happy and satisfied.
Then he added features like caching and blocking on the basis of IP reputation etc. He named this setup “Cloudflare”
They help to accelerate the website response, for example
Whenever a user from Russia tries to access the site, Cloudflare contacts the nearest server (i.e. in Russia) and tells it to serve him and hence the user gets a faster response.
Why do we need to bypass cloudflare?
First of all we should keep in mind that Cloudflare was mainly designed to prevent DDOS so it is clearly a problem for a hacker who is trying to DDOS the website using Cloudflare.
Secondly, when you try to connect to the website, you connect to the cloudflare servers.
So if you need IP Address of a website, you enter ping facebook.com and you get the IP Address like:
Thats simple right?
But when we ping a website which is using Cloudflare then we get response from Cloudflare and we got the IP address of cloudflare not the actual server where the website is hosted.
Similarly you can’t perform a port scan because you don’t have the IP Address of the real server. In short, you can’t do anything to the server as long as that Cloudflare is there.
So we have to bypass it in order to perform security assessment or penetration testing on real server.
How To Bypass Cloudflare ?
Bypass Pinging other subdomains
The easiest method which works most of the time is Pinging the subdomains of the target website.
For example I want know IP Address of a website example.com which is protected by Clouflare then I will enter the following in terminal
ping mail.example.com
ping ftp.example.com
ping direct.example.com
ping admin.example.com
ping direct-connect.example.com
And one of these “arguments” should give you the real IP Address of the website. If you use Linux, you may install a program called DNSMap that has a good list of subdomains and tries to ping them to us the underlying IP address.
Bypass using Domain DNS History
If you want to bypass cloudflare protection and find the target’s origin ip. Use : https://whoisrequest.com/history/ to find targets domain’s DNS history. Alternatively we can use viewdns.info and securitytrails.com as well.
Getting the Real IP of Server
Sometimes we can bypass the cloud flare protection by finding the real IP address of a server. The Cloud flare protection always puts it’s IP address as a shield in front to provide WAF (Web Application Firewall) protection. If we are able to get the real IP which is behind the cloudflare IP then we can bypass the cloudflare protection. For this purpose we can search in censys or shodan search engines for the target websites old or expired SSL certificate using their search filters from where we can get the real IP address of server. Our tutorial on search engines for penetration testers.
Searching on Google Cached Data
Sometimes Google crawlers are allowed to interact with real IP of a server by cloudflare. In such cases we can look for old records of website in cached data to find underlying IP address of our target server.
To check for google cached data you can use the following example, replace hacknopedia.com with your targeted URL.
https://webcache.googleusercontent.com/search?q=cache:hacknopedia.com
Cloudflare bypass using Github Tools
There are different scripts and tools available in github and different forums, which are capable of bypassing cloudflare security and give us server original IP. Some of the such tools are: cloudscraper, cloudflaresolver, etc.
Cloudflare Bypass Extensions
There are few tools that claim they can bypass cloudlfare captcha restriction.
Bypasser: https://github.com/cowlicks/bypasser
Another one is browser extension for purging out cloudflare cache data from browser.
Google Chrome Extension: https://chrome.google.com/webstore/detail/cloudflare-purge-plugin/nbpecchpcfacahhekolpaofpmogkmmok
As we discussed few of the methods for bypass, these bypass or tricks may not works with the time. If you do have any new methods of bypassing cloudflare, please do let us know in the comment section of this blog.
