Bypass Firewalls By Abusing DNS History
Firewall bypass script based on DNS history records. The script searches for historical DNS A records and checks whether the server at each of them still replies for that domain. Handy for bug bounty hunters.
This script will try to find:
- The direct IP address of a server behind a firewall like Cloudflare, Incapsula or SUCURI
- An old server which is still running the same (inactive and unmaintained) website, not receiving active traffic because the DNS A record no longer points towards it. Because it is an outdated and unmaintained version of the current active website, it is likely vulnerable to various exploits. It might be easier to find SQL injections on it, access the database of the old website and abuse that information on the current, active website.
This script (ab)uses DNS history records: it searches for old DNS A records and checks whether the server at each one still replies for that domain. It also outputs a confidence level, based on the similarity of the HTML responses of the possible origin server and the firewall.
The script also fetches the IPs of subdomains, because my own experience taught me that subdomain IPs sometimes point to the origin of the main domain.
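As an added example (not the project's script), the candidate selection and confidence logic described above, written in Python over constructed, offline data. It is meant as a self-check for a domain you administer: a hit means the origin answers direct requests and sits outside the WAF's protection. The historical A records, the live record, the WAF's address range (a placeholder TEST-NET range) and the page each candidate returned are all made up, and names such as rank_candidates are the example's own.

```python
import difflib
import ipaddress

# Constructed sample data (documentation-only TEST-NET addresses, not real hosts).
# Assumption: the address range the WAF answers from is known; this is a placeholder.
WAF_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
CURRENT_A = {"203.0.113.10"}                 # what the domain resolves to today (the WAF)
HISTORY = ["203.0.113.10", "198.51.100.7", "192.0.2.55", "198.51.100.8", "198.51.100.7"]
WAF_HTML = ("<html><head><title>Example Shop</title></head><body><h1>Welcome to Example Shop</h1>"
            "<p>Catalog, checkout, account. Release 2024.</p></body></html>")
# What each historical address returned when asked for the domain (None = no reply for that Host).
RESPONSES = {
    "198.51.100.7": WAF_HTML.replace("2024", "2019"),     # old copy of the same site: likely origin
    "192.0.2.55": "<html><body>It works!</body></html>",   # unrelated host that recycled the IP
    "198.51.100.8": None,
}

def is_waf_address(ip):
    """True when the address belongs to the WAF itself rather than to a possible origin."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WAF_RANGES)

def confidence(waf_html, candidate_html):
    """Confidence level: similarity of the WAF-fronted page and a candidate's page, 0.0 to 1.0."""
    return difflib.SequenceMatcher(None, waf_html, candidate_html).ratio()

def rank_candidates(history, current_a, waf_html, responses, threshold=0.6):
    """Rank historical A records that answer for the domain with a page similar to the WAF's.
    Returns [(ip, confidence)] sorted by confidence, highest first."""
    found = []
    for ip in dict.fromkeys(history):        # de-duplicate while keeping order
        if ip in current_a or is_waf_address(ip):
            continue                         # live record or the WAF's own address: not a leak
        body = responses.get(ip)
        if body is None:
            continue                         # host does not answer for this domain
        score = confidence(waf_html, body)
        if score >= threshold:
            found.append((ip, round(score, 2)))
    return sorted(found, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    for ip, score in rank_candidates(HISTORY, CURRENT_A, WAF_HTML, RESPONSES):
        print(f"{ip}\tconfidence={score}")
```

With the constructed data only 198.51.100.7 is reported: the recycled address serves an unrelated page and falls under the threshold, and the silent host is skipped.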
Usage
Use the script like this:
bash bypass-firewalls-by-DNS-history.sh -d example.com
-d --domain: domain to bypass
-o --outputfile: output file with IPs
-l --listsubdomains: list with subdomains for extra coverage
-a --checkall: check all subdomains for a WAF bypass
Requirements (optional)
jq is needed to parse the output in order to gather subdomains automatically. Install it with apt install jq.
WAF bypass explanation
To illustrate what we define as a WAF bypass, look at the scheme below.
A normal visitor connects to a website. The initial request is a DNS query asking for the IP of the website, so the client's browser knows where to send the HTTP request. For sites behind Cloudflare or another public WAF, the reply contains an IP address of the WAF itself; your HTTP traffic then basically flows through the WAF to the origin web server.
The WAF blocks malicious requests and protects against (D)DoS attacks. However, if an attacker knows the IP of the origin web server and the origin web server accepts HTTP traffic from the whole internet, the attacker can perform a WAF bypass: send the HTTP traffic directly to the origin web server instead of passing it through the WAF.
This script tries to find that origin IP, so you can connect directly to the origin web server. Attacks like SQL injection or SSRF are then not filtered and can succeed, in contrast to the situation where a WAF sits in between and stops these kinds of attacks.
Who is this script for?
This script is handy for:
- Security auditors
- Web administrators
- Bug bounty hunters
- Blackhatters, I guess
How to protect against this script?
The bypass described above only works when the origin web server accepts HTTP traffic from the whole internet. If the origin only accepts connections that come from the WAF's own address ranges, a historical or leaked IP address no longer gives anyone a direct route around the WAF.
Used services
The following services are used by the script:
- SecurityTrails
- CrimeFlare
- certspotter
- DNSDumpster
- IPinfo
FAQ
Why in Bash and not in Python?
It started out as a few curl one-liners, became a bash script, the code grew more and more, and the regret of not using Python grew accordingly.
I find more subdomains with my tools?
I know. I can't expect everyone to install all these DNS brute-force and enumeration tools. In addition, I don't know beforehand in which folder these tools are located or under which alias they are called. You can still provide your own list with -l, so you can feed the output of those subdomain tools into this tool. The expected input is one full subdomain per line.
The author of this tool
Vincent Cox, a Security Engineer and Bug Bounty Hunter