
Penetration test information collection - CDN bypass

2022-07-06 18:19:00 Aspirin.2002

Bypassing the CDN to find the real IP


CDN stands for Content Delivery Network. A CDN is an intelligent virtual network built on top of the existing network: relying on edge servers deployed everywhere, with a central platform providing load balancing, content distribution and scheduling, it lets users fetch the content they need from a nearby node, which reduces network congestion and improves response time and hit rate. The key technologies of a CDN are content storage and distribution. During a security test, however, if the target uses a CDN, this affects the rest of the testing process.

Depending on the visitor's region, the CDN hands out the IP that is fastest to reach.

1. How to tell whether the target uses a CDN

  • Use multiple vantage points and compare what each request returns

  Use a "super ping" (multi-location ping) website

  • On Windows, query with the nslookup command; if the domain resolves to several IPs, it is most likely a CDN and not the real IP
  • Check with the Wappalyzer browser extension

Multiple IPs returned: possibly a CDN

2. Finding the website's real IP

2.1 Querying from different IPs

Super ping, nationwide ping

2.2 Using subdomain requests to get the real IP

  • Some enterprises have many lines of business: some sites use a CDN, or some domain names use a CDN, while some subdomains may not. Because CDN features are only enabled after paying, and to save money, only high-traffic sites get the CDN (usually the main site), while low-traffic subdomains do not (usually the sub-sites). The sub-site and main-site IP addresses may be in the same network segment and are related, so the main-site IP can be inferred from the sub-site IP, or the sub-site can be used to get into the intranet

· Subdomain brute-forcing ·

For most sites (99.99%), adding www. or not makes no difference: the page is the same, and the browser adds www. automatically. In DNS resolution, however, with and without www. are different, and on some sites the address without www. resolves to the real IP

Mobile sites generally use an m. prefix; the two sites are actually the same, just displayed differently

So the main server can be found by finding the mobile site's server
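As an added defender's example (not code from the original post), the Python below applies the heuristics of sections 1 and 2.2 to resolution data collected from several vantage points: a host whose answers all fall inside the CDN's published ranges is behind the CDN, while a subdomain resolving outside them is a candidate origin leak to fix. The hostnames, addresses and the CDN range are constructed placeholders.

```python
import ipaddress

# Constructed sample: A records for each host as seen from several vantage
# points (what a "super ping" / nationwide ping service returns). All addresses
# are RFC 5737 documentation ranges, not real hosts.
SAMPLE_RESOLUTIONS = {
    "www.example.com": {
        "beijing": ["203.0.113.10", "203.0.113.11"],
        "shanghai": ["203.0.113.12"],
        "frankfurt": ["203.0.113.40"],
    },
    "m.example.com": {"beijing": ["203.0.113.10"], "frankfurt": ["203.0.113.40"]},
    "dev.example.com": {"beijing": ["198.51.100.7"], "shanghai": ["198.51.100.7"],
                        "frankfurt": ["198.51.100.7"]},
}
# Assumed CDN address space (placeholder; use the provider's published ranges).
CDN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def in_cdn(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def classify_host(vantage_results):
    """Return (verdict, sorted distinct IPs, whether answers vary by vantage)."""
    per_vantage = [frozenset(ips) for ips in vantage_results.values()]
    all_ips = set().union(*per_vantage)
    varies = len(set(per_vantage)) > 1      # the post's multi-node heuristic
    cdn_ips = {ip for ip in all_ips if in_cdn(ip)}
    if cdn_ips == all_ips:
        verdict = "cdn"          # every answer is a CDN edge
    elif not cdn_ips:
        verdict = "direct"       # nothing in front: candidate origin leak
    else:
        verdict = "mixed"        # some answers bypass the CDN
    return verdict, sorted(all_ips), varies


def leaked_hosts(resolutions):
    """Hosts whose answers are not fully covered by the CDN ranges."""
    return sorted(h for h, vr in resolutions.items()
                  if classify_host(vr)[0] != "cdn")


if __name__ == "__main__":
    for host, vr in SAMPLE_RESOLUTIONS.items():
        verdict, ips, varies = classify_host(vr)
        print(f"{host:18} {verdict:7} varies_by_vantage={varies} {ips}")
```

Round-robin DNS without a CDN also returns several IPs, which is why the range check is combined with the "varies by vantage" signal rather than counting addresses alone.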

2.3 Third-party website lookup

https://get-site-ip.com/


2.4 Using requests from foreign addresses to get the real IP

  • The main user base of a typical website is domestic, with few foreign users, so to save costs no CDN is set up abroad, and requests from abroad reach the real IP address (CDN coverage is enabled selectively, global or regional, at different prices). Query the target through some little-used foreign DNS servers or IPs: by visiting through a foreign proxy the real IP can be seen, or through foreign DNS resolution you may get the real IP of the website.

Super ping services include foreign nodes

Subdomain hints, collection, foreign requests (the same kind of access)

2.5 Using the mail server to get the real IP

A disposable mailbox can be used

https://anonymousemail.me/, https://temp-mail.org/zh/, etc.

  • Many sites have functions that send mail, such as password reset, subscription and so on, and most common mail systems are internal and are not resolved through the CDN. The source of the e-mail will contain the real IP of the server.

Test with the e-mail source and a third-party query (regional analysis)

Take www.mozhe.cn as an example


Usually the first IP is the mail forwarding server

The one after it is the real server IP

For now, treat this as the real IP


Third-party query for verification


The two results turn out to be different

Verification:

  • Check the website's ICP filing number


Chongqing

Look up the IPs: the mail server's IP is the closer match


View company details


Chongqing

So the real IP is more likely to be 219.153.49.169
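To audit whether a site's own outgoing mail exposes the origin server in the way section 2.5 describes, here is an added Python example (not from the original post) that walks the Received: chain of a message and reports the public hops before the final relay. The headers are constructed and the addresses are RFC 5737 documentation ranges.

```python
import email
import ipaddress
import re

# Constructed headers of a "forgot password" mail as copied from the mail
# client's "view source". Addresses are RFC 5737 documentation ranges.
SAMPLE_HEADERS = """\
Received: from relay.example.net (relay.example.net [203.0.113.25])
    by mx.recipient.example (Postfix) with ESMTPS id AAA111
    for <user@recipient.example>; Sat, 07 Aug 2021 15:30:00 +0800
Received: from web01.example.com (unknown [198.51.100.7])
    by relay.example.net (Postfix) with ESMTP id BBB222;
    Sat, 07 Aug 2021 15:29:58 +0800
Received: from localhost (localhost [127.0.0.1])
    by web01.example.com (Postfix) with ESMTP id CCC333;
    Sat, 07 Aug 2021 15:29:57 +0800
From: noreply@example.com
To: user@recipient.example
Subject: Password reset

Click the link to reset your password.
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Loopback and RFC 1918 space, checked explicitly (ipaddress marks
# documentation ranges as non-global too, so is_global would drop them).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def received_hops(raw):
    """Bracketed IPs from the Received: chain in delivery order (origin first).
    Mail agents prepend Received: headers, so the top one is the last hop."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = BRACKETED_IP.search(hdr)
        if m:
            hops.append(m.group(1))
    return hops


def candidate_origin_ips(raw):
    """Public hops before the final relay: the addresses the post says leak
    when the web server hands mail to a relay. A single hop is the origin."""
    public = [ip for ip in received_hops(raw)
              if not any(ipaddress.ip_address(ip) in n for n in INTERNAL)]
    return public[:-1] if len(public) > 1 else public


if __name__ == "__main__":
    print("hops:", received_hops(SAMPLE_HEADERS))
    print("candidate origin:", candidate_origin_ips(SAMPLE_HEADERS))
```

If the report names the web server, the mitigation is to send application mail through a relay that rewrites or omits the internal Received: line rather than from the origin host directly.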

2.6 Sensitive files

Leftover files such as phpinfo.php


Probe files

/tz.php, /jc.php, /p.php, etc.

2.7 Using cyberspace search engines to get the real IP

  • Search the engines for specific content

    Shodan, ZoomEye and FOFA use collection and crawling technology to periodically crawl deep network data into their databases. The requested information may contain the real IP address, but the success rate is low and it is not very reliable: if the CDN was only enabled today, the search engines have not necessarily indexed it, so the real IP may not be found. Compared with Baidu or Google, however, the time at which something was crawled is closer

    Crawling these public security search engines yields historical snapshots. The main features to look for are summarized as follows:

 Distinctive HTTP headers (such as server type, version, cookies, etc.),
 specific keywords (such as title, css, js, url, etc.),
 specific IP range searches (for example FOFA supports C-segment search);
 sometimes the crawled data does not include the features above, but it still needs to be checked carefully.

Shodan search by favicon hash

A python2 script obtains the hash value for the search

Find the page icon (.ico) file

Copy its address into the script and run it to obtain the hash value

Search the hash in the engine to get the IP


2.8 DNS history records, and attacking it

Caches left over from before some websites were put behind a CDN

https://dnsdb.io/zh-cn/
https://x.threatbook.cn/ (a few extra steps)
http://toolbar.netcraft.com/site_report?url=
http://viewdns.info/
https://tools.ipip.net/cdn.php

https://securitytrails.com/

 Using the SecurityTrails platform (https://securitytrails.com/), an attacker can accurately find the real origin IP: just enter the website's domain name in the search field and press Enter; the "Historical Data" can then be found in the menu on the left.
Besides past DNS records, even the current records on SecurityTrails may disclose the origin server IP. For example, MX records are a common way to find the IP: if the website hosts its own mail server on the same server and IP as the web server, the origin server IP will be in the MX record.

Attacking it, i.e. DDoS: because a CDN is billed by traffic once enabled, there are traffic limits; keep up the DDoS, the traffic consumes the bandwidth, and the real IP address comes out. This is illegal.

2.9 Scanning the whole network

Scanning the whole network is the last resort: borrow addresses around the globe and request this website from all of them at the same time; in some regions the website has no CDN, so the real IP is discovered. Whole-network scanning is usually run on a server.
Compare the scanned-out IPs with the website you need to reach; if opening an IP shows the same site, it may be the real IP.

It is said the whole network can be scanned in as little as 44 minutes?

fuckcdn, w8fuckcdn, zmap, BIND, etc.

After finding the real IP, modify the local hosts file and revisit the page.

Note: some CDN addresses cannot be opened directly and redirect to the CDN service page.


Copyright notice
This article was written by [Aspirin.2002]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/02/202202131300353221.html