KALYPTO (IN)SECURITY

Research, demonstrations, and popcorn

Finding an IP Behind a Reverse Proxy: How to look like a fool and influence people…

I have posted before about checking a specific IP for a website. I wanted to go into a little more detail on how to use it and how to know when you are getting a false positive.

There are a few ways you can query a specific IP for a website.  You can use DNS walking, IP scanning, or my favorite… targeted checks.  With a targeted check, you do your research ahead of time and find what you think the IP is, then query against it for the web address.  This was the method I used for LizzardStresser here.

The code is very basic and very direct:

[Image: Source]

This code will check an IP for the given hostname. The part that people usually fail at is looking at the return data. Just because the status code is 200, it does not mean you have the correct site.

In the following example, you see that I got a status 200 return, but the response is actually a BlueHost page showing that the site was not found there:

[Image: FalseFlag]

Lesson:  Be aware of the return data you get.  It is not as simple as checking a return code.  Unfortunately, there are some “hackers” that have not figured this out yet.  I have seen a LOT of false host addresses related to Anonymous and their OpCloudflare reports.

Lesson 2: If you are going to publish something to the world, read it. Re-read it. Read it again. Then make sure you are correct. False information is the quickest way to lose credibility and make yourself look like a fool.
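The false-positive check described above, as an added example that is not the original post's code: a response only counts as a match if its content agrees with the page the real site serves, not merely because the status is 200. The function names, the 0.6 similarity threshold, and the sample pages are assumptions made for illustration; the reference body is assumed to be the page fetched through the site's normal hostname.

```python
import difflib
import http.client
import re

def fetch(ip, hostname, timeout=5):
    """GET / from `ip` while sending `hostname` in the Host header."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": hostname})
        resp = conn.getresponse()
        return resp.status, resp.read(65536).decode("utf-8", "replace")
    finally:
        conn.close()

def title_of(html):
    """Lower-cased, whitespace-normalised <title> text, or '' if absent."""
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    return " ".join(m.group(1).split()).lower() if m else ""

def verdict(status, body, reference_body, min_ratio=0.6):
    """Judge a candidate response against the page the real site serves."""
    if status != 200:
        return "no-match"
    title = title_of(body)
    # Word-level similarity; autojunk off so long pages are compared fairly.
    ratio = difflib.SequenceMatcher(
        None, reference_body.split(), body.split(), autojunk=False).ratio()
    if title and title == title_of(reference_body) and ratio >= min_ratio:
        return "match"
    return "false-positive"  # 200 OK, but the content is not the site

# Constructed sample pages (not captured from any real host).
REFERENCE = ("<html><head><title>Example Shop</title></head><body>"
             "<h1>Welcome to Example Shop</h1><p>Orders, support and news.</p></body></html>")
CANDIDATE_REAL = ("<html><head><title>Example Shop</title></head><body>"
                  "<h1>Welcome to Example Shop</h1><p>Orders, support and latest news.</p></body></html>")
CANDIDATE_PLACEHOLDER = ("<html><head><title>Welcome</title></head><body>"
                         "<h1>Site not found</h1><p>No website is configured at this address.</p></body></html>")

if __name__ == "__main__":
    for name, body in (("real", CANDIDATE_REAL), ("placeholder", CANDIDATE_PLACEHOLDER)):
        print(name, "->", verdict(200, body, REFERENCE))
```

Both sample candidates return status 200; only the one whose title and body agree with the reference is reported as a match.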


Kalypto • December 1, 2015

