vincentcox / Bypass Firewalls By Dns History

Licence: MIT
Firewall bypass script based on DNS history records. The script looks up historical DNS A records for a domain and checks whether the server at each old address still replies for that domain. Handy for bug bounty hunters.

Language: shell

Bypass firewalls by abusing DNS history

Tool overview

This script tries to find:

  • the direct IP address of the origin server behind a cloud firewall such as Cloudflare, Incapsula or SUCURI;
  • an old server that is still running an earlier (inactive and unmaintained) copy of the website. It receives no live traffic because the A record no longer points at it, but it still answers. Since it is an outdated, unmaintained version of the current site, it is likely to be vulnerable to known exploits: it may be easier to find a SQL injection there, access that copy of the database, and reuse what it holds against the current, active website.

The script (ab)uses DNS history records: it searches for old A records and checks whether the server at each address still replies for the domain. It also outputs a confidence level, based on how similar the HTML response of the possible origin server is to the response served through the firewall.

The script also fetches the IPs of subdomains, because my own experience has taught me that subdomain IPs sometimes point at the origin of the main domain (for example a host that was never put behind the proxy).
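The check the overview describes, as an added example that is not the project's own code: for one candidate IP, fetch the site once through the firewall and once directly from the candidate, then score how much of the firewall-served HTML the candidate reproduces. The domain and IPs on the command line, the `similarity` scoring (share of distinct lines in common) and the `WAF_ONLY`-style names are this example's own choices; the project computes its confidence level its own way.

```bash
#!/usr/bin/env bash
# Added example, not the project's own code: probe whether a candidate (historical) IP still
# serves DOMAIN and score how close its response is to the one served through the WAF.
# Assumes curl, comm, sort and mktemp are available and that DOMAIN serves HTTPS.
set -u

# similarity FILE_A FILE_B: integer 0..100, the share of distinct non-empty lines of FILE_A
# that also occur verbatim in FILE_B. Crude, but enough to separate "same site" from
# "default vhost / parked page" responses.
similarity() {
    local a="$1" b="$2" ua ub total common
    ua=$(mktemp); ub=$(mktemp)
    grep . "$a" | sort -u > "$ua"
    grep . "$b" | sort -u > "$ub"
    total=$(wc -l < "$ua" | tr -d ' ')
    common=$(comm -12 "$ua" "$ub" | wc -l | tr -d ' ')
    rm -f "$ua" "$ub"
    if [ "$total" -eq 0 ]; then echo 0; else echo $(( common * 100 / total )); fi
}

# fetch_via DOMAIN IP OUT: GET https://DOMAIN/ but connect to IP. --resolve keeps the Host
# header and the TLS SNI set to DOMAIN, which an origin with several virtual hosts needs in
# order to serve the right site; a bare https://IP/ often gets a default page or a TLS error.
# Prints the HTTP status. -k skips certificate checks because the origin may present a
# certificate that only the WAF is meant to see.
fetch_via() {
    local domain="$1" ip="$2" out="$3"
    curl -sk -m 10 --resolve "$domain:443:$ip" -o "$out" -w '%{http_code}' "https://$domain/"
}

# probe_origin DOMAIN IP: print "IP status similarity%" for one candidate.
# Caveat: a high score does not prove a bypass if IP belongs to the WAF vendor itself
# (an old record may point at another of its edge addresses); check ownership with whois.
probe_origin() {
    local domain="$1" ip="$2" via_waf via_ip code score
    via_waf=$(mktemp); via_ip=$(mktemp)
    curl -sk -m 10 -o "$via_waf" "https://$domain/"        # reference copy, through the WAF
    code=$(fetch_via "$domain" "$ip" "$via_ip") || code=000 # 000 = no HTTP answer at all
    score=$(similarity "$via_waf" "$via_ip")
    rm -f "$via_waf" "$via_ip"
    echo "$ip $code ${score}%"
}

# usage: bash probe.sh example.com 203.0.113.10 [more candidate IPs...]
if [ $# -ge 2 ]; then
    domain="$1"; shift
    for ip in "$@"; do probe_origin "$domain" "$ip"; done
fi
```

A candidate that answers with status 200 and a score near 100% is worth a manual look; a 200 with a score near 0% is usually a shared host or parked page that happens to accept the connection, and a status of 000 means the address no longer speaks HTTPS at all.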

Usage

Use the script like this:

bash bypass-firewalls-by-DNS-history.sh -d example.com

  • -d --domain: domain to bypass
  • -o --outputfile: output file for the IPs found
  • -l --listsubdomains: file with subdomains, one per line, for extra coverage
  • -a --checkall: check all subdomains for a WAF bypass, not only the main domain

Requirements (optional)

jq is needed to parse the JSON replies of the lookup services so that subdomains can be gathered automatically. Install it with apt install jq.

Background information

WAF Bypass explanation

To illustrate what we define as a WAF bypass, look at the scheme below.

(Figure: scheme of a WAF bypass)

A normal visitor connects to a website. The initial request is a DNS lookup for the IP of the website, so the client's browser knows where to send the HTTP request. For sites behind Cloudflare or another public WAF, the reply contains an IP address of the WAF itself, so your HTTP traffic flows through the WAF to the origin web server. The WAF blocks malicious requests and protects against (D)DoS attacks. However, if an attacker knows the IP of the origin web server and that server accepts HTTP traffic from the entire internet, the attacker can perform a WAF bypass: send the HTTP traffic straight to the origin instead of through the WAF.

This script tries to find that origin IP, so you can connect directly to the origin web server. Attacks such as SQL injection or SSRF then reach the application unfiltered and can succeed, whereas with the WAF in between the same requests would be blocked. The reason DNS history helps is simple: before a site was put behind the WAF, its A record typically pointed at the origin itself, and history services keep those old records.

Further exploitation

When you find a bypass, you have two ways to send your traffic there:

  • Edit your hosts file, which is a system-wide solution. You can find it at /etc/hosts (Linux/Mac) or c:\Windows\System32\Drivers\etc\hosts (Windows). Add an entry like this: 80.40.10.22 vincentcox.com.
  • Burp Suite: under Project options → Connections → Hostname Resolution, add an entry that maps the domain to the origin IP; only traffic going through Burp is then redirected.

From this moment on, your HTTP traffic goes directly to the origin web server. You can perform a penetration test as usual, without your requests being blocked by the WAF.

How to protect against this script?

  • If you use a cloud firewall, make sure the origin only accepts traffic coming through it, and deny everything that arrives directly from the internet. For example, Cloudflare publishes the list of IP ranges its proxies use; allow-list those with iptables or UFW and drop all other traffic to the web ports.
  • Make sure that no old servers are still accepting connections, and ideally that they are no longer reachable from the internet in the first place.
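The allow-list the first point describes, as an added example that is not part of the project: a generator for iptables rules that accept ports 80/443 only from the proxy's published ranges and drop the rest, plus a check you run from an outside host to confirm the origin no longer answers directly. The `WAF_ONLY` chain name and the `gen_rules`, `count_allow` and `verify_closed` helpers are this example's own, and the embedded range list is a constructed sample using RFC 5737 documentation prefixes, not any vendor's real ranges; the real Cloudflare list is served as plain text at https://www.cloudflare.com/ips-v4.

```bash
#!/usr/bin/env bash
# Added example, not part of the project: generate firewall rules so the origin only
# accepts web traffic from the WAF provider's published address ranges, then verify.
set -u

# Constructed sample list (RFC 5737 documentation ranges, NOT a real WAF vendor's ranges).
# Replace with the vendor's published list, e.g.: curl -s https://www.cloudflare.com/ips-v4
sample_ranges() {
    cat <<'EOF'
# proxy ranges (constructed sample)
203.0.113.0/24
198.51.100.0/24
EOF
}

# gen_rules RANGES_FILE: print iptables commands, one per line, for the CIDRs in RANGES_FILE.
# A dedicated chain keeps the allow-list refreshable without touching the rest of INPUT.
gen_rules() {
    local ranges="$1" cidr
    echo "iptables -N WAF_ONLY"
    echo "iptables -F WAF_ONLY"
    # Only the web ports go through the chain; SSH etc. keep whatever policy already applies.
    echo "iptables -A INPUT -p tcp -m multiport --dports 80,443 -j WAF_ONLY"
    while IFS= read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac   # skip blanks and comments
        echo "iptables -A WAF_ONLY -s $cidr -j ACCEPT"
    done < "$ranges"
    echo "iptables -A WAF_ONLY -j DROP"             # everything not from the proxy is dropped
}

# count_allow RANGES_FILE: number of ACCEPT rules gen_rules would emit. Sanity-check this
# before applying: an empty or mis-fetched list would lock out the WAF as well.
count_allow() {
    gen_rules "$1" | grep -- '-j ACCEPT' | wc -l | tr -d ' '
}

# verify_closed DOMAIN ORIGIN_IP: run from a host outside the proxy ranges after applying the
# rules. --resolve sends a correct Host/SNI to the bare origin IP, exactly as a bypass would;
# success means the origin still answers directly and the rules are not in effect.
verify_closed() {
    local domain="$1" ip="$2"
    if curl -sk -m 5 --resolve "$domain:443:$ip" -o /dev/null "https://$domain/"; then
        echo "OPEN: $ip still answers for $domain"; return 1
    fi
    echo "closed: $ip does not answer for $domain"
}

# usage: bash waf_only.sh ranges.txt            (prints the rules; pipe into sh to apply)
#        bash waf_only.sh --verify example.com 203.0.113.10
if [ "${1:-}" = "--verify" ] && [ $# -eq 3 ]; then
    verify_closed "$2" "$3"
elif [ $# -eq 1 ]; then
    [ "$(count_allow "$1")" -gt 0 ] || { echo "refusing: no ranges in $1" >&2; exit 1; }
    gen_rules "$1"
fi
```

Filtering by source range only proves the request came from the proxy's network, not that it came from your own zone on that proxy; where the vendor offers a per-request origin check (Cloudflare's Authenticated Origin Pulls, a client-certificate check on the origin), combine it with the allow-list.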

For who is this script?

This script is handy for:

  • Security auditors
  • Web administrators
  • Bug bounty hunters
  • Blackhatters I guess ¯\_(ツ)_/¯

Web services used in this script

The following services are used:

FAQ

Why in Bash and not in Python?

It started out as a few curl one-liners, became a bash script, the code was extended more and more, and the regret of not using Python grew accordingly.

I find more subdomains with my own tools?

I know. I cannot expect everyone to install all these DNS brute-force and enumeration tools. In addition, I don't know beforehand in which folder these tools are placed or under which alias they are called. You can still provide your own list with -l, so you can feed the output of those subdomain tools into this one. Expected input is one fully qualified subdomain per line.

Author

Project Creator

Vincent Cox

Tags

WAF bypass
Web Application Firewall bypass
DNS History
find direct/origin IP website
