Nmapping hosts behind Cloudflare's service

Lately I've noticed a lot of hosts moving behind Cloudflare's service, and I don't blame them: I've tried it and loved it. But what happens when you scan one of these hosts?

# nmap -sV -sS -F <target>
Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2011-11-03 00:15 PDT
Nmap scan report for <target> (<target's ip>)
Host is up (0.0069s latency).
Other addresses for <target> (not scanned): <another ip>
rDNS record for <target's ip>: <host>.cloudflare.com
Not shown: 98 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http?
443/tcp closed https
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

[FINGERPRINT POSTED IN PASTEBIN FOR CLARITY:

http://pastebin.com/632RV8TA  ]

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.17 seconds


Not much information there. The rDNS record already tells us that this address belongs to Cloudflare's edge, not to the origin, and from the fingerprint we can see that Cloudflare intercepted our probes and sent us to its challenge page, where we failed miserably. Scanning the proxy's IP tells us nothing about the server that actually hosts the site.

Let's use dns-brute to check whether the system administrator left Cloudflare's default DNS name "direct" pointing at the real IP address. That record bypasses the proxy entirely, so if it is left in place anyone who can guess the name gets the same bypass.

# nmap --script dns-brute -sn <target>

Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2011-11-03 00:32 PDT
Nmap scan report for <target> (<ipA>)
Host is up (0.0069s latency).
Other addresses for <target> (not scanned): <ipB>

Host script results:
| dns-brute:
|   DNS Brute-force hostnames
|     www.<target> - <ipA>
|     www.<target> - <ipB>
|     direct.<target> - XXX.XXX.XXX.XXX

Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds

It seems like he did: the hostname direct.<target> points to the real IP address. Usually you will also see other DNS entries such as 'mail' or 'ftp' pointing to the same IP, a good indicator that this is the address we want (mail and FTP do not go through Cloudflare's HTTP proxy, so those records have to name the origin or another directly reachable host). Before going further it is worth confirming that the candidate really is the origin: request the site from that IP with the Host header set to <target> and check that you get the same application Cloudflare serves rather than a default virtual host. Let's scan this IP to see what services are running.

Nmap scan report for 
Host is up (0.030s latency).
Not shown: 988 closed ports
PORT     STATE    SERVICE              VERSION
21/tcp   open     ftp                  ProFTPD 1.3.1
22/tcp   open     ssh                  OpenSSH 5.1p1 Debian 5 (protocol 2.0)
25/tcp   open     smtp                 Postfix smtpd
53/tcp   open     domain               ISC BIND 9.6-ESV-R4
80/tcp   open     http                 nginx 0.7.67
110/tcp  open     pop3                 Dovecot pop3d
111/tcp  open     rpcbind (rpcbind V2) 2 (rpc #100000)
143/tcp  open     imap                 Dovecot imapd
2049/tcp open     nfs (nfs V2-4)       2-4 (rpc #100003)

Bingo. The origin answers directly, with FTP, SSH, mail, DNS, rpcbind and NFS exposed to the whole Internet, none of which Cloudflare ever sees. On the defensive side the fix is to delete the 'direct' record (and any other entry that names the origin) and to firewall the origin so that only Cloudflare's published address ranges can reach the web ports.
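The filtering step above (look at what dns-brute returned, throw away everything that still resolves to Cloudflare, and prefer an address that several hostnames share) can be automated. The following is an added example, not code from the original post: it parses dns-brute output, drops any address inside a snapshot of Cloudflare's published ranges (refresh that list from https://www.cloudflare.com/ips-v4 and ips-v6 before relying on it), and ranks the remaining addresses by how many hostnames point at them. The sample output is constructed for the example and uses RFC 5737 documentation addresses; the hostnames under example.com are placeholders.

```python
"""Pick origin-IP candidates out of Nmap dns-brute output (added example)."""
import ipaddress
import re
from collections import defaultdict

# Snapshot of Cloudflare's published ranges (assumption: current at the time of
# writing; refresh from https://www.cloudflare.com/ips-v4 and ips-v6).  Any
# address outside these is not being proxied and may be the real origin.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    # IPv4
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    # IPv6
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

# Constructed sample modelled on the dns-brute output in the post.  The
# addresses are documentation ranges (RFC 5737) plus one Cloudflare IPv6.
SAMPLE_OUTPUT = """\
Host script results:
| dns-brute:
|   DNS Brute-force hostnames
|     www.example.com - 104.16.1.1
|     www.example.com - 104.16.2.2
|     direct.example.com - 203.0.113.10
|     mail.example.com - 203.0.113.10
|     ftp.example.com - 203.0.113.10
|     dev.example.com - 198.51.100.7
|_    ipv6.example.com - 2606:4700::1
"""

# One result line: "|     host - address" (the last line starts with "|_").
LINE_RE = re.compile(r"^\|_?\s+(\S+)\s+-\s+(\S+)\s*$")


def is_cloudflare(ip):
    """True if the address falls inside one of Cloudflare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def parse_dns_brute(text):
    """Return (hostname, address) pairs from dns-brute's script output."""
    pairs = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        host, ip = match.groups()
        try:
            ipaddress.ip_address(ip)  # skip anything that is not an address
        except ValueError:
            continue
        pairs.append((host, ip))
    return pairs


def origin_candidates(text):
    """Non-Cloudflare addresses with the hostnames naming them.

    Sorted so that the address shared by the most hostnames (the 'direct',
    'mail' and 'ftp' pattern from the post) comes first.
    """
    hosts_by_ip = defaultdict(set)
    for host, ip in parse_dns_brute(text):
        if not is_cloudflare(ip):
            hosts_by_ip[ip].add(host)
    return sorted(((ip, sorted(hosts)) for ip, hosts in hosts_by_ip.items()),
                  key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for ip, hosts in origin_candidates(SAMPLE_OUTPUT):
        print(f"{ip:<16} {len(hosts)} hostname(s): {', '.join(hosts)}")
```

Feed it the raw output of `nmap --script dns-brute -sn <target>`; the first address printed is the one to hand to `nmap -sV`, after the Host-header check described above.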

calderpwn

Infosec consultant | Software dev | Open Source contributor | Speaker
