Lately I’ve noticed a lot of hosts moving to Cloudflare’s service, and I don’t blame them: I’ve tried it and loved it. But what happens when you scan one of these hosts?
# nmap -sV -sS -F <target>

Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2011-11-03 00:15 PDT
Nmap scan report for <target> (<target's ip>)
Host is up (0.0069s latency).
Other addresses for <target> (not scanned): <another ip>
rDNS record for <target's ip>: <host>.cloudflare.com
Not shown: 98 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http?
443/tcp closed https
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

[FINGERPRINT POSTED IN PASTEBIN FOR CLARITY:

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.17 seconds
Not much information there. From the fingerprint we can see that Cloudflare actually blocked us and sent us to its challenge page, where we failed miserably.

Let’s use dns-brute to check whether the system administrator left Cloudflare’s default DNS name “direct” pointing to his real IP address.
# nmap --script dns-brute -sn <target>

Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2011-11-03 00:32 PDT
Nmap scan report for <target> (<ipA>)
Host is up (0.0069s latency).
Other addresses for <target> (not scanned): <ipB>
Host script results:
| dns-brute:
|   DNS Brute-force hostnames
|     www.<target> - <ipA>
|     www.<target> - <ipB>
|     direct.<target> - XXX.XXX.XXX.XXX
Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
It seems like he did. The hostname direct.<target> points to the real IP address. Usually you will also see other DNS entries like ‘mail’ or ‘ftp’ pointing to the same IP, a good indicator that this is the IP we want. Let’s scan this IP to see what services are running.
Nmap scan report for
Host is up (0.030s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     ProFTPD 1.3.1
22/tcp   open  ssh     OpenSSH 5.1p1 Debian 5 (protocol 2.0)
25/tcp   open  smtp    Postfix smtpd
53/tcp   open  domain  ISC BIND 9.6-ESV-R4
80/tcp   open  http    nginx 0.7.67
110/tcp  open  pop3    Dovecot pop3d
111/tcp  open  rpcbind (rpcbind V2) 2 (rpc #100000)
143/tcp  open  imap    Dovecot imapd
2049/tcp open  nfs     (nfs V2-4) 2-4 (rpc #100003)
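The leak above is easy to catch from the owner's side before anyone runs dns-brute: every A/AAAA record in the zone should resolve into Cloudflare's published edge prefixes, and any record that does not (the leftover "direct" name, or "mail"/"ftp" pointing straight at the box) is handing out the origin address. The audit below is an added example, not code from the original post; it assumes a BIND-style zone export as input, a constructed sample zone for example.com, and a snapshot of Cloudflare's prefix list copied from https://www.cloudflare.com/ips/ (refresh that list before relying on it).

```python
import ipaddress

# Snapshot of Cloudflare's published edge prefixes (assumption: copied from
# https://www.cloudflare.com/ips/ at time of writing; refresh before relying on it).
CLOUDFLARE_PREFIXES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(p) for p in CLOUDFLARE_PREFIXES]


def is_cloudflare(ip):
    """True if the address falls inside one of the snapshot prefixes."""
    addr = ipaddress.ip_address(ip)
    # 'in' returns False (not an error) when address and network versions differ,
    # so a v6 address is simply not matched against v4 prefixes.
    return any(addr in net for net in CLOUDFLARE_NETS)


def parse_zone(zone_text, domain):
    """Collect A/AAAA records from a BIND-style zone export into {fqdn: [ip, ...]}."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        # Skip the owner name when looking for the record type, so an owner
        # literally called "A" cannot be mistaken for the type.
        rtype = next((t for t in tokens[1:] if t in ("A", "AAAA")), None)
        if rtype is None:
            continue  # SOA, NS, MX, CNAME, TXT etc. are not address records
        ip = tokens[tokens.index(rtype) + 1]
        owner = tokens[0]
        if owner == "@":
            fqdn = domain
        elif owner.endswith("."):
            fqdn = owner.rstrip(".")  # already fully qualified
        else:
            fqdn = f"{owner}.{domain}"
        records.setdefault(fqdn, []).append(ip)
    return records


def audit_records(records):
    """Group every hostname whose address is outside Cloudflare by that address."""
    exposed = {}
    for fqdn, ips in records.items():
        for ip in ips:
            if not is_cloudflare(ip):
                exposed.setdefault(ip, []).append(fqdn)
    return {ip: sorted(hosts) for ip, hosts in exposed.items()}


def find_origin_leaks(zone_text, domain):
    """Return {origin_ip: [hostnames]} for every record that bypasses the proxy."""
    return audit_records(parse_zone(zone_text, domain))


# Constructed sample zone mirroring the post: apex and www are proxied, while the
# leftover 'direct' record plus 'mail' and 'ftp' all share one real address.
SAMPLE_ZONE = """
; constructed example, not a real zone
@        IN A     104.16.1.1
www      IN A     104.16.1.1
www      IN AAAA  2606:4700::1
direct   IN A     203.0.113.10
mail     3600 IN A 203.0.113.10
ftp      IN A     203.0.113.10
"""

if __name__ == "__main__":
    for ip, hosts in find_origin_leaks(SAMPLE_ZONE, "example.com").items():
        print(f"{ip} exposed via: {', '.join(hosts)}")
```

Run against the sample, the audit reports 203.0.113.10 exposed via direct, ftp and mail. Every hit is either a record to delete (the unused "direct" name) or a service that needs to live somewhere other than the web origin; and since the final scan above shows far more than port 80 reachable on the real host, the origin's firewall should in any case only accept web traffic from Cloudflare's prefixes, so that knowing the address buys an attacker nothing.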