Bypass Cloudflare IP [Get Real IP Address]


Today I am going to share a few methods I have been using to find the real IP behind Cloudflare. We are going to discuss 4 different methods here.
1-DNS Records And Ping.
For this method we are going to use emillionforum.com as an example.
Code:
emillionforum.com
Using Multiple IP's: 173.245.60.62, 173.245.60.157
Let us scan this site on network-tools.com.
Code:
IP address: 173.245.60.157
Host name: emillionforum.com
Alias: emillionforum.com
173.245.60.157 is from United States (US) in region North America

TraceRoute to 173.245.60.157 [emillionforum.com]
Hop    (ms)    (ms)    (ms)    IP Address        Host name
1      35      0       0       206.123.64.42     -
2      113     124     68      64.124.196.225    xe-4-2-0.er2.dfw2.us.above.net
3      4       3       2       206.223.118.61    equinix.tge9-3.ar1.dfw1.us.nlayer.net
4      0       0       1       69.31.63.182      as13335.xe-4-0-5.ar1.dfw1.us.nlayer.net
5      1       1       2       173.245.60.157    cf-173-245-60-157.cloudflare.com
Trace complete

Retrieving DNS records for emillionforum.com...
DNS servers
hank.ns.cloudflare.com [173.245.59.116]
ruth.ns.cloudflare.com [173.245.58.143]

Answer records
emillionforum.com    NS     hank.ns.cloudflare.com    86400s
emillionforum.com    TXT    v=spf1 a mx include:websitewelcome.com ~all    300s
emillionforum.com    A      173.245.60.157    300s
emillionforum.com    SOA
    server:         hank.ns.cloudflare.com
    email:          dns@cloudflare.com
    serial:         2012031313
    refresh:        10000
    retry:          2400
    expire:         604800
    minimum ttl:    3600
    86400s
emillionforum.com    NS     ruth.ns.cloudflare.com    86400s
emillionforum.com    A      173.245.60.62    300s
emillionforum.com    MX
    preference:     0
    exchange:       direct-connect.emillionforum.com
    300s

Authority records

Additional records
direct-connect.emillionforum.com    A    174.120.63.195    300s
Through this scan we found a subdomain of emillionforum.com: the MX record points at it, and its A record appears in the additional records.
Code:
subdomain: direct-connect.emillionforum.com
Let's ping it and see what happens.
Code:
Pinging direct-connect.emillionforum.com [174.120.63.195] with 32 bytes of data:
Reply from 174.120.63.195: bytes=32 time=367ms TTL=44
Reply from 174.120.63.195: bytes=32 time=367ms TTL=44
Reply from 174.120.63.195: bytes=32 time=365ms TTL=44
Reply from 174.120.63.195: bytes=32 time=364ms TTL=44
Ping statistics for 174.120.63.195:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 364ms, Maximum = 367ms, Average = 365ms
So now we have another IP:
Quote: 174.120.63.195
Let's run a reverse IP lookup on this address and see where it leads us.
Code:
Found 21 domains hosted on the same web server as 174.120.63.195.
We can see that emillionforum.com is located on this IP. This is the real IP of emillionforum.com.
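The leak in method 1 comes from a DNS record (here the MX target) that resolves outside Cloudflare's address space. A site owner can audit their own zone for such records; the script below is an added example, not part of the original post, run over a constructed zone export built from the scan above. The range list is a partial snapshot of Cloudflare's published IPv4 ranges, and the function names are hypothetical.

```python
import ipaddress

# Partial snapshot of Cloudflare's published IPv4 ranges (assumption:
# refresh the full list from https://www.cloudflare.com/ips/ before use).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "104.16.0.0/13", "172.64.0.0/13",
)]

# Constructed zone export: the A and MX records from the scan above,
# one "name type value" triple per line.
ZONE = """\
emillionforum.com A 173.245.60.157
emillionforum.com A 173.245.60.62
emillionforum.com MX direct-connect.emillionforum.com
direct-connect.emillionforum.com A 174.120.63.195
"""

def is_proxied(ip):
    """True if the address falls inside one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def parse_zone(text):
    """Parse 'name type value' lines into normalised (name, type, value) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            name, rtype, value = parts
            records.append((name.rstrip(".").lower(), rtype.upper(),
                            value.rstrip(".").lower()))
    return records

def find_exposed(text):
    """Return sorted (name, ip, reason) for A records that bypass the proxy."""
    records = parse_zone(text)
    mx_targets = {value for _, rtype, value in records if rtype == "MX"}
    exposed = []
    for name, rtype, value in records:
        if rtype != "A" or is_proxied(value):
            continue
        reason = "MX target" if name in mx_targets else "unproxied A record"
        exposed.append((name, value, reason))
    return sorted(exposed)

if __name__ == "__main__":
    for name, ip, reason in find_exposed(ZONE):
        print(f"{name} -> {ip} ({reason})")
```

Records it flags are candidates for moving to a separate host or mail provider, and the origin firewall should accept HTTP(S) only from the proxy ranges.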
2-NetCraft Toolbar (Hosting History)
In some cases we can also use the Netcraft toolbar. Here we are going to take ubers.org as an example.
Code:
http://toolbar.netcraft.com/site_report?url=http://www.ubers.org
It will only work if the site is old and has recently changed to Cloudflare. It is meant to show the "Hosting History" of the scanned site.
Code:
Hosting History
Netblock Owner    IP address    OS    Web Server    Last changed
AltusHost Inc.    79.142.78.77    Linux    Apache/2.2.21 Unix mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635    11-Feb-2012
AltusHost Inc.    79.142.78.79    Linux    Apache    19-Jan-2012
AltusHost Inc.    79.142.78.79    Linux    Apache/2.2.21 Unix mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.5 Perl/v5.8.8    7-Jan-2012
AltusHost Inc.    31.3.153.133    Linux    Apache/2.2.21 Unix mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.3.8    3-Jan-2012
AltusHost Inc.    31.3.153.133    Linux    Apache/2.2.21 Unix mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.3.8    23-Dec-2011
AltusHost Inc.    128.127.110.38    Linux    LiteSpeed    19-Dec-2011
AltusHost Inc.    128.127.110.38    Linux    LiteSpeed    2-Dec-2011
3- Using Fierce v0.9.9
We can also use the Fierce v0.9.9 Perl script. It won't work every time, but it is worth trying. For more details please check this thread.
Code:
https://blackhats.net/0x0/showthread.php?tid=406&pid=1489#pid1489
4-Nmaping-Hosts
This method I came across while searching, but I didn't test it personally.
For more details read this thread.
Code:
http://calderonpale.com/blog/nmaping-hosts-behind-cloudflares-service
I hope you enjoyed reading it.
