Finding the Origin IP Address of Websites Behind WAFs

Vedant Yaduvanshi
4 min readDec 30, 2024


Hacking 101: Finding the real IP Address of Websites Behind WAFs

Knowing the origin IP address of a website can provide a significant advantage during penetration testing: a WAF or CDN such as Cloudflare only inspects traffic that passes through its proxy, so if the origin server accepts connections from anywhere instead of only from the proxy's published ranges, a request sent straight to that IP bypasses the WAF entirely. In this article I will share a few effective methods you can add to your methodology to find the IP addresses of websites protected by WAFs.

Finding the IP address behind WAF protection is often a trial-and-error process. Keep testing the IPs you uncover during your search: send each one a request with the Host header (and the TLS SNI) set to the target domain and compare the response with the one served through the WAF. With persistence, you may eventually hit the origin IP.
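The check described above, as an added example that is not part of the original article: every candidate IP is probed directly with SNI and Host set to the target domain, and the response is compared with the WAF-fronted baseline. A direct answer that still carries a proxy header such as cf-ray is an edge node, an identical body is the origin, and a same-status body of about the same size is a likely origin that a dynamic page changed slightly. example.com, the header list and the responses in the comments are constructed placeholders.

```python
"""Probe candidate origin IPs directly and compare them with the WAF-fronted
baseline. Added example, not from the original article; example.com, the
candidate addresses and EDGE_HEADERS are constructed/assumed."""
import hashlib
import http.client
import socket
import ssl

# Response headers that identify well-known reverse-proxy/WAF edges. If a
# direct request to a candidate still returns one of these, the address is an
# edge node, not the origin. Snapshot of common vendor headers, extend as needed.
EDGE_HEADERS = ("cf-ray", "x-sucuri-id", "x-akamai-transformed", "x-amz-cf-id")


def summarize(status, headers, body):
    """Reduce one HTTP response to the fields worth comparing across probes."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {
        "status": status,
        "server": lower.get("server", "").lower(),
        "edge": any(h in lower for h in EDGE_HEADERS),
        "body_sha256": hashlib.sha256(body).hexdigest(),
        "length": len(body),
    }


def fetch_via(ip, domain, path="/", port=443, timeout=8):
    """Send one HTTPS request to ip, but with SNI and Host set to domain,
    exactly as a browser would talk to the origin if DNS pointed there."""
    ctx = ssl.create_default_context()
    # Origins often present a self-signed or proxy-only certificate. We are
    # fingerprinting the host, not trusting it, so skip verification here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((ip, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=domain)
    conn = http.client.HTTPSConnection(domain, port, timeout=timeout)
    conn.sock = tls  # reuse the socket we already connected to the candidate
    conn.request("GET", path, headers={"Host": domain, "User-Agent": "Mozilla/5.0"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return summarize(resp.status, dict(resp.getheaders()), body)


def classify(candidate, baseline):
    """What a direct probe tells us, given the WAF-fronted baseline."""
    if candidate["edge"]:
        return "edge"             # still behind the proxy, discard this IP
    if candidate["body_sha256"] == baseline["body_sha256"]:
        return "origin"           # identical content served without the proxy
    same_status = candidate["status"] == baseline["status"]
    close_size = abs(candidate["length"] - baseline["length"]) < 0.05 * max(baseline["length"], 1)
    if same_status and close_size:
        return "likely-origin"    # dynamic pages differ a little per request
    return "unrelated"


def probe_all(domain, candidates):
    """Baseline through the proxy (normal resolution), then every candidate."""
    baseline = fetch_via(socket.gethostbyname(domain), domain)
    results = {}
    for ip in candidates:
        try:
            results[ip] = classify(fetch_via(ip, domain), baseline)
        except (OSError, http.client.HTTPException) as exc:  # ssl errors are OSError
            results[ip] = "unreachable: %s" % exc
    return results


if __name__ == "__main__":
    # Network use; run only against a target you are authorized to test.
    print(probe_all("example.com", ["203.0.113.10", "198.51.100.7"]))
```

A "likely-origin" result deserves a second look by hand (compare page titles or a fixed asset such as /robots.txt) before you rely on it; an "unrelated" host that nevertheless serves a certificate for the domain is still worth noting, since the proxy may simply front a different path.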

Always obtain explicit written authorization before conducting any penetration testing or hacking activities on any network or server. You are RESPONSIBLE for your actions.

Ping: Start by pinging the website to see which IP the name resolves to. If that address falls inside a CDN or WAF provider's published ranges (Cloudflare, Akamai and the like), you are looking at the proxy edge rather than the origin, which is how this step also tells you that a WAF is in front of the site. ICMP replies are often filtered, but the resolved address is printed regardless.

ping example.com

Dig: dig (Domain Information Groper) reveals the IP address of a domain by querying DNS records. By default it fetches the A (IPv4) record; ask for AAAA explicitly to see IPv6 addresses. Both map domain names to IP addresses.

dig example.com

DNS reconnaissance: This can sometimes reveal the real IP address of a server even when it is protected by a WAF. Reverse proxies like Cloudflare mask the origin IP only for the hostnames that are proxied, so DNS misconfigurations or overlooked records (a mail, ftp, dev or staging subdomain that was never put behind the proxy, an old A record, a TXT record listing server addresses) can expose it.

Other DNS recon tools automate the enumeration, for example:

dnsrecon -d example.com

Shodan Extension: The Shodan browser plugin tells you where the website is hosted (country, city), who owns the IP and what other services/ports are open. Against a WAF-fronted site it usually reports the proxy's edge IP rather than the origin, but it is still worth mentioning as part of the reconnaissance process.

Shodan Search: You can also search Shodan for hosts that present a TLS certificate for the domain. Shodan filter names are lowercase, so the query is:

ssl.cert.subject.cn:"example.com" 200

An origin that terminates TLS itself (or a staging box with a certificate for the same name) shows up here even though the domain resolves to the proxy. The trailing 200 is a plain-text term that matches "200" in the banner, typically the HTTP 200 status line, which filters out hosts that only have the name in their certificate but serve nothing.

Using Favicon Hash: Obtain the favicon of the website (with a service like The Favicon finder or by downloading /favicon.ico), generate its hash with a Favicon hash generator, then search for the hash on platforms like Shodan or Censys. Shodan's filter is http.favicon.hash:<value>, where the value is the MurmurHash3 (mmh3) of the base64-encoded favicon. Every host serving the same favicon shares that hash, so the search can reveal IP addresses that serve the same site directly, potentially leading you to the origin IP.
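The favicon hash computed the way Shodan indexes it, as an added example rather than code from the original article. The MurmurHash3 x86_32 routine is implemented inline so the script needs no third-party mmh3 package; the SAMPLE_FAVICON bytes are constructed and stand in for a downloaded favicon.ico.

```python
"""Compute the favicon hash Shodan indexes as http.favicon.hash.
Added example, not from the original article. SAMPLE_FAVICON is constructed."""
import base64
import struct

# A few bytes shaped like an ICO header plus filler; constructed, not a real icon.
SAMPLE_FAVICON = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00" + bytes(range(256)) * 4


def murmurhash3_32(data, seed=0):
    """MurmurHash3 x86_32 with the signed 32-bit result mmh3.hash() returns."""
    c1, c2, mask = 0xcc9e2d51, 0x1b873593, 0xffffffff
    h = seed & mask
    n_blocks = len(data) // 4
    for i in range(n_blocks):                     # full 4-byte little-endian blocks
        k = struct.unpack_from("<I", data, i * 4)[0]
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask        # rotl32(k, 15)
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask        # rotl32(h, 13)
        h = (h * 5 + 0xe6546b64) & mask
    tail = data[n_blocks * 4:]                    # 0 to 3 leftover bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    h ^= len(data)                                # finalization (fmix32)
    h ^= h >> 16
    h = (h * 0x85ebca6b) & mask
    h ^= h >> 13
    h = (h * 0xc2b2ae35) & mask
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def favicon_hash(favicon_bytes):
    """Shodan hashes the base64 text of the file as base64.encodebytes emits it
    (76-character lines with a trailing newline), not the raw icon bytes.
    Hashing the raw bytes or a newline-free base64 string gives a different value."""
    return murmurhash3_32(base64.encodebytes(favicon_bytes))


def shodan_query(favicon_bytes):
    """The search string to paste into Shodan for this icon."""
    return "http.favicon.hash:%d" % favicon_hash(favicon_bytes)


if __name__ == "__main__":
    print(shodan_query(SAMPLE_FAVICON))
```

The same number also works in other tools that adopted Shodan's convention, but engines that use their own favicon digest (MD5 of the raw file, for example) need the value recomputed; the base64-with-newlines detail is the usual reason a hand-computed hash returns zero results.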

IP History: You can search for historical IP addresses of a domain. This can help you find the origin IP. You can use ViewDNS.info for this. This data may reveal the real IP address before the domain was protected by a WAF.

SPF Records: You can identify the IP address of a domain by checking its SPF (Sender Policy Framework) record, a TXT record beginning with v=spf1. Its ip4: and ip6: mechanisms list the addresses authorized to send mail for the domain, and on small deployments the mail server is the same machine as the web server, so one of those addresses may be the origin; include: entries point at further records worth following. Tools like MXToolbox allow you to look up SPF records easily, and dig with the TXT record type shows the same data.
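An added example for the DNS reconnaissance and SPF sections above (not code from the original article): it takes records in the (name, type, rdata) form that dig or dnsrecon report, pulls addresses from A/AAAA records and from ip4:/ip6: mechanisms in SPF TXT records, collects MX and include: names that still need resolving, and drops anything inside a known proxy range so that only real origin candidates remain. The RECORDS for example.com are constructed, and CLOUDFLARE_V4 is a snapshot of Cloudflare's published IPv4 list that you should refresh before use.

```python
"""Turn DNS records gathered with dig/dnsrecon into origin candidates.
Added example, not from the original article. RECORDS is constructed data;
CLOUDFLARE_V4 is a snapshot of https://www.cloudflare.com/ips-v4 (refresh it)."""
import ipaddress

CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed records for example.com, shaped like dig/dnsrecon output.
RECORDS = [
    ("example.com.", "A", "104.16.123.96"),        # proxied: inside a Cloudflare range
    ("www.example.com.", "A", "172.64.80.1"),      # proxied
    ("ftp.example.com.", "A", "203.0.113.10"),     # forgotten host, never proxied
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT",
     '"v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 include:_spf.google.com -all"'),
]


def is_cdn(target):
    """True if an address or CIDR lies entirely inside a known proxy range."""
    net = ipaddress.ip_network(target, strict=False)   # "a.b.c.d" becomes a /32
    return any(net.version == cf.version and net.subnet_of(cf) for cf in CLOUDFLARE_V4)


def spf_addresses(txt):
    """Split an SPF record into literal addresses and names still to resolve."""
    if not txt.lower().startswith("v=spf1"):
        return [], []
    ips, names = [], []
    for term in txt.split()[1:]:
        term = term.lstrip("+-~?")                      # qualifiers do not matter here
        if term.startswith(("ip4:", "ip6:")):
            ips.append(term.split(":", 1)[1])           # keeps the colons of an IPv6 literal
        elif term.startswith("include:"):
            names.append(term.split(":", 1)[1])
        elif term in ("a", "mx") or term.startswith(("a:", "mx:")):
            names.append(term)                          # resolve against the domain later
    return ips, names


def harvest(records):
    """Return (origin candidates, names still to resolve) with proxy IPs removed."""
    candidates, names = set(), set()
    for _name, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            if not is_cdn(rdata):
                candidates.add(rdata)
        elif rtype == "MX":
            names.add(rdata.split()[-1].rstrip("."))    # "10 mail.example.com."
        elif rtype == "TXT":
            ips, more = spf_addresses(rdata.strip('"'))
            candidates.update(ip for ip in ips if not is_cdn(ip))
            names.update(more)
    return sorted(candidates), sorted(names)


if __name__ == "__main__":
    found, pending = harvest(RECORDS)
    print("candidates:", found)      # feed these to the direct-probe check
    print("resolve next:", pending)  # look these up and run harvest again
```

The proxied A records vanish and the forgotten ftp host plus the SPF addresses survive; the names in the second list (the MX host and the include: target) get resolved and fed back through the same filter. Only the Cloudflare list is embedded here; add the ranges of whichever proxy the target actually uses.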

SecurityTrails: You can use SecurityTrails to check historical data for a domain. By viewing the historical information, you may be able to find the IP address of the domain before it was protected by a WAF.

Censys Search Engine: Enter the domain name in the search bar and Censys returns the hosts and certificates associated with it, including IP addresses that present a certificate for the domain without sitting behind the proxy.

FOFA Search Engine: FOFA is another powerful search engine that can be used to find IP addresses and other information related to a domain. By entering a domain name into FOFA, you can search for associated IPs.

ZoomEye: Enter the domain name or relevant keyword in the search bar. ZoomEye will return results related to the domain, including associated IP addresses and other exposed services.

This is it for now, though there are many more ways to find IP addresses that we will discuss in upcoming articles. I hope you found this information helpful. Keep in mind that finding an IP address is often a trial-and-error game, so don’t hesitate to keep trying the IPs you discover during the process.

If you have more unique ways to find IP addresses, kindly let me know in the comments. Thank You



Written by Vedant Yaduvanshi

Breaking into systems , fixing them, then acting like I didn’t just save the day | Cybersecurity | OSINT | Cyber Forensics |
