Friday, December 06, 2013

HOWTO : NoCloudAllowed on Kali Linux

Cloudflare is designed to protect websites against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. It acts as a reverse proxy, so the real IP addresses of the websites behind it are hidden. It also acts as a Web Application Firewall (WAF) for the websites behind its service.

However, there are a number of ways to bypass this protection. Since FTP services cannot be protected by Cloudflare, the ftp sub-domain of a website can be disclosed with the penetration testing tool Fierce Domain Scan (fierce.pl). There may be other services that Cloudflare cannot protect too.

Another way is to use NetCraft.com to find the IP address history of the website. Why does it work? Some websites had been published for a while before they started using the Cloudflare service, and their IP addresses were archived by NetCraft.com. The method works when the IP address of the website has not been changed since, or the SysAdmin overlooked it.

The methods above were mentioned in my previous article.

What if there is no FTP service and no IP address history at NetCraft.com? Should we panic? Be patient! Allison Nixon found a way to overcome this problem. She gave a presentation at BlackHat 2013 titled Denying Service to DDoS Protection Services.

She (together with her team) developed a tool, NoCloudAllowed. How does it work? The tool compares the content served by each address in a range of IP addresses with the content of the origin website in order to find the real IP address of the origin website. The tool is written in Perl.

Now, I will show you how to install it on Kali Linux.

Step 1 :

Install String::Compare from the CPAN shell (the install commands are typed inside the shell):

perl -MCPAN -e 'shell'
install ExtUtils::MakeMaker
install String::Compare
exit


Step 2 :

Download nocloudallowed.pl.

wget http://nocloudallowed.com/nocloudallowed.pl



Type the following for “help” :

perl nocloudallowed.pl --help

Step 3 :

As shown in the BlackHat 2013 video, the website NoCloudAllowed.com is protected by Cloudflare and has no previous IP address history at NetCraft.com.

Let's ping the website to see its IP address:

ping nocloudallowed.com
PING nocloudallowed.com (199.83.134.211) 56(84) bytes of data.
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=1 ttl=128 time=818 ms
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=2 ttl=128 time=262 ms
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=3 ttl=128 time=274 ms
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=4 ttl=128 time=502 ms
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=5 ttl=128 time=264 ms
^C
--- nocloudallowed.com ping statistics ---
6 packets transmitted, 5 received, 16% packet loss, time 6209ms
rtt min/avg/max/mdev = 262.464/424.601/818.947/217.222 ms

ping www.nocloudallowed.com
PING 2ruek.x.incapdns.net (103.28.248.171) 56(84) bytes of data.
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=1 ttl=128 time=1433 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=2 ttl=128 time=450 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=3 ttl=128 time=278 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=4 ttl=128 time=472 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=5 ttl=128 time=495 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=6 ttl=128 time=519 ms
^C
--- 2ruek.x.incapdns.net ping statistics ---
7 packets transmitted, 6 received, 14% packet loss, time 6009ms
rtt min/avg/max/mdev = 278.957/608.262/1433.255/377.086 ms, pipe 2


The result is that we got two different IP addresses: 199.83.134.211 and 103.28.248.171.

Step 4 :

There are two ways to use nocloudallowed.pl: "string matching" and "page percentage matching". Since the real IP address of nocloudallowed.com is 54.226.206.170, we limited the IP range to 54.226.206.0-54.226.206.255 for the demo.

In realistic cases, the IP range may span from 1.0.0.1 to 255.255.255.255, and it will take much longer to get the result, as you would expect.

String matching :

perl nocloudallowed.pl -u http://www.nocloudallowed.com/ -i 54.226.206.0-54.226.206.255 -s @nixonnixoff

54.226.206.170 matched string


*** We selected a unique string, @nixonnixoff, from the front page of www.nocloudallowed.com for the matching purpose.

Page percentage matching :

perl nocloudallowed.pl -u http://www.nocloudallowed.com/ -i 54.226.206.0-54.226.206.255

54.226.206.46 is a 4.28008963583708% match
54.226.206.8 is a 4.97538454727825% match
54.226.206.96 is a 6.4580555778227% match
54.226.206.170 is a 76.6947984574021% match
54.226.206.178 is a 2.6906293003467% match
54.226.206.153 is a 13.6152088933292% match
54.226.206.196 is a 5.90278413052861% match
54.226.206.219 is a 6.97554375390092% match
54.226.206.149 is a 1.88944750445606% match
54.226.206.254 is a 3.71636207826023% match
54.226.206.252 is a 5.23038802551876% match
54.226.206.248 is a 9.19859919167773% match
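The scan only works because the origin answers requests that did not come through the proxy; the fix is to allow only the proxy's published address ranges at the origin firewall. Until that is in place, the following added script (my own example, not part of this post or of the NoCloudAllowed project) audits an origin access log for requests that arrived from outside those ranges, which is how a range scan like the one above shows up on the origin side. PROXY_RANGES and the log lines are constructed placeholders, not Cloudflare's real list or a real server's log.

```python
import ipaddress
import re

# Constructed sample ranges standing in for the proxy provider's published
# egress ranges (placeholders, not the real Cloudflare list).
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Apache/nginx "combined" log format: client IP, identity, user, timestamp,
# request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def is_proxy_ip(ip: str) -> bool:
    """True if the client address belongs to one of the proxy's ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PROXY_RANGES)

def find_direct_hits(lines: list) -> list:
    """Return parsed entries whose client address bypassed the proxy.

    A request that reaches the origin from outside PROXY_RANGES did not pass
    through the CDN. A burst of such requests for '/' from one address is what
    a range scan like nocloudallowed.pl looks like from the origin's side.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole audit
        if not is_proxy_ip(m.group("ip")):
            hits.append(m.groupdict())
    return hits

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Dec/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Dec/2013:10:00:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [06/Dec/2013:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [06/Dec/2013:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for h in find_direct_hits(SAMPLE_LOG):
        print(f'{h["ip"]} reached the origin directly: {h["req"]}')
```

Any address this reports is proof that the origin is reachable without the proxy; once the firewall rule is in place the report should be empty.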


The conclusion is that Cloudflare cannot protect your website as expected.

That’s all! See you.