Sunday, September 15, 2019

Yet Another Way Of NoCloudAllowed

There are many reason to find the origin IP address of a web server. For example, to bypass cloud based DDoS protection services, to locate all the load balance servers and etc. There are a lot of methods in the net to do so as long as the cloud based serivce is misconfigured.

The most stupid way to find the origin IP address of a web server is by scanning all IP addresses in that city or service provider. It is a time consuming method and is very low efficiency. However, it is the most possible way to find the origin IP address.

In 2013, Ms Allison Nixon of Integralis gave a speech at BlackHat USA 2013 conference to introduce this method. She prepared a perl script for the PoC, namely NoCloudAllowed. The talk is at the following video.



Since her site has been down for years, the perl script is no longer available now. Her idea is presented in Python way again by Samiux in 2015 and it is modified recently (2019). It is an open source project namely Chameleon.

Chameleon simpified the idea of Allison's. It only search for a string to see if the front page in that IP address is containing or not. Chameleon scans 170,000 IP addresses in about 45 minutes with less computer resources.

However, if the site is not pointed to the root directory of the server or the site is not allowed to be accessed by IP address url, Chameleon cannot find it out. The most headache thing is that you need to guess what the origin IP address is situated in what IP range.

Reference

BlackHat 2013 - Denying Service to DDoS Protection Services
Chameleon 变色龙 - Website IP Address Seeker

That's all! See you.