324855faab7035ad2c6f36f9344607e4

Let’s fuck waf using Origin IP: My approach on censys

by
with 5 comments
Bug Bounty
Hello amazing hacker, I am Deepak Dhiman a.k.a Virdoex_hunter from India. I hope you are doing well. I am a bug bounty hunter. So many people ask me how I use censys to find origin IP behind proxy waf such as akamai,cloudflare. So don’t waste time let’s start this. If you don’t understand anything and want a detailed video on it please let me know via comments I will try to make it on my youtube. Vegeta's pride quote" Art Board Print by CasperN | Redbubble So their are two methods you can use censys for origin IP:
  •  The hardest way(but little time saver)
  •  The easiest way( like a bluff that works).
First start with the hardest way a little time saver but need to do lots of stuff. THE HARDEST WAY: 10 Awesome Dragon Ball Z Quotes • The Awesome One STEPS 1:
  •  Login to censys and go the censys search page choose certificates and in certificates search your target like this.
  •  Now open any certificate and in right you find Explore hover on it and click on hosts.
  •  Now in hosts copy every IP you found and try to open that in new tab.
Try Every certificate on and open hosts and try the same process and this is the hardest way.  
EASY WAY : You wanna play Bluff I liked it.
  Vegeta Quotes Wallpapers - Top Free Vegeta Quotes Backgrounds - WallpaperAccess
  •  Login and this time put your target in hosts.
  •  Now choose other service Autonomous System rather then Cloudflare or Akamai .
  • Try every IP in new tab and check autonomous IP but make sure cert.CN:must be target.com not anything else and also the target.com must to have in cert.CN: not in http.body or something else.
LET’s make bluff a winning game
  •  So now you have IP that works and belong to target now how to make sure which domain it pointed too and either that domain is behind any WAF.
  • grep all subdomain, resolve them using httpx or install multi url opener extension and shodan.io extension in browser.
  •  Paste all the urls and try to figure which clones or look like the ip url (front end) and if you find than on that domain tap on shodan extension to look wheather it is behind cloudflare or not like this.
  • If yes than congratulation you find IP behind waf.
  Exploitation:
  •  Dirsearch
  •  Port scan
  •  test like the domain such as rate limit,xss ,2 fa bypass , password reset poisoning etc etc.
If you like please let me know by sharing it using your social media. Thanks Regards, Deepak Dhiman Bounty I have made till now using this > $$$$    

If you like my work you can do support me by buying me a coffee.

Buy Me a Coffee
Tags: No tags

5 Responses

Add a Comment

Your email address will not be published. Required fields are marked *