What's it? • Features • Background • Installation • Usage • Running cf-hero • ZoomEye (Sponsor) • To Do

CF-Hero is a reconnaissance tool developed to discover the real (origin) IP addresses of web applications protected by Cloudflare. It gathers intelligence from multiple sources using several different methods.
The tool analyzes data from these sources to build a list of candidate origin IP addresses for a Cloudflare-protected target, then validates each candidate by connecting to it directly and comparing its response with the target's, which keeps false positives to a minimum.
A simple flowchart of the tool, as a text outline:

1. Domain -> check its A records.
2. Is it behind Cloudflare?
   - NO -> finish.
   - YES -> check the domain from various sources:
     - Historical DNS records: SecurityTrails, Completedns
     - Current DNS records: TXT, A
     - OSINT: ZoomEye, Shodan, Censys
     - Sub/domains: (sub)domains used by the same company
3. Establish direct HTTP connections to each discovered IP address.
4. Compare the HTML title with the target's title.
5. Are they the same?
   - YES -> real IP found -> finish.
   - NO -> finish.
- Smart colouring
- Third-party intelligence
- Reverse IP lookup for associated domains
Advanced Features
Let's take a look at a use case involving misconfigured DNS settings.
As you can see below, a regular DNS query returns the IP addresses of the domain. For example, musana.net is behind Cloudflare (CF), but sometimes a domain has multiple A records, and some of them may not belong to CF's address ranges; those are direct pointers to the origin. (This DNS output is merely an illustrative example and may not represent the exact DNS answer for musana.net.)
```
;; ANSWER SECTION:
musana.net. 300 IN A 104.16.42.102
musana.net. 300 IN A 104.16.43.102
musana.net. 300 IN A 123.45.67.89 (Real IP exposed)
musana.net. 300 IN A 123.45.76.98 (Real IP exposed)
```
Another case involves TXT records. Sometimes a domain is behind CF, but the real IP of the origin appears in one of its TXT records. CF-Hero fetches all TXT records, extracts every IP address it finds in them, and then tries to connect to each of those IPs directly over HTTP.
Suppose the domain has the TXT records shown below. Among them is an SPF record. Companies that host their own mail server often list its IP addresses in SPF, and that mail host may be the same machine (or the same network) that serves the web application. An SPF address is only a lead, though: a mail server is not necessarily the web origin, which is why every extracted IP is verified with a direct connection before it is reported.
As you can see in the following DNS answer, the SPF record lists several ip4: addresses. CF-Hero checks these too.
```
;; ANSWER SECTION:
musana.net. 115 IN TXT "1password-site-verification=LROK6G5XFJG5NF76TE2FBTABUA"
musana.net. 115 IN TXT "5fG-7tA-G4V"
musana.net. 115 IN TXT "MS=ms16524910"
musana.net. 115 IN TXT "OSSRH-74956"
musana.net. 115 IN TXT "docker-verification=6910d334-a3fc-419c-89ac-57668af5bf0d"
musana.net. 115 IN TXT "docusign=4c6d27bb-572e-4fd4-896c-81bfb0af0aa1"
musana.net. 115 IN TXT "shopify-verification-code=1Ww5VsPpkIf32cJ5PdDHdguRk22K2R"
musana.net. 115 IN TXT "shopify-verification-code=NM243t2faQbaJs8SRFMSEQAc4J9UQf"
musana.net. 115 IN TXT "v=spf1 include:_spf.google.com include:cust-spf.exacttarget.com include:amazonses.com include:mail.zendesk.com include:servers.mcsv.net include:spf.mailjet.com ip4:216.74.162.13 ip4:216.74.162.14 ip4:153.95.95.86 ip4:18.197.36.5 -all"
```
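As an added example (this is illustrative Python, not CF-Hero's own Go code), the script below turns the two DNS cases above, stray A records and ip4:/ip6: tokens in an SPF TXT record, into a candidate list. It parses each token, then drops anything that falls inside Cloudflare's published address ranges, because those are edge addresses rather than the origin. The DNS answers are constructed from the examples above; the Cloudflare range list is a snapshot of https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 that may be stale, so refresh it from those URLs before relying on it. CIDR tokens in SPF (e.g. `ip4:198.51.100.0/28`) are kept as networks so the caller can decide whether to sweep them.

```python
import ipaddress
import re

# Snapshot of Cloudflare's published ranges (cloudflare.com/ips-v4, /ips-v6).
# These change occasionally: refresh from the URLs above before relying on them.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

# Constructed sample: the dig answers shown above as (name, ttl, type, rdata) tuples.
SAMPLE_RECORDS = [
    ("musana.net.", 300, "A", "104.16.42.102"),
    ("musana.net.", 300, "A", "104.16.43.102"),
    ("musana.net.", 300, "A", "123.45.67.89"),
    ("musana.net.", 300, "A", "123.45.76.98"),
    ("musana.net.", 115, "TXT", "MS=ms16524910"),
    ("musana.net.", 115, "TXT", "v=spf1 include:_spf.google.com ip4:216.74.162.13 "
                                "ip4:216.74.162.14 ip4:153.95.95.86 ip4:18.197.36.5 -all"),
]

# ip4:/ip6: mechanisms in an SPF record, with or without a prefix length.
SPF_TOKEN = re.compile(r"\bip[46]:([0-9a-fA-F:.]+(?:/\d{1,3})?)")


def parse_ip_token(token):
    """Return an ip_address (plain host) or ip_network (CIDR) object, or None if not an IP."""
    try:
        if "/" in token:
            return ipaddress.ip_network(token, strict=False)
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def is_cloudflare(obj):
    """True if the address (or the first address of the network) sits in a Cloudflare range.
    Address-in-network tests between IPv4 and IPv6 simply return False, so mixing is safe."""
    if isinstance(obj, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        addr = obj.network_address
    else:
        addr = obj
    return any(addr in net for net in CLOUDFLARE_RANGES)


def extract_ips(records):
    """Pull IPs out of A/AAAA rdata and out of ip4:/ip6: tokens in SPF TXT records."""
    found = []
    for _name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            tokens = [rdata]
        elif rtype == "TXT" and rdata.strip('"').lower().startswith("v=spf1"):
            tokens = SPF_TOKEN.findall(rdata)
        else:
            continue  # verification tokens and other TXT data carry no address
        for tok in tokens:
            obj = parse_ip_token(tok)
            if obj is not None and obj not in found:
                found.append(obj)
    return found


def origin_candidates(records):
    """Return the non-Cloudflare IPs/networks as strings: these are worth a direct probe."""
    return [str(obj) for obj in extract_ips(records) if not is_cloudflare(obj)]


if __name__ == "__main__":
    for candidate in origin_candidates(SAMPLE_RECORDS):
        print("candidate origin:", candidate)
```

Run it as-is and the two 104.16.x.x A records are discarded as Cloudflare edges, while the two remaining A records and the four SPF hosts survive as candidates. None of them is a confirmed origin yet; that is what the direct-connection step that follows is for.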
OSINT is another technique for finding the real IP of a domain that is behind CF. There are many special-purpose search engines; Shodan and Censys are two of them, and they provide detailed technical information about hosts. These engines continuously scan the whole internet, discovering new assets and logging changes to existing ones. When a domain goes online without CF in front of it, their crawlers can record its real IP. If the domain is later moved behind Cloudflare, that old IP can still be found in these search engines. Keep in mind that such a hit is historical: the origin may have moved since, so it still has to be verified with a direct connection.
CF-Hero checks Censys and Shodan too. (Note that these services enforce API quotas, so the number of lookups you can make is limited.)
The other trick is the (sub)domain technique. It doesn't have to be a subdomain; it can be a separate domain as well. The key point is that the domains should belong to the same company.
Say we have two domains: one is behind CF and the other is not. You connect to the IP of the domain that is not behind CF, then set the Host header to the domain that is behind CF. If you get back the response of the application that is behind CF, congratulations, you have bypassed CF and can now reach the web application directly by IP. (Whether this works depends on the origin's configuration: the server reached through the other domain has to route requests for the CF-protected name, as a shared virtual host or reverse proxy would.)
Let's take a closer look:
```
--> TCP --> blog.musana.net  [123.45.67.89] ---> HTTPS ---\
--> TCP --> api.musana.net   [123.67.45.98] ---> HTTPS ----\    ____________________
--> TCP --> test.musana.net  [123.89.44.88] ---> HTTPS ----->  | GET / HTTP/2       |  ====> Check & Compare Responses
--> TCP --> tools.musana.net [123.44.55.66] ---> HTTPS ----/   | Host: musana.net   |
                                                               --------------------
```
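As an added example (illustrative Python, not CF-Hero's own code), the script below implements the verification step that closes the flowchart and the (sub)domain trick in the diagram above: open a TCP connection to a candidate IP, speak TLS with the target domain in SNI, send a GET whose Host header names the CF-protected domain, and compare the page title with the title served through Cloudflare. It uses HTTP/1.1 rather than the HTTP/2 shown in the diagram, since the standard library has no HTTP/2 client; the Host header carries the same meaning. The `probe` function makes a live connection; `verify_candidates` takes an injectable prober so the comparison logic can be exercised offline with constructed responses, as the `__main__` block does with hypothetical IPs and titles.

```python
import html
import http.client
import re
import socket
import ssl

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def extract_title(body):
    """Return the <title> text of an HTML document with whitespace collapsed, or '' if absent."""
    match = TITLE_RE.search(body)
    if not match:
        return ""
    return " ".join(html.unescape(match.group(1)).split())


def titles_match(candidate_title, reference_title):
    """Case-insensitive title comparison. An empty title never matches: a blank page or a
    connection that yielded no HTML is not evidence that we found the origin."""
    return bool(candidate_title) and candidate_title.casefold() == reference_title.casefold()


def probe(ip, host, port=443, timeout=5.0):
    """Connect to `ip` directly, with SNI and Host both set to `host`. Returns (status, title).
    Certificate validation is disabled on purpose: an origin reached by IP often presents a
    certificate that does not chain for `host`, and what matters is the application's answer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((ip, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # SNI carries the target domain
    try:
        request = (
            "GET / HTTP/1.1\r\n"
            f"Host: {host}\r\n"  # the Host header selects the virtual host on the origin
            "User-Agent: cf-hero-example\r\n"
            "Accept: text/html\r\n"
            "Connection: close\r\n\r\n"
        )
        tls.sendall(request.encode("ascii"))
        response = http.client.HTTPResponse(tls, method="GET")
        response.begin()  # parse status line and headers from the raw socket
        body = response.read(256 * 1024).decode("utf-8", errors="replace")
        return response.status, extract_title(body)
    finally:
        tls.close()


def verify_candidates(candidates, host, reference_title, prober=probe):
    """Probe each candidate IP for `host` and keep those whose title equals the reference
    title that was fetched through Cloudflare. `prober` is injectable for offline tests."""
    hits = []
    for ip in candidates:
        try:
            _status, title = prober(ip, host)
        except (OSError, http.client.HTTPException):
            continue  # closed port, handshake failure, reset: not a usable origin
        if titles_match(title, reference_title):
            hits.append(ip)
    return hits


if __name__ == "__main__":
    # Constructed, hypothetical responses so the demo runs offline; real use passes prober=probe.
    fake_responses = {
        "123.45.67.89": (200, "<html><head><title>Musana &amp; Co</title></head></html>"),
        "216.74.162.13": (200, "<title>Welcome to nginx!</title>"),
    }

    def fake_probe(ip, host):
        if ip not in fake_responses:
            raise OSError("connection refused")
        status, body = fake_responses[ip]
        return status, extract_title(body)

    found = verify_candidates(list(fake_responses) + ["10.0.0.1"], "musana.net",
                              "Musana & Co", prober=fake_probe)
    print("origin candidates confirmed by title:", found)
```

For the (sub)domain trick, call `probe("<IP of blog.musana.net>", "musana.net")`: the connection goes to the unprotected host while both SNI and Host ask for the protected one. Title equality is a deliberately weak signal, which is why the tool's own matching is only a first filter: generic titles such as "Welcome to nginx!" or a hosting provider's parking page will match each other across unrelated hosts, so treat a hit as a lead, and add a second check (status code, response length, or a hash of a distinctive body fragment) before calling an IP the origin.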