MCPcopy
hub / github.com/musana/CF-Hero

github.com/musana/CF-Hero @v1.0.4 sqlite

repository ↗ · DeepWiki ↗ · release v1.0.4 ↗
40 symbols 110 edges 7 files 2 documented · 5%
README

CF-Hero

CF-Hero

What's it?FeaturesBackgroundInstallationUsageRunning cf-heroZoomEye (Sponsor)To Do

What's it?

CF-Hero is a comprehensive reconnaissance tool developed to discover the real IP addresses of web applications protected by Cloudflare. It performs multi-source intelligence gathering through various methods.

DNS Reconnaissance

  • Current DNS records (A, TXT)
  • Historical DNS data analysis
  • Associated domain discovery

Intelligence Sources

  • ZoomEye search engine
  • Censys search engine
  • Shodan search engine
  • SecurityTrails historical records
  • Active DNS enumeration
  • Related domain correlation

The tool analyzes data from these sources to identify potential origin IP addresses of Cloudflare-protected targets. It validates findings through response analysis to minimize false positives.

a simple flowchart of the tool


┌──────────┐                                                                                          
│          │        ┌─────────┐                                                                       
│  Domain  │───────►│ Check A │                                                                       
│          │        │ Records │                                                                       
└──────────┘        └────┬────┘                                                                       
                         │                                                                            
      ┌──────────────────┘                                                                            
      │                                                                                               
      ▼                                                                                               
┌────────────┐                                                                                        
│ Is it bend │              YES                                                                       
│  CloudFle  │─────────────────────────────────────────┐                                              
└────────────┘                                         │                                              
      │                                                │                                              
      │                                                │                                              
      │                                                ▼                                              
      │                                   ┌──────────────────────────┐                                
      │                                   │  Check the domain from   │                                
      │                 ┌─────────────────│      various sources     │───────────────────┐            
      │                 │                 └─┬────────────────────────┘                   │            
      │                 │                   │                      │                     │            
      │                 │                   │                      │                     │            
      │                 │                   │                      │                     │            
      │                 ▼                   ▼                      ▼                     ▼            
      │         ┌────────────────┐       ┌─────────────┐        ┌───────────┐      ┌─────────────┐    
      │         │ Historical DNS │       │ Current DNS │      ┌─┤   OSINT   │      │ Sub/domains │    
      │      ┌──│    Records     │     ┌─│   Records   │      │ └───────────┘    ┌─│             │    
      │      │  └────────────────┘     │ └─────────────┘      │   ┌─────────┐    │ └─────────────┘    
      │      │    ┌──────────────┐     │   ┌────────────┐     ├──►│ ZoomEye │    │   ┌─────────────┐  
      │      ├───►│SecurityTrails│     ├──►│ TXT        │     │   └─────────┘    │   │ sub(domains)│  
      │      │    └──────────────┘     │   └────────────┘     │   ┌─────────┐    └──►│ used by the │  
      │      │    ┌──────────────┐     │   ┌────────────┐     ├──►│ Shodan  │        │ same company│  
      │    │ └───►│Completedns   │     └──►│ A          │     │   └─────────┘        └─────────────┘ │
      │    │      └──────────────┘         └────────────┘     │   ┌─────────┐                        │
      │    │                                                  └──►│ Censys  │                        │
      │    │                                                      └─────────┘                        │
      │    │                                                                                         │
      │    │                                                                                         │
      │    └────────────────────────────────────────────┬────────────────────────────────────────────┘
      │                                                 │                                             
   NO │                                                 │                                             
      │                                                 │                                             
      │                                                 │                                             
      │                                                 ▼                                             
      │                               ┌──────────────────────────────────────┐                        
      │                               │ Establish direct HTTP connections to │                        
      │                               │       each discovered IP address     │                        
      │                               └──────────────────────────────────────┘                        
      │                                                 │                                             
      │                                                 │                                             
      │                                                 │                                             
      │                                                 ▼                                             
      │                                   ┌─────────────────────────────┐                             
      │                                   │ Compare the HTML title with │                             
      │                                   │      the target's title     │                             
      │                                   └─────────────────────────────┘                             
      │                                                 │                                             
      │                                                 │                                             
      │                                                 │                                             
      │                                                 ▼                                             
      │                                       ┌─────────────────────┐                                 
      │                                       │                     │       YES                       
      │                                       │ Are they the same ? │─────────────────────┐           
      │                                       │                     │                     │           
      │                                       └─────────────────────┘                     ▼           
      │                                                 │                          ┌───────────────┐  
      │                                                 │NO                        │ Real IP found │  
      │                                                 │                          └───────┬───────┘  
      │                                                 ▼                                  │          
      │                                            ┌──────────┐                            │          
      └───────────────────────────────────────────►│  FINISH  │◄───────────────────────────┘          
                                                   └──────────┘                                       


Feautures

Features

  • DNS Reconnaissance
  • Checks current DNS records (A, TXT)
  • Extracts domains behind Cloudflare
  • Extracts domains not behind Cloudflare
  • User-provided HTML title (in case of CF blocks you)
  • Smart colouring

  • Third-party Intelligence

  • ZoomEye integration
  • Censys integration
  • Shodan integration
  • SecurityTrails integration
  • Reverse IP lookup for associated domains

  • Advanced Features

  • Custom JA3 fingerprint support
  • Concurrent scanning capabilities
  • Standard input support (piping)
  • HTML title comparison for validation
  • Proxy support
  • Custom User-Agent configuration

Background

Current DNS Records

Let's take look at some use-case with misconfigured DNS settings.

As you can see, a regular DNS query returns the IP address of the domain. For example, musana.net is behind Cloudflare (CF), but sometimes the domain has multiple A records, and some of them may not correspond to IP addresses associated with CF. (This DNS output is merely an illustrative example and may not represent the exact DNS answer for musana.net.)

;; ANSWER SECTION:
musana.net. 300 IN  A   104.16.42.102
musana.net. 300 IN  A   104.16.43.102
musana.net. 300 IN  A   123.45.67.89 (Real IP exposed)
musana.net. 300 IN  A   123.45.76.98 (Real IP exposed)

The another case is related to TXT records. Sometimes domain is behind of CF but real IP of the domain may used in TXT records. CF-Hero check all TXT records then extract all IP address finally it try to connect IP which it found via HTTP.

Let's say we have like DNS TXT records. As seen in the TXT records, there is SPF record. Some company can host own mail server and TXT records may contain IP which points to target domain.

As you can see in the following DNS answer SPF record has some IP addresses. Cf-Hero also checks these.

;; ANSWER SECTION:
musana.net. 115 IN  TXT "1password-site-verification=LROK6G5XFJG5NF76TE2FBTABUA"
musana.net. 115 IN  TXT "5fG-7tA-G4V"
musana.net. 115 IN  TXT "MS=ms16524910"
musana.net. 115 IN  TXT "OSSRH-74956"
musana.net. 115 IN  TXT "docker-verification=6910d334-a3fc-419c-89ac-57668af5bf0d"
musana.net. 115 IN  TXT "docusign=4c6d27bb-572e-4fd4-896c-81bfb0af0aa1"
musana.net. 115 IN  TXT "shopify-verification-code=1Ww5VsPpkIf32cJ5PdDHdguRk22K2R"
musana.net. 115 IN  TXT "shopify-verification-code=NM243t2faQbaJs8SRFMSEQAc4J9UQf"
musana.net. 115 IN  TXT "v=spf1 include:_spf.google.com include:cust-spf.exacttarget.com include:amazonses.com include:mail.zendesk.com include:servers.mcsv.net include:spf.mailjet.com ip4:216.74.162.13 ip4:216.74.162.14  ip4:153.95.95.86 ip4:18.197.36.5 -all"


OSINT

OSINT is another technique to find real IP of any domain which is behind of CF. There are lots of special search engine for special purpose. Shodan and Censys are two of these. They provide more detail and technical information. These search engine scan whole internet continously and discover new assets or monitor and log changing in assets. When a domain which is not behind of CF get up, bot of these engine can log Real IP of the domain. After a while if the domain will take behind of cloudflare, their IP can be found using these search engine.

CF-Hero checks censys and shodan too. (Note that when you use these services you have some limit due to API quota.)

(Sub)Domains

The other trick way is (sub)domain technique. Actually It doesn't have to be a subdomain It can be domain as well. The key point is here; domains should belong to same company.

Let's say we have 2 domain. One of them is behind of CF but the otner is not. In this case, you connect to the domain which is not behind of CF then you change host header with domain which is behind of CF. If you get response of application's which is behind of CF, congruculations you bypassed CF. You can access web application from IP directly anymore. (and of course that's also depends on the configuration)

Let's take look at closer

```

--> TCP --> blog.musana.net [123.45.67.89] ---> HTTPs -------------\ \ --> TCP --> api.musana.net [123.67.45.98] ----> HTTPs -----------\ \ \ \ --> TCP --> test.musana.net [123.89.44.88] ---> HTTPs -------------\  \ ___________ --> TCP --> tools.musana.net [123.44.55.66] --> HTTPs -------------> | GET / HTTP/2 | | Host: musana.net | ====> Check & Compare Responses

Core symbols most depended-on inside this repo

ReadAPIKeys
called by 8
internal/config/config.go
compareTitle
called by 6
internal/scanner/scanner.go
IsInCloudflareIPRange
called by 5
internal/dns/dns.go
GetHTMLTitle
called by 4
internal/http/client.go
CheckPort
called by 4
internal/http/client.go
GetARecords
called by 4
internal/dns/dns.go
createGroup
called by 4
internal/config/config.go
ReadFromFile
called by 2
internal/utils/utils.go

Shape

Function 20
Method 14
Struct 6

Languages

Go100%

Modules by API surface

internal/scanner/scanner.go16 symbols
internal/http/client.go7 symbols
pkg/models/models.go5 symbols
internal/utils/utils.go4 symbols
internal/dns/dns.go4 symbols
internal/config/config.go3 symbols
cmd/cf-hero/main.go1 symbols

Dependencies from manifests, versioned

github.com/Danny-Dasilva/CycleTLS/cycletlsv0.0.0-2022062010292 · 1×
github.com/Danny-Dasilva/fhttpv0.0.0-2022052423010 · 1×
github.com/Danny-Dasilva/utlsv0.0.0-2022060402352 · 1×
github.com/Mzack9999/go-http-digest-auth-clientv0.6.1-0.20220414142 · 1×
github.com/andybalholm/brotliv1.0.4 · 1×
github.com/asaskevich/govalidatorv0.0.0-2021030708111 · 1×
github.com/aymerick/douceurv0.2.0 · 1×
github.com/cnf/structhashv0.0.0-2020112715320 · 1×
github.com/dsnet/compressv0.0.1 · 1×
github.com/gammazero/dequev0.2.0 · 1×
github.com/gammazero/workerpoolv1.1.3 · 1×

For agents

$ claude mcp add CF-Hero \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact