hackingbutlegal/gist:4760133

## gistfile1.txt
#!/usr/bin/python
#
# Description: Bypass clouflare and find the real IP
#

import urllib2
import socket
import string
import re
import subprocess
from BeautifulSoup import BeautifulSoup

socket.setdefaulttimeout(3)
dnsmapdir = 'dnsmap'    # Edit to change dnsmap directory

# Used to escape >1 loops at once
class End( Exception ):
    pass

class Bruteforce(object):
    def __init__(self, domain):
        if domain.startswith('www.'):
            domain = re.sub('www.', '', domain)
        self.domain = domain
        self.ips = {}
        self.subs = ['direct', 'direct-connect', 'cpanel', 'admin', 'ftp', 'pop', 'imap', 'mail', 'webmail', 'forum', 'admin', 'portal', 'beta']
        self.tlds = ['.com', '.net', '.info', '.org', '.biz', '.cc', '.ru', '.co.uk', '.us', '.su']

    # Tests for common subdomains which haven't been conigured with CloudFlare
    def fast(self):
        print("\n-- Testing common subdomains for misconfiguration --")
        for sub in self.subs:
            subdomain = sub + '.' + self.domain
            response = dns.nslookup(subdomain)
            if response:    # If subdomain exists
                # Prevent  errors if >1 ip returned for domain
                if type(response) == list:
                    for ip in response:
                        self.ips[subdomain] = ip
                else:
                    self.ips.append(response)

        # Checks if the discovered domains are behind cloudflare
        for domain, ip in self.ips.iteritems():
            if dns.check(ip):
                print(output("%s is hosted at %s" % (domain,ip)))
                if ip not in iplist:
                    iplist.append(ip)

    # Checks common tlds which may have been registered for domain
    def tld(self):
        print("\n-- Testing common tlds --")
        tmp = re.split('\..*', self.domain)    # Removes current tld

        for i in self.tlds:
            testDomain = tmp[0] + i
            response = dns.nslookup(testDomain)
            if response:
                if type(response) == list:    # If >1 ips returned
                    for ip in response:
                        if dns.check(ip):
                            print(output("%s is hosted at %s" % (testDomain, ip)))
                            if ip not in iplist:
                                iplist.append(ip)
                else:
                    if dns.check(ip):
                        print(output("%s is hosted at %s" % (testDomain,ip)))
                        if ip not in iplist:
                            iplist.append(ip)


    def dnsmap(self):
        result = subprocess.check_output([dnsmapdir + '/dnsmap', self.domain])    # Executes dnsmap
        # Formats output
        out = re.split('IP address #.: ', result)
        domain = re.split('\n', out)
        domain = domain[5]    # Stores first domain found
        store = ''    # Stores previous domain name if >1 ip returned
        for i in out:
            if i.startswith('\n'):
                pass
            else:
                ip = re.split('\n', i)
                if ip[0].startswith('dnsmap'):   # Filters out dnsmap messages
                    pass
                else:
                    if dns.check(ip[0]):
                        if ip[0] in iplist:
                            pass
                        else:
                            iplist.append(ip[0])
                        print(output("%s is hosted at %s" % (domain,ip[0])))

                    # Fixes errors when >1 ip returned for 1 subdomain
                    try:
                        if ip[0] == '127.0.0.1':    # prevents errors by dnsmap warning
                            domain = ip[3]
                        else:
                            domain = ip[2]
                    except:
                        domain = ''
                    if domain == '':
                        domain = store
                    else:
                        store = ip[2]


class DnsMisc():
    def __init__(self, domain):
        self.cfip = []
        self.cfip = self.nslookup(domain)

    # Returns ip(s) of a domain
    def nslookup(self, domain):
        try:
            ipaddr = socket.getaddrinfo(domain, 80)
        except:
            ipaddr = ''
        ip = []
        for i in range(0, len(ipaddr)):
            a = ipaddr[i][4][0]    # Extracts ip from returned info
            if a not in ip:
                ip.append(a)
        return ip    # Returns a list with ips

    # Checks ip is not cloudflare ip
    def check(self, ip):
        if ip not in self.cfip and ip != '127.0.0.1':
            return ip


def info(domain):
    print("\n-- Checking for php info() files --")
    # Common php info files
    files = ['info.php', 'php.php', 'phpinfo.php', 'php-info.php', '/']
    for infofile in files:
        url = 'http://%s/%s' % (domain,infofile)
        try:
            response = urllib2.urlopen(url)
            save = response.readlines()
            if "PHP Version" in string.join(save):    # Check if php info file
                for line in save:
                    if "SERVER_ADDR" in line:    # SERVER_ADDR == server ip variable
                        # Extracting server ip :)
                        tmp = re.split('class="v">', line)
                        tmp = re.split('<', tmp[1])
                        ip = tmp[0]
                        print(output("Found ip: %s in phpinfo file: %s" % (ip,infofile)))
                        if ip not in iplist:
                            iplist.append(ip)
        except:
            pass


# Checks dns history of domain
def dnsHistory(domain):
    print("\n-- Checking dns history --")
    url = 'http://toolbar.netcraft.com/site_report?url=' + domain
    try:
  	request = urllib2.urlopen(url)
		html = request.read()
    except:
		html = ''
    soup = BeautifulSoup(''.join(html))
    tables = soup.findAll(attrs={'class': 'TBtable'})
    try:
        table = tables[1]
    except:
        table = ''    # Prevents errors if no history returned
        rows = ''
    if table:
        rows = table.findAll('tr')    # Need to edit out agaun
    x = -1
    try:
        for tr in rows:
            columns = tr.findAll('td')
            for td in columns:
                text = ''.join(td.find(text=True))
                if x%5 == 0:    # Only ip addresses are checked
                    if dns.check(text):    # Finds last ip thats not CloudFlare
                        print(output("The last known ip address is: %s" % text))
                        if text not in iplist:
                            iplist.append(text)
                        raise End    # Breaks from multiple loops
                x+=1
    except End:
        pass
    print("\n#" + "-"*77 + "#")


def verify(ip, directory, keyword):
	try:
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.connect((ip, 80))
		request = "GET " + directory + " HTTP/1.1\r\nHost: " + domain + "\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: None\r\nConnection: keep-alive\nDNT: 1\r\n\r\n"
		s.sendall(request)
		data = s.recv(4096)
		s.close
	except socket.error:
		data = ''
	try:
		server = re.split('Server: ', data)
		server = re.split('\r\n', server[1])
		server = server[0]
	except:
		server = ''
	if 'cloudflare' in server:    # Cloudflare always returns cloudflare in server meta tag
		pass
	else:
		if keyword.lower() in data.lower():
			print(output(domain + " is confirmed at " + ip))


def banner():
	banner = '''

#-------------------------------------|---------------------------------------#
#                           CloudFlare IP Resolver                            #
#-------------------------------------|---------------------------------------#
'''
	print(banner)

banner()
iplist = []    # Stores all retrieved ip addresses
output = lambda out: "[x] " + out    # Makes the output look nice
domain = raw_input("Enter target domain: ")
dns = DnsMisc(domain)    # Saves cloudflare ips for later checking
brute = Bruteforce(domain)    # Prepares domain for bruteforcing

# Attempt to find possible ips
brute.fast()
brute.tld()
info(domain)
dnsHistory(domain)

extra = raw_input("\nWould you like to use dnsmap to find subdomains Y/N: ")
if extra.lower() == 'y':
    print("This may take a while, please be patient")
    brute.dnsmap()

extra = raw_input("\nWould you like to confirm the results Y/N: ")
if extra.lower() == 'y':
	directory = raw_input("Enter a file known to exist (eg /index.php): ")
	if directory.startswith('/'):
		pass
	else:
		directory = '/' + directory
	keyword = raw_input("Enter a keyword only found on the target page: ")
	print("\n-- Confirming results --")
	for ip in iplist:
		verify(ip, directory, keyword)

print("\nFinished! All results must be verified manually")
print("If this script has been unsuccessful find a way to get the target to email you")
print("The server ip will be in the mail header")
	#!/usr/bin/python
	#
	# Description: Bypass clouflare and find the real IP
	#

	import urllib2
	import socket
	import string
	import re
	import subprocess
	from BeautifulSoup import BeautifulSoup

	socket.setdefaulttimeout(3)
	dnsmapdir = 'dnsmap' # Edit to change dnsmap directory

	# Used to escape >1 loops at once
	class End( Exception ):
	pass

	class Bruteforce(object):
	def __init__(self, domain):
	if domain.startswith('www.'):
	domain = re.sub('www.', '', domain)
	self.domain = domain
	self.ips = {}
	self.subs = ['direct', 'direct-connect', 'cpanel', 'admin', 'ftp', 'pop', 'imap', 'mail', 'webmail', 'forum', 'admin', 'portal', 'beta']
	self.tlds = ['.com', '.net', '.info', '.org', '.biz', '.cc', '.ru', '.co.uk', '.us', '.su']

	# Tests for common subdomains which haven't been conigured with CloudFlare
	def fast(self):
	print("\n-- Testing common subdomains for misconfiguration --")
	for sub in self.subs:
	subdomain = sub + '.' + self.domain
	response = dns.nslookup(subdomain)
	if response: # If subdomain exists
	# Prevent errors if >1 ip returned for domain
	if type(response) == list:
	for ip in response:
	self.ips[subdomain] = ip
	else:
	self.ips.append(response)

	# Checks if the discovered domains are behind cloudflare
	for domain, ip in self.ips.iteritems():
	if dns.check(ip):
	print(output("%s is hosted at %s" % (domain,ip)))
	if ip not in iplist:
	iplist.append(ip)

	# Checks common tlds which may have been registered for domain
	def tld(self):
	print("\n-- Testing common tlds --")
	tmp = re.split('\..*', self.domain) # Removes current tld

	for i in self.tlds:
	testDomain = tmp[0] + i
	response = dns.nslookup(testDomain)
	if response:
	if type(response) == list: # If >1 ips returned
	for ip in response:
	if dns.check(ip):
	print(output("%s is hosted at %s" % (testDomain, ip)))
	if ip not in iplist:
	iplist.append(ip)
	else:
	if dns.check(ip):
	print(output("%s is hosted at %s" % (testDomain,ip)))
	if ip not in iplist:
	iplist.append(ip)


	def dnsmap(self):
	result = subprocess.check_output([dnsmapdir + '/dnsmap', self.domain]) # Executes dnsmap
	# Formats output
	out = re.split('IP address #.: ', result)
	domain = re.split('\n', out)
	domain = domain[5] # Stores first domain found
	store = '' # Stores previous domain name if >1 ip returned
	for i in out:
	if i.startswith('\n'):
	pass
	else:
	ip = re.split('\n', i)
	if ip[0].startswith('dnsmap'): # Filters out dnsmap messages
	pass
	else:
	if dns.check(ip[0]):
	if ip[0] in iplist:
	pass
	else:
	iplist.append(ip[0])
	print(output("%s is hosted at %s" % (domain,ip[0])))

	# Fixes errors when >1 ip returned for 1 subdomain
	try:
	if ip[0] == '127.0.0.1': # prevents errors by dnsmap warning
	domain = ip[3]
	else:
	domain = ip[2]
	except:
	domain = ''
	if domain == '':
	domain = store
	else:
	store = ip[2]


	class DnsMisc():
	def __init__(self, domain):
	self.cfip = []
	self.cfip = self.nslookup(domain)

	# Returns ip(s) of a domain
	def nslookup(self, domain):
	try:
	ipaddr = socket.getaddrinfo(domain, 80)
	except:
	ipaddr = ''
	ip = []
	for i in range(0, len(ipaddr)):
	a = ipaddr[i][4][0] # Extracts ip from returned info
	if a not in ip:
	ip.append(a)
	return ip # Returns a list with ips

	# Checks ip is not cloudflare ip
	def check(self, ip):
	if ip not in self.cfip and ip != '127.0.0.1':
	return ip


	def info(domain):
	print("\n-- Checking for php info() files --")
	# Common php info files
	files = ['info.php', 'php.php', 'phpinfo.php', 'php-info.php', '/']
	for infofile in files:
	url = 'http://%s/%s' % (domain,infofile)
	try:
	response = urllib2.urlopen(url)
	save = response.readlines()
	if "PHP Version" in string.join(save): # Check if php info file
	for line in save:
	if "SERVER_ADDR" in line: # SERVER_ADDR == server ip variable
	# Extracting server ip :)
	tmp = re.split('class="v">', line)
	tmp = re.split('<', tmp[1])
	ip = tmp[0]
	print(output("Found ip: %s in phpinfo file: %s" % (ip,infofile)))
	if ip not in iplist:
	iplist.append(ip)
	except:
	pass


	# Checks dns history of domain
	def dnsHistory(domain):
	print("\n-- Checking dns history --")
	url = 'http://toolbar.netcraft.com/site_report?url=' + domain
	try:
	request = urllib2.urlopen(url)
	html = request.read()
	except:
	html = ''
	soup = BeautifulSoup(''.join(html))
	tables = soup.findAll(attrs={'class': 'TBtable'})
	try:
	table = tables[1]
	except:
	table = '' # Prevents errors if no history returned
	rows = ''
	if table:
	rows = table.findAll('tr') # Need to edit out agaun
	x = -1
	try:
	for tr in rows:
	columns = tr.findAll('td')
	for td in columns:
	text = ''.join(td.find(text=True))
	if x%5 == 0: # Only ip addresses are checked
	if dns.check(text): # Finds last ip thats not CloudFlare
	print(output("The last known ip address is: %s" % text))
	if text not in iplist:
	iplist.append(text)
	raise End # Breaks from multiple loops
	x+=1
	except End:
	pass
	print("\n#" + "-"*77 + "#")


	def verify(ip, directory, keyword):
	try:
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((ip, 80))
	request = "GET " + directory + " HTTP/1.1\r\nHost: " + domain + "\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: None\r\nConnection: keep-alive\nDNT: 1\r\n\r\n"
	s.sendall(request)
	data = s.recv(4096)
	s.close
	except socket.error:
	data = ''
	try:
	server = re.split('Server: ', data)
	server = re.split('\r\n', server[1])
	server = server[0]
	except:
	server = ''
	if 'cloudflare' in server: # Cloudflare always returns cloudflare in server meta tag
	pass
	else:
	if keyword.lower() in data.lower():
	print(output(domain + " is confirmed at " + ip))


	def banner():
	banner = '''

	#-------------------------------------\|---------------------------------------#
	# CloudFlare IP Resolver #
	#-------------------------------------\|---------------------------------------#
	'''
	print(banner)

	banner()
	iplist = [] # Stores all retrieved ip addresses
	output = lambda out: "[x] " + out # Makes the output look nice
	domain = raw_input("Enter target domain: ")
	dns = DnsMisc(domain) # Saves cloudflare ips for later checking
	brute = Bruteforce(domain) # Prepares domain for bruteforcing

	# Attempt to find possible ips
	brute.fast()
	brute.tld()
	info(domain)
	dnsHistory(domain)

	extra = raw_input("\nWould you like to use dnsmap to find subdomains Y/N: ")
	if extra.lower() == 'y':
	print("This may take a while, please be patient")
	brute.dnsmap()

	extra = raw_input("\nWould you like to confirm the results Y/N: ")
	if extra.lower() == 'y':
	directory = raw_input("Enter a file known to exist (eg /index.php): ")
	if directory.startswith('/'):
	pass
	else:
	directory = '/' + directory
	keyword = raw_input("Enter a keyword only found on the target page: ")
	print("\n-- Confirming results --")
	for ip in iplist:
	verify(ip, directory, keyword)

	print("\nFinished! All results must be verified manually")
	print("If this script has been unsuccessful find a way to get the target to email you")
	print("The server ip will be in the mail header")