How Your SSL Certificate Is Helping Me Find Your Real IP Address…

We all know that most people love to hide their servers behind WAFs and CDNs like Cloudflare.

A clear example of this is www.cloudstress.com, which looks like the below. When you click it, you can see the Shodan plugin saying yep, this is on Cloudflare, so you will never know its real IP.

Now, we all know that if the webmaster is a muppet, the MX records will reveal the server the site is hosted on. This is how most Cloudflare IP revealers work, and it may or may not work.

This does not help us in any way, as it’s not 100%: as you can see in this DNS lookup, there are no records to show the mail server or the server’s real IP address.

Now comes the fun part. The server owner is probably trying to follow best practices, so they’ve made an SSL cert to ensure the data between Cloudflare -> Server is secure, so it’s not intercepted by law enforcement.

So normally we would go to Shodan and see if there are any results.

Ah crap, no results. What do we do now? Well, another good site, a bit like Shodan, is censys.io.

And there we have it: your SSL certificate has led to leaking your real IP, and the page title confirms the site is the one we want.

Again, the Shodan plugin will show you the server IP to confirm you hit the right place.

I’ve no idea who is behind this site or anything; it was one I’ve chosen at random.
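
Seen from the site owner's side, the same certificate lookup becomes an exposure audit: any address outside the CDN's ranges that presents a certificate naming your domain is an origin that internet scanners can index. The following is an added example, not code from the original post; the record fields, the `example.test` domain and the CDN range are constructed stand-ins (documentation address ranges), to be replaced with your provider's published ranges and your own scan export.

```python
import ipaddress

# Constructed stand-in: a documentation range, not any CDN's real range.
CDN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed records shaped like a host/certificate scan export.
# Field names are assumptions, not a specific service's schema.
SCAN_RECORDS = [
    {"ip": "198.51.100.10", "port": 443, "cert_names": ["example.test", "*.example.test"]},
    {"ip": "203.0.113.25", "port": 443, "cert_names": ["example.test"]},
    {"ip": "203.0.113.80", "port": 443, "cert_names": ["other.test"]},
    {"ip": "192.0.2.7", "port": 8443, "cert_names": ["*.example.test"]},
]


def belongs_to(cert_name, domain):
    """True if a certificate name is the domain, a subdomain, or a wildcard for it."""
    name = cert_name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def exposed_origins(records, domain, cdn_ranges):
    """Return (ip, port, matching_names) for non-CDN hosts presenting the domain's cert."""
    findings = []
    for rec in records:
        addr = ipaddress.ip_address(rec["ip"])
        if any(addr in net for net in cdn_ranges):
            continue  # a CDN edge serving the certificate is expected
        names = [n for n in rec["cert_names"] if belongs_to(n, domain)]
        if names:
            findings.append((rec["ip"], rec["port"], names))
    return findings


if __name__ == "__main__":
    for ip, port, names in exposed_origins(SCAN_RECORDS, "example.test", CDN_RANGES):
        print(f"origin exposed: {ip}:{port} presents certificate for {', '.join(names)}")
```

An origin that shows up here should be firewalled so that only the CDN's ranges can reach it, or should present a default certificate that does not name the site to direct connections.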