Skip to content

Latest commit

 

History

History
69 lines (53 loc) · 2.33 KB

README.md

File metadata and controls

69 lines (53 loc) · 2.33 KB

WAF-Abuser

WAF-Abuser is a enumeration tool that uses services with history records to discover direct IP address behind WAF (CloudFlare, Incapsula, Akamai, etc)

WAF-Abuser-overview

Inspired by: https://github.com/vincentcox/bypass-firewalls-by-DNS-history/ and crimeflare

Algorithm:

  1. Discover (sub)domains related to the given domain
  2. Collect IP address history for every found (sub)domain
  3. Excludes WAF associated IP addresses
  4. Compare HTML responses for similarity to the original host
  5. Output results

Setup:

$ pip install -r requirements.txt

Usage:

$ python3 waf-abuser.py --help

usage: waf-abuser.py -d "example.com"

options:
  -h, --help    show this help message and exit
  -d "domain", --domain "domain"    Specify the FQDN/Domain for searches
  -f [FILE...], --file [FILE...]    Specify the file with domains for searches

Optional arguments:
  --similarity-rate [0-100]    Minimum passing percentage for page similarity. (Default value: 70)
  --domains-only    Find only domains and subdomains.

Services in use:

(Sub)domain Gathering:

IP Gathering

Project structure:

conf/                            - Configs for API Keys
output/                          - Final positive results are duplicated in this directory

data/PublicWAFs.txt              - WAF IP ranges in CIDR
data/cdn-ns.json                 - WAFs

modules/subdomain_gathering.py   - Find (sub)domains
modules/ip_gathering.py          - Find IPs in history
modules/utility.py               - Auxiliary functions
modules/scrapers/                - Scraper entities

tests/                           - Pytest tests

cache/                           - Directory for cached intermediate results (.json, .txt, .html)

References