Firewall bypass script based on DNS history records. This script will search for DNS A history records and check if the server replies for that domain. Handy for bugbounty hunters.
This script will try to find:
This script (ab)uses DNS history records. This script will search for old DNS A records and check if the server replies for that domain.
It also outputs a confidence level, based on the similarity in HTML response of the possible origin server and the firewall.
The script also fetches the IPs of subdomains, because my own experience has taught me that subdomain IPs sometimes point to the origin of the main domain.
Usage
Use the script like this:
bash bypass-firewalls-by-DNS-history.sh -d example.com
-d --domain : domain to bypass
-o --outputfile : output file with IPs
-l --listsubdomains : list with subdomains for extra coverage
-a --checkall : check all subdomains for a WAF bypass
WAF Bypass explanation
To illustrate what we define as WAF bypass, look at the scheme below.
A normal visitor connects to a Website. The initial request is a DNS request to ask the IP of the website, so the browser of the client knows where to send the HTTP request to.
For sites behind Cloudflare or some other public WAF, the reply contains an IP address of the WAF itself. Your HTTP traffic basically flows through the WAF to the origin web server.
The WAF blocks malicious requests and protects against (D)DoS attacks. However, if an attacker knows the IP of the origin webserver and the origin webserver accepts HTTP traffic from the entire internet, the attacker can perform a WAF bypass: let the HTTP traffic go directly to the origin webserver instead of passing through the WAF.
This script tries to find that origin IP, so you can connect directly to the origin webserver. Attacks like SQL injections or SSRFs are then not filtered and can succeed, in contrast to the situation where a WAF sits in between and stops these kinds of attacks.
Further exploitation
When you find a bypass, you have two options:
Add an entry to your hosts file, /etc/hosts (Linux/Mac) or c:\Windows\System32\Drivers\etc\hosts (Windows), like this: 80.40.10.22 vincentcox.com
From this moment, your HTTP traffic goes directly to the origin webserver. You can perform a penetration test as usual, without your requests being blocked by the WAF.
How to protect against this script?
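As an added example (not from the original post or the script), the origin-side control that closes the bypass described above: the origin accepts a connection only when the TCP peer is one of the WAF's addresses, and trusts a forwarded-client header only on such connections. The CIDRs below are constructed placeholders standing in for the WAF provider's published ranges.

```python
import ipaddress
from typing import Iterable, Optional

# CONSTRUCTED placeholder ranges standing in for the WAF provider's published
# egress networks; a real deployment loads the provider's current list.
WAF_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]


def from_waf(peer_ip: str, nets: Iterable = WAF_NETWORKS) -> bool:
    """True if the TCP peer that connected to the origin is one of the WAF's addresses."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in nets)


def client_ip(peer_ip: str, forwarded_for: Optional[str]) -> str:
    """Address to use for logging and rate limiting.

    The forwarded header is only believable when the WAF itself delivered the
    request; on a direct connection the peer *is* the client and the header is
    whatever the sender chose to put there.
    """
    if forwarded_for and from_waf(peer_ip):
        return forwarded_for.split(",")[0].strip()
    return peer_ip


def decide(peer_ip: str, forwarded_for: Optional[str] = None) -> dict:
    """Origin-side verdict for one incoming connection."""
    if not from_waf(peer_ip):
        # Direct hit on the origin: exactly the exposure the DNS-history
        # approach looks for. Refusing it makes a leaked origin IP useless.
        return {"action": "reject", "status": 403, "client": peer_ip, "direct": True}
    return {"action": "accept", "status": 200,
            "client": client_ip(peer_ip, forwarded_for), "direct": False}


if __name__ == "__main__":
    # Constructed connections: one via the WAF, one direct, one direct with a
    # forged forwarded header.
    for peer, xff in (("203.0.113.7", "198.51.100.5"),
                      ("198.51.100.5", None),
                      ("198.51.100.5", "203.0.113.7")):
        print(peer, xff, decide(peer, xff))
```

Note that the same check belongs on every host that shares the origin's address space, including the subdomain hosts the script enumerates.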
Who is this script for?
This script is handy for:
Credit : Vincent Cox