Bypass Firewalls By Abusing DNS HistoryFirewall bypass script based on DNS history records. This script will search for DNS A history records and check if the server replies for that domain. Handy for bugbounty hunters.
This script will try to find:
- The direct IP address of a server behind a firewall like Cloudflare, Incapsula, SUCURI
- An old server which still running the same (inactive and unmaintained) website, not receiving active traffic because the A DNS record is not pointing towards it. Because it's an outdated and unmaintained website version of the current active one, it is likely vulnerable for various exploits. It might be easier to find SQL injections and access the database of the old website and abuse this information to use on the current and active website.
The script also fetches the IP's of subdomains because my own experience learned me that subdomain IP's sometimes point to the origin of the main domain.
UsageUse the script like this-
bash bypass-firewalls-by-DNS-history.sh -d example.com
-d --domain: domain to bypass
-o --outputfile: output file with IP's
-l --listsubdomains: list with subdomains for extra coverage
-a --checkall: Check all subdomains for a WAF bypass
Requirements (optional)jq is needed to parse output to gather automatically subdomains. Install with apt install jq.
WAF Bypass explanation
A normal visitor connects to a Website. The initial request is a DNS request to ask the IP of the website, so the browser of the client knows where to send the HTTP request to. For sites behind cloudflare or some other public WAF, the reply contains an IP address of the WAF itself. Your HTTP traffic flows basically through the WAF to the origin web server.
The WAF blocks malicious requests and protects against (D)DoS attacks. However, if an attacker knows the IP of the origin webserver and the origin webserver accepts HTTP traffic from the entire internet, the attacker can perform a WAF bypass: let the HTTP traffic go directly to the origin webserver instead of passing through the WAF.
This script tries to find that origin IP, so you can connect directly to the origin webserver. Attacks like SQL injections or SSRF's are not filtered and can be successfully, in contrary when there is a WAF in between which stops these kind of attacks.
For who is this script?This script is handy for:
- Security auditors
- Web administrators
- Bug bounty hunters
- Blackhatters I guess
How to protect against this script?
The following services are used:
FAQWhy in Bash and not in Python?
It started out as a few CURL one-liners, became a bash script, extended the code more and more, and the regret of not using Python extended accordingly.
I find more subdomains with my tools?
I know. I cannot expect everyone to install all these DNS brute-force and enumeration tools. In addition, I don't know beforehand in which folder these tools are placed or under which alias these tools are called. You can still provide your own list with -l so you can feed output of these subdomain tools into this tool. Expected input is a full subdomain on each line.
The Author of this tool -
Vincent Cox- He is an Security Engineer and Bug Bounty Hunter