How to find the real IP behind cloudflare?

What is cloudflare?

CloudFlare is a content delivery network (CDN). A CDN is a distributed network of servers that provides several advantages for a website such as caching the content, high availability, and increase the security. CloudFlare is also can be used for protecting your server and web applications such as from DDOS attacks.

When you put cloudflare as your server protection, it will hide your real IP address and provide a new IP which is belong to the cloudflare. So when someone try to ping your website domain, it will only show cloudflare's IP since your name server are pointed to the cloudflare. This is what we called "tunneled". It means that you are going to tunnel your traffic through cloudflare. If it is permissible it will pass otherwise it will deny the request.

Study Case

In this case we are trying to find the real IP of "pentest.id". The provided steps will be written in Linux version.

Step 1: Find the cloudflare IP

There are many ways to find the cloudflare IP that belongs to a specific server. For online tools you can use "http://www.ipfingerprints.com/". Or you can use dig or host command in terminal.

Step 2: Find server information

In this case, I use censys.io. So far, we already found out that the real IP of "pentest.id" is 87.98.172.193. Is this the real ip? so, the next step is to validate the ip.

Step 3: Adding a website to hosts file

Usually some people will just copy the IP and then try to open it in browser and will get the result not as expected. Why it does not work? I found out some articles stated that in http request header, it still uses the cloudflare IP. So we need to add a website to hosts file which is located in '/etc' folder. The command that can we use in linux is sudo nano /etc/hosts or sudo gedit /etc/hosts

Step 4: Ping the website

In terminal, we can try 'ping' command. ping 87.98.172.193. And now, we can see the differences :)