# Identify a Server’s Origin IP

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses.  📚
  {% endtab %}
  {% endtabs %}

## What is an Origin IP? <a href="#de0b" id="de0b"></a>

An **Origin IP** refers to the actual IP address of a server hosting a website or application. Many websites today use **Content Delivery Networks (CDNs)** like **Cloudflare, Akamai, and Amazon CloudFront** to mask their true IP addresses for security, performance, and reliability reasons. These CDNs act as reverse proxies, handling all incoming traffic and providing:

* **DDoS Protection**: Absorbs and mitigates malicious traffic to prevent downtime.
* **Load Balancing**: Distributes traffic to multiple servers to ensure availability.
* **Content Caching**: Stores static content closer to users to improve performance (such as images, CSS, and JavaScript files).

When you make an HTTP request to a domain using a CDN, you are actually communicating with the CDN’s edge servers rather than the real server. This prevents attackers from easily discovering the actual server hosting the website.

## Why is Identifying an Origin IP Important? <a href="#id-08a9" id="id-08a9"></a>

Finding the **real server IP address** is critical for cybersecurity researchers, penetration testers, and even malicious attackers. It allows them to:

* **Map network infrastructure** and locate services operating on different IPs.
* **Bypass CDN protection** to test for vulnerabilities directly.
* **Launch targeted attacks** such as **DDoS, direct exploitation, and reconnaissance**.

<figure><img src="https://miro.medium.com/v2/resize:fit:610/0*VT2nscyBAOfzB-hI.png" alt="" height="254" width="610"><figcaption></figcaption></figure>

Compare with this next diagram, showing how a pingback will convince the Wordpress server to reach out to our “honeypot” pingback server which relays the IP address it finds back to us.

<figure><img src="https://miro.medium.com/v2/resize:fit:610/0*pUfhwAIgRMziXn4v.png" alt="" height="291" width="610"><figcaption></figcaption></figure>

## How to Find the Origin IP of a Server <a href="#id-59ad" id="id-59ad"></a>

Despite the protection offered by CDNs, several techniques can help reveal a server’s **real IP address**. Below are some of the most effective methods.

## 1. Using WHOIS and Host Lookup <a href="#a440" id="a440"></a>

First, we can use `whois` and `host` to gather more information about the target domain:

```
$ host verylazytech.com
verylazytech.com has address 172.67.XX.XX
verylazytech.com has address 162.169.XX.XX

$ whois 172.67.XX.XX
...
NetRange: 172.64.0.0 - 172.71.255.255
NetName: CLOUDFLARENET
OrgName: Cloudflare, Inc.
...
```

These results confirm that the domain is behind Cloudflare, meaning requests are routed through the CDN.

## 2. SSL Certificates Enumeration <a href="#d9c1" id="d9c1"></a>

SSL certificates can reveal the origin server’s IP by analyzing its public certificate information. Tools like **Censys** and **crt.sh** can help.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/0*SQZQK8xj6jKUSrVT" alt="" height="231" width="700"><figcaption></figcaption></figure>

1. Visit [**https://search.censys.io/**](https://search.censys.io/) and enter the target domain.
2. Look for associated IP addresses.
3. Use `curl` to verify:

```
$ curl -v http://52.19.60.183/ -H 'Host: verylazytech.com'
```

Response:

```
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Location: https://verylazytech.com:443/<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
```

This method is one of the simplest and most efficient ways to identify the real IP address of a target. Keep in mind that the different IP addresses identified during our investigation won’t necessarily be the host IPs for enji.ai, but they provide valuable clues about the present subnet and expanding our attack surface.

## 3. Subdomain Enumeration <a href="#c185" id="c185"></a>

Subdomains often bypass the CDN, exposing real IP addresses. Use **Subfinder** to find them:

```
$ subfinder -d verylazytech.com
[INF] Enumerating subdomains for verylazytech.com
...
medium.verylazytech.com
...
```

Next, verify whether the subdomain is routed through the CDN:

```
$ host medium.verylazytech.com
medium.verylazytech.com has address 52.19.60.183
```

If the IP is different from the main domain, it might be the origin server.

## 4. Analyzing DNS Records <a href="#d88c" id="d88c"></a>

By examining the DNS records of a domain, an attacker could potentially discover previously exposed IP addresses of the server from times when it was not behind a CDN. DNS records provide various types of information about a domain, and by analyzing these records, penetration testers can gather valuable insights that may lead to the discovery of the origin IP.

## Types of DNS records <a href="#id-2948" id="id-2948"></a>

Different types of DNS records can reveal specific details about the domain and its infrastructure:

* **A Records:** These records map a domain name to an IPv4 address. By examining historical A records, one can find previous IP addresses that may have been used by the domain before switching to a CDN.
* **AAAA Records:** Similar to A records but for IPv6 addresses. Historical AAAA records can also provide information on previous IPv6 addresses.
* **MX Records:** Mail Exchange records specify the mail servers responsible for receiving email on behalf of the domain. Sometimes, these mail servers are not routed through the CDN, revealing the real IP address.
* **TXT Records:** Text records can contain various forms of information, including verification details for email services and other metadata. Occasionally, these records might inadvertently expose internal IP addresses or other sensitive information.
* **CNAME Records:** Canonical Name records alias one domain to another. By following the chain of CNAME records, it’s possible to uncover the origin domain that might point directly to the real server IP.

Checking past DNS records can uncover previously exposed IP addresses. Use `dig`:

```
$ dig A verylazytech.com
...
verylazytech.com. 0 IN A 162.169.140.98
verylazytech.com. 0 IN A 172.67.0.96
...
```

For subdomains:

```
$ dig A dev.verylazytech.com
a33...075.eu-west-1.elb.amazonaws.com. 0 IN A 52.19.60.183
a33...075.eu-west-1.elb.amazonaws.com. 0 IN A 52.30.79.226
```

Here, we discovered **AWS Elastic Load Balancer (ELB) IPs**, likely exposing the origin server.

## 5. Checking CDN IP Ranges <a href="#id-2d40" id="id-2d40"></a>

If a website uses AWS, Google Cloud, or another provider, you can search its CDN IP ranges. Use `grep` to match:

```
$ cat amazon-ipv4-sni.txt | grep verylazytech.com
...
52.209.176.32:443 -- [verylazytech.com *.dev.verylazytech.com *.staging.verylazytech.com]
...
```

This method helps uncover IPs that might not be fully hidden behind the CDN.

## 6. Host Header Fuzzing <a href="#id-2838" id="id-2838"></a>

Fuzzing with **custom Host headers** can sometimes bypass CDNs:

```
$ curl -H "Host: realserver.verylazytech.com" http://172.67.0.96
```

If the response differs from a CDN-protected response, it’s likely the real server.

## 7. WordPress Pingback Exploit <a href="#id-55b2" id="id-55b2"></a>

For WordPress sites, use XML-RPC pingbacks to reveal the origin IP:

```
$ curl -X POST -d "<?xml version='1.0'?>..." https://verylazytech.com/xmlrpc.php
```

If the response contains an IP address, it’s the origin server.

## 8. Using CloudFlair Tool <a href="#id-07ed" id="id-07ed"></a>

[**CloudFlair**](https://github.com/christophetd/CloudFlair) automates CDN bypassing by scanning for related IPs:

```
$ python cloudflair.py verylazytech.com
[*] Retrieving Cloudflare IP ranges from https://www.cloudflare.com/ips-v4
[*] The target appears to be behind CloudFlare.
[*] Looking for certificates matching "verylazytech.com" using Censys
[*] 72 certificates matching "verylazytech.com" found.
[*] Splitting the list of certificates into chunks of 25.
[*] Looking for IPv4 hosts presenting these certificates...
[*] 3 IPv4 hosts presenting a certificate issued to "verylazytech.com" were found.
  - 34.252.154.19
  - 34.247.206.200
  - 63.32.27.129
[*] Testing candidate origin servers
[*] Retrieving target homepage at https://verylazytech.com
[*] "https://verylazytech.com" redirected to "https://verylazytech.com/"
  - 34.252.154.19
      responded with an unexpected HTTP status code 404
  - 34.247.206.200
  - 63.32.27.129
[-] Did not find any origin server.
```

We can send a `GET` request to one of the found IP's and get this:

```
$ curl -v https://34.247.206.200 -k
<p>
    We are performing quick maintenance at the moment and will be baonline soon.
    Try to refresh the page or come back in a few minutes.
</p>
```

This tool utilizes **Censys API** to find origin IP addresses related to a domain.

## Conclusion <a href="#id-3bc1" id="id-3bc1"></a>

Identifying a server’s **real IP address** can be crucial for **penetration testing, cybersecurity research, and ethical hacking**. While **CDNs like Cloudflare** offer strong protection, there are multiple techniques — such as **SSL analysis, DNS lookups, subdomain enumeration, and CDN range checking** — that can help bypass them.<br>

{% hint style="success" %}
Learn & practice [**For the OSCP.**](https://shop.verylazytech.com)

<details>

<summary>Support VeryLazyTech 🎉</summary>

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses.  📚

</details>
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.verylazytech.com/pentesting-web/identify-a-servers-origin-ip.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.