How to Find Backend IP + Other Assets of a Domain/Company
Sometimes, websites use proxies (developed in-house) or CDN + proxy services like Cloudflare to mask their origin IP address. This may be to prevent attacks, gain insights into their audience, or for many other reasons. But what happens if you are pen-testing or performing a bug bounty on a site that uses a proxy? How are you supposed to enumerate properly or determine all active services? This article explains how to use tools like Censys to determine the backend IP address(es) associated with a domain or company, allowing you to bypass firewalls, proxies, and other defensive layers for proper pen-testing.
Censys Search
Censys is an online tool that can be accessed at https://censys.io/ipv4. Censys has free plans with daily search limits as well as paid plans. Using Censys, you can search for a domain or company name to find all associated IP addresses based on data from their Internet-wide scans. Censys even does a brief port scan and banner grab to help you understand the target better, although I'd recommend doing your own port scan to make sure the information is up to date.
For example, searching roblox.com returns IP addresses that are associated with roblox.com. The association can come from a banner grab, reverse DNS, a TLS certificate, and so on. It is always best to verify that the IP addresses you are testing are actually associated with the target and are in scope before commencing.
You can also search for specific software versions, vendor names, etc. Your keyword is queried against the rDNS records and any other information gathered by the banner grabbing and basic enumeration that Censys performs.
Defending Against Censys
If you would like to remove your site from Censys, you can contact them using their Do Not Index web form. However, the best approach is to whitelist the IP addresses of your proxy provider and deny all other traffic on your web ports. This prevents Censys from indexing your server in their database, and the IP addresses that CDN providers' proxies use are easy to find, as many providers keep them public and maintained, such as Cloudflare's IPv4 and IPv6 lists. Note that these lists change over time, so refresh the whitelist automatically rather than hard-coding it once; also keep in mind that the rule only hides the ports it covers, so any other service left open on the origin can still be indexed.
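The following is an added example, not code from the original post, showing the whitelist approach above in working form and the "is this IP in scope?" check from the Censys section, both of which reduce to the same CIDR-membership test. It uses only the Python standard library; the CIDR ranges are RFC 5737/RFC 3849 documentation prefixes standing in for a proxy provider's published list (not Cloudflare's real list), and the connection records are constructed sample data.

```python
import ipaddress

# Placeholder ranges standing in for a CDN/proxy provider's published egress
# list. These are RFC 5737 / RFC 3849 documentation prefixes, not Cloudflare's
# real list; fetch the provider's current list when deploying.
PROXY_RANGES = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "2001:db8:1::/48",
]

# Web ports the origin should expose only to the proxy layer.
WEB_PORTS = (80, 443)


def build_allowlist(cidrs):
    """Parse CIDR strings into network objects; strict=True rejects host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def in_ranges(ip, networks):
    """True if ip falls inside any of the networks.

    The same helper answers the scope question from the Censys section: pass
    the engagement's in-scope ranges instead of the proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)


def classify_connections(log_lines, allowlist):
    """Classify constructed 'src_ip dst_port' records: web-port traffic that is
    not from the proxy ranges is denied; everything else passes this rule."""
    verdicts = []
    for line in log_lines:
        src, port = line.split()
        port = int(port)
        if port in WEB_PORTS and not in_ranges(src, allowlist):
            verdicts.append((src, port, "deny"))
        else:
            verdicts.append((src, port, "allow"))
    return verdicts


def nftables_rules(allowlist):
    """Render deny-by-default nftables rules for the web ports: accept from the
    proxy ranges, drop from anyone else (direct hits and scanners included).
    Assumes an existing 'inet filter' table with an 'input' chain."""
    v4 = [str(n) for n in allowlist if n.version == 4]
    v6 = [str(n) for n in allowlist if n.version == 6]
    ports = ", ".join(str(p) for p in WEB_PORTS)
    rules = []
    if v4:
        rules.append(f"add rule inet filter input ip saddr {{ {', '.join(v4)} }} "
                     f"tcp dport {{ {ports} }} accept")
    if v6:
        rules.append(f"add rule inet filter input ip6 saddr {{ {', '.join(v6)} }} "
                     f"tcp dport {{ {ports} }} accept")
    rules.append(f"add rule inet filter input tcp dport {{ {ports} }} drop")
    return rules


# Constructed sample connection records: "source_ip destination_port".
SAMPLE_CONNECTIONS = [
    "203.0.113.7 443",      # proxy edge -> allowed
    "198.51.100.200 443",   # outside the /25 -> denied
    "192.0.2.55 80",        # direct hit on the origin -> denied
    "2001:db8:1::9 443",    # IPv6 proxy edge -> allowed
    "192.0.2.55 22",        # not a web port -> untouched by this rule
]

if __name__ == "__main__":
    allow = build_allowlist(PROXY_RANGES)
    for src, port, verdict in classify_connections(SAMPLE_CONNECTIONS, allow):
        print(f"{src:>18} :{port:<4} {verdict}")
    print("\n".join(nftables_rules(allow)))
```

The generated rules are ordered so the accept lines match first and the final drop catches everything else on the web ports; in practice the script would be run from a scheduled job that re-downloads the provider's list before regenerating the rules, so a newly added proxy range never ends up silently blocked.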
Thank you for reading; I hope you found some useful information in this post!