Cloud Lookup (and Bypass) - Metasploit
This page contains detailed information about how to use the auxiliary/gather/cloud_lookup metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Cloud Lookup (and Bypass)
Module: auxiliary/gather/cloud_lookup
Source code: modules/auxiliary/gather/cloud_lookup.rb
Disclosure date: -
Last modification time: 2022-06-23 17:27:47 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: dns
Target network port(s): 53, 443
List of CVEs: -
This module can be useful if you need to test the security of your server and your website behind a solution Cloud based. By discovering the origin IP address of the targeted host. More precisely, this module uses multiple data sources (in order ViewDNS.info, DNS enumeration and Censys) to collect assigned (or have been assigned) IP addresses from the targeted site or domain that uses the following: * Cloudflare, Amazon CloudFront, ArvanCloud, Envoy Proxy, Fastly, Stackpath Fireblade, Stackpath MaxCDN, Imperva Incapsula, InGen Security (BinarySec EasyWAF), KeyCDN, Microsoft AzureCDN, Netlify and Sucuri.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Basic Usage
msf > use auxiliary/gather/cloud_lookup
msf auxiliary(cloud_lookup) > show targets
... a list of targets ...
msf auxiliary(cloud_lookup) > set TARGET target-id
msf auxiliary(cloud_lookup) > show options
... show and set options ...
msf auxiliary(cloud_lookup) > exploit
Required Options
- HOSTNAME: The hostname or domain name where we want to find the real IP address
Knowledge Base
This module can be useful if you need to test the security of your server and your website behind a solution Cloud based. By discovering the origin IP address of the targeted host.
More precisely, this module uses multiple data sources (in order ViewDNS.info, DNS enumeration and Censys) to collect assigned (or have been assigned) IP addresses from the targeted site or domain that uses the following: Amazon Cloudflare, Amazon CloudFront, ArvanCloud, Envoy Proxy, Fastly, Stackpath Fireblade, Stackpath MaxCDN, Imperva Incapsula, InGen Security (BinarySec EasyWAF), KeyCDN, Microsoft AzureCDN, Netlify and Sucuri.
Verification Steps
- Start msfconsole
- Do:
use auxiliary/gather/cloud_lookup - Do:
set hostname www.zataz.com - Do:
run
Options
CENSYS_SECRET
Your Censys API SECRET.
CENSYS_UID
Your Censys API UID.
COMPSTR
You can use a custom string to perform the comparison.
HOSTNAME
This is the hostname [fqdn] on which the website responds. But this can also be a domain.
msf5 auxiliary(gather/cloud_lookup) > set hostname www.zataz.com --or-- msf5 auxiliary(gather/cloud_lookup) > set hostname discordapp.com
IPBLACKLIST_FILE
Files containing IP addresses to blacklist during the analysis process, one per line. It's optional.
THREADS
Number of concurent threads needed for DNS enumeration. Default: 8
WORDLIST
Name list required for DNS enumeration. Default: ~/metasploit-framework/data/wordlists/namelist.txt
Advanced options
ALLOW_NOWAF
Automatically switch to NoWAFBypass when detection fails with the Automatic action. Default: false
NS
Specify the nameserver to use for queries. Default: is system DNS
REPORT_LEAKS
Set to write leaked ip addresses in notes. Default: false
USERAGENT
Specify a personalized User-Agent header in HTTP requests. Default: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
TAG
Specify the HTML tag in which you want to find the fingerprint. Default: title Useful when combined with the CMPSTR option.
HTTP_TIMEOUT
HTTP(s) request timeout. Default: 8
Scenarios
For auditing purpose
If successful, you must be able to obtain the IP(s) address of the website as follows:
msf5 auxiliary(gather/cloud_lookup) > set verbose true
verbose => true
msf5 auxiliary(gather/cloud_lookup) > run
[*] Selected action: Amazon CloudFlare
[*] Passive gathering information...
[*] * ViewDNS.info: 17 IP address found(s).
[*] * DNS Enumeration: 6 IP address found(s).
[*] Clean Amazon CloudFlare server(s)...
[*] * TOTAL: 10 IP address found(s) after cleaning.
[*]
[*] Bypass Automatic is in progress...
[*] * Initial request to the original server for <title> comparison
[*] * Trying: http://XXX.XXX.XXX.XXX:80/
[+] A direct-connect IP address was found: http://XXX.XXX.XXX.XXX:80/
[*] * Trying: https://XXX.XXX.XXX.XXX:443/
--> responded with an unhandled HTTP status code: 504
[*] * Trying: http://XXX.XXX.XXX.XXX:80/
[*] * Trying: https://XXX.XXX.XXX.XXX:443/
[*] * Trying: http://XXX.XXX.XXX.XXX:80/
[+] A direct-connect IP address was found: http://XXX.XXX.XXX.XXX:80/
[*] * Trying: https://XXX.XXX.XXX.XXX:443/
--> responded with an unhandled HTTP status code: 504
[*] * Trying: http://XXX.XXX.XXX.XXX:80/
[+] A direct-connect IP address was found: http://XXX.XXX.XXX.XXX:80/
[*] * Trying: https://XXX.XXX.XXX.XXX:443/
--> responded with an unhandled HTTP status code: 403
[*] Auxiliary module execution completed
In this case 'A direct-connect IP address was found' is reported.
However, some disreputable administrators used a simple redircetion (301 and 302) to force the passage through the WAF. This makes the IP address leak in the 'location' parameter of the HTTP header.
For example:
msf5 auxiliary(gather/cloud_lookup) > set hostname www.exodata.fr
hostname => www.exodata.fr
msf5 auxiliary(gather/cloud_lookup) > run
[*] Selected action: Amazon CloudFlare
[*] Passive gathering information...
[*] * ViewDNS.info: 3 IP address found(s).
[*] * DNS Enumeration: 12 IP address found(s).
[*] Clean Amazon CloudFlare server(s)...
[*] * TOTAL: 4 IP address found(s) after cleaning.
[*]
[*] Bypass Automatic is in progress...
[*] * Initial request to the original server for <title> comparison
[*] * Trying: http://41.213.135.13:80/
[*] * Trying: https://41.213.135.13:443/
--> responded with HTTP status code: 302 to http://www.exodata.fr/
[!] A leaked IP address was found: https://41.213.135.13:443/
[*] * Trying: http://185.161.8.26:80/
--> responded with HTTP status code: 302 to https://www.exodata.fr/
[!] A leaked IP address was found: http://185.161.8.26:80/
[*] * Trying: https://185.161.8.26:443/
[-] No direct-connect IP address found :-(
[*] Auxiliary module execution completed
or
msf5 auxiliary(gather/cloud_lookup) > set verbose false
verbose => false
msf5 auxiliary(gather/cloud_lookup) > set hostname www.ingensecurity.com
hostname => www.ingensecurity.com
msf5 auxiliary(gather/cloud_lookup) > run
[*] Passive gathering information...
[*] * ViewDNS.info: 2 IP address found(s).
[*] * DNS Enumeration: 8 IP address found(s).
[*] Clean InGen Security (BinarySec EasyWAF) server(s)...
[*] * TOTAL: 4 IP address found(s) after cleaning.
[*]
[*] Bypass Automatic is in progress...
[*] * Initial request to the original server for <title> comparison
[!] A leaked IP address was found: http://188.165.33.235:80/
[-] No direct-connect IP address found :-(
[*] Auxiliary module execution completed
In this case 'A leaked IP address was found' is displayed but the bypass is NOT effective.
You can also use the REPORT_LEAKS option to write that in the notes.
For some reason you may need to change the URI path to interoperate with a page other than the index page.
For example:
msf5 > use auxiliary/gather/cloud_lookup
msf5 auxiliary(gather/cloud_lookup) > set HOSTNAME www.zataz.com
hostname => www.zataz.com
msf5 auxiliary(gather/cloud_lookup) > set URIPATH /contacter/
uripath => /contacter/
msf5 auxiliary(gather/cloud_lookup) > set compstr Contacter ZATAZ
compstr => Contacter ZATAZ
msf5 auxiliary(gather/cloud_lookup) > run
...
or
msf5 > use auxiliary/gather/cloud_lookup
msf5 auxiliary(gather/cloud_lookup) > set HOSTNAME www.zataz.com
hostname => www.zataz.com
msf5 auxiliary(gather/cloud_lookup) > set URIPATH /contacter/
uripath => /contacter/
msf5 auxiliary(gather/cloud_lookup) > set compstr Contacter ZATAZ
compstr => Contacter ZATAZ
msf5 auxiliary(gather/cloud_lookup) > set tag html
tag => html
msf5 auxiliary(gather/cloud_lookup) > run
...
References
Go back to menu.
Msfconsole Usage
Here is how the gather/cloud_lookup auxiliary module looks in the msfconsole:
msf6 > use auxiliary/gather/cloud_lookup
msf6 auxiliary(gather/cloud_lookup) > show info
Name: Cloud Lookup (and Bypass)
Module: auxiliary/gather/cloud_lookup
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
mekhalleh (RAMELLA S��bastien)
Available actions:
Name Description
---- -----------
Amazon CloudFront Content Delivery Network services of Amazon
ArvanCloud CDN ArvanCloud CDN comprises tens of PoP sites in important locations all around the world to deliver online content to the users
Automatic
AzureCDN Microsoft Azure Content Delivery Network (CDN) is a global content distribution network solution for delivering high bandwidth content
CloudFlare Cloudflare provides SaaS based CDN, WAF, DNS and DDoS mitigation services.
Envoy Proxy An open source edge and service proxy, designed for Cloud-Native applications
Fastly Another widely used CDN/WAF solution
Imperva Incapsula Cloud based Web application firewall of Imperva
InGen Security (BinarySec EasyWAF) Cloud based Web application firewall of InGen Security and BinarySec
KeyCDN KeyCDN is a high performance content delivery network that has been built for the future
Netlifi One workflow, from local development to global deployment
NoWAFBypass Do NOT check any bypass method
Stackpath Fireblade Enterprise Website Security & DDoS Protection
Stackpath MaxCDN Speed Up your Content Delivery
Sucuri Cloud based Web application firewall of Sucuri
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CENSYS_SECRET no The Censys API SECRET
CENSYS_UID no The Censys API UID
COMPSTR no You can use a custom string to perform the comparison (read documentation)
DOMAIN no The target domain name
HOSTNAME yes The hostname or domain name where we want to find the real IP address
IPBLACKLIST_FILE no Files containing IP addresses to blacklist during the analysis process, one per line
NS no Specify the nameservers to use for queries, space separated
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RPORT 443 yes The target TCP port on which the protected website responds
SEARCHLIST no DNS domain search list, comma separated
SSL true yes Negotiate SSL/TLS for outgoing connections
THREADS 8 yes Threads for DNS enumeration
URIPATH / yes The URI path on which to perform the page comparison
WORDLIST /opt/metasploit-framework/embedded/framework/data/wordlists/namelist.txt no Wordlist of subdomains
Description:
This module can be useful if you need to test the security of your
server and your website behind a solution Cloud based. By
discovering the origin IP address of the targeted host. More
precisely, this module uses multiple data sources (in order
ViewDNS.info, DNS enumeration and Censys) to collect assigned (or
have been assigned) IP addresses from the targeted site or domain
that uses the following: * Cloudflare, Amazon CloudFront,
ArvanCloud, Envoy Proxy, Fastly, Stackpath Fireblade, Stackpath
MaxCDN, Imperva Incapsula, InGen Security (BinarySec EasyWAF),
KeyCDN, Microsoft AzureCDN, Netlify and Sucuri.
References:
https://citadelo.com/en/blog/cloudflare-how-to-do-it-right-and-do-not-reveal-your-real-ip/
Module Options
This is a complete list of options available in the gather/cloud_lookup auxiliary module:
msf6 auxiliary(gather/cloud_lookup) > show options
Module options (auxiliary/gather/cloud_lookup):
Name Current Setting Required Description
---- --------------- -------- -----------
CENSYS_SECRET no The Censys API SECRET
CENSYS_UID no The Censys API UID
COMPSTR no You can use a custom string to perform the comparison (read documentation)
DOMAIN no The target domain name
HOSTNAME yes The hostname or domain name where we want to find the real IP address
IPBLACKLIST_FILE no Files containing IP addresses to blacklist during the analysis process, one per line
NS no Specify the nameservers to use for queries, space separated
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RPORT 443 yes The target TCP port on which the protected website responds
SEARCHLIST no DNS domain search list, comma separated
SSL true yes Negotiate SSL/TLS for outgoing connections
THREADS 8 yes Threads for DNS enumeration
URIPATH / yes The URI path on which to perform the page comparison
WORDLIST /opt/metasploit-framework/embedded/framework/data/wordlists/namelist.txt no Wordlist of subdomains
Auxiliary action:
Name Description
---- -----------
Automatic
Advanced Options
Here is a complete list of advanced options supported by the gather/cloud_lookup auxiliary module:
msf6 auxiliary(gather/cloud_lookup) > show advanced
Module advanced options (auxiliary/gather/cloud_lookup):
Name Current Setting Required Description
---- --------------- -------- -----------
ALLOW_NOWAF false yes Automatically switch to NoWAFBypass when detection fails with the Automatic action
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
DnsClientDefaultNS 8.8.8.8 8.8.4.4 no Specify the default to use for queries, space separated
DnsClientRVLExistingOnly true no Only perform lookups on hosts in DB
DnsClientReportARecords true no Add hosts found via BRT and RVL to DB
DnsClientResolvconf /dev/null yes Resolvconf formatted configuration file to use for Resolver
DnsClientRetry 2 no Number of times to try to resolve a record if no response is received
DnsClientRetryInterval 2 no Number of seconds to wait before doing a retry
DnsClientTcpDns false no Run queries over TCP
DnsClientUdpTimeout 8 yes Number of seconds to wait for a response to a UDP query
DnsNote false no Save all DNS results as notes
ENUM_BRT true yes Set DNS bruteforce as optional
HTTP_TIMEOUT 8 yes HTTP(s) request timeout
REPORT_LEAKS false yes Set to write leaked ip addresses in notes
SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1,
TLS1.2)
TAG title yes Specify the HTML tag in which you want to find the fingerprint (Accepted: title, html)
USERAGENT Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/5 yes Specify a personalized User-Agent header in HTTP requests
6.0
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the gather/cloud_lookup module can do:
msf6 auxiliary(gather/cloud_lookup) > show actions
Auxiliary actions:
Name Description
---- -----------
Amazon CloudFront Content Delivery Network services of Amazon
ArvanCloud CDN ArvanCloud CDN comprises tens of PoP sites in important locations all around the world to deliver online content to the users
Automatic
AzureCDN Microsoft Azure Content Delivery Network (CDN) is a global content distribution network solution for delivering high bandwidth content
CloudFlare Cloudflare provides SaaS based CDN, WAF, DNS and DDoS mitigation services.
Envoy Proxy An open source edge and service proxy, designed for Cloud-Native applications
Fastly Another widely used CDN/WAF solution
Imperva Incapsula Cloud based Web application firewall of Imperva
InGen Security (BinarySec EasyWAF) Cloud based Web application firewall of InGen Security and BinarySec
KeyCDN KeyCDN is a high performance content delivery network that has been built for the future
Netlifi One workflow, from local development to global deployment
NoWAFBypass Do NOT check any bypass method
Stackpath Fireblade Enterprise Website Security & DDoS Protection
Stackpath MaxCDN Speed Up your Content Delivery
Sucuri Cloud based Web application firewall of Sucuri
Evasion Options
Here is the full list of possible evasion options supported by the gather/cloud_lookup auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(gather/cloud_lookup) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
- HTTP connection failed to Censys.IO website.
- Unable to retrieve any data from Censys.IO website.
- HTTP connection failed to ViewDNS.info website.
- Unable to retrieve any data from ViewDNS.info website.
- No domain IP(s) history founds.
- A leaked IP address was found: <PROTO>://<IP>:<PORT>/
- HTTP connection failed to Azurerange website.
- Unable to retrieve any data from Azurerange website.
- HTTP connection failed to Incapsula website.
- Unable to retrieve any data from Incapsula website.
- Couldn't determine the action automatically because no target signatures matched
- No IP address found :-(
- Cannot read file <IPBLACKLIST_FILE>
- No IP address found after cleaning.
- Auto-fingerprinting value is empty. Please consider the COMPSTR option
- Please consider the COMPSTR option
- No direct-connect IP address found :-(
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
HTTP connection failed to Censys.IO website.
Here is a relevant code snippet related to the "HTTP connection failed to Censys.IO website." error message:
176: },
177: 'data' => payload.to_json
178: )
179: results = cli.send_recv(response)
180: rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
181: print_error('HTTP connection failed to Censys.IO website.')
182: end
183:
184: unless results
185: print_error('Unable to retrieve any data from Censys.IO website.')
186: return []
Unable to retrieve any data from Censys.IO website.
Here is a relevant code snippet related to the "Unable to retrieve any data from Censys.IO website." error message:
180: rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
181: print_error('HTTP connection failed to Censys.IO website.')
182: end
183:
184: unless results
185: print_error('Unable to retrieve any data from Censys.IO website.')
186: return []
187: end
188:
189: records = ActiveSupport::JSON.decode(results.body)
190: results = records['results']
HTTP connection failed to ViewDNS.info website.
Here is a relevant code snippet related to the "HTTP connection failed to ViewDNS.info website." error message:
228: 'agent' => datastore['USERAGENT']
229: })
230: response = cli.send_recv(request)
231: cli.close
232: rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
233: print_error('HTTP connection failed to ViewDNS.info website.')
234: return []
235: end
236:
237: unless response
238: print_error('Unable to retrieve any data from ViewDNS.info website.')
Unable to retrieve any data from ViewDNS.info website.
Here is a relevant code snippet related to the "Unable to retrieve any data from ViewDNS.info website." error message:
233: print_error('HTTP connection failed to ViewDNS.info website.')
234: return []
235: end
236:
237: unless response
238: print_error('Unable to retrieve any data from ViewDNS.info website.')
239: return []
240: end
241:
242: html = response.get_html_document
243: table = html.css('table')[3]
No domain IP(s) history founds.
Here is a relevant code snippet related to the "No domain IP(s) history founds." error message:
253: end
254: end
255: end
256:
257: if ar_ips.nil?
258: print_bad('No domain IP(s) history founds.')
259: return []
260: end
261:
262: ar_ips
263: end
A leaked IP address was found: <PROTO>://<IP>:<PORT>/
Here is a relevant code snippet related to the "A leaked IP address was found: <PROTO>://<IP>:<PORT>/" error message:
364: rescue NoMethodError, ::Encoding::CompatibilityError
365: return false
366: end
367:
368: if found
369: print_warning("A leaked IP address was found: #{proto}://#{ip}:#{port}/")
370: save_note(datastore['HOSTNAME'], ip, port, proto, false) if datastore['REPORT_LEAKS']
371: end
372:
373: else
374: vprint_line(" --> responded with an unhandled HTTP status code: #{response.code}")
HTTP connection failed to Azurerange website.
Here is a relevant code snippet related to the "HTTP connection failed to Azurerange website." error message:
425: 'agent' => datastore['USERAGENT'],
426: 'vars_get' => params
427: )
428: results = cli.send_recv(response)
429: rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
430: print_error('HTTP connection failed to Azurerange website.')
431: end
432:
433: unless results
434: print_error('Unable to retrieve any data from Azurerange website.')
435: return []
Unable to retrieve any data from Azurerange website.
Here is a relevant code snippet related to the "Unable to retrieve any data from Azurerange website." error message:
429: rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
430: print_error('HTTP connection failed to Azurerange website.')
431: end
432:
433: unless results
434: print_error('Unable to retrieve any data from Azurerange website.')
435: return []
436: end
437:
438: results.get_html_document.css('p').text.split("\r\n")
439: end
HTTP connection failed to Incapsula website.
Here is a relevant code snippet related to the "HTTP connection failed to Incapsula website." error message:
488: 'agent' => datastore['USERAGENT'],
489: 'vars_post' => { 'resp_format' => 'json' }
490: )
491: results = cli.send_recv(response)
492: rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
493: print_error('HTTP connection failed to Incapsula website.')
494: end
495:
496: unless results
497: print_error('Unable to retrieve any data from Incapsula website.')
498: return []
Unable to retrieve any data from Incapsula website.
Here is a relevant code snippet related to the "Unable to retrieve any data from Incapsula website." error message:
492: rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
493: print_error('HTTP connection failed to Incapsula website.')
494: end
495:
496: unless results
497: print_error('Unable to retrieve any data from Incapsula website.')
498: return []
499: end
500:
501: results.get_json_document['ipRanges'].map { |ip| ip.gsub('"', '') }
502: end
Couldn't determine the action automatically because no target signatures matched
Here is a relevant code snippet related to the "Couldn't determine the action automatically because no target signatures matched" error message:
529: # If the action can be detected automatically. (Action: Automatic)
530: @my_action = pick_action
531: if @my_action.nil?
532: # If the automatic search fails, bye bye.
533: unless datastore['ALLOW_NOWAF']
534: print_error('Couldn\'t determine the action automatically because no target signatures matched')
535: return
536: end
537: # If allowed, and the automatic action fails, searches for all website occurrences without regard to filtering systems.
538: actions.each do |my_action|
539: @my_action = my_action if my_action.name == 'NoWAFBypass'
No IP address found :-(
Here is a relevant code snippet related to the "No IP address found :-(" error message:
582: end
583: print_status
584:
585: # Exit if no IP address(es) has been found.
586: if ip_list.empty?
587: print_bad('No IP address found :-(')
588: return
589: end
590:
591: # Comparison to remove address(es) that match the security solution to be tested.
592: # except:
Cannot read file <IPBLACKLIST_FILE>
Here is a relevant code snippet related to the "Cannot read file <IPBLACKLIST_FILE>" error message:
624: ips = File.new(datastore['IPBLACKLIST_FILE']).read.split
625: ips.each do |ip|
626: ip_blacklist << ip
627: end
628: else
629: raise ArgumentError, "Cannot read file #{datastore['IPBLACKLIST_FILE']}"
630: end
631: end
632:
633: # Time to clean, removing bad address(es).
634: records = []
No IP address found after cleaning.
Here is a relevant code snippet related to the "No IP address found after cleaning." error message:
650: records.concat(ip_list.uniq.map(&:to_s))
651: end
652:
653: # Exit if no IP address(es) has been found after cleaning.
654: if records.empty?
655: print_bad('No IP address found after cleaning.')
656: return
657: end
658:
659: print_status(" * Total: #{records.uniq.count} IP address(es) found after cleaning.")
660: print_status
Auto-fingerprinting value is empty. Please consider the COMPSTR option
Here is a relevant code snippet related to the "Auto-fingerprinting value is empty. Please consider the COMPSTR option" error message:
673: )
674: html = response.get_html_document
675: begin
676: fingerprint = html.at(datastore['TAG'])
677: unless fingerprint
678: print_bad('Auto-fingerprinting value is empty. Please consider the COMPSTR option')
679: return
680: end
681: rescue NoMethodError
682: print_bad('Please consider the COMPSTR option')
683: return
Please consider the COMPSTR option
Here is a relevant code snippet related to the "Please consider the COMPSTR option" error message:
677: unless fingerprint
678: print_bad('Auto-fingerprinting value is empty. Please consider the COMPSTR option')
679: return
680: end
681: rescue NoMethodError
682: print_bad('Please consider the COMPSTR option')
683: return
684: end
685:
686: vprint_status(" * Fingerprint: #{fingerprint.to_s.gsub("\n", '')}")
687: vprint_status
No direct-connect IP address found :-(
Here is a relevant code snippet related to the "No direct-connect IP address found :-(" error message:
700: )
701: ret_value = true if found
702: end
703:
704: # message indicating that nothing was found.
705: unless ret_value
706: print_bad('No direct-connect IP address found :-(')
707: end
708: end
709:
710: end
Go back to menu.
Related Pull Requests
- #14963 Merged Pull Request: Fix. cloud_lookup gather module (PublicSuffix)
- #14806 Merged Pull Request: Rubocop recently landed modules continued
- #14734 Merged Pull Request: Rubocop recently landed modules
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #14262 Merged Pull Request: Correct description of services provided by Cloudflare
- #12234 Merged Pull Request: add. new gather module cloud_lookup
References
- CVE: Not available
- https://citadelo.com/en/blog/cloudflare-how-to-do-it-right-and-do-not-reveal-your-real-ip/
See Also
Check also the following modules related to this module:
- auxiliary/cloud/aws/enum_ec2
- auxiliary/cloud/aws/enum_iam
- auxiliary/cloud/aws/enum_s3
- auxiliary/cloud/kubernetes/enum_kubernetes
- auxiliary/admin/http/supra_smart_cloud_tv_rfi
- auxiliary/scanner/http/springcloud_directory_traversal
- auxiliary/scanner/http/springcloud_traversal
- auxiliary/scanner/http/httpbl_lookup
- auxiliary/gather/corpwatch_lookup_id
- auxiliary/gather/corpwatch_lookup_name
- auxiliary/scanner/smb/smb_lookupsid
- post/multi/gather/dns_reverse_lookup
- post/multi/gather/dns_srv_lookup
- post/multi/recon/reverse_lookup
- post/windows/gather/reverse_lookup
- exploit/linux/http/netgear_dnslookup_cmd_exec
- exploit/linux/http/spring_cloud_gateway_rce
- exploit/linux/http/wd_mycloud_multiupload_upload
- exploit/multi/http/spring_cloud_function_spel_injection
- exploit/windows/misc/cloudme_sync
Authors
- mekhalleh (RAMELLA Sébastien)
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.
