WAF-Abuser is an enumeration tool that uses services with history records to discover the direct IP address behind a WAF (CloudFlare, Incapsula, Akamai, etc.)
Inspired by: https://github.com/vincentcox/bypass-firewalls-by-DNS-history/ and crimeflare
- Discover (sub)domains related to the given domain
- Collect IP address history for every found (sub)domain
- Exclude WAF-associated IP addresses
- Compare HTML responses for similarity to the original host
- Output results
$ pip install -r requirements.txt
$ python3 waf-abuser.py --help
usage: waf-abuser.py -d "example.com"
options:
-h, --help show this help message and exit
-d "domain", --domain "domain" Specify the FQDN/Domain for searches
-f [FILE...], --file [FILE...] Specify the file with domains for searches
Optional arguments:
--similarity-rate [0-100] Minimum passing percentage for page similarity. (Default value: 70)
--domains-only Find only domains and subdomains.
- DNSdumpster
- CertSpotter (Limit of 100 API calls per hour)
- API-HackerTarget (Limit of 50 API calls per day)
- crt.sh
conf/ - Configs for API Keys
output/ - Final positive results are duplicated in this directory
data/PublicWAFs.txt - WAF IP ranges in CIDR
data/cdn-ns.json - WAFs
modules/subdomain_gathering.py - Find (sub)domains
modules/ip_gathering.py - Find IPs in history
modules/utility.py - Auxiliary functions
cache/ - Directory for cached intermediate results (.json, .txt, .html)
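The exclusion and similarity steps from the feature list can be reproduced offline, for instance when auditing which historical DNS records of your own domain point outside your WAF provider's ranges. This is an added example, not WAF-Abuser's code: the sample data is constructed from documentation address ranges, and the function names and the use of difflib for similarity are assumptions.

```python
import ipaddress
from difflib import SequenceMatcher

# Constructed sample data (documentation ranges, not real WAF ranges).
WAF_CIDRS = ["198.51.100.0/24", "2001:db8:100::/48", ""]
HISTORY = {  # hostname -> IPs seen in historical DNS records
    "www.example.com": ["198.51.100.7", "203.0.113.10"],
    "old.example.com": ["203.0.113.10", "192.0.2.44", "not-an-ip"],
}
ORIGINAL = ("<html><head><title>Example Shop</title></head>"
            "<body><h1>Welcome to the Example Shop</h1></body></html>")
PAGES = {  # body each candidate returns when asked for the original host
    "203.0.113.10": ORIGINAL.replace("Shop</h1>", "Shop!</h1>"),
    "192.0.2.44": "403 Forbidden",
}


def load_networks(cidrs):
    """Parse CIDR strings, one per entry as in a file like data/PublicWAFs.txt."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in cidrs if c.strip()]


def outside_waf(history, networks):
    """Return sorted, de-duplicated IPs that fall in none of the WAF networks."""
    kept = set()
    for ips in history.values():
        for raw in ips:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # skip malformed history entries
            if not any(ip.version == n.version and ip in n for n in networks):
                kept.add(str(ip))
    return sorted(kept)


def similarity(a, b):
    """Similarity of two documents as a percentage between 0 and 100."""
    return SequenceMatcher(None, a, b).ratio() * 100


def audit(rate=70):
    """Non-WAF IPs whose page matches the original at or above `rate` percent."""
    nets = load_networks(WAF_CIDRS)
    return [ip for ip in outside_waf(HISTORY, nets)
            if similarity(ORIGINAL, PAGES.get(ip, "")) >= rate]


if __name__ == "__main__":
    print(audit())
```

An address that survives both filters is one where the origin answers directly for the protected host name, which is the exposure that restricting origin ingress to the WAF provider's ranges removes.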