All you need to do is run the tool from the terminal giving the following input:
- Page to attempt (
http/https://website.com/page) - The content length of the response that you get when you are denied
- The IP range you wish the tool to attempt through
X-Forwarded-For
The tool will then simply request the given page with a range of IP addresses and then determine whether or not access to the said page is still forbidden.
python enumXFF.py -t http://sketchysite.com/admin -badcl 234 -r 192.168.0.0-192.168.255.255
The above command will attempt to request http://sketchysite.com/admin with all IP addresses in the range 192.168.0.0-192.168.255.255. The python script takes advantage of asynchronous HTTP requests via the requests-futures module and hence should be fairly quick. Note, this tool only functions on Python2.
In addition to this, the enumXFF project on Github also contains a script called generateIPs.py. This will simply generate a list of comma delimited IP addresses that can be input directly to Burp's Intruder. If the tool isn't the best way for you, Burp's Intruder is a reliable option to fall back on.
To generate the IPs for the range 192.168.0.0-192.168.255.255, you would need to use the following command:
python3 generateIPs.py -r 192.168.0.0-192.168.255.255 -o burp_xff_ips.txt
Refer to this blog post for further details: https://shubh.am/enumerating-ips-in-x-forwarded-headers-to-bypass-403-restrictions/