Tool for discovering the origin host behind a reverse proxy. Useful for bypassing WAFs and other reverse proxies.
How does it work?
This tool will first make a HTTP request to the hostname that you provide and store the response, then it will make a request to every IP address that you provide via HTTP (80) and HTTPS (443), with the
Host header set to the original host. Each HTTP response is then compared to the original using the Levenshtein algorithm to determine similarity. If the response is similar, it will be deemed a match.
Provide the list of IP addresses via stdin, and the original hostname via the -h option. For example:
prips 126.96.36.199/24 | hakoriginfinder -h example.com
You may set the Levenshtein distance threshold with
-l. The lower the number, the more similar the matches need to be for it to be considered a match, the default is 5.
The number of threads may be set with
-t, default is 32.
The hostname is set with
-h, there is no default.
The output is 3 columns, separated by spaces. The first column is either "MATCH" or "NOMATCH" depending on whether the Levenshtein threshold was reached or not. The second column is the URL being teseted, and the third column is the Levenshtein score.
hakluke$ prips 188.8.131.52/24 | hakoriginfinder -h one.one.one.oneNOMATCH http://184.108.40.206 54366NOMATCH http://220.127.116.11 54366NOMATCH http://18.104.22.168 54366NOMATCH http://22.214.171.124 54366NOMATCH http://126.96.36.199 54366NOMATCH http://188.8.131.52 54366NOMATCH http://184.108.40.206 54366NOMATCH http://220.127.116.11 54366NOMATCH http://18.104.22.168 54366NOMATCH http://22.214.171.124 54366NOMATCH http://126.96.36.199 54366... snipped for brevity ...NOMATCH http://188.8.131.52 54366NOMATCH http://184.108.40.206 54366MATCH http://220.127.116.11 0NOMATCH http://18.104.22.168 19567NOMATCH http://22.214.171.124 19517MATCH https://126.96.36.199 0NOMATCH https://188.8.131.52 19534NOMATCH https://184.108.40.206 19532
Install golang, then run:
go install github.com/hakluke/[email protected]