Cloudflare origin IP discovery tool - 2026 Enhanced Edition
CloudFail discovers the real origin IP address(es) behind a Cloudflare-protected domain by querying certificate transparency logs, passive DNS databases, and optional paid APIs. It never sends traffic directly to the target during passive mode.
```
CloudFail v2.0

CLI (__main__.py)
│
├─ Phase 1: Target Init                    cloudflare.py
│    Resolve domain → check CF membership
│    Load/update CF CIDR ranges (JSON API + plain-text fallback)
│
├─ Phase 2: Passive Recon                  certificate_pivot.py
│    Free (no API key)            Paid (API key)
│    ─────────────────            ──────────────────
│    CertSpotter                  Censys Platform v3
│    crt.sh (retry+backoff)       Shodan
│    AnubisDB                     SecurityTrails
│    RapidDNS
│    ThreatMiner
│    URLScan.io
│    Wayback Machine CDX
│    + Passive DNS: HackerTarget, AlienVault OTX,
│      ViewDNS.info, RapidDNS passive
│
├─ Phase 3: Subdomain Resolution           dns_history.py
│    CT names + wordlist → dnspython bulk resolve (threads)
│    Wildcard detection
│
└─ Phase 4: IP Enrichment                  asn_filter.py
     ASN lookup → CF/non-CF classification → confidence score

utils/http_client.py (ALL HTTP goes through here)
  requests.Session + Retry(total=5, backoff_factor=1)
  Optional Tor SOCKS5 proxy
```
| Source | Type | API Key | Rate Limit | Notes |
|---|---|---|---|---|
| CertSpotter | CT logs | No | 100 req/hour | Most reliable free CT source |
| crt.sh | CT logs | No | None (rate limited) | Retry+backoff on 502/429 |
| AnubisDB | CT/passive | No | None | Stable JSON endpoint |
| RapidDNS | DNS records | No | None | HTML table extraction |
| ThreatMiner | Passive DNS | No | None | Free JSON API |
| URLScan.io | Page scans | No | 60/min | Free tier |
| Wayback CDX | Historical URLs | No | None | Up to 5000 rows |
| HackerTarget | Passive DNS | No | 100/day | Also used for ASN lookup |
| AlienVault OTX | Passive DNS | No | 429-aware | Backoff+retry on rate limit |
| ViewDNS.info | IP history | No | None | HTML regex extraction |
| Censys Platform API | TLS cert search | Yes | Varies | Requires Starter plan ($99+/mo) |
| Shodan | TLS cert search | Yes | Varies | REST API (free tier available) |
| SecurityTrails | Subdomain enum | Yes | Varies | REST API |
```bash
# Python 3.10-3.12 required
python -m venv venv
source venv/bin/activate   # Windows: venv\Scripts\activate
pip install -r requirements.txt
```

```bash
# macOS
brew install tor && brew services start tor

# Debian/Ubuntu
sudo apt install tor && sudo service tor start

# Verify Tor is listening on port 9050
nc -zv 127.0.0.1 9050
```

```bash
# Free sources only (no API keys)
python -m cloudfail -t example.com --confirm-scope

# With the optional paid APIs
python -m cloudfail -t example.com \
  --censys-api-token YOUR_TOKEN \
  --shodan-api YOUR_KEY \
  --securitytrails-api YOUR_KEY \
  --confirm-scope

# Skip subdomain bruteforce
python -m cloudfail -t example.com --passive-only --confirm-scope

# JSON output saved to a file
python -m cloudfail -t example.com \
  --output json --output-file results.json --confirm-scope

# Route via Tor SOCKS5
python -m cloudfail -t example.com --tor --confirm-scope

# Disable SSL verification
python -m cloudfail -t example.com --no-verify-ssl --confirm-scope

# Enable debug output
python -m cloudfail -t example.com --debug --confirm-scope

# Suppress progress messages, JSON output
python -m cloudfail -t example.com --quiet --output json --confirm-scope
```
| Flag | Description |
|---|---|
| `-t, --target` | Target domain (required) |
| `--confirm-scope` | Required: confirm authorisation (required) |
| `--passive-only` | Skip subdomain bruteforce |
| `--tor` | Route via Tor SOCKS5 (127.0.0.1:9050) |
| `--no-tor` | Explicitly disable Tor |
| `--no-verify-ssl` | Disable SSL verification |
| `--subdomains FILE` | Custom wordlist path |
| `--threads N` | DNS resolver threads (default: 10) |
| `--update-ranges` | Re-download Cloudflare IP ranges |
| `--censys-api-token` | Censys Platform API Personal Access Token |
| `--shodan-api` | Shodan API key |
| `--securitytrails-api` | SecurityTrails API key |
| `--output text\|json` | Output format (default: text) |
| `--output-file PATH` | Save results to file |
| `--debug` | Enable debug output |
| `--quiet` | Suppress progress messages |
```json
{
  "target": "example.com",
  "resolved_ip": "104.21.5.12",
  "behind_cloudflare": true,
  "ct_names": [
    "mail.example.com",
    "api.example.com",
    "staging.example.com"
  ],
  "passive_dns_ips": ["203.0.113.42", "198.51.100.7"],
  "non_cloudflare_ips": [
    {
      "ip": "203.0.113.42",
      "asn": "AS12345",
      "is_cloudflare": "no",
      "confidence": "90"
    }
  ],
  "subdomain_hits": [
    { "host": "staging.example.com", "ip": "203.0.113.42", "behind_cloudflare": false },
    { "host": "www.example.com", "ip": "104.21.5.12", "behind_cloudflare": true }
  ]
}
```

CloudFail is designed to never crash because a single data source fails:
| Failure | Behaviour |
|---|---|
| crt.sh returns 502 | Retry up to 5 times with exponential backoff; log warning and continue |
| crt.sh returns 429 | Backoff and retry; continue with other sources |
| AlienVault OTX 429 | Backoff 4s / 8s / skip; never crash phase |
| Censys 302 redirect | allow_redirects=True follows automatically |
| Censys 401/403 | Log descriptive message; skip gracefully |
| Any API unavailable | Warning logged; scan continues |
| DNS resolution timeout | dnspython per-resolver timeout; returns None |
| Wildcard DNS | Detected and warned; CT names still valid |
| Network unreachable | Exception caught; warning logged |
| Tor not running | Log error; continue without Tor |
| Source | Limit | Behaviour on Limit |
|---|---|---|
| CertSpotter | 100 req/hour | Warning logged |
| HackerTarget | 100 req/day | Warning with API key upgrade note |
| AlienVault OTX | Variable | 429 → backoff 4s, 8s, then skip |
| URLScan.io | 60/min free | 429 → warning + skip |
| ThreatMiner | Shared rate | 429 → warning + skip |
| Censys v2 | Quota-based | 429 → stop pagination |
| Shodan | Credit-based | 401 β invalid key warning |
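The OTX row above (429 → backoff 4s, 8s, then skip) combined with the "never crash the phase" rule can be sketched as follows. This is an added example, not CloudFail's own code; `fetch_with_backoff` and the `fetch` callable returning `(status_code, records)` are hypothetical names, and `sleep` is injectable so the schedule can be checked without waiting.

```python
import time


def fetch_with_backoff(fetch, delays=(4, 8), sleep=time.sleep):
    """Query one rate-limited source without ever raising.

    fetch  -- hypothetical zero-argument callable returning (status_code, records)
    delays -- seconds to wait after each 429 before the next attempt
    Returns the records on HTTP 200 and an empty list in every other case,
    so a failing source cannot abort the surrounding scan phase.
    """
    for attempt in range(len(delays) + 1):
        try:
            status, records = fetch()
        except Exception:
            # Network error, bad JSON, timeout: treat as "no data from this source".
            return []
        if status == 200:
            return list(records)
        if status != 429:
            # 401/403/5xx and anything else: skip the source rather than retry.
            return []
        if attempt < len(delays):
            # Rate limited: wait 4s after the first 429, 8s after the second.
            sleep(delays[attempt])
    # Third consecutive 429: skip this source and let the others continue.
    return []
```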
When `--tor` is specified:
- The shared `requests.Session` is reconfigured to use `socks5h://127.0.0.1:9050`
- Connectivity is verified via `https://check.torproject.org/api/ip`
- All subsequent HTTP calls (including DNS-over-HTTPS style) route through Tor
- Requires: `pip install PySocks` and a running Tor service

Note: DNS resolution via `dnspython` uses system resolvers, not the HTTP proxy. For fully anonymous DNS, run a local DNS-over-Tor setup or use `--passive-only` with Tor.
| Score | Meaning |
|---|---|
| 95% | IP is in a Cloudflare CIDR block (definitive CF match) |
| 90% | IP is NOT in any CF range and ASN is not AS13335 |
| 70% | IP not in CF range but ASN matches AS13335 (possible new range) |
| 0% | ASN lookup failed; treat as unknown |
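The score table above, written out as a classifier. This is an added example, not the code in `asn_filter.py`; the function names, the labels and the three-range subset of Cloudflare's published IPv4 list are assumptions made for illustration, as is the order of the checks.

```python
import ipaddress

# Constructed sample: three of Cloudflare's published IPv4 ranges. The tool itself
# loads the full list (cached in data/cf-subnet.txt); this subset is illustrative.
SAMPLE_CF_RANGES = [ipaddress.ip_network(c) for c in
                    ("104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20")]
CLOUDFLARE_ASN = "AS13335"


def classify_ip(ip, asn, cf_ranges=SAMPLE_CF_RANGES):
    """Return (label, confidence) following the score table.

    asn is a string such as "AS12345", or None when the ASN lookup failed.
    Assumption: the CIDR check runs first, so a failed ASN lookup only
    matters for addresses outside every known Cloudflare range.
    """
    addr = ipaddress.ip_address(ip)
    # Containment across IP versions is simply False, so mixed lists are safe.
    if any(addr in net for net in cf_ranges):
        return ("cloudflare", 95)
    if asn is None:
        return ("unknown", 0)
    if asn.strip().upper() == CLOUDFLARE_ASN:
        # Outside the cached ranges but announced by Cloudflare's ASN:
        # the cached range list may be stale.
        return ("possible-cloudflare", 70)
    return ("non-cloudflare", 90)


def exposed_candidates(observations, min_confidence=90):
    """Filter (ip, asn) pairs down to likely non-Cloudflare addresses."""
    hits = []
    for ip, asn in observations:
        label, score = classify_ip(ip, asn)
        if label == "non-cloudflare" and score >= min_confidence:
            hits.append(ip)
    return hits
```

Run against your own domain's results, a non-empty `exposed_candidates` list points at records (old A records, mail or staging hosts) that still reveal the origin and should be rotated or firewalled to Cloudflare's ranges.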
```bash
# Force fresh download and disable SSL verification
python -m cloudfail -t example.com --update-ranges --no-verify-ssl --confirm-scope
```

crt.sh can be slow under load. CloudFail retries automatically (5 attempts, exponential backoff). Other sources (CertSpotter, AnubisDB, RapidDNS etc.) will still return data.
OTX rate limits anonymous access. CloudFail backs off and skips OTX after 3 failures. Other passive DNS sources continue. Consider registering for a free OTX API key.
Updated for 2026: Censys now uses the Platform API v3 with Personal Access Tokens (Bearer tokens). Generate your token at https://accounts.censys.io/settings/personal-access-tokens. Note: Free users can only use lookup endpoints, not search; you need a Starter or Enterprise plan to search hosts.
- Try `--debug` to see full HTTP responses
- Try `--no-verify-ssl` if behind a corporate proxy
- Check your internet connection can reach external APIs
HackerTarget limits anonymous requests to 100/day. The ASN enrichment phase uses one HackerTarget call per non-CF IP. For large scans register for a free API key at hackertarget.com.
- Phase 2 passive sources run concurrently (5 threads by default)
- Phase 3 subdomain resolution runs with `--threads` workers (default: 10)
- Typical full scan of a large domain: 3-8 minutes
- Use `--passive-only` to skip the ~11k subdomain wordlist and reduce to 1-2 minutes
- Use `--threads 25` to speed up subdomain resolution (watch for DNS resolver bans)
- Censys v2 free tier: limited monthly query quota; check `search.censys.io/account`
- Shodan free tier: host search is a paid feature; you need a paid plan or use the membership API
- SecurityTrails free tier: 50 API calls/month on free plan
- HackerTarget: 100 free queries/day across all their endpoints combined
```
CloudFail-main/
├── requirements.txt
├── README.md
└── cloudfail/
    ├── __init__.py
    ├── __main__.py               # CLI entry point, phase orchestration
    ├── config.py                 # Constants, runtime state
    ├── data/
    │   ├── subdomains.txt        # Built-in ~11k subdomain wordlist
    │   └── cf-subnet.txt         # Cached Cloudflare CIDR ranges (auto-generated)
    ├── core/
    │   ├── cloudflare.py         # CF range management, IP detection
    │   ├── certificate_pivot.py  # CT + passive sources + Censys/Shodan/ST
    │   ├── dns_history.py        # DNS resolution + passive DNS aggregation
    │   ├── asn_filter.py         # ASN lookup, IP enrichment
    │   └── tor_handler.py        # Tor SOCKS5 proxy configuration
    └── utils/
        ├── http_client.py        # Centralised HTTP session (ALL requests here)
        └── logger.py             # Rich-based logger with debug/quiet modes
```

This tool is provided for authorized security testing and research purposes only.
- You must have explicit written permission from the asset owner before scanning
- Unauthorized scanning may violate the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act, and equivalent laws in your jurisdiction
- The authors accept no liability for misuse of this tool
- Cloudflare's ToS prohibits intentional origin IP discovery against protected customers
- Use responsibly and ethically
- Fork the repository
- Create a feature branch: `git checkout -b feature/new-source`
- Add your data source in `certificate_pivot.py` or `dns_history.py`
- Ensure it:
  - Uses `http_client.get()`, never `requests.get()` directly
  - Has timeout handling
  - Returns an empty list/set on any failure (never raises)
  - Has a `logger.info/warning` for rate limits
  - Has a `logger.debug_exc()` call in the except block
- Add it to the concurrent source map in the aggregation function
- Update the data sources table in README.md
- Submit a PR
MIT License; see original CloudFail repository for full text.
Original CloudFail by m0rtem (2018).
v2.0 Enhanced Edition (2026).