A less suspect way to get external IPs, thanks to Cloudflare.

Firstly, I didn't come up with this trick - I also can't remember who did, it's been rattling around my brainhole for a while. I figured I'd get it out of my brain and into a note in case anyone else finds it useful.

So in a lot of malware or attack playbooks, one of the first "situational awareness" things that people do after getting code execution on a host is try to determine its external IP address.

In many cases, this is achieved by making an HTTP request to some well known IP checking service like ifconfig.me or similar.

For defenders, this makes for a relatively interesting but noisy signature: if you see a host beaconing out to a known IP checking service, it might be worth spending a couple of minutes seeing what else that host is doing.

In Orc, the Bash post-exploitation framework I had some hand in writing a long time ago, we used Akamai and Google services for the "get ip" function, as you can see here. We specifically chose to use Akamai and Google because they look less suspect.

Now, with all that background out of the way, here is the neat "trick".

You can use any Cloudflare protected site to retrieve your external IP address, thanks to a script offered by the CDN. By simply sending a GET request to the /cdn-cgi/trace endpoint, you get back some output about your connection, including your external IP.

Let's try.

% curl -s cloudflare.com/cdn-cgi/trace
fl=[redacted]
h=cloudflare.com
ip=[redacted]
ts=[redacted]
visit_scheme=http
uag=curl/7.87.0
colo=DUB
sliver=none
http=http/1.1
loc=IE
tls=off
sni=off
warp=off
gateway=off
rbi=off
kex=none

Bear in mind - it's not JUST Cloudflare. We can run this test on ANY CF protected site. Obviously, I've replaced my external IP with a dummy one here.

% cat checkip.sh 
#!/bin/bash
# A handful of unrelated, high-reputation sites that sit behind Cloudflare.
my_hosts=("vimeo.com" "cdnjs.org" "cloudflare.com" "w3.org" "medium.com")
echo "doing tests"
for host in "${my_hosts[@]}"; do
  # Anchor on the "ip=" key so no other trace field can match by accident.
  curl -s "https://$host/cdn-cgi/trace" | grep '^ip=' | cut -d '=' -f 2
done
echo 'done tests'

% bash checkip.sh 
doing tests
1.3.3.7
1.3.3.7
1.3.3.7
1.3.3.7
1.3.3.7
done tests
% 

What is the utility of this?

Well, for situational awareness, you probably are going to want to have something in your playbook for grabbing a host's external IP.

It is much better tradecraft, though, to pick an appropriate, high-reputation site on CF and do the IP check via the trace endpoint than to call out to some random IP checker service. Much less signature.
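The flip side for the defenders mentioned earlier: because the domain changes but the path does not, a proxy-log rule keyed on the /cdn-cgi/trace path rather than on a list of IP checker domains still catches the checkip.sh pattern above (one client hitting the trace endpoint on several unrelated sites in a short window). This is an added example written for this note, not part of the original post; the log format, the sample lines and the `find_ip_lookups` function are all assumptions.

```python
"""Flag clients doing external-IP lookups via /cdn-cgi/trace or a known IP checker."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (assumed format: "<epoch> <client_ip> <method> <url> <ua>").
# 10.0.0.5 mimics the checkip.sh burst, 10.0.0.7 is ordinary browsing plus one trace hit,
# 10.0.0.9 uses a classic IP checker service.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET https://vimeo.com/cdn-cgi/trace curl/7.87.0
1700000001 10.0.0.5 GET https://cdnjs.org/cdn-cgi/trace curl/7.87.0
1700000001 10.0.0.5 GET https://cloudflare.com/cdn-cgi/trace curl/7.87.0
1700000002 10.0.0.5 GET https://w3.org/cdn-cgi/trace curl/7.87.0
1700000002 10.0.0.5 GET https://medium.com/cdn-cgi/trace curl/7.87.0
1700000003 10.0.0.7 GET https://medium.com/some-article Mozilla/5.0
1700000004 10.0.0.7 GET https://medium.com/cdn-cgi/trace Mozilla/5.0
1700000005 10.0.0.9 GET http://ifconfig.me/ curl/7.87.0
"""

TRACE_PATH = "/cdn-cgi/trace"
IP_CHECKERS = {"ifconfig.me"}  # assumed starter list; extend with the services you care about

def parse_line(line):
    """Split one assumed-format log line into its fields, with the URL decomposed."""
    ts, client, method, url, ua = line.split(" ", 4)
    parts = urlsplit(url)
    return {"ts": int(ts), "client": client, "host": parts.hostname, "path": parts.path, "ua": ua}

def find_ip_lookups(log_text, min_hosts=3, window=60):
    """Return {client: sorted hosts} for clients that either contacted a known IP checker
    or hit /cdn-cgi/trace on at least `min_hosts` distinct domains within `window` seconds.
    A single trace hit is deliberately not flagged, to keep the rule low-noise."""
    trace_hits = defaultdict(list)  # client -> [(ts, host)]
    alerts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev["host"] in IP_CHECKERS:
            alerts.setdefault(ev["client"], set()).add(ev["host"])
        elif ev["path"] == TRACE_PATH:
            trace_hits[ev["client"]].append((ev["ts"], ev["host"]))
    for client, hits in trace_hits.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide a window over the client's trace hits
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.setdefault(client, set()).update(hosts)
                break
    return {c: sorted(h) for c, h in alerts.items()}

if __name__ == "__main__":
    for client, hosts in find_ip_lookups(SAMPLE_LOG).items():
        print(f"{client}: external-IP lookup via {', '.join(hosts)}")
```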