Bypass Cloudflare WAF & Reveal Origin IP with Metasploit

How to Bypass Cloudflare WAF and Find Real IP with Metasploit

🔐 What is a WAF (Web Application Firewall)?

A Web Application Firewall (WAF) is a security system designed to filter, monitor, and block malicious HTTP/S traffic to and from a web application. Cloud-based WAFs like Cloudflare, Akamai, Imperva, and AWS Shield act as a protective shield between a website and the internet.

One of their most important features is IP masking: hiding the real IP address of the server behind a secure CDN network. This makes direct attacks difficult — unless the attacker finds the actual origin IP.

Ethical hackers and bug bounty hunters often try to identify the real server IP for testing vulnerabilities that WAFs might block or obscure.

🔍 Why Use Metasploit's cloud_lookup?

The Metasploit module auxiliary/gather/cloud_lookup is designed to uncover real IP addresses behind WAF/CDNs by aggregating data from multiple DNS and OSINT sources like ViewDNS, Censys, and reverse IP databases.

📦 Features of cloud_lookup Module

  • Supports over 15 different WAF/CDN providers
  • Subdomain enumeration and brute-forcing support
  • DNS history and CNAME analysis
  • API key support for enhanced lookups (e.g., Censys)
  • Threaded performance for faster scans

⚙️ How to Use It in Metasploit

Start your Metasploit console and load the module:

msf6 > use auxiliary/gather/cloud_lookup
msf6 auxiliary(gather/cloud_lookup) > set HOSTNAME victim-site.com
msf6 auxiliary(gather/cloud_lookup) > set THREADS 10
msf6 auxiliary(gather/cloud_lookup) > run

Optional Configurations

  • SSL: Set to true if the target uses HTTPS
  • WORDLIST: Add a custom wordlist for subdomain discovery
  • CENSYS_UID & CENSYS_SECRET: Enhance output with API access

📊 Output and Interpretation

The module will return:

  • Possible IP addresses used previously by the domain
  • Subdomains pointing to non-CDN IPs
  • DNS records not protected by Cloudflare

Any discovered IP outside known WAF/CDN ranges may indicate the real backend server.

🧪 Real-World Example

During a bug bounty engagement, a researcher discovered that the target used Cloudflare, but one of its forgotten subdomains (e.g., dev.api.example.com) still resolved to a public IP address hosted on DigitalOcean. Using cloud_lookup helped uncover this by querying ViewDNS historical data.
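The "IP outside known CDN ranges" signal from the Output section, and the forgotten-subdomain case above, can be checked from the defending side without any lookup service: export the zone from your DNS provider and classify every A record against the CDN's published ranges. The script below is an added example written for this post; it is not part of the original article or of the Metasploit cloud_lookup module. The zone text is constructed, the host names are placeholders, and the range list is a snapshot of https://www.cloudflare.com/ips-v4 that should be refreshed before use. The expected_direct set names hosts that are deliberately not proxied (mail, in the sample) so they are not reported as leaks.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# The list changes occasionally; fetch the current copy before relying on it.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]

# Constructed zone export (BIND-style lines). example.com is a reserved
# documentation domain; 203.0.113.0/24 and 198.51.100.0/24 are TEST-NET ranges.
SAMPLE_ZONE = """\
example.com.          300 IN A     104.16.1.1
example.com.          300 IN A     104.16.2.1
www.example.com.      300 IN A     172.64.100.5
dev.api.example.com.  300 IN A     203.0.113.17
mail.example.com.     300 IN A     198.51.100.25
blog.example.com.     300 IN CNAME example.com.
"""


def is_cloudflare_ip(ip: str) -> bool:
    """True if the IPv4 address falls inside one of the snapshot ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def parse_a_records(zone_text: str) -> Dict[str, List[str]]:
    """Collect A records as {hostname: [ip, ...]}; other record types are skipped."""
    records: Dict[str, List[str]] = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN" or parts[3] != "A":
            continue
        host = parts[0].rstrip(".")
        records.setdefault(host, []).append(parts[4])
    return records


def audit_records(records: Dict[str, List[str]],
                  expected_direct: Set[str] = frozenset()) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs that resolve outside the CDN and are not
    on the list of hosts that are intentionally unproxied."""
    leaks: List[Tuple[str, str]] = []
    for host in sorted(records):
        if host in expected_direct:
            continue
        for ip in records[host]:
            if not is_cloudflare_ip(ip):
                leaks.append((host, ip))
    return leaks


if __name__ == "__main__":
    zone = parse_a_records(SAMPLE_ZONE)
    for host, ip in audit_records(zone, expected_direct={"mail.example.com"}):
        print(f"unproxied A record: {host} -> {ip}")
```

Run against a real zone export, every host the script reports is one that a DNS-based origin lookup would also surface; the fix is to proxy the record through the CDN, retire the host, or restrict the origin's firewall so that it only accepts traffic from the same published ranges.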

❓ Frequently Asked Questions

Is using cloud_lookup illegal?

Only if used on targets you don’t have permission to test. It’s designed for ethical hacking and security research.

Does it always find the real IP?

No. If the server is properly configured and all DNS records are protected, the module might return only WAF IPs.

⚠️ Disclaimer

This article is for educational purposes only. Do not use this tool or method on any system you do not own or have explicit permission to test. Unauthorized scanning or probing is illegal in most jurisdictions.

🧠 Conclusion

The cloud_lookup module is an excellent addition to your reconnaissance phase when performing ethical hacking or bug bounty hunting. While it doesn't guarantee success against all setups, it’s a valuable, automated way to look for misconfigurations that leak real IPs behind WAFs.

📚 Further Reading

© 2025 CyberSec Blog — Ethical Hacking Resources & Tutorials