Have you ever wondered what the real IP address behind a website is? Most sites don't expose their origin IP directly, for security reasons, but finding and protecting a website's real IP address is an important step in locking down its infrastructure.
In this comprehensive guide, we'll explore what a website's real IP is, why it matters, and the techniques security researchers use to uncover it despite efforts to hide it. Stick with me as I walk you through it step by step!
What is a Website's Real IP Address?
Every website is hosted on a server identified by an IP address. The IP of the server that actually hosts the website is considered its "real" or "origin" IP address.
For example, if a site like example.com is hosted on the server with IP 192.0.2.1, then 192.0.2.1 is the real IP address of example.com.
Knowing a website's origin IP address can reveal a lot of information – like the hosting provider, server location, technologies used etc. More importantly, it exposes the actual infrastructure of the site.
If malicious actors gain access to the real IP, they can directly attack the hosting server with exploits, DDoS and more. That's why most websites today hide their real IP address and instead expose frontend proxy servers, CDNs or cloud hosting services to the public internet.
But finding the real IP still has legitimate uses, such as security research, audits and troubleshooting connectivity issues. As a cybersecurity analyst myself, I often need to find origin IPs during red team exercises and penetration tests.
Next, let me show you how sites typically try to obscure their real IP.
How Websites Hide Their Real IP Address
There are several techniques sites use to hide their backend infrastructure and avoid exposing the real IP publicly:
- Cloud hosting services – Instead of dedicated servers, sites can use cloud platforms like AWS, GCP, Azure. The real IPs stay hidden behind the cloud provider's network. Cloudflare claims that around 20% of internet properties today are hosted on the major cloud providers.
- Reverse proxies – Sites place an intermediate proxy server between end users and the origin infrastructure. All requests go through the proxy which hides backend servers. Over 35% of Alexa top 1 million sites are estimated to be behind reverse proxies.
- CDNs – Content Delivery Networks like Cloudflare and Akamai proxy user requests to cache and deliver content efficiently. The CDN IP is seen instead of origin IP. Cloudflare has over 20% market share of the CDNs today.
- Load balancers – Websites may use LBs to distribute traffic across multiple servers. Only the LB's IP is visible externally. Amazon's ALB alone handles over 1.3 trillion requests daily!
- VPN/VLAN – Hosting servers can be isolated within a separate virtual network or VPN to conceal their IPs. Corporate sites often use VLANs internally.
- Domain hosting – Hosting providers often hide infrastructure IPs behind their own DNS servers. GoDaddy serves over 20 million domain names.
But there are still ways to find the real IP address of a website, as we'll see next.
Techniques to Find a Website's Real Hidden IP Address
Despite obfuscation techniques, the real IP address of a website can still be uncovered using various tools and methods. Let's look at some of them – I've organized them from simple to more advanced techniques:
1. DNS Lookups
One of the first things to check is public DNS records of a domain, which can reveal origin IPs:
- dig or nslookup – Fetch A records for the domain. This may return real IPs if not sanitized.
- Reverse DNS – Do a reverse lookup on IPs found to verify ownership. Hostmasters often misconfigure PTR records.
- Subdomain scanning – Tools like Sublist3r enumerate subdomains which may point to origin IPs. I've found many lucky breaks with this technique.
- Zone transfers – Attempt zone transfers to get all DNS records, if enabled. Misconfigurations here are rare but can expose internal IPs.
DNS records are easily sanitized, so on their own they are not a reliable IP disclosure vector, but they are worth checking as the first basic step.
2. SSL Certificate Inspection
View SSL certificate details of the website, either using online tools or openssl s_client locally. The certificate may be linked to the real IP instead of a CDN/proxy.
This method is less useful today as domains tend to use wildcard certificates valid across multiple servers. But I've still found some luck with self-signed certs.
3. Web Service Fingerprinting
Actively fingerprint the website‘s stack – HTTP headers, frameworks, web server etc. Tools like Wappalyzer and BuiltWith can identify technologies to deduce infrastructure details.
For example, if the stack is Nginx/Apache on CentOS/RHEL, it likely indicates a self-hosted origin server instead of shared hosting. The HTTP stack acts like a fingerprint for the backend.
4. Search Engines
Specialized search engines index the internet and can discover origin infrastructure:
- Censys – Searches certificates, websites and devices. Can reveal IPs behind CDNs. One of my favorite tools.
- Shodan – The "Google for Internet-connected devices". Finds origin servers based on banners/scans. Massive aid.
- ZoomEye – Chinese search engine using crawlers to explore web services and build an IoT database. Impressive capabilities.
- FOFA – Chinese passive scanner maintaining a vulnerability database by scanning internet assets. Feature-rich for security research.
These search engines really help uncover obscure infrastructure you won't find anywhere else. Their data sets are invaluable.
5. Virtual Host Scanning
Websites may be hosted on servers running multiple virtual hosts across different IP addresses. Tools like Altdns and Fierce scan for virtual hosts on the same IPs to uncover additional infrastructure.
I've found many hidden developer and staging sites with carefully crafted subdomain list scans. Virtual host scanning remains an underrated technique.
6. Traffic Interception
Proxy the target site through an intercepting proxy like Burp Suite to analyze traffic and HTTP headers like X-Forwarded-For which can reveal origin IPs that CDNs try to obscure.
When testing internally hosted web apps, intercepting outbound requests often discloses private network IPs which lead me to the actual origin servers.
7. SecurityTrails
SecurityTrails provides historical and current WHOIS and DNS data useful for uncovering previously associated IPs and infrastructure data.
I like cross-referencing DNS changes with SecurityTrails data to spot decommissioned IPs that may have hosted the site previously in a less secure setup.
8. Common Web Vulnerabilities
Certain vulnerabilities, like SSRF or XXE, when identified on a website, can sometimes be coerced into leaking internal IPs and infrastructure details.
While finding these vulns requires lots of effort, the huge payoff of potential internal IP access makes it worth testing for.
Verifying Identified IP Addresses
Once some potential origin IP addresses have been discovered, they need to be verified before assuming they are the real hosting IPs:
- Connect directly to the IP via HTTP, bypassing the website domain.
- Check response headers from the IP – the Server banner, X-Powered-By etc should match the website.
- Compare HTTP response codes like 404 pages. I like to match fuzzed invalid pages across IP and domain.
- Test for captive portals, load balancers etc which indicate a frontend IP. Quick way to weed out false positives.
- Try a TCP connection on other ports to see if they are open, indicating an origin server.
- Trace the route to the IP and compare with the site's actual location. Geolocation matching is necessary.
Only IPs that are confirmed to host the website content can be considered the real IP address. I tend to use a combination of these verification steps to avoid getting misdirected.
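To put the verification steps above into practice, here is an added example script (not from the original article) that fetches a path from a candidate IP while sending the site's Host header, then scores how closely that response matches the response obtained via the domain. fetch_via_ip, compare_fingerprints and the CDN header list are my own names and assumptions, and the constructed responses at the bottom stand in for live traffic.

```python
import hashlib
import http.client
import ssl

CDN_MARKERS = ("cf-ray", "x-amz-cf-id", "x-cache", "via")   # headers an edge/proxy adds (example set)
# "server" is deliberately not compared: CDNs rewrite it (Cloudflare sets "cloudflare").
FINGERPRINT_HEADERS = ("x-powered-by", "content-type")

def fetch_via_ip(ip, hostname, path="/", timeout=5):
    """Hypothetical helper: GET `path` over HTTPS from a specific IP while sending the
    site's Host header, so DNS (and therefore the CDN) is bypassed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # the certificate names the host, not the IP
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(ip, 443, timeout=timeout, context=ctx)
    conn.request("GET", path, headers={"Host": hostname})
    resp = conn.getresponse()
    out = {"status": resp.status, "body": resp.read(),
           "headers": {k.lower(): v for k, v in resp.getheaders()}}
    conn.close()
    return out

def body_digest(body):
    """Hash the body with whitespace collapsed so formatting noise is ignored."""
    return hashlib.sha256(b"".join(body.split())).hexdigest()

def compare_fingerprints(ref, cand):
    """Score (0.0 to 1.0) how closely a candidate IP's response for a path matches
    the response for the same path via the domain; also returns each check."""
    checks = {
        "status": ref["status"] == cand["status"],
        "body": body_digest(ref["body"]) == body_digest(cand["body"]),
        "no_cdn_headers": not any(h in cand["headers"] for h in CDN_MARKERS),  # an edge gives itself away
    }
    for h in FINGERPRINT_HEADERS:
        if h in ref["headers"]:
            checks["hdr:" + h] = ref["headers"][h] == cand["headers"].get(h)
    return round(sum(checks.values()) / len(checks), 2), checks

# Constructed responses standing in for live traffic (no real servers involved).
VIA_DOMAIN = {"status": 200, "body": b"<html>\n <body>Hello</body>\n</html>",
              "headers": {"server": "cloudflare", "cf-ray": "constructed-ray-id",
                          "content-type": "text/html; charset=utf-8", "x-powered-by": "PHP/8.2"}}
VIA_CANDIDATE = {"status": 200, "body": b"<html><body>Hello</body></html>",
                 "headers": {"server": "nginx/1.24.0", "content-type": "text/html; charset=utf-8",
                             "x-powered-by": "PHP/8.2"}}
VIA_UNRELATED = {"status": 200, "body": b"<html>Welcome to nginx!</html>",
                 "headers": {"server": "nginx", "content-type": "text/html"}}
```

A score near 1.0 with no CDN headers present is the pattern to look for; a high score that still carries cf-ray or via headers means you have found another edge, not the origin.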
Protecting the Real IP Address
Since exposing the origin IP can be a security risk, here are some tips to keep it secured:
- Host behind reputable cloud providers like AWS, Azure or GCP which shield the real IPs. Multiple hypervisor layers add obscurity.
- Use CDNs like Cloudflare for proxying traffic. Enable privacy features like IP masking for maximum effect.
- Place comprehensive firewalls and access controls on origin servers. Mandatory to avoid exploitation of real IPs.
- Monitor traffic to origin infrastructure for anomalies indicating an IP leak. Quickly catch any misconfigurations.
- Frequently rotate IP addresses. IP rotation should be an automated process for guaranteed security.
- Mask IPs in custom HTTP headers like CF-Connecting-IP for Cloudflare. Prevent leaking from headers.
- Strip revealing headers like Server, X-Powered-By etc on origin responses. Reduce fingerprintable information.
- Set up intrusion detection systems to catch scans and probes on origin IP ranges.
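As an added example that is not from the article, here is a small Python monitor for the "watch origin traffic for signs of a leak" and "catch probes on origin ranges" tips above: it reads web server access log lines and flags requests whose TCP peer is not a CDN address, which is what a leaked origin IP (or a missing firewall allow-list) looks like from the server side. The CDN prefixes, the log lines and all function names are constructed assumptions.

```python
import ipaddress
import re

# Constructed stand-ins for the CDN's published egress prefixes (documentation
# ranges only; a real deployment loads the provider's current list instead).
CDN_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:100::/48")]

# Minimal matcher for nginx/Apache "combined" log lines; assumes the first field
# is the TCP peer address, i.e. real-IP rewriting has NOT been applied to this log.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def from_cdn(ip_str):
    """True if the peer address falls inside one of the CDN's prefixes."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in CDN_PREFIXES)

def find_direct_hits(lines):
    """Return (peer_ip, request, time) for every request that did NOT arrive
    through the CDN. Any such hit means the origin address is reachable directly:
    either it has leaked or the origin firewall is not restricted to CDN ranges."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                      # tolerate malformed lines rather than stop the monitor
        if not from_cdn(m["ip"]):
            hits.append((m["ip"], m["req"], m["time"]))
    return hits

def summarize(hits):
    """Count direct hits per peer, busiest first, so a scan shows up as one noisy source."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))

# Constructed log lines (RFC 5737 / RFC 3849 documentation addresses), not from any real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.1.2"',
    '2001:db8:100::2a - - [10/Oct/2023:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:45 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "curl/8.1.2"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, req, when in find_direct_hits(SAMPLE_LOG):
        print(f"direct-to-origin request from {ip} at {when}: {req}")
```

If this ever reports hits in production, the right fix is the firewall tip above (allow only the CDN's ranges to reach the origin), with the log review telling you how long the address has been exposed.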
Conclusion
While websites try to conceal their hosting infrastructure for security, the real IP address can still be uncovered in multiple ways by determined researchers. However, this is a cat-and-mouse game as websites continue adding layers of obfuscation to protect their origin servers.
As a cybersecurity professional, I find knowing how to find and verify the real IP address of a website an invaluable skill for ethical hacking, penetration testing and red team engagements. At the same time, being aware of these techniques allows me to better secure infrastructure by hiding the real IPs more effectively.
I hope this guide was useful for you to understand how to track down and find the real IP address behind any website. Let me know if you have any other questions!