Neved4/behindTheCDN
[Draft] behindTheCDN.sh - Bypass CDN/WAFs!

Red Team / OSINT reconnaissance tool that searches IP addresses behind Content Delivery Networks (CDNs) and Web Application Firewalls (WAFs).

Leverages DNS resolution history, SSL certificate analysis and HTTP response headers from VirusTotal, Censys and Shodan to determine potential CDN/WAFs protecting a domain.
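The header-based part of that check, as an added example that is not the project's own code: a POSIX sh function that classifies captured HTTP response headers by well-known CDN/WAF signatures, so an operator can confirm that the CDN/WAF is actually in front of a host they are responsible for (for example `curl -sI https://your.host | detect_cdn`). The signature list and the two sample responses are my own constructed, illustrative values.

```shell
#!/bin/sh
# Constructed sample responses (hypothetical values, not captured from any real host).
SAMPLE_CLOUDFLARE='HTTP/2 200
date: Mon, 01 Jan 2024 00:00:00 GMT
server: cloudflare
cf-ray: 0123456789abcdef-XXX
cf-cache-status: HIT'

SAMPLE_ORIGIN='HTTP/1.1 200 OK
server: nginx/1.24.0
content-type: text/html'

# detect_cdn: read raw response headers on stdin, print the matching CDN/WAF
# name (or "none"); returns 0 on a match, 1 otherwise.
detect_cdn() {
    # Normalise CRLF line endings and case so the patterns stay simple.
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    # Each rule is "name|regex"; the regex is an ERE over one header per line.
    # Illustrative signatures only; extend for the providers you actually use.
    for rule in \
        'cloudflare|^server: *cloudflare|^cf-ray:' \
        'akamai|^server: *akamaighost|^x-akamai-' \
        'cloudfront|^x-amz-cf-id:|^via: .*cloudfront' \
        'fastly|^x-served-by: *cache-|^fastly-' \
        'imperva|^x-iinfo:|^x-cdn: *incapsula'
    do
        name=${rule%%|*}
        pattern=${rule#*|}
        if printf '%s\n' "$hdrs" | grep -Eq "$pattern"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

# Run both samples; a non-match is expected for the bare origin, so do not
# let its exit status abort the script when run under set -e.
for sample in "$SAMPLE_CLOUDFLARE" "$SAMPLE_ORIGIN"; do
    printf '%s\n' "$sample" | detect_cdn || :
done
```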

[Screenshot: Catppuccin Mocha theme, font Menlo.]

Getting Started

Prerequisites

Important

The script requires API keys for the VirusTotal, Censys, and Shodan APIs.
See: VirusTotal API, Censys API, Shodan API.

To succeed, you'll need:

  1. The API keys.
  2. Any shell listed in Supported shells.
  3. The following dependencies: curl, jq, dig, xmllint.

Online

Copy and paste the code below and press enter:

curl -fsSL https://raw.githubusercontent.com/Neved4/behindTheCDN/main/src/behindTheCDN.sh | sh -s -- --from-curl

Installation

Homebrew

If you have brew installed, run:

$ brew install Neved4/homebrew-tap/behindTheCDN

Basic Install

$ /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/Neved4/BehindTheCDN/HEAD/tools/install.sh)"

Set the API keys for VirusTotal and Censys in the API.conf file.

Manual Installation

First clone the .git repository:

$ git clone https://github.com/Loop-Man/BehindTheCDN

Then add permissions to execute:

$ chmod u+x behindTheCDN.sh

Finally, set the API keys for VirusTotal and Censys in the API.conf file.

Docker

To run the script inside a Docker image, run:

docker build .

Usage

The following options are available:

usage: behindTheCDN.sh [-ci] [-d <domain> | -f <file>] [-o <output>] ...

Options:
  -c          search by Censys API
  -d <domain> search by DNS history on a specific domain
  -f <file>   search by DNS history on every domain in the file
  -i          search by DNS history, SSL certificate, subdomains
  -o <output> save the output to a file

Examples

The following option allows you to search for a particular domain:

$ ./behindTheCDN.sh -d example.com

Launch more queries and search by DNS history and SSL certificates:

$ ./behindTheCDN.sh -d example.com -i

Search using the Censys API:

$ ./behindTheCDN.sh -d example.com -c

Indicate a file with domains to look for a possible bypass:

$ ./behindTheCDN.sh -f domains.txt

Options can be combined and be used at the same time:

$ ./behindTheCDN.sh -d example.com -i -c

$ ./behindTheCDN.sh -ci -f domains.txt

By default, behindTheCDN.sh writes its output to a timestamped file in the results/ folder.

Performance

See: Benchmarks.

Portability

Supported systems

Most versions and distributions of Linux, FreeBSD, and macOS should work. Here are the ones we've tested:

System      Supported
macOS 14    ✅ Yes
FreeBSD 14  ✅ Yes
Fedora 40   ✅ Yes
Debian 12   ✅ Yes
WSL 2       ✅ Yes

Supported shells

Shell   Version      Supported
bash    5.2.26       ✅ Yes
dash    0.5.12       ✅ Yes
ksh93   93u+m/1.0.8  ✅ Yes
mksh    59c          ✅ Yes
oksh    7.5          ✅ Yes
yash    2.56.1       ✅ Yes
zsh     5.9          ✅ Yes
osh     0.20.0       ✅ Yes
posh    0.14.1       ⚠️ No [1]

Standards

This script is compatible with ISO 9945:2009, also known as POSIX.1-2017. [2]

License

This repository is licensed under the terms of the MIT License.

See the LICENSE file for details.

Footnotes

  1. posh won't work with the curl one-liner because it lacks the -s option that POSIX specifies for sh.

  2. IEEE Std 1003.1-2017: Standard for Information Technology — Portable Operating System Interface (POSIX®), ISO/IEC/IEEE 9945:2009/COR 2:2017. URL: https://pubs.opengroup.org/onlinepubs/9699919799/