A tool that helps you find the real IP addresses hiding behind Cloudflare by checking subdomains. For penetration testing, security research, and learning how Cloudflare protection works.
- What it does
- Installation
- How to use it
- Examples
- Output Formats
- Version History
- Contributors
- Contributing
- Support
- Need to avoid Rate Limits?
- Legal Notice
- License
- IPv4 & IPv6 support - Resolves both A and AAAA records
- Multiple IPs detection - Finds ALL IPs behind a domain, not just the first one
- Progress bar - Real-time progress with live stats (found/cloudflare count)
- Dynamic Cloudflare IP detection - Fetches latest IP ranges from Cloudflare's API (with fallback)
- Fast subdomain scanning - Uses multiple threads to speed things up
- Multiple wordlists - Combine several wordlists in a single scan
- Wordlist comments - Use
#to add comments in your wordlists - Multiple output formats - Export to JSON, YAML, CSV, or plain text
- Verbose & quiet modes - Control output verbosity
- Filters out Cloudflare IPs - Only shows you the real server addresses
- Bring your own wordlist - Or use the built-in one (dom.txt)
- Save your findings - Export results to a file for later
- Rate limiting - Won't spam the target and get you blocked
- Solid default wordlist - Organized and comprehensive for better results
- Python 3.8 or higher
- pip (Python package manager)
Clone the repository:
git clone https://github.com/moscovium-mc/CloudRip
cd CloudRipCreate a virtual environment and install dependencies:
Linux/macOS:
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txtWindows:
python -m venv venv
venv\Scripts\activate
pip install -r requirements.txtTip
Always use a virtual environment to avoid dependency conflicts with other Python projects.
Basic scan:
python3 cloudrip.py example.comWith all the options:
python3 cloudrip.py example.com -w wordlist1.txt -w wordlist2.txt -t 20 -o report.json -f jsonOptions:
| Option | Description |
|---|---|
<domain> |
The site you're testing (like example.com) |
-w, --wordlist |
Wordlist file(s). Can be specified multiple times (default: dom.txt) |
-t, --threads |
How many threads to run (default: 10) |
-o, --output |
Save results to a file |
-f, --format |
Output format: normal, json, yaml, csv (default: normal) |
-v, --verbose |
Show all results including "not found" entries |
-q, --quiet |
Minimal output - only show found IPs |
Basic scan:
python3 cloudrip.py example.comMultiple wordlists with JSON output:
python3 cloudrip.py example.com -w subs1.txt -w subs2.txt -o report.json -f jsonFast scan with 50 threads:
python3 cloudrip.py example.com -t 50 -o results.csv -f csvVerbose mode (see all attempts):
python3 cloudrip.py example.com -vQuiet mode (only found IPs):
python3 cloudrip.py example.com -q -o found.txtCloudRip Scan Report
============================================================
Target: example.com
Date: 2025-11-28T12:00:00+00:00
Total checked: 150
[FOUND] Non-Cloudflare IPs (3):
mail.example.com
v4:[192.168.1.1, 192.168.1.2, 192.168.1.3]
ftp.example.com
v4:[10.0.0.1] | v6:[2001:db8::1]
[CLOUDFLARE] Behind Cloudflare (5):
www.example.com
v4:[104.16.1.1 [CF], 172.67.1.1 [CF]] | v6:[2606:4700::1 [CF]]
{
"target_domain": "example.com",
"scan_date": "2025-11-28T12:00:00+00:00",
"total_checked": 150,
"summary": {
"found": 3,
"cloudflare": 5,
"not_found": 142,
"errors": 0
},
"results": { ... }
}domain,ipv4,ipv4_cloudflare,ipv6,ipv6_cloudflare,status,error
mail.example.com,192.168.1.1;192.168.1.2;192.168.1.3,,,,found,
www.example.com,104.16.1.1;172.67.1.1,104.16.1.1;172.67.1.1,2606:4700::1,2606:4700::1,cloudflare,See CHANGELOG.md for full version history.
Huge thanks to @Dxsk for the contributions to v2.1.0
Got ideas for improvements? Found a bug? If it's better wordlists, new features, or bug fixes - all contributions help.
How to contribute:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a pull request
Guidelines:
- Follow Python best practices and PEP 8
- Add type hints to new code
- Update documentation as needed
- Test your changes thoroughly
If you find this project useful, consider supporting my work:
Crypto donations:
bc1quavqz6cxqzfy4qtvq4zxc4fjgap3s7cmxja0k40x5287af72afbc152b09b3bf20af3693157db9e425HYZjfEx8NbEMJX1vL1GmGj39zA6TgMsHm5KCHWSZxF4j86zv6vTDuG35sdBzBpwVAsD71hbt2gjH14qiesyrSsMkUAWHQkPZyY9TreeQ5dXRuP57yitP4Yn13SQEcMK4MhtwFzPoRR1
CloudRip makes many DNS queries. Cloudflare will eventually block your IP.
Solution: Residential proxies rotate your IP address so you can scan without getting blocked.
Why ScrapingAnt?
- 3M+ residential IPs across 100+ countries
- Supports security testing workflows
- Free 10,000 credits to start
👉 Sign up for ScrapingAnt use code moscovium for 5% off.
Note: Run CloudRip through a system-wide proxy or use ScrapingAnt's API. Direct SOCKS proxy support coming when ScrapingAnt adds it.
Warning
FOR AUTHORIZED SECURITY TESTING ONLY
Only use CloudRip on systems you have explicit permission to test. This tool is designed for ethical security research, authorized penetration testing, and educational purposes only.
Unauthorized reconnaissance or scanning of systems is illegal and may violate various laws including:
- Computer Fraud and Abuse Act (CFAA) in the United States
- Computer Misuse Act in the United Kingdom
- Similar legislation in other jurisdictions
You are solely responsible for how you use this tool. The author assumes NO LIABILITY for any misuse, damage, or illegal activity conducted with CloudRip.
Ethical Use Required:
- Obtain written authorization before testing
- Respect rate limits and system resources
- Follow responsible disclosure practices
- Comply with all applicable laws and regulations
MIT License - See LICENSE for details.
Star this repo if you find it useful