← All Tools

unwaf

Discover the real origin IP behind a WAF/CDN using passive techniques.
GitHub ★ 180
go install github.com/mmarting/unwaf@latest
unwaf flow diagram

unwaf automates the process of finding origin IPs that bypass WAF/CDN protection. It combines 15 passive discovery methods (most with free tiers) and verifies candidates through a multi-signal scoring system: HTML similarity (60%), SSL certificate matching (25%), and HTTP header comparison (15%). Features uTLS Chrome fingerprinting to bypass WAF TLS detection, HTTP/2 support, CIDR neighbor scanning, ASN lookup, proxy support, batch processing, and JSON output. No active scanning, no brute force, just smart passive reconnaissance.

How it works

WAF Detection
Validates current DNS resolution against known WAF/CDN IP ranges and fingerprints via HTTP headers
Favicon Hashing
Fetches favicon.ico and generates MD5/SHA256/MMH3 hashes for external search
IP Discovery
Runs all enabled methods (up to 15 sources) to collect candidate IPs
Filtering
Removes WAF/CDN IPs (dynamically fetched CIDRs) and current DNS records
Port Scanning
Checks candidates on 8 common web ports concurrently
Verification
Scores candidates using HTML similarity (60%), SSL certificates (25%), and HTTP headers (15%)
Neighbor Scanning
Optionally scans /24 CIDR neighbors of confirmed IPs
ASN Lookup
Identifies ASN and organization for confirmed origin IPs
Results
Reports matches with scoring breakdown, ASN info, and verification commands

Features

  • 15 discovery methods (6 free, 8 free tier, 1 paid)
  • Multi-signal verification scoring: HTML similarity (60%), SSL certificates (25%), HTTP headers (15%)
  • WAF confirmation: checks if the domain is actually behind a WAF before scanning
  • WAF fingerprinting: identifies Cloudflare, Akamai, AWS CloudFront, Fastly, Sucuri, Imperva, FortiWeb, Radware, Azure Front Door, Google Cloud Armor, Vercel, Netlify and more
  • uTLS Chrome TLS fingerprinting to bypass WAFs detecting Go's TLS stack
  • HTTP/2 support with h1 fallback and browser-realistic headers
  • Favicon hashing (MD5, SHA256, MMH3) for Shodan/Censys lookups
  • CIDR /24 neighbor scanning for nearby origin IPs
  • ASN/organization lookup for confirmed IPs
  • Dynamic Cloudflare CIDR fetching with IPv6 WAF range support
  • Proxy support (HTTP, SOCKS5)
  • Rate limiting and retry logic with exponential backoff
  • Batch processing with domain list input
  • JSON output format for automation
  • Quiet mode (-q): outputs only IPs for piping into other tools
  • Smart domain input: accepts both example.com and https://example.com/path
  • Concurrent scanning with configurable workers

Discovery Methods

MethodTypeDescription
SPF recordsIncludedExtracts IPs from ip4:/ip6: SPF mechanisms
MX recordsIncludedResolves mail server hostnames (skips Google/Microsoft/etc.)
Subdomain probingIncludedResolves 30+ common subdomains (mail, dev, staging, origin...)
Certificate TransparencyIncludedQueries crt.sh for all subdomains, resolves to non-WAF IPs
WAF detectionIncludedFingerprints the WAF vendor via HTTP headers
Favicon hashingIncludedGenerates MD5/SHA256/MMH3 hashes for Shodan/Censys favicon search
AlienVault OTXFree APIPassive DNS records (optional API key improves rate limits)
RapidDNSFree APISubdomain enumeration via HTML scraping
HackerTargetFree APIHost search API (50 req/day limit)
Wayback MachineFree APIExtracts hostnames from archived snapshots via CDX API
ShodanFree APIHost search by SSL CN, hostname, favicon hash (free tier available)
DNSDB / FarsightFree APIHistorical DNS records (Community Edition: 500 queries/month)
SecurityTrails historyFree APIHistorical DNS A records (50 req/month free tier)
ViewDNS historyFree APIHistorical DNS A records (250 free requests, no credit card)
Censys SSL searchPaid APIFinds hosts presenting SSL certs matching the domain

Verification Scoring

SignalWeightDescription
HTML similarity60%Diff-based text comparison between candidate and reference
SSL certificates25%Serial matching (50%), CN match (25%), SAN overlap (25%)
HTTP headers15%Server, X-Powered-By, Set-Cookie comparison
Status codesadjustment+/-5-20% bonus/penalty based on status code alignment

Usage Examples

unwaf -d example.com
Basic scan with free methods only
unwaf -d https://example.com/path
Full URLs also work
unwaf -d example.com -s original.html
Use a manually saved HTML file as reference
unwaf -d example.com -t 40
Lower threshold to catch partial matches
unwaf -d example.com -w 100
Increase concurrency for faster scanning
unwaf -d example.com -v
Verbose output
unwaf -d example.com --json
JSON output format
unwaf -d example.com --scan-neighbors
Scan /24 CIDR neighbors of discovered IPs
unwaf -d example.com --proxy socks5://127.0.0.1:9050
Route through a proxy
unwaf -d example.com --rate-limit 2 --timeout 5
Rate limiting with custom timeout
unwaf -l domains.txt --json -o results.json
Batch processing with JSON output to file
unwaf -q -d target.com | nuclei -l -
Pipe into nuclei for automated testing
unwaf -q -d target.com | httpx -silent
Pipe into httpx for probing
unwaf -d target.com --json | jq '.bypasses[].ip'
Extract IPs from JSON output with jq

Options

FlagDescription
-d, --domainTarget domain or full URL (required)
-l, --listFile with domains, one per line (batch mode)
-s, --sourceLocal HTML file for comparison (optional)
-o, --outputWrite results to file
-c, --configConfig file path (default: $HOME/.unwaf.conf)
-t, --thresholdSimilarity threshold percentage (default: 60)
-w, --workersNumber of concurrent workers (default: 50)
--timeoutHTTP timeout in seconds (default: 10)
--rate-limitMax requests per second, 0 = unlimited (default: 0)
--proxyProxy URL (http:// or socks5://)
--scan-neighborsScan /24 CIDR neighbors of discovered IPs
--jsonJSON output format
-v, --verboseEnable verbose output
-q, --quietSilent mode: only output bypass IPs (for piping/automation)
--versionPrint version
-h, --helpDisplay help information
Version:3.0
Language:Go
License:GPL v3