Bypass IP Blocking

X-Forwarded-For

Try adding an X-Forwarded-For header to the request.

If X-Forwarded-For is supported, use a Pitchfork attack and add it as a payload. You can use a Collaborator payload or even a Number type.

Include your own valid credz in your list

You might sometimes find that your IP is blocked if you fail to log in too many times. In some implementations, the counter for the number of failed attempts resets if the IP owner logs in successfully. This means an attacker would simply have to log in to their own account every few attempts to prevent this limit from ever being reached.

In this case, merely including your own login credentials at regular intervals throughout the wordlist is enough to render this defense virtually useless.
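From the defender's side, the reset-on-success flaw described above next to one way to close it. This is an added example, not part of the original notes; the class names, the threshold, the window and the sample events are assumptions, and `ip` is assumed to be the socket peer address rather than a client-supplied X-Forwarded-For value.

```python
from collections import defaultdict, deque

MAX_FAILS = 3   # assumed threshold
WINDOW = 900    # assumed sliding window, in seconds

class ResettingLimiter:
    """Flawed: any successful login from an IP clears that IP's failure count."""
    def __init__(self):
        self.fails = defaultdict(int)
    def allowed(self, ip, user, now):
        return self.fails[ip] < MAX_FAILS
    def record(self, ip, user, ok, now):
        if ok:
            self.fails[ip] = 0      # the bug: success on ANY account resets the IP
        else:
            self.fails[ip] += 1

class SlidingLimiter:
    """Hardened: failures only age out with time, counted per IP and per target account."""
    def __init__(self):
        self.by_ip = defaultdict(deque)
        self.by_user = defaultdict(deque)
    def _live(self, q, now):
        while q and now - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        return len(q)
    def allowed(self, ip, user, now):
        return (self._live(self.by_ip[ip], now) < MAX_FAILS
                and self._live(self.by_user[user], now) < MAX_FAILS)
    def record(self, ip, user, ok, now):
        if not ok:                          # a success never erases earlier failures
            self.by_ip[ip].append(now)
            self.by_user[user].append(now)

def replay(limiter, events):
    """Feed (ip, user, ok) events one second apart; return how many were blocked."""
    blocked = 0
    for t, (ip, user, ok) in enumerate(events):
        if limiter.allowed(ip, user, t):
            limiter.record(ip, user, ok, t)
        else:
            blocked += 1
    return blocked

# Constructed sample: two failures on another account, then a success on the
# client's own account, repeated four times from one documentation-range IP.
EVENTS = [("203.0.113.5", "victim", False), ("203.0.113.5", "victim", False),
          ("203.0.113.5", "owner", True)] * 4
```

Replaying `EVENTS` through both limiters shows the flawed one never blocks, while the hardened one blocks everything after the third failure until the window expires.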

Burp Extension - IP rotate

IPSpinner

Tool to launch a password spray / brute force attack via Amazon AWS

CredMaster

Git rotate

Resources
