search

Bypass IP Blocking

hashtag
X-Forwarded-For

Try to include X-Forwarded-Forto the request

If X-Forwarded-For is supported, use a Pitchwork attack and add it as a payload. You can use a Collaborator payload or even a Number type

hashtag
Include your own valid credz in your list

You might sometimes find that your IP is blocked if you fail to log in too many times. In some implementations, the counter for the number of failed attempts resets if the IP owner logs in successfully. This means an attacker would simply have to log in to their own account every few attempts to prevent this limit from ever being reached.

In this case, merely including your own login credentials at regular intervals throughout the wordlist is enough to render this defense virtually useless.

hashtag
Burp Extension - IP rotate

LogoGitHub - PortSwigger/ip-rotate: Extension for Burp Suite which uses AWS API Gateway to rotate your IP on every request.GitHubchevron-right
LogoBypassing API rate limiting using IP rotation in Burp SuiteDana Epp's Blogchevron-right

hashtag
IPSpinner

LogoGitHub - synacktiv/IPSpinner: IPSpinner works as a local proxy that redirects requests through external services.GitHubchevron-right

hashtag
Tool to launch a password spray / brute force attach via Amazon AWS

CredMaster

LogoGitHub - knavesec/CredMaster: Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttlingGitHubchevron-right
Credmaster2WhyNotSecuritychevron-right

hashtag
Git rotate

LogoGitHub - dunderhay/git-rotate: Leveraging GitHub Actions to rotate IP addresses during password spraying attacks to bypass IP-Based blockingGitHubchevron-right

hashtag
Resources

LogoBypassing IP Based Blocking with AWS API GatewayRhino Security Labschevron-right
PreviousKraken - All-in-One ToolNextHydra - Basics

Last updated