Skip to content

Octolus/OctoIntel

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

6 Commits
.github/workflows
.github/workflows
Β 
Β 
docs
docs
Β 
Β 
src
src
Β 
Β 
.gitattributes
.gitattributes
Β 
Β 
.gitignore
.gitignore
Β 
Β 
CHANGELOG.md
CHANGELOG.md
Β 
Β 
CONTRIBUTING.md
CONTRIBUTING.md
Β 
Β 
Cargo.lock
Cargo.lock
Β 
Β 
Cargo.toml
Cargo.toml
Β 
Β 
LICENSE
LICENSE
Β 
Β 
README.md
README.md
Β 
Β 
SECURITY.md
SECURITY.md
Β 
Β 
ips.txt.example
ips.txt.example
Β 
Β 

Repository files navigation

πŸ” OctoIntel

Rust License: MIT Platform

Production-ready, ultra-fast reverse proxy backend IP scanner for discovering backend servers behind CDNs and reverse proxies like Cloudflare.

By Octolus from OctoVPN team

⚑ Features

  • πŸš€ Blazing Fast - 2000-10000+ concurrent connections with dynamic CPU scaling
  • πŸ“ File Input - Load IP ranges from text files (CIDR notation)
  • 🌐 Multiple HTTP Methods - Support for HEAD, GET, and POST requests
  • πŸ” Content Matching - Search for specific patterns in HTML responses (regex supported)
  • 🎯 Flexible Status Codes - Match any HTTP status code (default: 202)
  • πŸ“Š Progress Tracking - Real-time progress bars with speed and ETA
  • 🎨 Beautiful Output - Colored terminal UI with detailed results
  • βš™οΈ Auto-Optimization - Automatically detects CPU cores and RAM for optimal performance
  • πŸ”§ Custom Headers - Add custom HTTP headers to requests
  • 🌍 Cross-Platform - Works on Windows, Linux, and macOS

πŸ“‹ Requirements

  • Rust 1.70+ (for building from source)
  • Windows 10/11, Linux, or macOS
  • At least 4GB RAM (8GB+ recommended for large scans)

πŸ”§ Installation

Build from Source

# Clone the repository
git clone https://github.com/Octolus/OctoIntel.git
cd OctoIntel

# Build release binary
cargo build --release

# Binary will be at: target/release/octointel.exe (Windows)
#                 or: target/release/octointel (Linux/macOS)

🎯 Real-World Use Case: Finding Backend Behind Cloudflare

When a website is behind Cloudflare (or similar CDN), you know the domain but need to find the actual backend server IP.

Scenario Setup

Your Domain: example.com
Current Status: Behind Cloudflare (proxy enabled)
Goal: Find the real backend IP address

Method 1: Fast Discovery with HEAD Request

Use HEAD when you know the backend returns a specific status code (like 202 Accepted):

# Quick scan looking for 202 status
octointel example.com \
  --ranges 35.207.0.0/16 \
  --method HEAD \
  --status-code 202

When to use HEAD:

  • βœ… Fast scanning (doesn't download content)
  • βœ… Backend returns unique status code
  • βœ… You don't need to check page content
  • ❌ Limited to HTTP status line only

Method 2: Content-Based Discovery with GET Request

Use GET when you need to verify content matches your site:

# Find backend by checking for your site's title
octointel example.com \
  --method GET \
  --content-match "<title>My Site Title</title>" \
  --ranges 35.207.0.0/16

When to use GET:

  • βœ… Need to verify page content
  • βœ… Can check for unique identifiers
  • βœ… More accurate (reduces false positives)
  • ❌ Slower (downloads full response)

Method 3: Regex Pattern Matching

Search for flexible patterns in the HTML:

# Match title with regex (case-insensitive, flexible)
octointel example.com \
  --method GET \
  --content-match "<title>.*example.*</title>" \
  --ranges 35.207.0.0/16

Common patterns to search for:

# Look for specific server headers
--content-match "Server: nginx/1.18.0"

# Find WordPress sites
--content-match "wp-content|wp-includes"

# Search for unique app identifiers
--content-match "data-app-id=\"abc123\""

# Match copyright text
--content-match "Copyright.*YourCompany"

πŸ“ IP Ranges File Format

Create ips.txt with CIDR ranges to scan:

# ips.txt - IP ranges to scan
# Lines starting with # are comments

# Google Cloud Platform - Common regions
35.207.0.0/16
35.208.0.0/16
35.209.0.0/16

# AWS - US East
3.208.0.0/12
52.0.0.0/14

# Digital Ocean
159.65.0.0/16
167.99.0.0/16

# Cloudflare (if backend is also on CF)
104.16.0.0/12
172.64.0.0/13

Then scan using the file:

octointel example.com --ip-file ips.txt

See ips.txt.example for comprehensive cloud provider ranges.

πŸš€ Quick Start Examples

Example 1: Basic Scan with Default Ranges

# Uses built-in Google Cloud ranges
octointel example.com

Example 2: Custom IP Ranges (Cloudflare Scenario)

# You know your backend is on Google Cloud US-West
octointel example.com \
  --ranges 35.207.0.0/16,35.208.0.0/16,35.209.0.0/16

Example 3: Find Backend by Page Title

# Your site has unique title, use GET to verify
octointel example.com \
  --method GET \
  --content-match "<title>Welcome to Example Corp</title>" \
  --ip-file ips.txt

Example 4: Check for Specific HTTP Header

# Backend returns custom header
octointel example.com \
  --method HEAD \
  --content-match "X-Custom-Backend: production" \
  --ranges 10.0.0.0/16

Example 5: Search for Server Signature

# Look for specific nginx version
octointel example.com \
  --method GET \
  --content-match "Server:.*nginx/1\\.18" \
  --ranges 35.207.0.0/20

Example 6: High-Speed Scan (Known Status Code)

# Backend always returns 202 for your domain
octointel example.com \
  --method HEAD \
  --status-code 202 \
  --workers 10000 \
  --timeout 300 \
  --ip-file google-cloud.txt

πŸ“– HEAD vs GET: When to Use Which?

Use HEAD When:

octointel example.com --method HEAD --status-code 202

βœ… Advantages:

  • Extremely fast (no content download)
  • Low bandwidth usage
  • Efficient for large IP ranges
  • Good when backend has unique status code

❌ Limitations:

  • Only checks HTTP status line and headers
  • Cannot verify page content
  • More false positives

Use GET When:

octointel example.com --method GET --content-match "<title>Your Site</title>"

βœ… Advantages:

  • Can verify actual page content
  • More accurate results
  • Can use regex for flexible matching
  • Reduces false positives

❌ Limitations:

  • Slower (downloads full response)
  • Higher bandwidth usage
  • May need larger buffer for big pages

πŸŽ›οΈ Command-Line Options

Basic Options

Option Description Example
DOMAIN Target domain (required) example.com
-r, --ranges IP ranges to scan (CIDR) -r 35.207.0.0/16,35.208.0.0/16
-f, --ip-file Load ranges from file -f ips.txt
-m, --method HTTP method (HEAD/GET/POST) -m GET
--status-code Status code to match --status-code 200
-c, --content-match Search pattern (regex) -c "<title>.*</title>"
-p, --port Target port -p 8080
-v, --verbose Debug output -v

Performance Options

Option Description Default
-w, --workers Concurrent connections Auto (2000-10000)
-t, --timeout Timeout in milliseconds Auto (300-1000)
--stop-on-find Stop after first match true

Advanced Options

Option Description Example
--header Custom HTTP header --header "User-Agent: Custom"
--post-body POST request body --post-body '{"key":"value"}'
--single-ip Test single IP --single-ip 35.207.76.249
--https Use HTTPS (TLS) --https

πŸ’‘ Practical Tips

1. Start with Small Ranges

# Test with /24 first (256 IPs)
octointel example.com --ranges 35.207.76.0/24

# Then expand to /20 (4096 IPs)
octointel example.com --ranges 35.207.0.0/20

# Finally scan /16 if needed (65536 IPs)
octointel example.com --ranges 35.207.0.0/16

2. Use Content Matching for Accuracy

# Instead of just status code...
octointel example.com --status-code 200

# Add content verification to reduce false positives
octointel example.com \
  --method GET \
  --status-code 200 \
  --content-match "<title>Your Unique Title</title>"

3. Combine Multiple Search Criteria

# Find backend with specific characteristics
octointel example.com \
  --method GET \
  --status-code 200 \
  --content-match "nginx.*Your-App-Name" \
  --header "Host: example.com"

4. Save Time with Known Information

If you know your hosting provider:

# Google Cloud only
octointel example.com --ip-file google-cloud.txt

# AWS only  
octointel example.com --ip-file aws.txt

# Mix of providers
cat google-cloud.txt aws.txt digitalocean.txt > mixed.txt
octointel example.com --ip-file mixed.txt

πŸ” Debugging Tips

Verbose Mode

# See every connection attempt
octointel example.com --ranges 35.207.76.0/24 --verbose

Output shows:

  • Connection attempts
  • Failures and reasons
  • Response details
  • Timing information

Test Single IP First

# Verify your pattern works on known IP
octointel example.com --single-ip 35.207.76.249 --verbose

Check Your Regex Pattern

Test regex before scanning large ranges:

# Test on small range first
octointel example.com \
  --ranges 35.207.76.0/28 \
  --content-match "your-pattern" \
  --verbose

πŸ“Š Understanding Output

============================================================
πŸ” OctoIntel v1.0.0
⚑ Ultra-fast reverse proxy backend scanner
============================================================

β„Ή Auto-detected system capabilities:
  β†’ CPU Cores: 8
  β†’ RAM: 16 GB
  β†’ Concurrent Workers: 5000
  β†’ Connection Timeout: 500ms

============================================================
βš™ Scan Configuration:
============================================================
  β†’ Target domain: example.com
  β†’ HTTP method: GET
  β†’ Port: 80
  β†’ Target status: 200
  β†’ Content match: <title>Example</title>
  β†’ IP ranges: 3
  β†’ Concurrent workers: 5000
  β†’ Timeout: 500ms

============================================================
➀ Scanning 65536 IPs in range 35.207.0.0/16
============================================================
[00:00:15] [β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ] 65536/65536 (100%) | 4369 IPs/sec

βœ“ FOUND: 35.207.76.249 - Status: 200, Content matched

⚠ Backend IP found! Stopping scan immediately...

============================================================
βœ“ Scan completed in 15.23s
============================================================
βœ“ Found 1 backend IP(s):
  β†’ 35.207.76.249 - Status: 200, Content matched

πŸ› οΈ Troubleshooting

No Results Found?

  1. Try GET instead of HEAD

    --method GET

  2. Change status code

    --status-code 200  # Try 200 instead of 202

  3. Remove content matching temporarily

    # Test without pattern first
octointel example.com --ranges 35.207.76.0/24

  4. Use verbose mode

    -v

Scan Too Slow?

# Reduce workers
--workers 2000

# Increase timeout
--timeout 1000

# Use HEAD instead of GET
--method HEAD

Too Many Open Files (Linux/Mac)

ulimit -n 65536

πŸ“š Common Cloud Provider Ranges

Google Cloud Platform

# North America
35.207.0.0/16
35.208.0.0/16
35.209.0.0/16
35.210.0.0/16

# Europe
35.212.0.0/16
35.213.0.0/16

# Asia
35.215.0.0/16
35.216.0.0/16

Amazon AWS

# US East
3.208.0.0/12
52.0.0.0/14

# US West
13.56.0.0/16
54.176.0.0/12

Digital Ocean

# New York
159.65.0.0/16
167.99.0.0/16

# San Francisco
159.89.0.0/16
165.227.0.0/16

⚠️ Legal Notice

This tool is provided for educational and authorized testing purposes only.

  • βœ… Use on your own infrastructure
  • βœ… Use with explicit written permission
  • βœ… Use for authorized security assessments
  • ❌ Do NOT use for unauthorized access
  • ❌ Do NOT use for malicious purposes

Users are responsible for complying with all applicable laws and regulations.

🀝 Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.

πŸ“„ License

This project is licensed under the MIT License - see the LICENSE file for details.

πŸ™ Acknowledgments

πŸ“§ Contact

Made with ❀️ and ⚑ Rust by Octolus from OctoVPN team

About

No description, website, or topics provided.

Resources

Readme

License

MIT license

Contributing

Contributing

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages