
cfsearch: Best Security Recon Tools for Pentesters in 2026


cfsearch finds origin IPs hidden behind Cloudflare by spraying CIDR ranges with concurrent HTTP/HTTPS probes and validating responses with a forged Host header.

Pricing: Open-Source

Tech Stack: Go; concurrent HTTP/HTTPS probing; CIDR expansion; Host-header spoofing; file-based target lists

Target: pentesters, red teamers, and security researchers

Category: Security Recon Tools

What Is cfsearch?

cfsearch, built by internetkafe, is a Go-based security recon tool for pentesters and security researchers who need to recover an origin IP hidden behind Cloudflare or another CDN. cfsearch is one of the best Security Recon Tools for pentesters, red teamers, and incident responders. It scans CIDR ranges or flat IP lists, sends HTTP and HTTPS requests with a forged Host header, and checks whether the target domain appears in responses with status 200, 301, or 308.

Quick Overview

| Attribute | Details |
|---|---|
| Type | Security Recon Tools |
| Best For | pentesters, red teamers, and security researchers |
| Language/Stack | Go; concurrent HTTP/HTTPS probing; CIDR expansion; Host-header spoofing; file-based target lists |
| License | N/A |
| GitHub Stars | N/A as of Feb 2026 |
| Pricing | Open-Source |
| Last Release | N/A |

Who Should Use cfsearch?

  • Pentesters validating edge exposure who need to test whether a hostname resolves to an origin that is still reachable through a CDN layer.
  • Red teams running controlled infrastructure recon that requires fast, scriptable probing of IP ranges without spinning up a full passive recon stack.
  • Incident responders checking misconfiguration when a web property may have leaked an origin IP through DNS history, stale records, or forgotten firewall rules.
  • Infrastructure engineers auditing CDN setup who want to confirm that the origin does not answer directly to Internet traffic with the public Host header.

Not ideal for:

  • Targets that aggressively rate-limit, tarpit, or block spoofed Host headers at the origin or perimeter.
  • Passive reconnaissance workflows where you only want DNS, certificate transparency, or subdomain enumeration results.
  • Teams that need a GUI, centralized cloud execution, or a managed scanning platform instead of a local CLI binary.

Key Features of cfsearch

  • CIDR and file-based input — cfsearch can scan IPs from a CIDR block or from a file containing explicit addresses. That makes it usable for both broad sweeps and curated target lists.
  • Concurrent worker pool — the -workers flag controls parallelism, so you can push throughput up on a fast link or back off when the target starts returning noise. The design is simple and predictable for shell pipelines.
  • Timeout tuning — the -timeout flag prevents slow hosts from clogging the scan queue. This matters when probing mixed infrastructure where some IPs blackhole traffic and others answer immediately.
  • HTTP and HTTPS probing — cfsearch sends both protocol variants, which matters because many origins answer on 443 even when the public site is fronted by a CDN. TLS verification is disabled for speed, so self-signed or mismatched certificates do not stop the probe.
  • Host-header validation — the tool does not rely on DNS resolution. It connects directly to candidate IPs and sets the Host header to the target domain, then checks whether the response body contains the domain name on success statuses.
  • Progress feedback — the -progress flag surfaces scan progress during long runs. That is useful when you are sweeping large CIDR ranges and want a quick read on throughput and completion.
  • Automatic hit persistence — discovered IPs are appended to cfsearch.txt by default. That makes it easy to diff results across runs, archive findings, or feed the output into another workflow such as OpenTrace for request-path verification or DataHaven for result retention.

cfsearch vs Alternatives

| Tool | Best For | Key Differentiator | Pricing |
|---|---|---|---|
| cfsearch | Fast origin-IP discovery from CIDR ranges | Direct IP probing with forged Host header and status-aware body checks | Open-Source |
| CloudFail | Automated Cloudflare origin discovery | More opinionated workflow around Cloudflare-focused bypass checks | Open-Source |
| amass | Broad attack surface mapping | Much wider recon scope, including passive and active asset discovery | Open-Source |
| subfinder | Passive subdomain enumeration | Finds hostnames, not origin IPs behind a CDN | Open-Source |

Pick CloudFail when you want a more automated Cloudflare-oriented recon flow and do not mind a larger footprint. Pick amass when the task is broader asset discovery and you need subdomains, ASN data, and multiple recon stages in one pipeline.

Pick subfinder when you do not yet know which hostnames exist and need passive enumeration before active probing. cfsearch is the better fit once you already suspect an origin range and want to test IPs directly.

How cfsearch Works

cfsearch uses a straightforward active-probing model. The scanner expands candidate IPs from a CIDR block or reads them from a file, then pushes those targets through a worker pool implemented in Go. Each worker opens an HTTP or HTTPS request to the candidate IP, sets the Host header to the domain you are testing, and checks the response for a match in the body or one of the supported redirect statuses.

The design choice that matters most is direct socket-to-IP probing rather than DNS-based discovery. That means cfsearch can catch origin servers that still answer when the correct Host header is supplied, even if the public DNS points somewhere else. The trade-off is that it is only as accurate as the response behavior you get back, so blanket scanning without a plausible IP range creates noise and wasted time.

./cfsearch -cidr 104.16.0.0/12 -host example.com -workers 128 -timeout 5s -progress

That example scans a Cloudflare-sized CIDR block, uses a high worker count, and prints progress while looking for the target domain in successful responses. Expect the first valid hits to be written to cfsearch.txt, then verify those IPs manually with curl, browser requests, or a follow-up trace tool.
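
Seen from the origin, the probing described in this section shows up in access logs as requests that carry the public Host header but arrive from addresses outside the CDN's ranges. The Go sketch below is an added example, not part of cfsearch or its repository; it flags those sources, which is the check an infrastructure engineer auditing a CDN setup would run. The log format, the sample lines, and the two-range allowlist are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed allowlist (the two ranges in this page's commands); in
// production load the CDN's currently published ranges instead.
var cdnRanges = []netip.Prefix{
	netip.MustParsePrefix("173.245.48.0/20"), netip.MustParsePrefix("104.16.0.0/12"),
}
var probeStatus = map[string]bool{"200": true, "301": true, "308": true} // statuses the page says the probe accepts

// Constructed origin access log: "<client-ip> <host-header> <status>".
const sampleLog = `173.245.49.10 example.com 200
198.51.100.7 example.com 200
198.51.100.7 example.com 301
203.0.113.9 203.0.113.50 404
not-an-ip example.com 200
192.0.2.44 EXAMPLE.com:443 308`

// DirectHits counts, per source IP, requests that named the protected host,
// got a probe-accepted status, and did not arrive from a CDN range.
func DirectHits(log, host string) map[string]int {
	hits := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		ip, err := netip.ParseAddr(f[0])
		h, _, _ := strings.Cut(strings.ToLower(f[1]), ":") // drop any :port
		if err != nil || h != host || !probeStatus[f[2]] {
			continue // malformed address, other vhost, or origin refused
		}
		fromCDN := false
		for _, p := range cdnRanges {
			fromCDN = fromCDN || p.Contains(ip)
		}
		if !fromCDN {
			hits[ip.String()]++
		}
	}
	return hits
}

func main() { fmt.Println(DirectHits(sampleLog, "example.com")) }
```

Any non-empty result means the origin answered the public hostname for a client that bypassed the CDN, so the origin firewall or virtual-host configuration should be restricted to the CDN's ranges.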

Pros and Cons of cfsearch

Pros:

  • Very small operational footprint — it is a Go CLI binary, so deployment amounts to building it once and running it on any OS that Go can target.
  • Fast parallel scanning — the worker model lets you trade rate for speed in a single flag instead of editing code.
  • Useful for controlled recon — it works well when you already have a CIDR block or a shortlist of candidate addresses.
  • Simple output handling — discovered IPs go into cfsearch.txt, which is easy to parse from shell scripts or CI jobs.
  • Protocol coverage — HTTP and HTTPS probing catches origins that answer on one port but not the other.
  • Low ceremony — there is no database, no web UI, and no agent to manage.

Cons:

  • Not passive — cfsearch does not discover targets for you, so you need a plausible IP range before it becomes useful.
  • Potential false positives — body matching on the domain string can surface responses that mention the domain without proving full control of the origin.
  • TLS verification is skipped — this speeds scanning, but it also means certificate problems will not help you distinguish legitimate from suspicious hosts.
  • Limited workflow scope — it does one job well and does not attempt broader attack surface mapping, DNS enumeration, or certificate intelligence.
  • Easy to trigger defenses — large worker counts against protected ranges can set off alerts or get traffic dropped quickly.

Getting Started with cfsearch

Clone the repository, build the binary, and run a narrow test scan first. The repo ships with a plain Go build path, so you do not need a package manager, container, or external service just to get started.

git clone https://github.com/internetkafe/cfsearch.git
cd cfsearch
go build -o cfsearch main.go
./cfsearch -cidr 173.245.48.0/20 -host example.com -workers 64 -timeout 4s -progress

After the first run, cfsearch appends matching IPs to cfsearch.txt and prints progress to the terminal if enabled. Start with a small CIDR block and conservative concurrency, then increase -workers only after you confirm the target network responds cleanly and your own environment can sustain the request volume.

Verdict

cfsearch is the strongest option for origin-IP discovery when you already have a plausible CIDR range and need fast, scriptable validation. Its key strength is direct Host-header probing with simple Go deployment; its caveat is that it depends on noisy active scans and can produce false positives. Use it when you want a narrow recon utility, not a full attack surface platform.
