Create With AI – Detecting Exposed Private IP Addresses on Public Assets

SecurityForEveryone

S4E.io

31/Dec/25

Enterprise-grade Automation with Pentester-level Flexibility

This library showcases real examples of how security teams use S4E Create with AI to save time, reduce manual effort, and strengthen their defenses. 

Unlike traditional scanners that limit users to predefined checks, S4E Create with AI gives complete flexibility. You describe what you need, and the AI builds and runs it instantly. This allows teams to automate the exact tests they want instead of being restricted to what the product designer imagined.

Detecting Exposed Private IP Addresses on Public Assets

Problem

Web servers and applications sometimes accidentally reveal internal private IP addresses (such as 10.x.x.x, 192.168.x.x, or 172.16-31.x.x) in HTTP response headers, error messages, or HTML source code. While these IPs are not directly reachable from the internet, exposing them gives attackers valuable intelligence about your internal network topology: it lets them map internal infrastructure, identify candidate targets for Server-Side Request Forgery (SSRF) attacks, and infer how load balancers and backend servers are arranged.

Risk Prevented: Network reconnaissance and internal infrastructure mapping that facilitates targeted attacks like SSRF.

Traditional Approach

Security analysts typically search for private IPs manually by “viewing source” on web pages or inspecting HTTP headers in proxy tools like Burp Suite. They might use grep commands on downloaded logs or source files. However, this process is tedious and inconsistent. It is easy to miss an IP hidden inside a long JSON response, a comment block, or a custom header. Performing this check across hundreds of assets manually is virtually impossible.

How Create with AI Changes It

With S4E Create with AI, you can automate internal IP detection across your entire attack surface with a single instruction. The AI generates a scan that:

  • Sends a request to the target asset.
  • Scans both the response body (HTML, JSON, scripts) and HTTP headers.
  • Applies precise regex patterns to identify the standard private IPv4 ranges (RFC 1918).
  • Alerts immediately if an internal IP is found, identifying exactly where the leak occurred.

This turns a manual reconnaissance task into an automated, continuous defense mechanism.

Instant Solution (Create with AI)

Prompt: Create a scan that detects the disclosure of internal Private IP addresses within the page source or HTTP headers. The scan should perform a GET request to the target asset and analyze the response body (including HTML comments, inline scripts, and JSON data) for patterns matching standard private IPv4 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). If a private IP address is found, raise an alert and report the specific IP detected; otherwise, return the message “No private IP disclosure detected.”

The generated scan inspects every response for specific patterns matching internal network ranges and reports any findings clearly.
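As an added illustration of the detection the prompt describes (this is example code written for this page, not S4E's generated scan), the following standalone Python snippet checks constructed sample headers and body text for RFC 1918 addresses. Instead of one regex per range it validates each dotted-quad candidate with the ipaddress module, so malformed octets and neighbouring public ranges such as 172.32.0.0/16 are rejected, and it records whether each hit came from a named header or from the body.

```python
import ipaddress
import re

# Generic dotted-quad candidate. Lookarounds stop the match from being a
# fragment of a longer dotted string such as "1.2.3.4.5".
IPV4_CANDIDATE = re.compile(r'(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])')

# The three RFC 1918 blocks from the prompt above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(candidate):
    """True only for a syntactically valid IPv4 address inside an RFC 1918 block."""
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return False  # e.g. "10.300.1.1": an octet above 255 is not an address
    return any(addr in net for net in RFC1918)


def find_private_ips(headers, body):
    """Scan response headers and body text; return sorted (location, ip) pairs."""
    findings = set()
    for name, value in headers.items():
        for ip in IPV4_CANDIDATE.findall(value):
            if is_rfc1918(ip):
                findings.add((f"header:{name}", ip))
    for ip in IPV4_CANDIDATE.findall(body):
        if is_rfc1918(ip):
            findings.add(("body", ip))
    return sorted(findings)


# Constructed sample response (not captured from any real host).
SAMPLE_HEADERS = {
    "Server": "nginx",
    "X-Backend-Server": "10.20.30.40:8080",  # leak inside a custom header
    "Via": "1.1 203.0.113.9",                # public address: must not be reported
}
SAMPLE_BODY = """<html><!-- origin: 192.168.1.25 -->
<script>var api = "http://172.16.5.9/v1";</script>
<p>Version 10.300.1.1 build 172.32.0.1</p>
{"lb": "172.31.255.254"}</html>"""

if __name__ == "__main__":
    for location, ip in find_private_ips(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{location}: {ip}")
```

A version string that happens to be a valid address (for example 10.1.2.3) is indistinguishable from a leaked IP by pattern alone, so such hits still need a quick manual look at their context.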

🎥 Watch the Scan in Action

The video shows Create with AI generating the regex logic, scanning an asset, and successfully identifying a private IP address leaking within a server response header or HTML comment.

Value

  • Prevents Network Mapping: Hides internal topology from external attackers.
  • Mitigates SSRF Risks: Removes internal targets that attackers could exploit.
  • Comprehensive Coverage: Checks both headers and body content (HTML, JSON, Comments).
  • High Accuracy: Uses specific RFC 1918 regex patterns for accurate detection.
  • Scalable: Runs instantly across all public-facing assets.

Closing Takeaway

Internal IP disclosure may seem like a minor information leak, but it is often the first step in a sophisticated attack chain. By automating the detection of these leaks, S4E Create with AI denies attackers the easy reconnaissance data they rely on to plan further exploits.

🧰 Check It Yourself

Check the sample scan below or watch the video for a live walkthrough.

import re

# Task and http_or_https are provided by the surrounding S4E scan framework
# (not shown on this page); only the standard-library re module is imported here.

class Job(Task):
    def run(self):
        asset = http_or_https(asset=self.asset, _headers=self.headers, session=self.session)

        self.output['detail'] = []
        self.output['compact'] = []
        self.output['video'] = [f"python3 private_ip_scan.py {asset}"]

        # RFC 1918 ranges. The 172.16.0.0/12 pattern uses a non-capturing group:
        # with a capturing group, re.findall() returns only the captured second
        # octet (e.g. "16") instead of the whole address.
        private_ip_patterns = [
            r'\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b',
            r'\b172\.(?:1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}\b',
            r'\b192\.168\.\d{1,3}\.\d{1,3}\b'
        ]

        try:
            response = self.session.get(asset, headers=self.headers, timeout=self.timeout, verify=False, allow_redirects=False)
            self.output['video'].append(f"Response Code: {response.status_code}")

            matches = set()
            # Body: HTML, comments, inline scripts and JSON are all plain text here.
            for pattern in private_ip_patterns:
                matches.update(re.findall(pattern, response.text))

            # Headers: every header value is checked against the same patterns.
            for header_value in response.headers.values():
                for pattern in private_ip_patterns:
                    matches.update(re.findall(pattern, str(header_value)))

            if matches:
                self.output['compact'].append("Private IP disclosure detected.")
                self.output['detail'].append("Private IP addresses found in response:")
                self.output['detail'].extend(sorted(matches))
                self.output['video'].append(f"Private IPs found: {', '.join(sorted(matches))}")
            else:
                self.output['detail'].append("No private IP disclosure detected.")
                self.output['video'].append("No private IP disclosure detected.")

        except Exception as exc:
            # A failed request (timeout, connection error) is reported as no
            # disclosure, so the score stays 0; the reason is kept for the log.
            self.output['detail'].append("No private IP disclosure detected.")
            self.output['video'].append("No private IP disclosure detected.")
            self.output['video'].append(f"Request failed: {exc}")

    def calculate_score(self):
        # Any finding in 'compact' means a disclosure and yields the maximum score.
        if self.output['compact']:
            self.score = self.param['max_score']
        else:
            self.score = 0
