Detecting HTTP Load Balancers using Halberd


We covered load-balancing detection using LBD in a previous video. In this one we cover a more advanced and more stable tool called Halberd. Halberd detects HTTP-based load balancing by combining several techniques: differences in HTTP response headers, timestamps (the Date: header), cookies and a couple of others. We run Halberd against Msn.com and watch it work out that there are actually 15 servers behind the load balancer, running various versions of the IIS web server.

I would highly recommend that you download Halberd and try it out. This tool is a must-have when pentesting SaaS-based installations.

Download:

http://halberd.superadditive.com/

2. Finding Subdomains using Goorecon

In the information-gathering stage of a pentest we want to enumerate the sub-domains of the target domain. As seen in previous videos, querying the DNS servers with zone-transfer requests or guessing names with a dictionary / brute-force attack is a good start but fails in most cases. An alternative is to query Google and check whether it has already found sub-domains during its crawl of the target. Goorecon is just the tool we need to do this.

In this video, we will find the various publicly available sub-domains of Cnn.com using Goorecon. Goorecon is included in Backtrack 4.
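The Google-mining step described above, as an added Python example (not Goorecon's own code, nor from the original page): it pulls every host below the target domain out of a search-result page and builds the refined query for the next round. The result-page fragment, example.com and every host in it are constructed; the "-site:" refinement syntax is the Google form and is an assumption for other engines.

```python
"""Subdomain discovery from search-engine results, the Goorecon approach.

Added example for this page, not Goorecon's own code. It works offline on a
constructed snippet of result-page HTML; in a live run each page of results
for a query such as "site:example.com" would be fetched and passed through
extract_subdomains(), then the query refined with refine_query() to push
already-known hosts out of the way. example.com and every host below are
constructed.
"""
import re

# A hostname: one or more dot-separated labels followed by an alphabetic TLD.
# Numeric-only "labels" (IP addresses) therefore do not match.
HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def extract_subdomains(text, domain):
    """Return the sorted set of hosts in `text` that are strictly below
    `domain`. The suffix test is on a whole label ('.example.com'), so
    look-alikes such as example.com.evil.net or notexample.com are rejected."""
    domain = domain.lower().rstrip(".")
    found = set()
    for match in HOST_RE.finditer(text):
        host = match.group(1).lower().rstrip(".")
        if host.endswith("." + domain):
            found.add(host)
    return sorted(found)


def refine_query(domain, known):
    """Next query to send: site:domain minus every host already seen, so the
    engine surfaces hosts not yet in the list (assumption: exact operator
    syntax varies between engines; this is the Google form)."""
    return " ".join(["site:" + domain] + ["-site:" + h for h in sorted(set(known))])


# Constructed result-page fragment: real Google HTML is far noisier, but the
# host names appear in the same places (hrefs, cite blocks, snippet text).
SAMPLE_RESULTS = """<a href="https://www.example.com/about">About</a>
<a href="/url?q=https://mail.example.com/owa/&amp;sa=U">Outlook Web App</a>
<cite>blog.example.com › 2015 › 10</cite>
Contact: security@corp.example.com
<a href="https://dev.example.com:8443/">dev</a>
<a href="https://example.com.evil-lookalike.net/">phish</a>
<a href="https://www.notexample.com/">unrelated</a>"""

if __name__ == "__main__":
    hosts = extract_subdomains(SAMPLE_RESULTS, "example.com")
    print("\n".join(hosts))
    print("next query:", refine_query("example.com", hosts))
```

The suffix check is the part worth getting right: matching on the bare string "example.com" would also accept example.com.evil-lookalike.net, which is exactly the kind of host a phisher registers to show up in such searches.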

3. Load Balancing Detection using LBD

Load balancing has become an important part of network architecture, especially for companies hosting applications accessed by millions around the world; Google, Facebook, MSN and YouTube are good examples. For web applications in particular, load balancing usually happens either through a DNS-based balancer that cycles through the different IPs of the server farm in round-robin fashion, or through an HTTP load-balancer device that multiplexes incoming connections onto one of the servers in the farm.

From a pentest perspective, detecting load balancers is therefore an important step in the information-gathering stage. In this video we look at a simple tool called Load Balancer Detector (LBD), which uses both DNS- and HTTP-based techniques to detect load balancers. In our tests the DNS detection works reliably; the HTTP-based checks, however, do give false positives at times (the tool's author acknowledges this in the script's banner). LBD is included in the Backtrack 4 ISO.

4. evilgrade

http://www.infobyte.com.ar/developments.html


#!/bin/bash
# lbd (load balancing detector) detects if a given domain uses
# DNS and/or HTTP Load-Balancing (via Server: and Date: header and diffs between server answers)
#
# License: GPL-v2
#
# Written by Stefan Behte
# Contact me, if you have any new ideas, bugs/bugfixes, recommendations or questions!
# Please also contact me, if you just like the tool. :)
#
# Stefan dot Behte at gmx dot net
#

QUERIES=50
DOMAIN=$1
METHODS=""

echo
echo "lbd - load balancing detector 0.1 - Checks if a given domain uses load-balancing."
echo "                                    Written by Stefan Behte (http://ge.mine.nu)"
echo "                                    Proof-of-concept! Might give false positives."

if [ "$1" = "" ]
then
  echo "usage: $0 [domain]"
  echo
  exit 1
fi

# DNS check: more than one "has address" line from host(1) means the name
# resolves to several A records, i.e. round-robin DNS.
echo -e -n "\nChecking for DNS-Loadbalancing:"
NR=`host $DOMAIN | grep -c "has add"`
if [ $NR -gt 1 ]
then
  METHODS="DNS"
  echo " FOUND"
  host $DOMAIN | grep "has add"
  echo
else
  echo " NOT FOUND"
fi

# HTTP check 1: send $QUERIES HEAD requests and see whether the Server:
# header ever changes. Each new value is printed when it is first seen.
echo -e "Checking for HTTP-Loadbalancing [Server]: "
for ((i=0 ; i<$QUERIES ; i++))
do
  printf "HEAD / HTTP/1.0\r\n\r\n" | nc $DOMAIN 80 > .nlog
  S=`grep -i "Server:" .nlog | awk -F: '{print $2}'`
  if ! grep "`echo ${S}| cut -b2-`" .log &>/dev/null
  then
    echo "${S}"
  fi
  cat .nlog >> .log
done
NR=`sort .log | uniq | grep -c "Server:"`
if [ $NR -gt 1 ]
then
  echo " FOUND"
  METHODS="$METHODS HTTP[Server]"
else
  echo " NOT FOUND"
fi
echo
rm .nlog .log


# HTTP check 2: compare the time-of-day in consecutive Date: headers. A later
# answer carrying an earlier time means a different (badly synchronised)
# backend clock. A midnight wrap or a single slow request also triggers this,
# which is where the false positives mentioned in the banner come from.
echo -e -n "Checking for HTTP-Loadbalancing [Date]: "
D4=
for ((i=0 ; i<$QUERIES ; i++))
do
  # field 6 of "Date: Wed, 21 Oct 2015 07:28:00 GMT" is the HH:MM:SS part
  D=`printf "HEAD / HTTP/1.0\r\n\r\n" | nc $DOMAIN 80 | grep "Date:" | awk '{print $6}'`
  if [ "$D" = "" ]
  then
    echo "NOT FOUND (no Date: header in reply)"
    break
  fi
  printf "$D, "

  # strip leading zeros so that 08 and 09 are not parsed as (invalid) octal
  Df=$(echo " $D" | sed -e 's/:0/:/g' -e 's/ 0/ /g')
  D1=$(echo ${Df} | awk -F: '{print $1}')
  D2=$(echo ${Df} | awk -F: '{print $2}')
  D3=$(echo ${Df} | awk -F: '{print $3}')
  if [ "$D4" = "" ];  then   D4=0;  fi

  if [ $(( D1 * 3600 + D2 * 60 + D3 )) -lt $D4 ]
  then
    echo "FOUND"
    METHODS="$METHODS HTTP[Date]"
    break
  fi

  D4=$(( D1 * 3600 + D2 * 60 + D3 ))
  if [ $i -eq $(( QUERIES - 1 )) ]
  then
    echo "NOT FOUND"
  fi
done


# HTTP check 3: diff whole replies with the volatile Date: and Set-Cookie:
# lines removed; any remaining difference means two distinct backends.
echo -e -n "\nChecking for HTTP-Loadbalancing [Diff]: "
for ((i=0 ; i<$QUERIES ; i++))
do
  printf "HEAD / HTTP/1.0\r\n\r\n" | nc $DOMAIN 80 | grep -v -e "Date:" -e "Set-Cookie" > .nlog

  if [ -e .log ] && ! cmp .log .nlog &>/dev/null
  then
    echo "FOUND"
    diff .log .nlog | grep -e ">" -e "<"
    METHODS="$METHODS HTTP[Diff]"
    break
  fi

  cp .nlog .log

  if [ $i -eq $(( QUERIES - 1 )) ]
  then
    echo "NOT FOUND"
  fi
done

rm .nlog .log


if [ "$METHODS" != "" ]
then
  echo
  echo $DOMAIN does Load-balancing. Found via Methods: $METHODS
  echo
else
  echo
  echo $DOMAIN does NOT use Load-balancing.
  echo
fi
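The checks described for Halberd in the first item and for LBD in item 3, and implemented by the lbd script above, as an added Python example that is neither part of the original page nor code from either tool. It runs offline on constructed responses (the hostnames, addresses, Date: stamps and cookie values are made up) and goes one step further than the page's "cookies" clue by decoding an F5 BIGipServer persistence cookie into the pool member it names; the list of affinity cookie names is illustrative, not exhaustive.

```python
"""Load-balancer detection over captured HTTP responses.

Added example for this page; not code from lbd or Halberd. It re-implements
the checks those tools make so they can be run offline on constructed input:
differing Server: headers (lbd HTTP[Server]), a Date: that goes backwards
(lbd HTTP[Date]), differing stable headers (lbd HTTP[Diff] / Halberd header
clustering), per-backend persistence cookies (Halberd cookie clue) and
multiple A records (lbd DNS). All sample data below is constructed.
"""
import re
from collections import Counter
from email.utils import parsedate_to_datetime

# Headers that change between requests to one and the same server; ignored
# when diffing (lbd itself drops only Date: and Set-Cookie:).
VOLATILE = {"date", "set-cookie", "content-length", "expires"}

# Persistence/affinity cookies set by common balancers (illustrative list).
AFFINITY_COOKIE = re.compile(r"(?i)^(BIGipServer|SERVERID|AWSALB|ARRAffinity)")


def parse_response(raw):
    """Split a raw HEAD reply into (status line, {lower-cased header: value});
    repeated headers are joined with a newline."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + "\n" + value if name in headers else value
    return lines[0], headers


def distinct_servers(responses):
    """lbd HTTP[Server]: distinct Server: values across the responses."""
    return sorted({h.get("server", "") for _, h in responses})


def date_goes_backwards(responses):
    """lbd HTTP[Date]: a later answer with an earlier Date: means another
    backend clock. Caveat: a midnight wrap or one slow request also fires."""
    prev = None
    for _, h in responses:
        if "date" not in h:
            continue
        now = parsedate_to_datetime(h["date"])
        if prev is not None and now < prev:
            return True
        prev = now
    return False


def stable_fingerprints(responses):
    """lbd HTTP[Diff]: distinct header sets once volatile headers are dropped."""
    return Counter(
        tuple(sorted((k, v) for k, v in h.items() if k not in VOLATILE))
        for _, h in responses
    )


def affinity_cookie_values(responses):
    """Halberd cookie clue: distinct (name, value) pairs of persistence
    cookies; each distinct value normally maps to one pool member."""
    values = set()
    for _, h in responses:
        for cookie in h.get("set-cookie", "").split("\n"):
            name, _, rest = cookie.partition("=")
            if name and AFFINITY_COOKIE.match(name.strip()):
                values.add((name.strip(), rest.split(";")[0].strip()))
    return sorted(values)


def decode_bigip_cookie(value):
    """Decode an F5 BIGipServer value in its IPv4 form 'IP.port.0000': both
    numbers are the little-endian encoding of the pool member's address and
    port. Returns 'a.b.c.d:port', or None if the value has another form."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.0000", value)
    if not m:
        return None
    ip = ".".join(str(b) for b in int(m.group(1)).to_bytes(4, "little"))
    port = int.from_bytes(int(m.group(2)).to_bytes(2, "little"), "big")
    return f"{ip}:{port}"


def dns_round_robin(host_output):
    """lbd DNS check on the text output of `host NAME`: two or more
    'has address' lines mean round-robin DNS."""
    addrs = [l.split()[-1] for l in host_output.splitlines() if "has address" in l]
    return addrs if len(addrs) > 1 else []


def estimate_backends(responses):
    """Lower bound on the number of backends: the largest clue count."""
    return max(len(distinct_servers(responses)), len(stable_fingerprints(responses)),
               len(affinity_cookie_values(responses)))


# Constructed sample: four HEAD replies from three IIS backends behind an F5
# (cookie values encode 10.168.0.100-102:80); the third backend's clock lags.
SAMPLE_RAW = [
    "HTTP/1.1 200 OK\r\nDate: Wed, 21 Oct 2015 07:28:00 GMT\r\nServer: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\nSet-Cookie: BIGipServerpool_web=1677764618.20480.0000; path=/\r\n\r\n",
    "HTTP/1.1 200 OK\r\nDate: Wed, 21 Oct 2015 07:28:01 GMT\r\nServer: Microsoft-IIS/8.0\r\n"
    "X-Powered-By: ASP.NET\r\nX-AspNet-Version: 4.0.30319\r\n"
    "Set-Cookie: BIGipServerpool_web=1694541834.20480.0000; path=/\r\n\r\n",
    "HTTP/1.1 200 OK\r\nDate: Wed, 21 Oct 2015 07:27:58 GMT\r\nServer: Microsoft-IIS/7.5\r\n"
    "Set-Cookie: BIGipServerpool_web=1711319050.20480.0000; path=/\r\n\r\n",
    "HTTP/1.1 200 OK\r\nDate: Wed, 21 Oct 2015 07:28:02 GMT\r\nServer: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\nSet-Cookie: BIGipServerpool_web=1677764618.20480.0000; path=/\r\n\r\n",
]
SAMPLE_RESPONSES = [parse_response(r) for r in SAMPLE_RAW]
SAMPLE_HOST_OUTPUT = ("www.example.com has address 203.0.113.10\n"
                      "www.example.com has address 203.0.113.11\n")

if __name__ == "__main__":
    print("DNS round robin:", dns_round_robin(SAMPLE_HOST_OUTPUT))
    print("Server: values:", distinct_servers(SAMPLE_RESPONSES))
    print("Date: goes backwards:", date_goes_backwards(SAMPLE_RESPONSES))
    print("stable header sets:", len(stable_fingerprints(SAMPLE_RESPONSES)))
    for name, value in affinity_cookie_values(SAMPLE_RESPONSES):
        print(f"{name}={value} -> {decode_bigip_cookie(value)}")
    print("backends (lower bound):", estimate_backends(SAMPLE_RESPONSES))
```

Against a live target, SAMPLE_RAW would be replaced with the bytes returned by repeated HEAD requests (what the script above accumulates in .nlog). The Date: check carries the same caveat as in lbd, so treat it as corroboration for the Server:, header-diff and cookie clues rather than as proof on its own.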
