We covered Load Balancing Detection using LBD in a previous video. In this one, we will cover a more advanced and stable tool called Halberd. Halberd detects HTTP-based load balancing using a host of techniques: differences in HTTP response headers, timestamps, cookies and a couple of others. We will run Halberd on Msn.com and see how it is able to figure out that there are actually 15 servers behind the load balancer, running various versions of the IIS web server.
I would highly recommend that you download Halberd and try it out. This tool is a must-have when pentesting SaaS-based installations.
Download:
http://halberd.superadditive.com/
2.
Finding Subdomains using Goorecon
In the Information Gathering stage of a pentest, we are interested in finding out the various sub-domains of our target domain. As we have seen in previous videos, querying DNS servers using zone transfer requests, or trying to retrieve entries using a dictionary / brute-forcing attack, is a good start but fails in most cases. Another technique for figuring out sub-domains is to query Google and check whether it has found any sub-domains during its web-mining of the target. Goorecon is just the tool we need in order to do this.
In this video, we will find the various publicly available sub-domains of Cnn.com using Goorecon. Goorecon is included in Backtrack 4.
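As an added example (not goorecon's own code), the following Python script shows the filtering half of what a search-engine sub-domain harvester does: given the result URLs returned for a site: query, it keeps only host names that are genuine sub-domains of the target and discards look-alike domains, the bare domain itself and URLs with no host. The URL list is constructed and the host names are illustrative; the query to Google itself is not part of this example.

```python
"""Extract sub-domains of a target domain from search-engine result URLs.

Added example, not goorecon's own code. goorecon asks Google for the hosts
that appear under a target domain; the functions below do the filtering
half of that job offline, on a constructed list of result URLs, so the
rules can be seen in isolation.
"""
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed sample of result URLs, as a harvester might collect them.
# Host names are illustrative, not real results for any site.
SAMPLE_RESULT_URLS = [
    "http://www.example.com/",
    "https://WWW.example.com/index.html",        # same host, different case
    "http://money.example.com:8080/markets",     # explicit port
    "https://edition.example.com/world/",
    "http://ireport.example.com/",
    "https://example.com/about",                 # the bare domain itself
    "http://notexample.com/example.com/",        # look-alike registered domain
    "https://example.com.evil.test/login",       # target used as a prefix
    "mailto:webmaster@example.com",              # no host component at all
    "http://[::1]/",                             # literal IP, never a sub-domain
    "http://static.cdn.example.com/a.js",        # nested sub-domain
]


def hostname_of(url: str) -> Optional[str]:
    """Return the lower-cased host of a URL without port, or None if absent."""
    host = urlsplit(url).hostname  # lower-cased, port stripped, brackets removed
    return host or None


def is_subdomain(host: str, domain: str) -> bool:
    """True for hosts strictly below `domain` ('example.com' itself is excluded).

    The suffix test is done on dot-separated labels, which is what rules out
    look-alikes such as 'notexample.com' and 'example.com.evil.test'.
    """
    host_labels = host.lower().rstrip(".").split(".")
    domain_labels = domain.lower().rstrip(".").split(".")
    return (
        len(host_labels) > len(domain_labels)
        and host_labels[-len(domain_labels):] == domain_labels
    )


def subdomains_from_urls(urls: Iterable[str], domain: str) -> List[str]:
    """Unique sub-domains of `domain` found in `urls`, sorted for stable output."""
    found = set()
    for url in urls:
        host = hostname_of(url)
        if host and is_subdomain(host, domain):
            found.add(host)
    return sorted(found)


if __name__ == "__main__":
    for name in subdomains_from_urls(SAMPLE_RESULT_URLS, "example.com"):
        print(name)
```

The label-wise suffix comparison is the part worth keeping: a plain string `endswith("example.com")` would accept notexample.com, and a plain prefix test would accept example.com.evil.test, both of which are exactly the kind of noise a search index returns for a popular name.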
3.
Load Balancing Detection using LBD
Load balancing has become an important part of the network architecture, especially for companies which host applications accessed by millions around the world. Good examples of such companies would be Google, Facebook, MSN, YouTube etc. In most cases, load balancing for web applications in particular happens either using a DNS-based balancer, which cycles through the different IPs in the server farm in a round-robin fashion, or using an HTTP load balancer device, which multiplexes incoming connections to one of the servers in the farm.
As one can imagine from a pentest perspective, detection of load balancers is an important step in the information gathering stage. In this video we will look at a simple load balancing detector tool called Load Balancer Detector (LBD), which uses both DNS- and HTTP-based techniques to detect load balancers. During the tests, we find that the DNS detection works perfectly; however, the HTTP-based detection techniques do give false positives at times (which the tool author acknowledges). LBD is included in the BackTrack 4 ISO.
4.
evilgrade
http://www.infobyte.com.ar/developments.html
#!/bin/bash
# lbd (load balancing detector) detects if a given domain uses
# DNS and/or HTTP Load-Balancing (via Server: and Date: header and diffs between server answers)
#
# License: GPL-v2
#
# Written by Stefan Behte
# Contact me, if you have any new ideas, bugs/bugfixes, recommendations or questions!
# Please also contact me, if you just like the tool. :)
#
# Stefan dot Behte at gmx dot net
#
QUERIES=50          # number of HEAD requests sent per HTTP check
DOMAIN=$1
METHODS=""          # accumulates the names of the checks that fired
echo
echo "lbd - load balancing detector 0.1 - Checks if a given domain uses load-balancing."
echo " Written by Stefan Behte (http://ge.mine.nu)"
echo " Proof-of-concept! Might give false positives."
if [ "$1" = "" ]
then
echo "usage: $0 [domain]"
echo
exit -1
fi
# DNS check: more than one A record for the name means DNS round robin
echo -e -n "\nChecking for DNS-Loadbalancing:"
NR=`host $DOMAIN | grep -c "has add"`
if [ $NR -gt 1 ]
then
METHODS="DNS"
echo " FOUND"
host $DOMAIN | grep "has add"
echo
else
echo " NOT FOUND"
fi
# HTTP check 1: collect the Server: header of each reply; more than one
# distinct value means the requests were answered by different back-ends
echo -e "Checking for HTTP-Loadbalancing [Server]: "
for ((i=0 ; i< $QUERIES ; i++))
do
printf "HEAD / HTTP/1.0\r\n\r\n" | nc $DOMAIN 80 > .nlog
S=`grep -i "Server:" .nlog | awk -F: '{print $2}'`
# print each Server: value only the first time it is seen
if ! grep "`echo ${S}| cut -b2-`" .log &>/dev/null
then
echo "${S}"
fi
cat .nlog >> .log
done
NR=`sort .log | uniq | grep -c "Server:"`
if [ $NR -gt 1 ]
then
echo " FOUND"
METHODS="$METHODS HTTP[Server]"
else
echo " NOT FOUND"
fi
echo
rm .nlog .log
# HTTP check 2: the Date: header of consecutive replies should never run
# backwards; if it does, the replies came from machines with different clocks
echo -e -n "Checking for HTTP-Loadbalancing [Date]: "
D4=
for ((i=0 ; i<$QUERIES ; i++))
do
# field 6 of "Date: Thu, 01 Jan 2010 12:34:56 GMT" is the hh:mm:ss part
D=`printf "HEAD / HTTP/1.0\r\n\r\n" | nc $DOMAIN 80 | grep "Date:" | awk '{print $6}'`
printf "$D, "
# strip leading zeros so the fields are not parsed as octal by $[ ]
Df=$(echo " $D" | sed -e 's/:0/:/g' -e 's/ 0/ /g')
D1=$(echo ${Df} | awk -F: '{print $1}')
D2=$(echo ${Df} | awk -F: '{print $2}')
D3=$(echo ${Df} | awk -F: '{print $3}')
if [ "$D4" = "" ]; then D4=0; fi
# compare this reply's seconds-since-midnight with the previous one
if [ $[ $D1 * 3600 + $D2 * 60 + $D3 ] -lt $D4 ]
then
echo "FOUND"
METHODS="$METHODS HTTP[Date]"
break;
fi
D4="$[ $D1 * 3600 + $D2 * 60 + $D3 ]"
if [ $i -eq $[$QUERIES - 1] ]
then
echo "NOT FOUND"
fi
done
# HTTP check 3: any other difference between two replies, ignoring the
# Date: and Set-Cookie: headers, which legitimately change on every request
echo -e -n "\nChecking for HTTP-Loadbalancing [Diff]: "
for ((i=0 ; i<$QUERIES ; i++))
do
printf "HEAD / HTTP/1.0\r\n\r\n" | nc $DOMAIN 80 | grep -v -e "Date:" -e "Set-Cookie" > .nlog
if ! cmp .log .nlog &>/dev/null && [ -e .log ]
then
echo "FOUND"
diff .log .nlog | grep -e ">" -e "<"
METHODS="$METHODS HTTP[Diff]"
break;
fi
cp .nlog .log
if [ $i -eq $[$QUERIES - 1] ]
then
echo "NOT FOUND"
fi
done
rm .nlog .log
if [ "$METHODS" != "" ]
then
echo
echo $DOMAIN does Load-balancing. Found via Methods: $METHODS
echo
else
echo
echo $DOMAIN does NOT use Load-balancing.
echo
fi
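The heuristics described in the Halberd and LBD sections above, and implemented by the lbd script (differing Server headers, a Date header that runs backwards, other header differences once Date and Set-Cookie are ignored, and more than one A record), can be exercised offline against captured responses. The following Python is an added example, not lbd's or Halberd's own code: the host output and the HEAD responses are constructed, using RFC 5737 documentation addresses and a fictitious host name, and the function names chosen here are assumptions.

```python
"""Load-balancer detection heuristics applied to captured HTTP responses.

Added example, not part of lbd or Halberd. It re-implements the three HTTP
checks of the lbd script (distinct Server headers, a Date header that goes
backwards between consecutive replies, and any other header difference once
Date and Set-Cookie are ignored) plus the DNS check (more than one A record),
over constructed data so the logic can be run and inspected offline.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed A-record answer, in the shape `host` prints ("<name> has address <ip>").
# Documentation-range addresses (RFC 5737) and a fictitious name, not a real site.
HOST_OUTPUT = """www.example.test has address 192.0.2.10
www.example.test has address 192.0.2.11
www.example.test has address 192.0.2.12
"""

# Constructed HEAD / responses, as if captured one after another from one host.
# Three back-ends answer: two run different IIS versions, and their clocks are
# not aligned, so the Date header steps backwards between replies 2 and 3.
CAPTURED_RESPONSES = [
    "HTTP/1.1 200 OK\r\nDate: Mon, 01 Mar 2010 10:00:00 GMT\r\nServer: Microsoft-IIS/6.0\r\n"
    "Set-Cookie: SESS=a1; path=/\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nDate: Mon, 01 Mar 2010 10:00:02 GMT\r\nServer: Microsoft-IIS/6.0\r\n"
    "Set-Cookie: SESS=b2; path=/\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nDate: Mon, 01 Mar 2010 09:59:58 GMT\r\nServer: Microsoft-IIS/7.0\r\n"
    "Set-Cookie: SESS=c3; path=/\r\nX-Powered-By: ASP.NET\r\nContent-Length: 0\r\n\r\n",
]


def parse_headers(raw: str) -> Dict[str, str]:
    """Header name (lower-cased) -> value for one raw HTTP response."""
    headers = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def dns_round_robin(host_output: str) -> List[str]:
    """Addresses found in `host` output; more than one means DNS round robin."""
    return re.findall(r"has address (\S+)", host_output)


def distinct_servers(responses: Iterable[str]) -> List[str]:
    """Sorted set of Server header values seen across the replies."""
    return sorted({parse_headers(r).get("server", "") for r in responses})


def date_goes_backwards(responses: Iterable[str]) -> bool:
    """True if the Date header of some reply is earlier than the reply before it.

    lbd compares only hh:mm:ss; here the full RFC 1123 date is parsed, which
    also copes with a midnight roll-over between two replies.
    """
    fmt = "%a, %d %b %Y %H:%M:%S GMT"
    previous = None
    for r in responses:
        value = parse_headers(r).get("date")
        if value is None:
            continue
        current = datetime.strptime(value, fmt)
        if previous is not None and current < previous:
            return True
        previous = current
    return False


def header_diffs(responses: Iterable[str]) -> List[str]:
    """Header names whose presence or value differs between replies, ignoring
    Date and Set-Cookie, which legitimately change on every request."""
    ignored = {"date", "set-cookie"}
    parsed = [parse_headers(r) for r in responses]
    names = set().union(*parsed) - ignored
    return sorted(n for n in names if len({h.get(n) for h in parsed}) > 1)


def detect(host_output: str, responses: List[str]) -> List[str]:
    """Names of the checks that fired, mirroring lbd's METHODS variable."""
    methods = []
    if len(dns_round_robin(host_output)) > 1:
        methods.append("DNS")
    if len(distinct_servers(responses)) > 1:
        methods.append("HTTP[Server]")
    if date_goes_backwards(responses):
        methods.append("HTTP[Date]")
    if header_diffs(responses):
        methods.append("HTTP[Diff]")
    return methods


if __name__ == "__main__":
    print("Found via Methods:", " ".join(detect(HOST_OUTPUT, CAPTURED_RESPONSES)))
```

Date and Set-Cookie are left out of the diff check, as lbd does, because they change on every request even behind a single server; Date is instead tested for running backwards, which one well-behaved server never does. A capture in which only those two headers vary therefore produces no methods at all, which is the behaviour to look for when ruling out the false positives the LBD section mentions.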