1. We covered Load Balancing Detection using LBD in a previous video. In this one, we will cover a more advanced and stable tool called Halberd. Halberd detects HTTP-based load balancing using a host of techniques: differences in HTTP response headers, timestamps, cookies, and a couple of others. We will run Halberd against Msn.com and see how it works out that there are actually 15 servers behind the load balancer, running various versions of the IIS web server.
I would highly recommend that you download it and try it out. This tool is a must-have when pentesting SaaS-based installations.
Download:
2. In the Information Gathering stage of a pentest, we are interested in finding out the various sub-domains of our target domain. As we have seen in previous videos, querying DNS servers with zone transfer requests or trying to retrieve entries with a dictionary / brute-forcing attack is a good start, but fails in most cases. Another technique for figuring out sub-domains is to query Google and check whether it found any sub-domains during its web mining of the target. Goorecon is just the tool we need for this.
In this video, we will find the various publicly available sub-domains of Cnn.com using Goorecon. Goorecon is included in Backtrack 4.
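Once a search-engine based enumerator has the raw result URLs in hand, the remaining work is to pull out the hosts that really sit under the target domain. The following is an added example, not Goorecon's code or anything from the original post; the result URLs are constructed sample data, and the target domain is passed in as a parameter. It deliberately includes the two lookalike cases an enumerator must reject: a host that merely ends in the same characters (notcnn.com) and a host that uses the target as a leading label (cnn.com.example.net).

```python
# Added example (not Goorecon's own code): extract sub-domains of a target
# domain from a batch of search-result URLs. SAMPLE_RESULT_URLS is constructed
# test data, not real search output.
from urllib.parse import urlsplit

SAMPLE_RESULT_URLS = [
    "http://edition.cnn.com/WORLD/",
    "https://money.cnn.com/data/markets/",
    "http://www.cnn.com/",
    "HTTP://Sportsillustrated.CNN.com/nfl/",   # mixed-case host
    "http://edition.cnn.com:80/ASIA/",         # explicit port, duplicate host
    "http://notcnn.com/cnn.com/",              # same suffix, different domain
    "http://cnn.com.example.net/",             # target used as a leading label
    "mailto:webmaster@cnn.com",                # no host component at all
    "http://ireport.cnn.com/",
]


def hostname_of(url):
    """Return the lower-cased host of a URL without the port, or None if absent."""
    try:
        host = urlsplit(url).hostname   # already lower-cased, port stripped
    except ValueError:                  # e.g. malformed IPv6 literal
        return None
    return host if host else None


def is_subdomain(host, domain):
    """True only when host lies strictly below domain on a label boundary."""
    domain = domain.lower().rstrip(".")
    return host != domain and host.endswith("." + domain)


def extract_subdomains(urls, domain):
    """Unique sub-domains of `domain` found in `urls`, sorted for stable output."""
    found = set()
    for url in urls:
        host = hostname_of(url)
        if host and is_subdomain(host, domain):
            found.add(host)
    return sorted(found)


if __name__ == "__main__":
    for sub in extract_subdomains(SAMPLE_RESULT_URLS, "cnn.com"):
        print(sub)
```

The label-boundary check (`"." + domain`) is what separates a real sub-domain from a lookalike; a plain `endswith(domain)` would accept notcnn.com and is a common bug in quick enumeration scripts.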
3. Load Balancing has become an important part of network architecture, especially for companies which host applications accessed by millions around the world. Good examples of such companies are Google, Facebook, MSN, YouTube, etc. In most cases, load balancing for web applications in particular happens either through a DNS-based balancer, which cycles through the different IPs in the server farm in round-robin fashion, or through an HTTP load balancer device, which multiplexes incoming connections onto one of the servers in the farm.
As one can imagine, from a pentest perspective the detection of load balancers is an important step in the information gathering stage. In this video we will look at a simple load balancing detector tool called LBD, which uses both DNS- and HTTP-based techniques to detect load balancers. During the tests, we find that the DNS detection works perfectly; the HTTP-based detection techniques, however, do give false positives at times (which the tool author acknowledges). LBD is included in the Backtrack 4 ISO.
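Both Halberd (item 1) and LBD (this item) rest on the same handful of heuristics: more than one address behind a name, differing Server banners, a Date header that steps backwards between successive answers, and any change in the remaining headers once the per-request ones are filtered out. The block below is an added example, not code from LBD, Halberd or the original post, that runs those heuristics offline over constructed data: a list of A records standing in for a resolver's answer and three HEAD responses standing in for successive connections to one hostname. Header names, sample addresses and banners are all constructed.

```python
# Added example (not lbd's or Halberd's own code): the load-balancer detection
# heuristics described in the text, run offline over constructed sample data.
# A real run would gather the A records from a resolver and the responses from
# a series of HEAD requests; here both are embedded as constructed test data.
from email.utils import parsedate_to_datetime

# Constructed A records, as a resolver might return for a round-robin name.
SAMPLE_A_RECORDS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]

# Constructed HEAD responses from three successive connections to one host.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nDate: Sat, 05 Feb 2011 10:00:00 GMT\r\n"
    "Server: Microsoft-IIS/6.0\r\nSet-Cookie: SRV=a; path=/\r\n"
    "Content-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nDate: Sat, 05 Feb 2011 10:00:01 GMT\r\n"
    "Server: Microsoft-IIS/7.0\r\nX-Powered-By: ASP.NET\r\n"
    "Set-Cookie: SRV=b; path=/\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nDate: Sat, 05 Feb 2011 09:59:58 GMT\r\n"
    "Server: Microsoft-IIS/6.0\r\nSet-Cookie: SRV=c; path=/\r\n"
    "Content-Length: 0\r\n\r\n",
]

# Headers that legitimately differ per request even on a single server.
VOLATILE_HEADERS = {"date", "set-cookie"}


def parse_headers(raw):
    """Parse one raw HTTP response into a list of (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def header_values(pairs, name):
    return [v for n, v in pairs if n == name]


def detect_dns(a_records):
    """DNS round robin: more than one distinct address for the same name."""
    return len(set(a_records)) > 1


def detect_server_header(responses):
    """Distinct Server banners across answers point at different back ends."""
    servers = set()
    for raw in responses:
        servers.update(header_values(parse_headers(raw), "server"))
    return len(servers) > 1


def detect_date_skew(responses):
    """A Date header earlier than the previous answer's means the answers
    come from machines whose clocks are not in step."""
    last = None
    for raw in responses:
        for value in header_values(parse_headers(raw), "date"):
            try:
                t = parsedate_to_datetime(value)
            except (TypeError, ValueError):   # unparseable Date: ignore it
                continue
            if last is not None and t < last:
                return True
            last = t
    return False


def detect_header_diff(responses):
    """Any change in the non-volatile header set between successive answers."""
    seen = None
    for raw in responses:
        stable = tuple(p for p in parse_headers(raw) if p[0] not in VOLATILE_HEADERS)
        if seen is not None and stable != seen:
            return True
        seen = stable
    return False


def detect_load_balancing(a_records, responses):
    """Names of the methods that fired, in the order lbd reports them."""
    methods = []
    if detect_dns(a_records):
        methods.append("DNS")
    if detect_server_header(responses):
        methods.append("HTTP[Server]")
    if detect_date_skew(responses):
        methods.append("HTTP[Date]")
    if detect_header_diff(responses):
        methods.append("HTTP[Diff]")
    return methods


if __name__ == "__main__":
    found = detect_load_balancing(SAMPLE_A_RECORDS, SAMPLE_RESPONSES)
    print("Load-balancing found via:", ", ".join(found) if found else "none")
```

Two design points bear on the false positives the text mentions. The Date check compares full timestamps rather than seconds-of-day, so a run that straddles midnight does not fire on its own; and the Diff check drops Date and Set-Cookie before comparing, but any other header that varies per request (a changing Content-Length on a dynamic page, for instance) will still trigger it, which is exactly where a single-server site can look load balanced.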
4. evilgrade
Source of the lbd script from item 3:

```bash
#!/bin/bash
#
# lbd (load balancing detector) detects if a given domain uses
# DNS and/or HTTP Load-Balancing (via Server: and Date: header and diffs between server answers)
#
# License: GPL-v2
#
# Written by Stefan Behte
# Contact me, if you have any new ideas, bugs/bugfixes, recommondations or questions!
# Please also contact me, if you just like the tool. :)
#
# Stefan dot Behte at gmx dot net
#

QUERIES=50          # number of HEAD requests sent per HTTP check
DOMAIN=$1
METHODS=""          # filled with the names of the checks that fired

echo
echo "lbd - load balancing detector 0.1 - Checks if a given domain uses load-balancing."
echo "                                    Written by Stefan Behte (http://ge.mine.nu)"
echo "                                    Proof-of-concept! Might give false positives."

if [ "$1" = "" ]
then
    echo "usage: $0 [domain]"
    echo
    exit -1
fi

# DNS check: more than one "has address" line means round-robin A records.
echo -e -n "\nChecking for DNS-Loadbalancing:"
NR=`host $DOMAIN | grep -c "has add"`
if [ $NR -gt 1 ]
then
    METHODS="DNS"
    echo " FOUND"
    host $DOMAIN | grep "has add"
    echo
else
    echo " NOT FOUND"
fi

# HTTP check 1: collect Server: banners over many requests; more than one
# distinct banner means different back ends answered.
echo -e "Checking for HTTP-Loadbalancing ["Server"]: "
for ((i=0 ; i< $QUERIES ; i++))
do
    printf "HEAD / HTTP/1.0\r\n\r\n" | nc $DOMAIN 80 > .nlog
    S=`grep -i "Server:" .nlog | awk -F: '{print $2}'`
    if ! grep "`echo ${S}| cut -b2-`" .log &>/dev/null
    then
        echo "${S}"
    fi
    cat .nlog >> .log
done

NR=`sort .log | uniq | grep -c "Server:"`
if [ $NR -gt 1 ]
then
    echo " FOUND"
    METHODS="$METHODS HTTP[Server]"
else
    echo " NOT FOUND"
fi
echo
rm .nlog .log

# HTTP check 2: convert each Date: header to seconds of the day; a value lower
# than the previous one means a back end with a different clock answered.
echo -e -n "Checking for HTTP-Loadbalancing ["Date"]: "
D4=
for ((i=0 ; i<$QUERIES ; i++))
do
    D=`printf "HEAD / HTTP/1.0\r\n\r\n" | nc $DOMAIN 80 | grep "Date:" | awk '{print $6}'`
    printf "$D, "
    # strip leading zeros so $[ ] does not treat "08" as octal
    Df=$(echo " $D" | sed -e 's/:0/:/g' -e 's/ 0/ /g')
    D1=$(echo ${Df} | awk -F: '{print $1}')
    D2=$(echo ${Df} | awk -F: '{print $2}')
    D3=$(echo ${Df} | awk -F: '{print $3}')
    if [ "$D4" = "" ]; then D4=0; fi
    if [ $[ $D1 * 3600 + $D2 * 60 + $D3 ] -lt $D4 ]
    then
        echo "FOUND"
        METHODS="$METHODS HTTP[Date]"
        break;
    fi
    D4="$[ $D1 * 3600 + $D2 * 60 + $D3 ]"
    if [ $i -eq $[$QUERIES - 1] ]
    then
        echo "NOT FOUND"
    fi
done

# HTTP check 3: compare whole header sets between requests, ignoring the
# headers that change on every request anyway (Date:, Set-Cookie).
echo -e -n "\nChecking for HTTP-Loadbalancing ["Diff"]: "
for ((i=0 ; i<$QUERIES ; i++))
do
    printf "HEAD / HTTP/1.0\r\n\r\n" | nc $DOMAIN 80 | grep -v -e "Date:" -e "Set-Cookie" > .nlog
    if ! cmp .log .nlog &>/dev/null && [ -e .log ]
    then
        echo "FOUND"
        diff .log .nlog | grep -e ">" -e "<"
        METHODS="$METHODS HTTP[Diff]"
        break;
    fi
    cp .nlog .log
    if [ $i -eq $[$QUERIES - 1] ]
    then
        echo "NOT FOUND"
    fi
done
rm .nlog .log

if [ "$METHODS" != "" ]
then
    echo
    echo $DOMAIN does Load-balancing. Found via Methods: $METHODS
    echo
else
    echo
    echo $DOMAIN does NOT use Load-balancing.
    echo
fi
```

Reposted from: http://uwqmb.baihongyu.com/