Lbd
Description
Load Balancing Detector (a.k.a. lbd) is a tool written by Stefan Behte (http://ge.mine.nu). It detects whether a given domain uses DNS and/or HTTP load balancing. Checks are made against the Server: and Date: headers and against diffs between server answers (50 requests are sent and compared).
Note that the tool is a proof of concept (PoC) and can therefore produce false positives.
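The three HTTP checks described above, sketched as an added example over constructed captures (this is not lbd's own code). The record layout, the function names, the reading of the Date check as "timestamps go backwards between consecutive responses" and the 12-hour rollover threshold are assumptions made for illustration. Running it against your own pool shows which backend differences (clock skew, per-node headers) are visible from outside.

```shell
#!/usr/bin/env bash
# Constructed samples, one record per sequential response:
#   Date time | Server header | remaining headers (volatile ones removed)
# Two backends with clocks 3 s apart and a differing VTag header:
BALANCED='10:30:51|Microsoft-IIS/7.5|VTag: AAAA
10:30:48|Microsoft-IIS/7.5|VTag: BBBB
10:30:52|Microsoft-IIS/7.5|VTag: AAAA
10:30:49|Microsoft-IIS/7.5|VTag: BBBB'
# One backend answering across midnight:
SINGLE='23:59:58|zen|X-Frame-Options: DENY
23:59:59|zen|X-Frame-Options: DENY
00:00:00|zen|X-Frame-Options: DENY'

# Number of distinct values in field $1 of the records on stdin.
distinct_field() { cut -d'|' -f"$1" | sort -u | wc -l | tr -d ' '; }

# Number of times the Date value goes backwards between consecutive
# responses. A jump of more than 12 h back is treated as midnight rollover.
date_regressions() {
  awk -F'|' '{ split($1, t, ":"); s = t[1]*3600 + t[2]*60 + t[3]
               if (NR > 1 && s < prev && prev - s < 43200) n++
               prev = s }
             END { print n + 0 }'
}

# Print the HTTP methods that flag the capture in $1 (empty = none).
verdict() {
  local data=$1 found=""
  if [ "$(printf '%s\n' "$data" | distinct_field 2)" -gt 1 ]; then
    found="$found HTTP[Server]"; fi
  if [ "$(printf '%s\n' "$data" | date_regressions)" -gt 0 ]; then
    found="$found HTTP[Date]"; fi
  if [ "$(printf '%s\n' "$data" | distinct_field 3)" -gt 1 ]; then
    found="$found HTTP[Diff]"; fi
  echo "${found# }"
}

echo "balanced: $(verdict "$BALANCED")"
echo "single:   $(verdict "$SINGLE")"
```

A single server that emits a per-request header (a request ID, a nonce) would also trip the Diff check unless that header is filtered out first, which is one source of the false positives mentioned above.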
Installation
Installation of lbd
$ mkdir -p /pentest/enumeration/lbd/
$ cd /pentest/enumeration/lbd/
$ wget http://ge.mine.nu/code/lbd
$ chmod +x lbd
Patch
Warning
Note that your system may use a version of nc that is not compatible with lbd (e.g. this is the case for Kubuntu 10.04).
On BackTrack 4, netcat corresponds to nc.traditional:
$ file /etc/alternatives/nc
/etc/alternatives/nc: symbolic link to `/bin/nc.traditional'
whereas it links to nc.openbsd on some other distributions:
$ file /etc/alternatives/nc
/etc/alternatives/nc: symbolic link to `/bin/nc.openbsd'
The solution is to install nc.traditional:
$ sudo apt-get install netcat-traditional
And to apply this patch (it replaces nc with nc.traditional):
$ cd /pentest/enumeration/lbd/
$ wget http://dl.dropbox.com/u/10761700/lbd.patch
$ patch -p0 < lbd.patch
Usage
$ ./lbd <domain>
Examples
Positive answer
The following example, tested against microsoft.com, shows that the site makes use of load balancing.
$ ./lbd www.microsoft.com
lbd - load balancing detector 0.2 - Checks if a given domain uses load-balancing.
Written by Stefan Behte (http://ge.mine.nu)
Proof-of-concept! Might give false positives.
Checking for DNS-Loadbalancing: FOUND
lb1.www.ms.akadns.net has address 207.46.170.123
lb1.www.ms.akadns.net has address 207.46.170.10
Checking for HTTP-Loadbalancing [Server]:
Microsoft-IIS/7.5
NOT FOUND
Checking for HTTP-Loadbalancing [Date]: 10:30:51, 10:30:51, 10:30:52, 10:30:57, 10:30:58, 10:30:59, 10:30:59, 10:30:59, 10:31:00, 10:31:00, 10:31:01, 10:31:01, 10:31:02, 10:31:02, 10:31:02, 10:31:03, 10:31:04, 10:31:04, 10:31:04, 10:31:05, 10:31:06, 10:31:06, 10:31:07, 10:31:07, 10:31:07, 10:31:08, 10:31:10, 10:31:10, 10:31:11, 10:31:11, 10:31:12, 10:31:12, 10:31:12, 10:31:13, 10:31:13, 10:31:14, 10:31:14, 10:31:15, 10:31:15, 10:31:16, 10:31:17, 10:31:17, 10:31:17, 10:31:18, 10:31:18, 10:31:18, 10:31:19, 10:31:20, 10:31:20, 10:31:21, NOT FOUND
Checking for HTTP-Loadbalancing [Diff]: FOUND
< VTag: 438629013800000000
> VTag: 438195111400000000
www.microsoft.com does Load-balancing. Found via Methods: DNS HTTP[Diff]
Negative answer
$ ./lbd look**.com
lbd - load balancing detector 0.2 - Checks if a given domain uses load-balancing.
Written by Stefan Behte (http://ge.mine.nu)
Proof-of-concept! Might give false positives.
Checking for DNS-Loadbalancing: NOT FOUND
Checking for HTTP-Loadbalancing [Server]:
zen
NOT FOUND
Checking for HTTP-Loadbalancing [Date]: 03:43:55, 03:43:55, 03:43:55, 03:43:56, 03:43:56, 03:43:56, 03:43:57, 03:43:57, 03:43:57, 03:43:58, 03:43:58, 03:44:00, 03:44:00, 03:44:00, 03:44:01, 03:44:01, 03:44:01, 03:44:02, 03:44:02, 03:44:02, 03:44:03, 03:44:03, 03:44:03, 03:44:04, 03:44:04, 03:44:04, 03:44:05, 03:44:05, 03:44:05, 03:44:06, 03:44:06, 03:44:06, 03:44:07, 03:44:07, 03:44:07, 03:44:08, 03:44:08, 03:44:08, 03:44:09, 03:44:09, 03:44:09, 03:44:10, 03:44:10, 03:44:10, 03:44:11, 03:44:11, 03:44:11, 03:44:12, 03:44:12, 03:44:12, NOT FOUND
Checking for HTTP-Loadbalancing [Diff]: NOT FOUND
look**.com does NOT use Load-balancing.