Load balancer in penetration Testing
In previous post we were talk about the problem we have to face when we implement load balacing for a system, so with pentesters what’s the problem we’ll face ? Let’s discuss about that.
What does load balancing mean for pen testers ?
Some may ask, what does load balancing mean to pen testers, and why should they care ?
The main goal fo a penetration test is to provide the client with a valid explaination of potential security holdes in their network. The information that is given to them must be accurate as the recommend fixes can cost a lot of money and time for a company to implement.
One of the first steps in a penetration test is reconaissance. If any of the servers or services that are beging enumerating are behind some sort of load balancing, then there may be inconsistent results.If pen tester is not careful in their exmamination of the results of this enumeration, it could lead them to miss important services or systems.
One of final objectives of a penetration test before the report generation is to attempt to exploit the vulnerabilites they have found. If you add a load balancer to this equation, you may be thinking that the exploit is not working, when it fact, it may be that you are hitting a different system which may not have the vulnerability. This could lead to a lot of wasted time that could have been eliminated if it was known that load balancing was in place.
How to identify load balancing
Most load-balancers are deployed for redudancy and performance improvement.
As an attacker-load balancers are a headache. You have no idea where your packets are going. There is absolutely no point running tools against a host without knowing if a load balancer has been deployed. We’ll take those steps below:
Step 1 Determine if the host is load balanced
Step 2 Determine what type of load balancing is in place(HTTPS or DNS)
There are a few things you can check that at least imply the existance of a balancer:
* The HTTP header may reveal the presense of a proxy server or other balancer
* Check here for different timestamps as well, implying slightly different clocks.
* check the order of the headers as well
* You can seach for the addition of non-standard webserver cookies and headers which are commonly used by load balancers to assist applicaitons with handling sessions and other security functions
* General reconnaisance
* The DNS respone may reveal multiple IP address, implying balancing.
* They may give it away in the hostname(cdn.xyz.com)
* You may be able to get some info from netcraft.com that leads you in the right direction
* Observe the system under load
* Generate a ton of traffic;see if your requests start going somewhere else, or if the headers change,etc.
Firefox LiveHTTP Headers(Firefox addons)
– Look in HTTP header for modifications such as:
1.BIGipServerOS in cookie
– Look for multiple addresses resolving to one domain name
– dig google.com
Look for things like “F5 BigIP”
– ./lbd.sh targethost.com
– Halberd discovers HTTP load balancers. It is useful for web application
security auditing and for load balancer configuration testing
– halberd targethost.com
Link previous posts in load balacner’s series:
Another idea, please free contact with me through email : [email protected]