Backtrack 4: Information Gathering: DNS: LBD - Check a domain for load balancing

The next tool up for review in the DNS section of the Backtrack 4 menu is a short script called lbd.sh. This is a small shell script with only one purpose and that is to check whether a domain is using load balncing. A common host in front of a bank of Web servers may be a load-balancing device or a Web redirector, so this information can be good to know.

The usage is very simple:

root@666:/pentest/enumeration/lbd# ./lbd.sh
lbd - load balancing detector 0.1 - Checks if a given domain uses load-balancing.
Written by Stefan Behte (http://ge.mine.nu)
Proof-of-concept! Might give false positives.
usage: ./lbd.sh [domain]

As you can see this is only a proof of concept so make sure you back up your findings with a second tool. This is excellent practice anyway when working on a penetration test. I never trust just one tool, I always like to get some back up data.

Lets run this on cnn.com since we have been using them for all the dns tutorials so far:

root@666:/pentest/enumeration/lbd# ./lbd.sh cnn.com
lbd - load balancing detector 0.1 - Checks if a given domain uses load-balancing.
Written by Stefan Behte (http://ge.mine.nu)
Proof-of-concept! Might give false positives.
Checking for DNS-Loadbalancing: FOUND
cnn.com has address 157.166.255.19
cnn.com has address 157.166.255.18
cnn.com has address 157.166.226.26
cnn.com has address 157.166.226.25
cnn.com has address 157.166.224.26
cnn.com has address 157.166.224.25
Checking for HTTP-Loadbalancing [Server]:
Apache
NOT FOUND
Checking for HTTP-Loadbalancing [Date]: 13:45:43, 13:45:43, 13:45:43, 13:45:43, 13:45:43, 13:45:43, 13:45:44, 13:45:44, 13:45:44, 13:45:44, 13:45:44, 13:45:44, 13:45:45, 13:45:45, 13:45:45, 13:45:45, 13:45:45, 13:45:45, 13:45:45, 13:45:46, 13:45:46, 13:45:46, 13:45:46, 13:45:46, 13:45:46, 13:45:47, 13:45:47, 13:45:47, 13:45:47, 13:45:47, 13:45:47, 13:45:48, 13:45:48, 13:45:48, 13:45:48, 13:45:48, 13:45:48, 13:45:49, 13:45:49, 13:45:49, 13:45:49, 13:45:49, 13:45:49, 13:45:50, 13:45:50, 13:45:50, 13:45:50, 13:45:50, 13:45:50, 13:45:50, NOT FOUND
Checking for HTTP-Loadbalancing [Diff]: FOUND
< Expires: Tue, 25 May 2010 13:46:42 GMT
> Expires: Tue, 25 May 2010 13:46:43 GMT
< Content-Length: 99979
> Content-Length: 99806
cnn.com does Load-balancing. Found via Methods: DNS HTTP[Diff]

As you can see the script has found load balancing to be active and has determined the information via two different methods. This is just one small piece of a jig saw puzzle when mapping out a network but a useful piece.