#!/usr/bin/python
# -*- coding: utf-8 -*-
'''
Load Balancer Finder - Try to detect load balancers / domain using multiple hosts
Copyright (C) 2011 Alejandro Nolla Blanco - [email protected]
Nick: z0mbiehunt3r - @z0mbiehunt3r
Blog: navegandoentrecolisiones.blogspot.com
Thanks to:
Rubén Garrote García (Boken) for ideas, helping me and his getNumLBfromIPIDS function
Daniel García García (Crohn) for ideas and helping me
Raúl Siles for his F5 BIGIP Cookie Decoder script
Buguroo and Ecija team!
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
'''
'''
So understand
Don't waste your time always searching for those wasted years,
Face up...make your stand,
And realize you're living in the golden years.
Iron Maiden - Wasted Years
'''
import sys
import ConfigParser
import argparse
import utils
import methods
import os
def banner():
    """Write the tool's ASCII banner to stdout (same bytes as the original print)."""
    text = '''
|----------------------------------------------------------|
| Load Balancer Finder |
| Alejandro Nolla (z0mbiehunt3r) |
|----------------------------------------------------------|\n'''
    # print statement semantics: the text followed by a single newline
    sys.stdout.write(text + "\n")
def usage():
    """Write the list of detection methods this tool runs to stdout."""
    text = '''
Tries to find load balancers using several methods:
- Check multiple DNS "A" entries
- IPID Analysis
- IP TTL value analysis
- Server banner analysis
- Well-known load balancer cookies checking
- HTTP Date header timestamp analysis
- ICMP timestamp analysis
- TCP timestamp analysis
- Multiple DNS queries with different geolocated DNS servers (round-robin, anycast)
'''
    # print statement semantics: the text followed by a single newline
    sys.stdout.write(text + "\n")
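def checkArgs(arg_parser=None):
    """Exit with the usage text when the program was started without arguments.

    Args:
        arg_parser: argparse parser whose help text is printed. Defaults to
            the module-level ``parser`` built in the ``__main__`` block, so
            existing callers keep working; passing one explicitly removes the
            dependency on that global.

    Raises:
        SystemExit: when ``sys.argv`` holds nothing beyond the program name.
            Exits with status 0, matching the other early exits in this file.
    """
    if len(sys.argv) >= 2:
        return
    active_parser = parser if arg_parser is None else arg_parser
    usage()
    active_parser.print_help()
    sys.exit()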
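if __name__ == '__main__':
    # Entry point: parse the command line, read the numeric knobs from the
    # config file and run every detection method in methods.* against the
    # target domain, reporting through utils.printMessage.
    banner()

    parser = argparse.ArgumentParser()
    gr1 = parser.add_argument_group("Main options")
    gr1.add_argument('-d', '--domain', dest='domain', required=False, help='domain to check')
    gr1.add_argument('-u', '--url', dest='url', required=False, help='URL used for HTTP checks')
    gr1.add_argument('-p', '--port', dest='port', required=False, default=80, type=int, help='port to check (default 80)')
    gr1.add_argument('-s', '--ssl', dest='ssl', default=False, action='store_true', help='use SSL to HTTP request')
    gr1.add_argument('-f', '--file', dest='configfile', default="lb-finder.conf", help='config file to use')
    gr2 = parser.add_argument_group("Display options")
    gr2.add_argument('-v', '--verbose', dest='verbose', default=False, action='store_true', help='show extra info about IPIDs, timpestamps, etc')
    gr2.add_argument('-c', '--colours', dest='colour', default=False, action='store_true', help='coloured output')
    checkArgs()
    args = parser.parse_args()

    # -d is declared optional, but every check below needs a domain; fail with
    # a usage error instead of an AttributeError on None.rstrip().
    if not args.domain:
        parser.error("a target domain is required (-d/--domain)")
    if not 0 < args.port < 65536:
        parser.error("port must be in the range 1-65535")

    progOptions = utils.cParams()
    progOptions.set_normal_output(sys.stdout)
    progOptions.set_error_output(sys.stderr)
    progOptions.set_use_colours(args.colour)
    progOptions.verbose = args.verbose

    # Raw-socket packet injection (scapy) needs an effective uid of 0.
    if os.geteuid() != 0:
        utils.printMessage("[-] You have to be root (scapy packet injection)", "error", progOptions)
        sys.exit(0)

    # Configuration parsing. Only the errors this code can actually produce
    # are caught: missing sections/options (ConfigParser.Error) and
    # non-integer values (ValueError). A bare except would also swallow
    # KeyboardInterrupt and SystemExit.
    cfg = ConfigParser.ConfigParser()
    try:
        # ConfigParser.read() silently ignores unreadable files and returns
        # the list of files it did parse; treat an empty list as an error so
        # the user sees the file name rather than a "no section" message.
        if not cfg.read(args.configfile):
            raise ConfigParser.Error("cannot read config file %s" % args.configfile)
        nsyn = int(cfg.get("packets", "ipid_syn"))
        nicmp_packets = int(cfg.get("packets", "nicmp_packets"))
        tcp_timestamp = int(cfg.get("packets", "tcp_timestamp"))
        banner_retrieves = int(cfg.get("packets", "banner_retrieves"))
        cookie_retrieves = int(cfg.get("packets", "cookie_retrieves"))
        httptimestamp_retrieves = int(cfg.get("packets", "httptimestamp_retrieves"))
        socket_timeout = int(cfg.get("packets", "socket_timeout"))
        http_timeout = int(cfg.get("HTTP", "http_timeout"))
        dns_queries = int(cfg.get("packets", "dns_queries"))
        useragent = cfg.get("HTTP", "useragent")
        f5enumeration = cfg.get("HTTP", "f5enumeration")
    except (ConfigParser.Error, ValueError) as err:
        utils.printMessage("[-] Error parsing config options: %s (check lb-finder.conf for reference)" % err, "error", progOptions)
        sys.exit(0)

    # Battery tests
    dns_servers_round_robin = utils.readDNSServers("dnsservers.txt", progOptions)

    # Strip trailing whitespace before deriving host, so host and domain agree
    # (previously host kept the unstripped value).
    domain = args.domain.rstrip()
    host = domain
    port = args.port
    url = args.url.rstrip() if args.url else args.url
    verbose = args.verbose

    utils.printMessage("[*] Looking for load balancers in %s\n" % domain, "info", progOptions)
    methods.checkMultipleDNS(domain, progOptions)
    methods.analyzeIPID(domain, port, nsyn, socket_timeout, verbose, progOptions)
    methods.checkTTLF5(host, port, domain, socket_timeout, progOptions)
    methods.analyzeServerBannerDiff(host, port, args.ssl, banner_retrieves, useragent, http_timeout, progOptions, url)
    methods.checkLBCookie(host, port, args.ssl, useragent, http_timeout, f5enumeration, progOptions, url)
    methods.analyzeHTTPTimestamp(host, port, args.ssl, httptimestamp_retrieves, useragent, http_timeout, verbose, progOptions, url)
    methods.checkICMPTimestamp(host, socket_timeout, nicmp_packets, verbose, progOptions)
    methods.checkTCPTimestamp(host, port, tcp_timestamp, socket_timeout, verbose, progOptions)
    methods.analyzeDNSRoundRobin(domain, dns_queries, dns_servers_round_robin, progOptions)
    utils.printMessage("[-] All tests done...\n\n", "info", progOptions)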