Halberd

From aldeid

Description

Halberd discovers HTTP load balancers. It sends a large number of requests to the target's virtual IP over a fixed period and compares the replies (the Server banner, the set of headers returned, cookie names, and the offset between each reply's Date header and the local clock) to count how many distinct real servers are answering behind that address. It is useful for web application security auditing and for load balancer configuration testing. An attacker can use the same clues to find configuration differences, or a weaker server, among the real servers behind the load balancer's IP, which would go unnoticed when only the virtual IP is tested.
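The counting logic in miniature, as an added example that is not halberd's own code: it clusters replies captured from one virtual IP the way halberd does, by a fingerprint of the stable headers (volatile values such as Date and Content-Length contribute only their name, cookies only their cookie name) and by the offset between the Date header and the local clock. The traffic, the two-second clock tolerance, the server banners and the hosts are all constructed for the example.

```python
import hashlib
from email.utils import formatdate, parsedate_to_datetime

# Headers whose value legitimately changes between replies from one server.
# They contribute only their name to the fingerprint (cookies: the cookie name).
VOLATILE = {"date", "set-cookie", "content-length", "expires", "etag", "last-modified"}


def clock_difference(date_header, local_ts):
    """Seconds between the server's Date header and our clock at receipt."""
    server_ts = parsedate_to_datetime(date_header).timestamp()
    return int(round(server_ts - local_ts))


def fingerprint(headers):
    """SHA-1 over header names (in order) plus values of non-volatile headers."""
    parts = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            parts.append("set-cookie:" + value.split("=", 1)[0].strip())
        elif lname in VOLATILE:
            parts.append(lname)
        else:
            parts.append(lname + ":" + value)
    return hashlib.sha1("\n".join(parts).encode()).hexdigest()


def cluster_backends(responses, skew_tolerance=2):
    """
    responses: list of (local_unix_ts, [(header_name, value), ...]) received
    from one virtual IP.  Two replies are attributed to the same real server
    when their fingerprints match and their clock differences agree within
    skew_tolerance seconds (the tolerance is an assumption of this example,
    not halberd's own setting).  Clusters are returned in order of discovery.
    """
    clusters = []
    for local_ts, headers in responses:
        hdrs = {k.lower(): v for k, v in headers}
        diff = clock_difference(hdrs["date"], local_ts) if "date" in hdrs else None
        fp = fingerprint(headers)
        for c in clusters:
            same_clock = (diff is None or c["difference"] is None
                          or abs(c["difference"] - diff) <= skew_tolerance)
            if c["fingerprint"] == fp and same_clock:
                c["hits"] += 1
                break
        else:
            clusters.append({"server": hdrs.get("server", "unknown"),
                             "fingerprint": fp, "difference": diff, "hits": 1})
    return clusters


def make_response(local_ts, skew, server, extra=()):
    """Build a constructed reply whose Date header is local_ts + skew seconds."""
    headers = [("Date", formatdate(local_ts + skew, usegmt=True)),
               ("Server", server),
               ("Content-Type", "text/html"),
               ("Content-Length", str(local_ts % 97))]
    headers.extend(extra)
    return local_ts, headers


# Constructed traffic: 30 replies over 30 seconds from a VIP fronting three
# hosts: two identical Apache builds whose clocks differ, and one nginx that
# also sets a session cookie.
BASE_TS = 1337346171  # Fri, 18 May 2012 13:02:51 GMT
SAMPLE = []
for i in range(30):
    t = BASE_TS + i
    if i % 3 == 0:
        SAMPLE.append(make_response(t, -5, "Apache/2.2.22 (Ubuntu)"))
    elif i % 3 == 1:
        SAMPLE.append(make_response(t, 121, "Apache/2.2.22 (Ubuntu)"))
    else:
        SAMPLE.append(make_response(t, -5, "nginx/1.2.0",
                                    [("Set-Cookie", "sid=%d; path=/" % i)]))

if __name__ == "__main__":
    for n, c in enumerate(cluster_backends(SAMPLE), 1):
        print("server %d: %s  difference: %s s  hits: %d  fingerprint: %s"
              % (n, c["server"], c["difference"], c["hits"], c["fingerprint"]))
```

Run it and it prints one line per detected server in the style of halberd's report. The two Apache hosts return byte-identical headers apart from Date, so only the 126-second gap between their clocks separates them, which is exactly the clue the Date header provides; the nginx replies separate on the Server value and the cookie name.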

Installation

$ cd ~/src/
$ wget http://halberd.superadditive.com/dist/halberd-0.2.4.tar.gz
$ tar xzvf halberd-0.2.4.tar.gz
$ cd halberd-0.2.4/
$ sudo python setup.py install

halberd 0.2.4 is Python 2 code, so python here must be a Python 2 interpreter. The tarball is fetched over plain HTTP with nothing to check it against, so prefer your distribution's package where one exists (Kali Linux packages halberd), or install it into a disposable virtualenv rather than into the system interpreter with sudo.

Usage

Syntax

$ halberd [OPTION]... URL

Options

--version
show program's version number and exit
-h, --help
show this help message and exit
-v, --verbose
explain what is being done
-q, --quiet
run quietly
-d, --debug
enable debugging information
-t NUM, --time=NUM
time (in seconds) to spend scanning the target
-p NUM, --parallelism=NUM
specify the number of parallel threads to use
-u FILE, --urlfile=FILE
read URLs from FILE
-o FILE, --out=FILE
write report to the specified file
-a ADDR, --address=ADDR
specify address to scan
-r FILE, --read=FILE
load clues from the specified file
-w DIR, --write=DIR
save clues to the specified directory
--config=FILE
use alternative configuration file

Example

Site using load balancing

In the example below, google.com resolves to eleven addresses (DNS round robin) and halberd scans each of them in turn. Behind every address it finds one real server, and every address returns the same Server banner (gws), the same header fingerprint and the same clock difference (-17997 seconds). So these are not eleven distinguishable backends but a single uniform pool, and any balancing that happens behind each address leaves no trace in the clues halberd collects. The difference of roughly five hours, identical on every address, is most plausibly a timezone offset on the scanning host rather than real clock skew; what matters for counting servers is that it does not vary between addresses. The last address shows 14 missed requests, that is, requests that received no reply within the scan.

$ halberd google.com
halberd 0.2.4 (14-Aug-2010)

INFO looking up host google.com... 
INFO host lookup done.
INFO google.com resolves to 173.194.34.100
INFO google.com resolves to 173.194.34.101
INFO google.com resolves to 173.194.34.102
INFO google.com resolves to 173.194.34.103
INFO google.com resolves to 173.194.34.104
INFO google.com resolves to 173.194.34.105
INFO google.com resolves to 173.194.34.110
INFO google.com resolves to 173.194.34.96
INFO google.com resolves to 173.194.34.97
INFO google.com resolves to 173.194.34.98
INFO google.com resolves to 173.194.34.99
173.194.34.100   [##########]  clues:   2 | replies: 552 | missed:   0

======================================================================
http://google.com (173.194.34.100): 1 real server(s)
======================================================================

server 1: gws
----------------------------------------------------------------------

difference: -17997 seconds
successful requests: 552 hits (100.00%)
header fingerprint: 9dca9ec16a5267ee8a8297f544f7e7d15dfc288e
173.194.34.101   [##########]  clues:   2 | replies: 555 | missed:   0

======================================================================
http://google.com (173.194.34.101): 1 real server(s)
======================================================================

server 1: gws
----------------------------------------------------------------------

difference: -17997 seconds
successful requests: 555 hits (100.00%)
header fingerprint: 9dca9ec16a5267ee8a8297f544f7e7d15dfc288e
173.194.34.102   [##########]  clues:   2 | replies: 560 | missed:   0

======================================================================
http://google.com (173.194.34.102): 1 real server(s)
======================================================================

server 1: gws
----------------------------------------------------------------------

difference: -17997 seconds
successful requests: 560 hits (100.00%)
header fingerprint: 9dca9ec16a5267ee8a8297f544f7e7d15dfc288e
173.194.34.103   [##########]  clues:   2 | replies: 554 | missed:   0

======================================================================
http://google.com (173.194.34.103): 1 real server(s)
======================================================================

server 1: gws
----------------------------------------------------------------------

difference: -17997 seconds
successful requests: 554 hits (100.00%)
header fingerprint: 9dca9ec16a5267ee8a8297f544f7e7d15dfc288e
173.194.34.104   [##########]  clues:   2 | replies: 555 | missed:   0

======================================================================
http://google.com (173.194.34.104): 1 real server(s)
======================================================================

server 1: gws
----------------------------------------------------------------------

difference: -17997 seconds
successful requests: 555 hits (100.00%)
header fingerprint: 9dca9ec16a5267ee8a8297f544f7e7d15dfc288e
173.194.34.105   [##########]  clues:   2 | replies: 546 | missed:   0

======================================================================
http://google.com (173.194.34.105): 1 real server(s)
======================================================================

server 1: gws
----------------------------------------------------------------------

difference: -17997 seconds
successful requests: 546 hits (100.00%)
header fingerprint: 9dca9ec16a5267ee8a8297f544f7e7d15dfc288e
173.194.34.110   [##########]  clues:   2 | replies: 551 | missed:   0

======================================================================
http://google.com (173.194.34.110): 1 real server(s)
======================================================================

server 1: gws
----------------------------------------------------------------------

difference: -17997 seconds
successful requests: 551 hits (100.00%)
header fingerprint: 9dca9ec16a5267ee8a8297f544f7e7d15dfc288e
173.194.34.96    [##########]  clues:   2 | replies: 530 | missed:   0

======================================================================
http://google.com (173.194.34.96): 1 real server(s)
======================================================================

server 1: gws
----------------------------------------------------------------------

difference: -17997 seconds
successful requests: 530 hits (100.00%)
header fingerprint: 9dca9ec16a5267ee8a8297f544f7e7d15dfc288e
173.194.34.97    [##########]  clues:   2 | replies: 555 | missed:   0

======================================================================
http://google.com (173.194.34.97): 1 real server(s)
======================================================================

server 1: gws
----------------------------------------------------------------------

difference: -17997 seconds
successful requests: 555 hits (100.00%)
header fingerprint: 9dca9ec16a5267ee8a8297f544f7e7d15dfc288e
173.194.34.98    [##########]  clues:   2 | replies: 557 | missed:   0

======================================================================
http://google.com (173.194.34.98): 1 real server(s)
======================================================================

server 1: gws
----------------------------------------------------------------------

difference: -17997 seconds
successful requests: 557 hits (100.00%)
header fingerprint: 9dca9ec16a5267ee8a8297f544f7e7d15dfc288e
173.194.34.99    [##########]  clues:   2 | replies: 314 | missed:  14

======================================================================
http://google.com (173.194.34.99): 1 real server(s)
======================================================================

server 1: gws
----------------------------------------------------------------------

difference: -17997 seconds
successful requests: 314 hits (100.00%)
header fingerprint: 9dca9ec16a5267ee8a8297f544f7e7d15dfc288e

Site with a single IP address

ethical-intrusion.com resolves to one address, 88.190.253.248, so there is no DNS round robin here; the question is whether anything is balanced behind that single address. Halberd reports two real servers, but read the details before accepting the count: both clusters carry the same Server banner and the same clock difference (-17996 seconds), and server 1 accounts for just 2 of 503 replies, differing from server 2 only in lacking the PHPSESSID cookie and the Location: login.php redirect. That is at least as consistent with one Apache host answering two requests differently as with a second machine. Re-run with a longer -t, save the clues with -w and compare them, before reporting two backends.

# halberd ethical-intrusion.com
halberd 0.2.4 (14-Aug-2010)

INFO looking up host ethical-intrusion.com... 
INFO host lookup done.
88.190.253.248   [##########]  clues:   4 | replies: 503 | missed:   0

======================================================================
http://ethical-intrusion.com (88.190.253.248): 2 real server(s)
======================================================================

server 1: Apache/1.3.34 (Ubuntu) mod_vhost_online/1.2 mod_fastcgi/2.4.2 mod_log_online/0.1
----------------------------------------------------------------------

difference: -17996 seconds
successful requests: 2 hits (0.40%)
header fingerprint: ce191d0de7f8e25b4eb6f4145a3614e76f1735cf
different headers:
  1. Date: Fri, 18 May 2012 13:03:01 GMT

server 2: Apache/1.3.34 (Ubuntu) mod_vhost_online/1.2 mod_fastcgi/2.4.2 mod_log_online/0.1
----------------------------------------------------------------------

difference: -17996 seconds
successful requests: 501 hits (99.60%)
cookie(s):
  PHPSESSID=324135a4c33f14ad29e171f842eee6ab; path=/
header fingerprint: b94c045d7d5cbc18609b330abaee80beb4f1af39
different headers:
  1. Date: Fri, 18 May 2012 13:02:51 GMT
  2. Set-Cookie: PHPSESSID=324135a4c33f14ad29e171f842eee6ab; path=/
  3. Expires: Thu, 19 Nov 1981 08:52:00 GMT
  4. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  5. Pragma: no-cache
  6. Location: login.php
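Both reports above are easier to judge in bulk than by eye, especially when scanning a list of hosts with -u. The following parser, an added example and not part of halberd, reads the plain-text report format shown on this page and applies the two checks made in the sections above: identical header fingerprints across several addresses mean the addresses front one backend fleet rather than different systems, and a "real server" seen in under one percent of replies that shares banner and clock difference with a sibling on the same address is a candidate false positive to re-scan before reporting. The sample report is constructed in the same format, with documentation hostnames and addresses; separator and blank lines are not needed by the parser and are omitted.

```python
import re
from collections import defaultdict

HOST_RE = re.compile(r"^http://\S+ \((\d+\.\d+\.\d+\.\d+)\): \d+ real server\(s\)")
SERVER_RE = re.compile(r"^server \d+: (.+)$")
DIFF_RE = re.compile(r"^difference: (-?\d+) seconds")
HITS_RE = re.compile(r"^successful requests: (\d+) hits \(([\d.]+)%\)")
FP_RE = re.compile(r"^header fingerprint: ([0-9a-f]{40})")


def parse_report(text):
    """Return {ip: [{'server', 'difference', 'hits', 'pct', 'fingerprint'}, ...]}."""
    results = defaultdict(list)
    ip = cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            ip, cur = m.group(1), None
            continue
        m = SERVER_RE.match(line)
        if m and ip is not None:
            cur = {"server": m.group(1), "difference": None, "hits": 0,
                   "pct": 0.0, "fingerprint": None}
            results[ip].append(cur)
            continue
        if cur is None:
            continue          # banner, lookup lines, separators: nothing to record
        m = DIFF_RE.match(line)
        if m:
            cur["difference"] = int(m.group(1))
            continue
        m = HITS_RE.match(line)
        if m:
            cur["hits"], cur["pct"] = int(m.group(1)), float(m.group(2))
            continue
        m = FP_RE.match(line)
        if m:
            cur["fingerprint"] = m.group(1)
    return dict(results)


def shared_fingerprints(results):
    """fingerprint -> sorted IPs returning it; more than one IP means one fleet."""
    seen = defaultdict(set)
    for ip, servers in results.items():
        for s in servers:
            if s["fingerprint"]:
                seen[s["fingerprint"]].add(ip)
    return {fp: sorted(ips) for fp, ips in seen.items() if len(ips) > 1}


def suspicious_splits(results, min_pct=1.0):
    """
    (ip, hits, server) for every 'real server' seen in under min_pct of replies
    that shares banner and clock difference with another cluster on the same IP:
    re-scan these with a longer -t before reporting a second backend.
    """
    flagged = []
    for ip, servers in results.items():
        for s in servers:
            if s["pct"] >= min_pct:
                continue
            if any(o is not s and o["server"] == s["server"]
                   and o["difference"] == s["difference"] for o in servers):
                flagged.append((ip, s["hits"], s["server"]))
    return flagged


# Constructed sample in halberd's report format (documentation addresses).
SAMPLE_REPORT = """\
http://www.example.org (192.0.2.10): 1 real server(s)
server 1: gws
difference: -17997 seconds
successful requests: 552 hits (100.00%)
header fingerprint: 9dca9ec16a5267ee8a8297f544f7e7d15dfc288e

http://www.example.org (192.0.2.11): 1 real server(s)
server 1: gws
difference: -17997 seconds
successful requests: 555 hits (100.00%)
header fingerprint: 9dca9ec16a5267ee8a8297f544f7e7d15dfc288e

http://www.example.net (198.51.100.5): 2 real server(s)
server 1: Apache/1.3.34 (Ubuntu)
difference: -17996 seconds
successful requests: 2 hits (0.40%)
header fingerprint: ce191d0de7f8e25b4eb6f4145a3614e76f1735cf
different headers:
  1. Date: Fri, 18 May 2012 13:03:01 GMT
server 2: Apache/1.3.34 (Ubuntu)
difference: -17996 seconds
successful requests: 501 hits (99.60%)
cookie(s):
  PHPSESSID=0123456789abcdef0123456789abcdef; path=/
header fingerprint: b94c045d7d5cbc18609b330abaee80beb4f1af39
"""

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print("same fleet:", shared_fingerprints(parsed))
    print("re-check:  ", suspicious_splits(parsed))
```

On a real engagement, write the report to a file with -o and pass that file's contents to parse_report; the two checks then give you a list of addresses to collapse into one finding and a list of "second server" claims that need a longer scan before they go in the report.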
