Web Infrastructure Detection

The technique used to detect a web infrastructure component depends on which component you are trying to detect. Load balancers are commonly configured to distribute incoming connections based on the source IP address. By making requests from a range of source addresses and comparing the responses, you may therefore be able to infer that a load balancer is present from small differences between them. These differences may include HTTP Server headers reporting different web server types and versions, variation in the Date headers because the back-end servers' clocks are not synchronized with NTP, HTTP Location headers leaking a range of internal IP addresses, or even differences in the pages served because the content is not identical across all of the web servers.
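The comparison described above can be automated once the responses have been captured. The following is an added example, not code from the original article: it takes a constructed set of response headers (the hostnames, addresses, banners and timestamps are all made up) and reports the three tell-tale inconsistencies the paragraph names, which is also how a defender would audit their own front end for information leakage.

```python
"""Look for signs of multiple back ends behind one hostname in captured HTTP responses.

Added example (not from the original article). SAMPLE_RESPONSES is constructed:
each entry is (client-side capture time in ISO 8601, response headers) for one
request to the same URL.
"""
import ipaddress
import re
from datetime import datetime
from email.utils import parsedate_to_datetime

# Constructed sample data. The second response differs in banner, clock and Location.
SAMPLE_RESPONSES = [
    ("2024-01-01T12:00:00+00:00",
     {"Server": "Apache/2.4.57", "Date": "Mon, 01 Jan 2024 12:00:00 GMT",
      "Location": "https://www.example.com/"}),
    ("2024-01-01T12:00:01+00:00",
     {"Server": "nginx/1.24.0", "Date": "Mon, 01 Jan 2024 12:03:41 GMT",
      "Location": "http://10.0.0.12/"}),
    ("2024-01-01T12:00:02+00:00",
     {"Server": "Apache/2.4.57", "Date": "Mon, 01 Jan 2024 12:00:02 GMT"}),
]

_HOST_IN_URL = re.compile(r"https?://([^/:]+)")


def analyse_responses(responses, skew_threshold_s=30):
    """Return findings suggesting a load balancer in front of several servers.

    - distinct Server banners imply more than one back end (or inconsistent patching)
    - Date headers far from the client clock imply unsynchronized back-end clocks
    - Location headers pointing at private (RFC 1918) addresses leak internal topology
    """
    banners = {h["Server"] for _, h in responses if h.get("Server")}

    skews = []
    for captured_at, headers in responses:
        if "Date" in headers:
            server_time = parsedate_to_datetime(headers["Date"])   # tz-aware (GMT)
            client_time = datetime.fromisoformat(captured_at)      # tz-aware
            skews.append(abs((server_time - client_time).total_seconds()))

    leaked = []
    for _, headers in responses:
        match = _HOST_IN_URL.match(headers.get("Location", ""))
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # a hostname, not a literal IP address
        if addr.is_private:
            leaked.append(str(addr))

    return {
        "server_banners": sorted(banners),
        "multiple_backends": len(banners) > 1,
        "max_clock_skew_s": max(skews) if skews else 0.0,
        "clock_skew_detected": any(s > skew_threshold_s for s in skews),
        "leaked_private_ips": leaked,
    }


if __name__ == "__main__":
    for key, value in analyse_responses(SAMPLE_RESPONSES).items():
        print(f"{key}: {value}")
```

Feeding the function real captures is a matter of recording the client time alongside each response's headers; the skew threshold is deliberately generous, since a few seconds of drift is normal while minutes of drift points at a host that is not running NTP.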

Load balancers may also have intrusion prevention capabilities that produce error responses or send RST packets to tear down a connection, revealing their presence. Their administrative web interfaces may also be exposed to the Internet, allowing an attacker to determine the type and version of load balancer in use, to look up any known vulnerabilities for that specific version, and to attempt brute-force attacks against the administrative login in order to gain access to the load balancer's administrative functions.

Load balancing, or load distribution, may also be performed with DNS Round Robin rather than a physical load balancer. Determining whether DNS Round Robin is configured is trivial with the Linux dig utility: it returns more than one IP address for the domain, and the order of the answers should change across repeated queries. Because every address in the pool is reachable directly, this configuration allows an attacker to bypass the round robin distribution and direct all traffic at one specific IP address, which increases the probability of a denial of service attack succeeding.
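Repeated dig queries are easy to post-process. The following is an added example, not code from the original article: it parses the ANSWER SECTION of several constructed dig runs (the `www.example.com` records and addresses are made up), collects the address pool and checks whether the answer order rotates. From the defensive side the pool list is the point: every address in it is individually reachable, so each member must be protected to the same standard.

```python
"""Detect DNS round robin from the output of repeated dig queries.

Added example, not part of the original article. DIG_RUNS is constructed to
mimic `dig +noall +answer www.example.com A` run three times in a row.
"""
import re

# Constructed sample: three consecutive answer sections with rotated ordering.
DIG_RUNS = [
    "www.example.com.\t60\tIN\tA\t192.0.2.10\n"
    "www.example.com.\t60\tIN\tA\t192.0.2.11\n"
    "www.example.com.\t60\tIN\tA\t192.0.2.12\n",
    "www.example.com.\t58\tIN\tA\t192.0.2.11\n"
    "www.example.com.\t58\tIN\tA\t192.0.2.12\n"
    "www.example.com.\t58\tIN\tA\t192.0.2.10\n",
    "www.example.com.\t57\tIN\tA\t192.0.2.12\n"
    "www.example.com.\t57\tIN\tA\t192.0.2.10\n"
    "www.example.com.\t57\tIN\tA\t192.0.2.11\n",
]

# name  TTL  IN  A  address  (whitespace-separated, one record per line)
_A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s*$",
    re.MULTILINE,
)


def parse_a_records(dig_output):
    """Return the A-record addresses in a dig answer section, in answer order."""
    return [m.group("addr") for m in _A_RECORD.finditer(dig_output)]


def analyse_round_robin(runs):
    """Summarize a series of answer sections for one name.

    round_robin   - more than one address is returned for the name
    order_rotates - the answer order differs between runs (resolver or
                    authoritative server is cycling the records)
    """
    orders = [parse_a_records(run) for run in runs]
    pool = sorted({addr for order in orders for addr in order})
    return {
        "pool": pool,
        "round_robin": len(pool) > 1,
        "order_rotates": len({tuple(order) for order in orders}) > 1,
        "answers_per_query": [len(order) for order in orders],
    }


if __name__ == "__main__":
    print(analyse_round_robin(DIG_RUNS))
```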

Similar techniques identify intrusion prevention systems and web proxies: check the HTTP Server headers returned in response to specifically crafted requests, or the error messages sent back by the web proxy or IPS when it blocks a request. Database servers can be detected from the error messages produced when nonstandard input is passed to the web application, or from the large amount of dynamic content a web application produces.

You can also identify web proxies by requesting the same URL over HTTP and HTTPS and comparing the IP Time To Live (TTL) values of the response packets. If the TTL differs between the two, the HTTP and HTTPS requests for the same URL are being handled by two different machines via some sort of proxy.

If a web cache is in use, or the web proxy also performs caching, you may identify it by noting the Round Trip Time (RTT) of the first request and then repeating the same request to see whether the RTT decreases because the response is now served from the cache. hping is a good Linux tool for measuring these values.
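The TTL and RTT comparisons in the two paragraphs above both reduce to arithmetic on captured values, and the TTL side is more informative than a plain "differs or not" once the sender's initial TTL is estimated. The following is an added example, not code from the original article; the TTL and RTT observations are constructed, and the assumption that senders start from one of the common defaults (64, 128 or 255) is the usual heuristic rather than anything the article states. The same hop estimate is what you would set against a TCP traceroute when locating a firewall.

```python
"""Infer proxying and caching from packet-level observations.

Added example, not from the original article. The sample TTLs and RTTs below are
constructed: TTL values seen on response packets for one URL fetched over HTTP
and over HTTPS, and round-trip times for repeated requests for the same object.
"""
from statistics import median, mode

# Heuristic: most operating systems start the IP TTL at one of these values.
COMMON_INITIAL_TTLS = (64, 128, 255)

# Constructed observations.
TTLS_HTTP = [53, 53, 54]        # e.g. Linux-style sender, about 11 hops away
TTLS_HTTPS = [120, 120, 119]    # e.g. Windows-style sender, about 8 hops away
RTTS_MS = [180.0, 45.0, 42.0, 48.0]   # first request, then three repeats


def infer_hops(observed_ttl):
    """Return (assumed initial TTL, estimated hop count) for an observed TTL.

    The initial TTL is taken as the smallest common default not below the
    observed value; the difference is the number of routers traversed.
    """
    if not 0 <= observed_ttl <= 255:
        raise ValueError("IP TTL must be in 0..255")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 is always an upper bound")


def compare_ttls(ttls_http, ttls_https):
    """Compare the typical response TTL for HTTP and HTTPS to the same URL.

    A different initial TTL or hop count means the two protocols are being
    answered by different hosts, e.g. a TLS-terminating proxy in front of the
    origin. The mode is used so a single odd packet does not skew the result.
    """
    http_initial, http_hops = infer_hops(mode(ttls_http))
    https_initial, https_hops = infer_hops(mode(ttls_https))
    return {
        "http": {"initial_ttl": http_initial, "hops": http_hops},
        "https": {"initial_ttl": https_initial, "hops": https_hops},
        "different_hosts": (http_initial, http_hops) != (https_initial, https_hops),
        "different_os_family": http_initial != https_initial,
    }


def detect_caching(rtts_ms, ratio=0.5):
    """Compare the first request's RTT with the steady state of the repeats.

    If later requests complete in less than `ratio` of the first, the object is
    most likely being served from a cache rather than fetched from the origin.
    """
    if len(rtts_ms) < 2:
        raise ValueError("need the first request plus at least one repeat")
    first, steady = rtts_ms[0], median(rtts_ms[1:])
    return {
        "first_ms": first,
        "steady_state_ms": steady,
        "likely_cached": steady < ratio * first,
    }


if __name__ == "__main__":
    print(compare_ttls(TTLS_HTTP, TTLS_HTTPS))
    print(detect_caching(RTTS_MS))
```

The hop estimate is only as good as the initial-TTL guess; a host that has been tuned to a non-default initial TTL will be placed at the wrong distance, which is why the comparison between the two protocols (same URL, same client, same moment) carries more weight than either absolute number.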

Firewalls, if configured correctly, should drop all traffic aimed directly at them. By performing a TCP traceroute to the web server on port 80 or 443, you can determine the firewall's position, since no response comes back from its hop, which also tells you the number of hops between the attacker and the firewall. Firewalls are not always configured correctly and may leave some ports open to the Internet, or the firewall may also serve another purpose, such as a VPN endpoint. This is common with Check Point firewalls, which can often be detected via TCP ports 264 and 18264, immediately allowing an attacker to fingerprint the device. If a packet's TTL expires on the firewall itself, some firewalls send back an ICMP Time Exceeded (TTL expired) message, allowing the attacker to locate the firewall and possibly gaining some insight into the type of firewall in place.