Next: Command line options Up: Operation Previous: Operation   Contents

Sample session

Peter is on the phone, talking to a client who asks him to perform a penetration test of a large web application that's just entered production.

He impatiently taps his fingers against the wooden table, waiting for the client's email to arrive. Our hero is finally given the written green light and he begins his dutiful work.

First of all, a load balancer scan is due. He fires up a virtual terminal and types:

$ halberd http://www.target-company.com

Peter reads the output of his previous incantation and nods...

halberd 0.2.0

INFO looking up host www.target-company.com...
INFO host lookup done.
INFO www.target-company.com resolves to x.x.x.1
INFO www.target-company.com resolves to x.x.x.2
x.x.x.1   [######    ]  clues:   3 | replies:  17 | missed:   0

After 17 replies he thinks halberd has enough samples to analyze, so he hits Control-C and stops the scan for this host. Peter notes that the hostname resolves to two addresses, so DNS round-robin load balancing is in place and he'll have to check both IP addresses separately.

*** finished (received SIGINT) ***

=============================================================
http://www.target-company.com (x.x.x.1): 1 real server(s)
=============================================================

server 1: foo/1.2.3  mod_bar/4.2 (Unix)
-------------------------------------------------------------

difference: 3600 seconds
successful requests: 17 hits (100.00%)
header fingerprint: c0ba8262100168851872c8feea3196f21ba2d732
different headers:
  1. Server: foo/1.2.3  mod_bar/4.2 (Unix)

"Nothing to see here, let's move along," muttered Peter while halberd moved on to the second IP address. A single fingerprint only means that nothing behind x.x.x.1 answered differently in those 17 replies; identical, NTP-synchronised backends would look like one server too.

============================================================
http://www.target-company.com (x.x.x.2): 2 real server(s)
============================================================

server 1: foo/1.2.2  mod_bar/4.2 (Unix)
------------------------------------------------------------

difference: 3600 seconds
successful requests: 11 hits (33.33%)
header fingerprint: 732deadbeef100168851872c8feea196f21ba2d2
different headers:
  1. Date: Wed, 16 Aug 2006 22:47:04 GMT
  2. Server: foo/1.2.2  mod_bar/4.2 (Unix)

server 2: foo/1.2.3  mod_bar/4.2 (Unix)
------------------------------------------------------------

difference: 3662 seconds
successful requests: 23 hits (66.66%)
header fingerprint: ad2d33a88f259b434c094a7b1172f5697a35cff4
different headers:
  1. Date: Wed, 16 Aug 2006 22:46:02 GMT
  2. Server: foo/1.2.3  mod_bar/4.2 (Unix)

"Aha!" shouts our man, almost falling off his chair. "Not only did they forget to set up NTP on those servers, letting me distinguish them easily, they also have different server versions!"

His eyes go blank while he runs a search in his brain-cell-based, caffeine-fuelled vulnerability database for the terms foo/1.2.2 mod_bar/4.2. He remembers there was a recent exploit for a buffer overflow in that version of foo.

Peter has to take into account that the vulnerable web server only receives one third of the traffic (33.33%), so any single request has a one-in-three chance of reaching it, assuming the balancer picks a backend per request rather than pinning his session to one. He therefore runs the exploit enough times to be sure that at least one attempt lands on the exposed target, bearing in mind that the attempts that hit the patched foo/1.2.3 backend are wasted and may well end up in its logs, and he finally breaks into the machine.
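The two steps above, telling the backends behind x.x.x.2 apart by their Server header and their clock skew and then working out how many attempts are needed to reach the one that only gets a third of the traffic, as an added example in Python. This is not halberd's own code (halberd compares all headers, not just these two) and every response in it is constructed for illustration; the header names, the 3600 s and 3662 s offsets and the one-second jitter are assumptions taken from the session output.

```python
# Added example, not halberd's own code. It clusters sampled HTTP replies into
# distinct backends keyed on the Server header and on the clock offset derived
# from each reply's Date header, then computes how many exploit attempts are
# needed to reach a backend that only receives a share of the traffic. All
# responses are constructed for illustration; offsets are assumed values.
import math
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Two constructed backends mirroring the sample session: each Date header runs
# ahead of our own clock by a different, un-synchronised amount (assumed).
SERVER_A = "foo/1.2.2  mod_bar/4.2 (Unix)"
SERVER_B = "foo/1.2.3  mod_bar/4.2 (Unix)"
CLOCK_AHEAD = {SERVER_A: 3600, SERVER_B: 3662}


def make_response(received_at, server, skew, jitter=0):
    """Build a constructed raw HTTP reply as a backend with the given clock
    skew would have sent it at the moment we received it."""
    server_clock = received_at + timedelta(seconds=skew + jitter)
    return ("HTTP/1.1 200 OK\r\n"
            f"Date: {format_datetime(server_clock, usegmt=True)}\r\n"
            f"Server: {server}\r\n"
            "Content-Type: text/html\r\n\r\n")


# Constructed sample: the balancer hands one request in three to SERVER_A.
T0 = datetime(2006, 8, 16, 21, 46, 0, tzinfo=timezone.utc)
SCHEDULE = [SERVER_B, SERVER_A, SERVER_B] * 3
SAMPLES = [
    (T0 + timedelta(seconds=i),
     make_response(T0 + timedelta(seconds=i), srv, CLOCK_AHEAD[srv], jitter=i % 2))
    for i, srv in enumerate(SCHEDULE)
]


def parse_headers(raw):
    """Return the response headers as a dict keyed by lowercase name."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def clock_offset(headers, received_at):
    """Seconds the server's Date header is ahead of our own clock."""
    return round((parsedate_to_datetime(headers["date"]) - received_at).total_seconds())


def cluster_backends(samples, tolerance=5):
    """Group replies into real servers. Two replies come from the same backend
    when their Server headers match and their clock offsets agree within
    `tolerance` seconds: the Date header has one-second resolution, so a
    single machine's offset wobbles by a second or two between samples."""
    clusters = []
    for received_at, raw in samples:
        h = parse_headers(raw)
        server, offset = h.get("server", ""), clock_offset(h, received_at)
        for c in clusters:
            if c["server"] == server and abs(c["offset"] - offset) <= tolerance:
                c["hits"] += 1
                break
        else:
            clusters.append({"server": server, "offset": offset, "hits": 1})
    total = sum(c["hits"] for c in clusters)
    for c in clusters:
        c["share"] = c["hits"] / total
    return clusters


def attempts_for_confidence(share, confidence=0.99):
    """Smallest n with 1 - (1 - share)**n >= confidence: how many independent
    requests to send before being `confidence` sure that at least one of them
    reached the backend that receives `share` of the traffic."""
    if not 0 < share <= 1:
        raise ValueError("share must be in (0, 1]")
    if share == 1:
        return 1
    return math.ceil(math.log(1 - confidence) / math.log(1 - share))


if __name__ == "__main__":
    for c in cluster_backends(SAMPLES):
        print(f"{c['server']}: offset {c['offset']} s, {c['hits']} hits "
              f"({c['share']:.2%}), {attempts_for_confidence(c['share'])} "
              f"tries for 99% confidence of reaching it")
```

Run stand-alone, the script reports two backends with a 1:2 split and shows that twelve requests are needed before one can be 99% sure of having reached the foo/1.2.2 machine. Replies whose Server header and clock offset both match collapse into one cluster, which is exactly why synchronised, identically configured backends look like a single server in the x.x.x.1 report above.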

"I'm so lucky to have this wonderful load balancer detector in my toolkit! This vulnerability could have easily been skipped."

Our hero begins to walk in circles around the room, planning the next stages of his assault and anticipating with apprehension the time when he'll have to write the report for his client.


Juan M. Bello Rivas 2007-07-18