Thursday, May 23, 2013

How to detect a Load Balance system (how to tell whether a website sits behind a Load Balance architecture)

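Generally speaking, most large websites are designed with a "Load Balance" architecture in order to cope with heavy network access and to spread the network traffic. For a penetration test, however, this has to be established first, so that you do not end up running a pile of useless tests.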

Several detection methods are introduced below:

1.  The dig command:

     $ dig www.google.com

; <<>> DiG 9.8.1-P1 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18625
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 5 IN A 173.194.72.147
www.google.com. 5 IN A 173.194.72.99
www.google.com. 5 IN A 173.194.72.103
www.google.com. 5 IN A 173.194.72.104
www.google.com. 5 IN A 173.194.72.105
www.google.com. 5 IN A 173.194.72.106

;; Query time: 19 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 23 13:50:49 2013
;; MSG SIZE  rcvd: 128

2. halberd


$ halberd -v www.yyy.yyy.cn
halberd 0.2.4 (14-Aug-2010)

INFO looking up host www.yyy.yyy.cn...
INFO host lookup done.
211.88.yyy.151    [##########]  clues:  30 | replies: 286 | missed:   0

======================================================================
http://www.yyy.yyy.cn (211.88.yyy.151): 2 real server(s)
======================================================================

server 1: Apache/1.3.29 (Unix) PHP/4.3.6
----------------------------------------------------------------------

difference: 1369288820 seconds
successful requests: 118 hits (41.26%)
header fingerprint: 2d400052972048f733d653df965c209396fa5901
different headers:
  1. X-Cache-Debug: TCP_MISS/NIP-CNVR/-

server 2: Apache/1.3.29 (Unix) PHP/4.3.6
----------------------------------------------------------------------

difference: 1369288820 seconds
successful requests: 168 hits (58.74%)
header fingerprint: 29cfb7ec75f8372af0ade98cdb9959a191248940
different headers:
  1. X-Cache-Debug: TCP_CNC_MISS/CNC-NIP-CNVR/-



$ halberd -v www.xxx.xxx.cn
halberd 0.2.4 (14-Aug-2010)

INFO looking up host www.xxx.xxx.cn...
INFO host lookup done.
INFO www.xxx.xxx.cn resolves to 58.68.xxx.250
INFO www.xxx.xxx.cn resolves to 65.255.xxx.2
58.68.168.250    [##########]  clues:  15 | replies: 160 | missed:   0

======================================================================
http://www.xxx.xxx.cn (58.68.xxx.250): 2 real server(s)
======================================================================

server 1: IBM_HTTP_Server/6.0.1 Apache/2.0.47 (Unix) mod_jk/1.2.26
----------------------------------------------------------------------

difference: 28800 seconds
successful requests: 156 hits (97.50%)
header fingerprint: c4d1afcc03570ffdaea39a17c7da23282b4c8b89
different headers:
  1. Date: Thu, 23 May 2013 06:10:09 GMT
  2. Powered-By-ChinaCache: HIT from 0600224355
  3. Expires: Thu, 23 May 2013 06:11:09 GMT
  4. Powered-By-ChinaCache: HIT from 26071413iA

server 2: IBM_HTTP_Server/6.0.1 Apache/2.0.47 (Unix) mod_jk/1.2.26
----------------------------------------------------------------------

difference: 30943 seconds
successful requests: 4 hits (2.50%)
header fingerprint: 576c78d99c688843ec355def953046e59556e2c5
different headers:
  1. Date: Thu, 23 May 2013 05:34:26 GMT
  2. Powered-By-ChinaCache: MISS from 0603517354
  3. Powered-By-ChinaCache: HIT from 26071413iA
65.255.44.2      [##########]  clues:  14 | replies: 112 | missed:   0

======================================================================
http://www.xxx.xxx.cn (65.255.xxx.2): 2 real server(s)
======================================================================

server 1: IBM_HTTP_Server/6.0.1 Apache/2.0.47 (Unix) mod_jk/1.2.26
----------------------------------------------------------------------

difference: 28815 seconds
successful requests: 4 hits (3.57%)
header fingerprint: 7f2729977dc32a8b0d81570e226a315103ca17c8
different headers:
  1. Server: IBM_HTTP_Server/6.0.1 Apache/2.0.47 (Unix) mod_jk/1.2.26
  2. Date: Thu, 23 May 2013 06:10:09 GMT
  3. Content-Type: text/html
  4. Expires: Thu, 23 May 2013 06:11:09 GMT
  5. Last-Modified: Mon, 31 Dec 2012 16:52:48 GMT
  6. ETag: "9c240d2-f3-d7ce7800"
  7. Powered-By-ChinaCache: HIT from 0603517354
  8. Powered-By-ChinaCache: HIT from 26030513b1

server 2: IBM_HTTP_Server/6.0.1 Apache/2.0.47 (Unix) mod_jk/1.2.26
----------------------------------------------------------------------

difference: 28816 seconds
successful requests: 108 hits (96.43%)
header fingerprint: b8232b9e68039605b79a69c51e1bd32c464e523f
different headers:
  1. Last-Modified: Mon, 31 Dec 2012 16:52:48 GMT
  2. Content-Type: text/html
  3. Date: Thu, 23 May 2013 06:10:09 GMT
  4. Server: IBM_HTTP_Server/6.0.1 Apache/2.0.47 (Unix) mod_jk/1.2.26
  5. ETag: "9c240d2-f3-d7ce7800"
  6. Powered-By-ChinaCache: HIT from 060531B35y
  7. Expires: Thu, 23 May 2013 06:11:09 GMT
  8. Powered-By-ChinaCache: HIT from 26030513b1



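From the two methods above, we can see that www.google.com uses several different IP addresses to spread its network traffic. www.yyy.yyy.cn has only one public IP, but two web servers are actually providing the service behind it, and www.xxx.xxx.cn has 2 different sets of IPs.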
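
The halberd output above tells servers apart by two signals it prints for each one: the clock "difference" and the header fingerprint with its "different headers". The following added example (not from the original post and not halberd's own code) applies a simplified form of both signals to constructed replies, which also shows which headers and clock offsets on your own nodes would have to be normalized at the balancer. The function names, the volatile-header list and the 2-second tolerance are assumptions.

```python
import hashlib
from collections import defaultdict
from datetime import timezone
from email.utils import formatdate, parsedate_to_datetime

VOLATILE = {"date", "expires", "age", "set-cookie", "content-length"}  # change on every reply

def clue(local_epoch, headers):
    """Return (clock_skew_seconds or None, fingerprint of the stable headers)."""
    skew, digest = None, hashlib.sha1()
    for name, value in headers:
        key = name.lower()
        if key == "date":
            dt = parsedate_to_datetime(value)
            if dt.tzinfo is None:  # no usable zone given: HTTP dates are UTC
                dt = dt.replace(tzinfo=timezone.utc)
            skew = int(dt.timestamp() - local_epoch)
        elif key not in VOLATILE:
            digest.update(f"{key}:{value.strip()}\n".encode())
    return skew, digest.hexdigest()

def cluster(replies, tolerance=2):
    """Group (local_epoch, headers) replies into probable backend nodes."""
    by_fp = defaultdict(list)
    for local_epoch, headers in replies:
        skew, fp = clue(local_epoch, headers)
        by_fp[fp].append(skew)
    nodes = []
    for fp, skews in by_fp.items():
        groups = []
        for s in sorted(x for x in skews if x is not None):
            if groups and s - groups[-1][-1] <= tolerance:
                groups[-1].append(s)   # same clock, within network jitter
            else:
                groups.append([s])     # a different clock: another node
        nodes += [{"fingerprint": fp, "skew": g[0], "hits": len(g)} for g in groups]
        if skews.count(None):          # replies that carried no Date header
            nodes.append({"fingerprint": fp, "skew": None, "hits": skews.count(None)})
    return nodes

def sample_replies(base=1369289400):
    """Constructed sample: one address, one Server banner, three nodes behind it."""
    def reply(t, skew, cache):
        date = formatdate(base + t + skew, usegmt=True)
        return (base + t, [("Date", date), ("X-Cache-Debug", cache),
                           ("Server", "Apache/1.3.29 (Unix) PHP/4.3.6")])
    a, b = "TCP_MISS/NIP-CNVR/-", "TCP_CNC_MISS/CNC-NIP-CNVR/-"
    return [reply(0, 0, a), reply(1, 1, a), reply(2, 300, a),
            reply(3, 0, b), reply(4, 0, b), reply(5, 1, b)]
```

Calling `cluster(sample_replies())` returns three nodes: two that differ only in `X-Cache-Debug`, and one that shares a fingerprint with the first but runs a clock 300 seconds ahead.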





