NMap Experiment: Using a Banner Grabbing Attack to Bypass a Load Balancer

Disclaimer: This article talks about port scanning and banner grabbing in NMap, which can be used as precursors to an online attack. This information is for educational and entertainment purposes only and is not to be used for illegal hacking purposes. Disclosing vulnerabilities and exploits is protected by free speech laws, but using such information maliciously is not protected. I am not responsible for any illegal hacking activities you decide to engage in using this information, nor am I responsible for any damages caused by the malicious use of this information. Since I did manage to find possible vulnerabilities in some servers, all domain names, IP addresses, and company names for my targets have been redacted to prevent people from using this information to attack the companies in question. Please don’t hack anyone without their express permission. Thank you.

Hacker’s Log, Cyberdate 2021-06-07: We have encountered an obstacle while attempting to scan the Acme system for signs of life. A reverse proxy is standing in our way, preventing us from doing a proper analysis of the target system. We are now faced with the task of getting past the proxy so we can learn more about the system in question.

Yeah, I think I’m gonna do an intro like that for all my hacking-related posts moving forward. In any case, I’m back at it again, attempting to boldly go where I’m not invited. Not trying to steal company secrets or anything, I just do this shit because I can, and because I’m bored. 😛

While trying to do an NMap port scan on a website whose name will not be mentioned because I don’t want to get sued if anything bad happens, I encountered a load balancer blocking my path. I was testing various banner grabbing methods, just to see how well they worked. In an attempt to determine what kind of web server they were using, I scanned the target system with this command:


$ sudo nmap -sS -A -p 443 acme.com

And this is the information I got back from NMap:


Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-06 12:13 UTC
Nmap scan report for acme.com (313.56.237.45)
Host is up (0.031s latency).
Other addresses for acme.com (not scanned): 376.39.123.805 54.299.381.85
rDNS record for 313.56.237.45: console-us-standard.console.acme.com

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https Server
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad Request
|     Server: Server
|     Date: Sun, 06 Jun 2021 17:18:34 GMT
|     Content-Type: text/html
|     Content-Length: 71
|     Connection: close
|     ETag: "60a428a0-47"
|     <!DOCTYPE html><html><head><title>x</title></head><body></body></html>
|   RPCCheck: 
|     HTTP/1.1 500 Internal Server Error
|     Server: Server
|     Date: Sun, 06 Jun 2021 17:18:40 GMT
|     Content-Type: text/html
|     Content-Length: 187
|     Connection: close
|     <html>
|     <head><title>500 Internal Server Error</title></head>
|     <body bgcolor="white">
|     <center><h1>500 Internal Server Error</h1></center>
|     <hr><center>Server</center>
|     </body>
|     </html>
|   RTSPRequest: 
|     <html>
|     <head><title>500 Internal Server Error</title></head>
|     <body bgcolor="white">
|     <center><h1>500 Internal Server Error</h1></center>
|     <hr><center>Server</center>
|     </body>
|     </html>
|   tor-versions: 
|     HTTP/1.1 500 Internal Server Error
|     Server: Server
|     Date: Sun, 06 Jun 2021 17:18:34 GMT
|     Content-Type: text/html
|     Content-Length: 187
|     Connection: close
|     <html>
|     <head><title>500 Internal Server Error</title></head>
|     <body bgcolor="white">
|     <center><h1>500 Internal Server Error</h1></center>
|     <hr><center>Server</center>
|     </body>
|_    </html>
|_http-server-header: Server
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=*.peg.acme.com/organizationName=Acme.com, Inc./stateOrProvinceName=Washington/countryName=US
| Subject Alternative Name: DNS:acme.co.uk, DNS:uedata.acme.co.uk, DNS:www.acme.co.uk, DNS:origin-www.acme.co.uk, DNS:*.peg.acme.com, DNS:acme.com, DNS:acme.com, DNS:uedata.acme.com, DNS:us.acme.com, DNS:www.acme.com, DNS:www.acme.com, DNS:corporate.acme.com, DNS:buybox.acme.com, DNS:iphone.acme.com, DNS:yp.acme.com, DNS:home.acme.com, DNS:origin-www.acme.com, DNS:origin2-www.acme.com, DNS:retail-website.acme.com, DNS:huddles.acme.com, DNS:acme.de, DNS:www.acme.de, DNS:origin-www.acme.de, DNS:acme.co.jp, DNS:acme.jp, DNS:www.acme.jp, DNS:www.acme.co.jp, DNS:origin-www.acme.co.jp, DNS:*.aa.peg.acme.com, DNS:*.ab.peg.acme.com, DNS:*.ac.peg.acme.com, DNS:origin-www.acme.com.au, DNS:www.acme.com.au, DNS:*.bz.peg.acme.com, DNS:acme.com.au, DNS:origin2-www.acme.co.jp
| Not valid before: 2020-11-26T00:00:00
|_Not valid after:  2021-11-24T23:59:59
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
...
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: load balancer
Running (JUST GUESSING): Citrix embedded (91%)
Aggressive OS guesses: Citrix NetScaler load balancer (91%)
No exact OS matches for host (test conditions non-ideal).

TRACEROUTE (using port 443/tcp)
HOP RTT     ADDRESS
1   2.57 ms DSR-250 (192.168.10.1)
2   ... 30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.63 seconds

Yup, looks like they’re fronting the site with a load balancer of some sort. Two caveats before reading too much into that output, though. First, the “Citrix NetScaler (91%)” line is labelled JUST GUESSING, and NMap warns that it couldn’t find a closed port to fingerprint against, so the OS guess is weak evidence on its own. Second, the service fingerprint actually says more than the OS guess does: every probe got back the literal header Server: Server, and the layout of the 500 page together with the “400 The plain HTTP request was sent to HTTPS port” title look exactly like the stock error pages that nginx ships, with the product name in the footer replaced by the word “Server”. Whatever is in front, it has been configured to scrub its banner. That scrubbing is the obstacle: a load balancer spreads traffic across the backends, and as a side effect it hides what those backends are from nosy people like me.

But wait, what’s that? The scan lists a bunch of other domain names under Subject Alternative Name. That line isn’t an HTTP header: it’s NMap’s ssl-cert script printing the subjectAltName extension of the X.509 certificate the load balancer presented during the TLS handshake. A certificate carries every hostname it is valid for, and a device that terminates TLS for many sites with a single certificate (a load balancer, a CDN edge) ends up advertising all of those names to anyone who completes a handshake with it. I did some research and found a page from the load balancer vendor that explains their side of it: the administrator puts a multi-name certificate on the balancer when the servers behind it answer to different domain names (e.g. example1.com and example2.com as opposed to all of them being under example.com).

So the certificate hands me, for free, a list of every other hostname the same front end is responsible for, and some of them (origin-www, origin2-www, corporate, huddles) are clearly not meant for public browsing. Strictly speaking this isn’t “bypassing” the load balancer: the SAN list tells you which names exist, not where the backends live, and each of those names may well resolve straight back to the same balancer or to a CDN, as we’ll see. But it is exactly the kind of leak that the balancer’s banner scrubbing was supposed to prevent, so this banner grabbing attack represents a real reconnaissance risk to the organization, and it also gives me the exciting feeling of hacking a large company’s network, even if I’m not trying to cause any harm.
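Here is an added example (my own code, not NMap’s and not anything from Acme) that does the tedious part of this step: read the ssl-cert lines out of a saved NMap normal-output file, pull the DNS entries out of the Subject Alternative Name line, de-duplicate them (acme.com and www.acme.com each appear twice in the scan above), drop wildcard entries that can’t be resolved, flag names whose first label hints at a backend, and build the follow-up scan line. The NMAP_OUTPUT sample inside it is constructed from the redacted output above, and the BACKEND_HINTS list is my own heuristic, not something NMap knows about.

```python
"""Turn the subjectAltName entries in NMap normal output into a target list.

Added example for this post (not NMap code).  NMAP_OUTPUT is a constructed
sample built from the redacted ssl-cert lines shown in the article.
"""
import re
import shlex

# Constructed sample: the ssl-cert block as NMap's normal (-oN) output prints it.
NMAP_OUTPUT = """\
| ssl-cert: Subject: commonName=*.peg.acme.com/organizationName=Acme.com, Inc./stateOrProvinceName=Washington/countryName=US
| Subject Alternative Name: DNS:acme.co.uk, DNS:www.acme.co.uk, DNS:origin-www.acme.co.uk, DNS:*.peg.acme.com, DNS:acme.com, DNS:acme.com, DNS:www.acme.com, DNS:origin-www.acme.com, DNS:origin2-www.acme.com, DNS:www.acme.com.au, DNS:acme.com.au
| Not valid before: 2020-11-26T00:00:00
|_Not valid after:  2021-11-24T23:59:59
"""

# The ssl-cert script prints the whole extension on one line, prefixed by "| ".
SAN_LINE = re.compile(r"^\|_?\s*Subject Alternative Name:\s*(.*)$", re.MULTILINE)
DNS_ENTRY = re.compile(r"DNS:([^\s,]+)")

# First labels that usually mean "not the public front door".  Assumed heuristic.
BACKEND_HINTS = ("origin", "internal", "staging", "dev", "admin", "corp")


def san_names(nmap_text):
    """Unique DNS subjectAltName entries, lower-cased, in first-seen order.
    Certificates may list the same name twice (the scan above does), so
    de-duplicate instead of trusting the raw list."""
    seen = []
    for line in SAN_LINE.finditer(nmap_text):
        for name in DNS_ENTRY.findall(line.group(1)):
            name = name.lower().rstrip(".")
            if name not in seen:
                seen.append(name)
    return seen


def scan_targets(names):
    """Drop wildcard entries: '*.peg.acme.com' is not a host you can resolve."""
    return [n for n in names if not n.startswith("*.")]


def backend_candidates(names):
    """Names whose first label hints at a backend (origin-www, origin2-www, ...)."""
    return [n for n in names if n.split(".")[0].startswith(BACKEND_HINTS)]


def nmap_command(targets, ports="443"):
    """Follow-up scan line in the same style the post uses.  Names are shell-quoted
    so an odd character in someone else's certificate can't inject shell syntax."""
    return "sudo nmap -sS -A -p %s %s" % (ports, " ".join(shlex.quote(t) for t in targets))


if __name__ == "__main__":
    names = san_names(NMAP_OUTPUT)
    print("backend-looking names:", backend_candidates(names))
    print(nmap_command(scan_targets(names)))
```

Save a real scan with `-oN scan.txt`, feed the file’s contents to `san_names`, and the origin-* entries it flags are the ones worth resolving before the public www names, since those are the hostnames most likely to point somewhere other than the balancer.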

I randomly decided to scan the Australian web server first, just to see what was there. To that end, I ran the following NMap command:


$ sudo nmap -sS -A -p 443 www.acme.com.au

This produced the following output:


Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-06 12:20 UTC
Nmap scan report for www.acme.com.au (504.198.237.93)
Host is up (0.019s latency).
rDNS record for 504.198.237.93: a10-10-19-9.deploy.static.acmetechnologies.com

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http AkamaiGHost (Akamai's HTTP Acceleration/Mirror service)
| http-methods: 
|_  Potentially risky methods: PUT DELETE TRACE
|_http-server-header: Server
| ssl-cert: Subject: commonName=www.acme.com.au/organizationName=Acme.com, Inc./stateOrProvinceName=Washington/countryName=US
| Subject Alternative Name: DNS:www.acme.com.au, DNS:p-yo-www-acme-com-au.acme.com.au, DNS:p-y3-www-acme-com-au.acme.com.au, DNS:p-nt-www-acme-com-au.acme.com.au, DNS:acme.com.au
| Not valid before: 2020-11-05T00:00:00
|_Not valid after:  2021-10-29T23:59:59
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|   http/1.1
|_  http/1.0
| tls-nextprotoneg: 
|   http/1.1
|_  http/1.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 2.6.X|4.X|5.X|3.X (89%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:3.10
Aggressive OS guesses: Linux 2.6.32 (89%), Linux 4.15 - 5.6 (88%), Linux 4.4 (88%), Linux 5.0 - 5.4 (87%), Linux 5.0 - 5.3 (87%), Linux 2.6.32 or 3.10 (86%), Linux 5.4 (85%), Linux 2.6.32 - 2.6.35 (85%), Linux 5.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 8 hops

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   2.80 ms  DSR-250 (192.168.10.1)
2   ... 7
8   19.09 ms a10-10-19-9.deploy.static.acmetechnologies.com (504.198.95.88)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.54 seconds

So the server software NMap matched is AkamaiGHost. Akamai is primarily a CDN (it sells security products too, but the relevant part here is the caching network), and the rDNS name on that address follows Akamai’s own naming for its edge servers. In other words, the IP I scanned is an Akamai edge node, not a machine Acme runs: www.acme.com.au is served through Akamai’s cache in front of Acme’s origin, so this scan hit Akamai’s front door, one more layer away from the actual server rather than one layer closer.

Also, it looks like I struck gold here in terms of vulnerabilities, because the server advertises the PUT, DELETE, and TRACE methods. Careful, though: NMap’s http-methods script reports whatever the server lists in the Allow header of its OPTIONS response, and advertising a method is not the same as honouring it. A CDN edge will happily list PUT and DELETE and then forward them to the origin, which answers 403 or 405, so “someone could Telnet in and start deleting random files” does not follow from this line alone. Confirming it would mean actually sending a PUT or DELETE, which is past reconnaissance and needs the owner’s permission. TRACE is the one that is a finding in its own right if it really works, since it echoes the request back and was historically used for cross-site tracing (XST) to read cookies that scripts can’t see. (Hence why I changed the name of the company to cover my own ass and avoid future lawsuits.)
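To make the “advertised is not permitted” point concrete, here is an added example (my own code, not from the post, NMap, or Acme) that stands up a throwaway HTTP server on 127.0.0.1 which lists PUT, DELETE and TRACE in its OPTIONS reply exactly the way the scan above reports, but refuses them when asked, and then probes each method once the way a verification step would. The host, port, handler behaviour and probe path are all assumed for the demo; against someone else’s server this is active testing, not scanning, and requires permission.

```python
"""Advertised HTTP methods versus methods that actually work.

Added example for this post, not NMap's http-methods script.  It runs a
throwaway server on 127.0.0.1 (assumed for the demo) that lists PUT,
DELETE and TRACE in its OPTIONS reply but refuses them, then probes each
method once so the difference is visible.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# What the demo server claims in its Allow header (constructed to mirror the scan).
ADVERTISED = "GET, HEAD, OPTIONS, PUT, DELETE, TRACE"


class Handler(BaseHTTPRequestHandler):
    """Advertises the risky methods, honours none of them."""

    def log_message(self, *args):
        pass  # keep the demo quiet

    def _empty(self, status):
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", ADVERTISED)  # this is all http-methods sees
        self.end_headers()

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_HEAD(self):
        self._empty(200)

    def do_PUT(self):
        self._empty(403)  # advertised, but refused

    def do_DELETE(self):
        self._empty(405)  # advertised, but refused

    # No do_TRACE: BaseHTTPRequestHandler answers 501 for methods it lacks.


def start_server():
    """Bind an ephemeral port on loopback and serve in the background."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _request(host, port, method, path="/"):
    """One request; returns (status, Allow header or '')."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Allow", "")
    finally:
        conn.close()


def advertised_methods(host, port):
    """What an OPTIONS request claims, i.e. what NMap's http-methods reports."""
    _, allow = _request(host, port, "OPTIONS")
    return [m.strip() for m in allow.split(",") if m.strip()]


def probe_methods(host, port, methods, path="/__method_probe__"):
    """Send each advertised method once against a path that does not exist,
    so a server that really honours PUT/DELETE cannot touch a real resource."""
    return {m: _request(host, port, m, path)[0] for m in methods}


def usable(results):
    """Methods the server accepted (2xx/3xx), not merely listed."""
    return [m for m, status in results.items() if status < 400]


if __name__ == "__main__":
    srv = start_server()
    host, port = srv.server_address
    adv = advertised_methods(host, port)
    res = probe_methods(host, port, adv)
    print("advertised:", adv)
    print("status per method:", res)
    print("actually usable:", usable(res))
    srv.shutdown()
    srv.server_close()
```

The OPTIONS reply is the only thing NMap looked at, and it says six methods; the per-method statuses say three. The probe path is deliberately one that doesn’t exist, so even a server that did honour DELETE would have nothing to delete, and that is the least intrusive way to turn an “advertised” line into a confirmed finding.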

Wanting to learn more, I did a full port scan of the target system:


$ sudo nmap -sS -A -T2 www.acme.com.au

You might notice that I used the -T2 (“polite”) switch to NMap here. It inserts a 0.4 second delay between probes and turns off parallel probing, which is why this scan of the default 1000 ports took about 17 minutes; -T1 (“sneaky”) waits 15 seconds per probe, which is why my first attempt with it turned out to be way too slow. The point is to stay under the threshold of rate-based port scan detectors such as PSAD, which fire when one source touches a large number of ports in a short window; spacing the probes further apart lowers the probability of tripping one and having the Acme company block my IP address. It doesn’t make the scan invisible, since every probe is still logged, and a large CDN sees this sort of thing all day.

The result of this scan looks like this:


Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-06 18:19 UTC
Nmap scan report for www.acme.com.au (504.198.237.93)
Host is up (0.036s latency).
rDNS record for 504.198.237.93: server-13-22-20-10.phl50.r.cloud.net
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Acme Cloud httpd
|_http-server-header: Cloud
|_http-title: Did not follow redirect to https://www.acme.com.au/
443/tcp open  ssl/http Acme Cloud httpd
| http-cookie-flags: 
|   /: 
|     session-id: 
|       httponly flag not set
|     session-id-time: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: PUT DELETE TRACE
| http-robots.txt: 82 disallowed entries (15 shown)
| /dp/product-availability/ /dp/rate-this-item/ 
| /exec/acmedos/account-access-login /exec/acmedos/change-style 
| /exec/acmedos/dt/assoc/handle-buy-box /exec/acmedos/flex-sign-in 
| /exec/acmedos/handle-buy-box /exec/acmedos/refer-a-friend-login 
| /exec/acmedos/subst/associates/join /exec/acmedos/subst/marketplace/sell-your-collection.html 
| /exec/acmedos/subst/marketplace/sell-your-stuff.html /exec/acmedos/subst/partners/friends/access.html 
|_/exec/acmedos/tg/cm/member/ /gp/cart /gp/content-form
| http-server-header: 
|   Cloud
|_  Server
|_http-title: Acme.com.au: Buy Acme products
| ssl-cert: Subject: commonName=www.acme.com.au
| Subject Alternative Name: DNS:acme.com.au, DNS:www.acme.com.au, DNS:origin-www.acme.com.au, DNS:www.acme.com, DNS:acme.com, DNS:p-nt-www-acme-com-au.acme.com.au, DNS:p-yo-www-acme-com-au.acme.com.au, DNS:p-y3-www-acme-com-au.acme.com.au
| Not valid before: 2021-03-23T00:00:00
|_Not valid after:  2022-02-24T23:59:59
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 21 hops

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   0.75 ms  DSR-250 (192.168.10.1)
2   ... 20
21  23.47 ms server-13-22-20-10.phl50.r.cloud.net (13.294.55.79)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1018.95 seconds

Two things changed between this scan and the earlier one. The rDNS name NMap reports for the address is now server-13-22-20-10.phl50.r.cloud.net instead of an Akamai edge, and the service match is now “Acme Cloud httpd” on both 80 and 443. So it isn’t that AkamaiGHost was a wrong guess by NMap: the simplest explanation is that www.acme.com.au is served through more than one CDN, DNS hands out different edge nodes at different times, and my two scans landed on different ones. The service name NMap prints is derived from the Server header, which on this edge is “Cloud”; on 443 the http-server-header script saw both “Cloud” and “Server”, which looks like some responses coming from the edge itself and others being passed through from the same “Server: Server” backend seen on acme.com. Port 80 isn’t giving away more than 443 here, it just redirects to HTTPS. Worth noting in passing: the http-cookie-flags lines show the session-id cookies set on / without the HttpOnly flag, which NMap calls out because a script injection bug on the site could then read them.

Out of curiosity, I decided to see what ports were open on the load balancer. I ran the following NMap scan:


$ sudo nmap -sS -T2 acme.com

Which produced the following output:


Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-07 11:47 UTC
Nmap scan report for acme.com (313.56.237.45)
Host is up (0.036s latency).
Other addresses for acme.com (not scanned): 376.39.123.805 54.299.381.85
Not shown: 995 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open     https
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 414.82 seconds

Ports 80 and 443 are open as expected. The three filtered ports (135, 139, 445) are not evidence of Microsoft services on the load balancer, though: “filtered” means NMap got no answer at all, neither a SYN/ACK nor a RST, and the names msrpc, netbios-ssn and microsoft-ds are just the IANA service names for those port numbers, not anything NMap detected. Those three are the classic Windows file-sharing ports that many ISPs and hosting providers drop on the wire, so the filtering is at least as likely to be on my side of the path as on Acme’s (nmap --reason shows “no-response” for such ports). My attempts to Telnet to them simply timed out, which is the same thing seen from a different tool. Either way, there’s nothing further to get here without actually breaking the law, so my reconnaissance on the Acme company will have to stop here.

In the future I would like to do more NMap scans on other load balancers to see if I can replicate this banner grabbing attack for other vendors. For now, this is the extent of my research, so I’m going to say farewell, and happy hacking.
