Overview
lbd (Load Balancer Detector) is a bash script that probes web servers to identify load balancing technologies, reverse proxies, Web Application Firewalls (WAFs), and clustering solutions. During authorized reconnaissance, lbd helps security professionals understand infrastructure complexity, identify potential single points of failure, and discover backend server configurations. It performs multiple detection techniques including HTTP header analysis, DNS queries, and response variation testing.
Installation
Linux
# Clone from GitHub
git clone https://github.com/ka7ch/lbd.git
cd lbd
# Make executable
chmod +x lbd.sh
# Install to system
sudo cp lbd.sh /usr/local/bin/lbd
macOS
# Using Homebrew
brew install lbd
# Or manual installation
git clone https://github.com/ka7ch/lbd.git
cd lbd
chmod +x lbd.sh
sudo cp lbd.sh /usr/local/bin/lbd
Kali Linux
# Pre-installed in many Kali releases
which lbd
# Or install via apt
apt-get update
apt-get install lbd
# Verify installation
lbd -h
Windows (WSL/Git Bash)
# Use Windows Subsystem for Linux
wsl bash lbd.sh target.com
# Or download and run directly
curl -O https://raw.githubusercontent.com/ka7ch/lbd/master/lbd.sh
bash lbd.sh target.com
Basic Usage
Simple Detection
| Command | Description |
|---|
lbd target.com | Detect load balancer on target.com |
lbd example.org -v | Verbose output with detailed analysis |
lbd 192.168.1.1 | Test IP address directly |
lbd target.com -d | Enable DNS resolution details |
Common Scenarios
# Test corporate website
lbd company.com
# Test web application
lbd api.application.com
# Test internal IP (on authorized network)
lbd 10.0.0.5
# Analyze multiple servers
lbd target1.com && lbd target2.com && lbd target3.com
Detection Methods
# lbd examines multiple HTTP response headers
lbd target.com -v
# Key headers analyzed:
# - Server
# - X-Forwarded-For
# - X-Forwarded-Proto
# - X-Real-IP
# - Via
# - Connection
# - Load-Balancer
# - X-Balancer
DNS Resolution Testing
# Check DNS round-robin load balancing
nslookup target.com
# Multiple IPs returned = potential DNS load balancing
# Use lbd with DNS analysis
lbd target.com -d
# Detailed DNS query
dig target.com +short
# Multiple DNS queries to observe rotation
for i in {1..5}; do
dig target.com +short | head -1
sleep 2
done
Response Variation Detection
# Test for different responses from backend servers
lbd target.com
# Indicators of load balancing:
# - Different response headers
# - Varying server identification
# - Different response times
# - Variable content chunks
Detailed Analysis
HTTP Response Analysis
# Capture full HTTP response
curl -i -v http://target.com/
# Check for proxy headers
curl -i http://target.com/ | grep -i "x-forwarded\|x-real-ip\|via"
# Multiple requests to detect variation
for i in {1..3}; do
echo "Request $i:"
curl -s -I http://target.com/ | grep -E "Server:|X-"
sleep 1
done
Load Balancer Signatures
| Load Balancer | Signature | Detection Method |
|---|
| F5 BIG-IP | BigIP, BIG-IP-Cookie | Header analysis |
| Citrix NetScaler | NetScaler, NSPT | Response header |
| A10 Thunder ADC | adc | Via header |
| Barracuda | Barracuda | Server header |
| Nginx | Nginx | Server header |
| HAProxy | HAProxy | Via header |
| AWS ELB | ELB-HealthChecker | User-Agent |
| AWS ALB | None (transparent) | DNS roundrobin |
Identifying WAF Signatures
# lbd also detects WAF implementations
lbd target.com
# Common WAF signatures:
# - ModSecurity
# - Cloudflare
# - Akamai
# - Imperva
# - F5 ASM
# - AWS WAF
Advanced Techniques
# Run lbd with DNS enumeration
lbd target.com -d
# Follow up with nmap on discovered IPs
nmap -sV -p 80,443 $(dig target.com +short)
# Test with curl for detailed response
curl -v http://target.com/ 2>&1 | grep -i "lb\|load\|balance"
Testing Multiple Endpoints
# Create list of targets
cat > targets.txt << EOF
target1.com
target2.com
target3.com
api.application.com
cdn.company.com
EOF
# Run lbd against all
while read target; do
echo "=== Testing $target ==="
lbd $target
echo ""
done < targets.txt
Scripted Analysis
#!/bin/bash
# Automated load balancer detection script
TARGET=$1
OUTPUT_FILE="${TARGET}_lbd_results.txt"
echo "Load Balancer Detection: $TARGET" > $OUTPUT_FILE
echo "Date: $(date)" >> $OUTPUT_FILE
echo "======================================" >> $OUTPUT_FILE
echo "" >> $OUTPUT_FILE
echo "=== lbd Output ===" >> $OUTPUT_FILE
lbd $TARGET -v >> $OUTPUT_FILE 2>&1
echo "" >> $OUTPUT_FILE
echo "=== DNS Resolution ===" >> $OUTPUT_FILE
dig $TARGET +short >> $OUTPUT_FILE
echo "" >> $OUTPUT_FILE
echo "=== HTTP Headers ===" >> $OUTPUT_FILE
curl -I http://$TARGET/ 2>/dev/null >> $OUTPUT_FILE
echo "Results saved to $OUTPUT_FILE"
Understanding Results
Positive Load Balancer Detection
# Example successful detection
$ lbd example.com -v
Checking HTTP headers...
[*] Server: nginx
[*] Via: Example-LB/1.0
Load Balancer Detected: YES
Type: Nginx with reverse proxy configuration
Confidence: HIGH
Backend Analysis:
- Multiple backend servers likely
- Session persistence: Cookie-based (SERVERID)
- Protocol: HTTP/1.1 with keep-alive
No Load Balancer Detected
# Example single server response
$ lbd example.com -v
Checking HTTP headers...
[*] Server: Apache/2.4.41
[*] No proxy headers detected
Load Balancer Detected: NO
Type: Direct connection to single server
Confidence: HIGH
Uncertain Detection
# Example ambiguous results
$ lbd example.com -v
Checking HTTP headers...
[*] Server: (empty or generic)
[*] Response varies between requests
Load Balancer Detected: POSSIBLE
Type: Transparent load balancer or CDN
Confidence: MEDIUM
Recommendation: Test with different request methods
Detecting Specific Technologies
AWS Load Balancer Detection
# AWS ELB indicators
lbd aws-target.com
# Check for AWS specific headers
curl -i aws-target.com | grep -i "elb\|aws\|amazon"
# Test health check endpoint
curl http://target.com/__health
Cloudflare Detection
# Cloudflare indicators
lbd cloudflare-protected.com
# Cloudflare headers
curl -I cloudflare-protected.com | grep -i "cf-\|cloudflare"
# CF-Ray header confirms Cloudflare
curl -v cloudflare-protected.com 2>&1 | grep "CF-Ray"
Google Cloud Load Balancer
# GCLB indicators
lbd google-cloud-target.com
# Check goog-* headers
curl -I google-cloud-target.com | grep -i "goog\|alt-svc"
Exploitation and Security Testing
Backend Server Enumeration
# After detecting load balancer, enumerate backends
# Use host headers to access backend servers directly
curl -H "Host: internal.backend1.local" http://192.168.1.100/
# Test for header manipulation
curl -H "X-Forwarded-For: 127.0.0.1" http://target.com/admin
curl -H "X-Real-IP: 127.0.0.1" http://target.com/admin
Identifying Single Points of Failure
# If load balancer has limited backend servers
lbd target.com
# Test backend availability
# Simulate backend failure or overload conditions
# This helps identify if all traffic funnels through single point
# Use slow attacks to identify backend counting
# If only 2 backends exist, behavior changes after exceeding threshold
Session Persistence Testing
# Identify session cookie handling
# Some load balancers use specific cookie names
curl -c cookies.txt http://target.com/login
curl -b cookies.txt http://target.com/authenticated
# Test for sticky sessions
# Ensure you maintain same backend connection
# Check for server identification in response
grep -i "serverid\|instance\|backend" response.html
Troubleshooting
Script Errors
# "Command not found" error
# Ensure lbd is in PATH or run with full path
./lbd.sh target.com
/usr/local/bin/lbd target.com
# Permission denied
chmod +x lbd.sh
# Bash compatibility issues
bash lbd.sh target.com
Network Issues
# "Connection timeout"
# Verify target is reachable
ping target.com
curl -v http://target.com/
# Check DNS resolution
nslookup target.com
dig target.com
# Test from different network/proxy
# Some networks block certain traffic patterns
Inconclusive Results
# Run multiple times to detect variance
for i in {1..5}; do
echo "Run $i:"
lbd target.com
sleep 5
done
# Use verbose mode for detailed output
lbd target.com -v
# Combine with additional tools
curl -I target.com
nmap -p 80,443 target.com
With Nmap
# Get IPs from DNS
IPS=$(dig target.com +short)
# Scan with Nmap
nmap -sV -p 80,443 $IPS
# Then run lbd for load balancer check
lbd target.com
# Use MSFconsole with lbd results
msfconsole
# Load auxiliary scanner
use auxiliary/scanner/http/dir_scanner
set RHOSTS target.com
run
# Run lbd separately to understand infrastructure
lbd target.com
With Burp Suite
# Configure Burp to use proxy
# Run lbd to identify load balancer
lbd target.com
# If load balancer is transparent, test for
# header-based session fixation attacks
# Cookie value manipulation
# X-Forwarded-For spoofing
Testing Large Target Lists
# Parallel execution for multiple targets
cat targets.txt | xargs -P 5 -I {} bash -c 'lbd {} > {}_results.txt'
# Sequential with timing
for target in $(cat targets.txt); do
echo "Testing $target..."
lbd $target >> results.log
sleep 1
done
Reducing Detection Impact
# lbd makes minimal requests, but consider:
# - Use during authorized testing windows
# - Notify network teams of testing
# - Monitor for WAF triggers
# Add delays between tests
lbd target.com
sleep 5
lbd target2.com
Legal and Ethical Considerations
Authorization Requirements
- Written authorization from system owner
- Defined scope of reconnaissance
- Authorized testing window
- Notification of network operations team
- Compliance with company policies
Responsible Disclosure
# Document findings professionally
# Example report template:
LOAD BALANCER DETECTION REPORT
Target: target.com
Date: 2026-05-02
Scope: Authorized penetration test
Findings:
- Load Balancer Detected: F5 BIG-IP
- Backend Servers: Approximately 3-5
- Session Handling: Cookie-based (SERVERID)
- Recommendation: Review access control rules
References
- lbd GitHub Repository
- Load Balancer Detection Guide
- Web Server Reconnaissance
- Infrastructure Enumeration Techniques
- OWASP Testing Guide
- Nmap Network Scanning
