lbd (Load Balancer Detector) is a bash script that probes web servers to identify load balancing technologies, reverse proxies, Web Application Firewalls (WAFs), and clustering solutions. During authorized reconnaissance, lbd helps security professionals understand infrastructure complexity, identify potential single points of failure, and discover backend server configurations. It performs multiple detection techniques including HTTP header analysis, DNS queries, and response variation testing.
# Clone from GitHub
git clone https://github.com/ka7ch/lbd.git
cd lbd
# Make executable
chmod +x lbd.sh
# Install to system
sudo cp lbd.sh /usr/local/bin/lbd
# Using Homebrew
brew install lbd
# Or manual installation
git clone https://github.com/ka7ch/lbd.git
cd lbd
chmod +x lbd.sh
sudo cp lbd.sh /usr/local/bin/lbd
# Pre-installed in many Kali releases
which lbd
# Or install via apt
apt-get update
apt-get install lbd
# Verify installation
lbd -h
# Use Windows Subsystem for Linux
wsl bash lbd.sh target.com
# Or download and run directly
curl -O https://raw.githubusercontent.com/ka7ch/lbd/master/lbd.sh
bash lbd.sh target.com
| Command | Description |
|---|
lbd target.com | Detect load balancer on target.com |
lbd example.org -v | Verbose output with detailed analysis |
lbd 192.168.1.1 | Test IP address directly |
lbd target.com -d | Enable DNS resolution details |
# Test corporate website
lbd company.com
# Test web application
lbd api.application.com
# Test internal IP (on authorized network)
lbd 10.0.0.5
# Analyze multiple servers
lbd target1.com && lbd target2.com && lbd target3.com
# lbd examines multiple HTTP response headers
lbd target.com -v
# Key headers analyzed:
# - Server
# - X-Forwarded-For
# - X-Forwarded-Proto
# - X-Real-IP
# - Via
# - Connection
# - Load-Balancer
# - X-Balancer
# Check DNS round-robin load balancing
nslookup target.com
# Multiple IPs returned = potential DNS load balancing
# Use lbd with DNS analysis
lbd target.com -d
# Detailed DNS query
dig target.com +short
# Multiple DNS queries to observe rotation
for i in {1..5}; do
dig target.com +short | head -1
sleep 2
done
# Test for different responses from backend servers
lbd target.com
# Indicators of load balancing:
# - Different response headers
# - Varying server identification
# - Different response times
# - Variable content chunks
# Capture full HTTP response
curl -i -v http://target.com/
# Check for proxy headers
curl -i http://target.com/ | grep -i "x-forwarded\|x-real-ip\|via"
# Multiple requests to detect variation
for i in {1..3}; do
echo "Request $i:"
curl -s -I http://target.com/ | grep -E "Server:|X-"
sleep 1
done
| Load Balancer | Signature | Detection Method |
|---|
| F5 BIG-IP | BigIP, BIG-IP-Cookie | Header analysis |
| Citrix NetScaler | NetScaler, NSPT | Response header |
| A10 Thunder ADC | adc | Via header |
| Barracuda | Barracuda | Server header |
| Nginx | Nginx | Server header |
| HAProxy | HAProxy | Via header |
| AWS ELB | ELB-HealthChecker | User-Agent |
| AWS ALB | None (transparent) | DNS roundrobin |
# lbd also detects WAF implementations
lbd target.com
# Common WAF signatures:
# - ModSecurity
# - Cloudflare
# - Akamai
# - Imperva
# - F5 ASM
# - AWS WAF
# Run lbd with DNS enumeration
lbd target.com -d
# Follow up with nmap on discovered IPs
nmap -sV -p 80,443 $(dig target.com +short)
# Test with curl for detailed response
curl -v http://target.com/ 2>&1 | grep -i "lb\|load\|balance"
# Create list of targets
cat > targets.txt << EOF
target1.com
target2.com
target3.com
api.application.com
cdn.company.com
EOF
# Run lbd against all
while read target; do
echo "=== Testing $target ==="
lbd $target
echo ""
done < targets.txt
#!/bin/bash
# Automated load balancer detection script
TARGET=$1
OUTPUT_FILE="${TARGET}_lbd_results.txt"
echo "Load Balancer Detection: $TARGET" > $OUTPUT_FILE
echo "Date: $(date)" >> $OUTPUT_FILE
echo "======================================" >> $OUTPUT_FILE
echo "" >> $OUTPUT_FILE
echo "=== lbd Output ===" >> $OUTPUT_FILE
lbd $TARGET -v >> $OUTPUT_FILE 2>&1
echo "" >> $OUTPUT_FILE
echo "=== DNS Resolution ===" >> $OUTPUT_FILE
dig $TARGET +short >> $OUTPUT_FILE
echo "" >> $OUTPUT_FILE
echo "=== HTTP Headers ===" >> $OUTPUT_FILE
curl -I http://$TARGET/ 2>/dev/null >> $OUTPUT_FILE
echo "Results saved to $OUTPUT_FILE"
# Example successful detection
$ lbd example.com -v
Checking HTTP headers...
[*] Server: nginx
[*] Via: Example-LB/1.0
Load Balancer Detected: YES
Type: Nginx with reverse proxy configuration
Confidence: HIGH
Backend Analysis:
- Multiple backend servers likely
- Session persistence: Cookie-based (SERVERID)
- Protocol: HTTP/1.1 with keep-alive
# Example single server response
$ lbd example.com -v
Checking HTTP headers...
[*] Server: Apache/2.4.41
[*] No proxy headers detected
Load Balancer Detected: NO
Type: Direct connection to single server
Confidence: HIGH
# Example ambiguous results
$ lbd example.com -v
Checking HTTP headers...
[*] Server: (empty or generic)
[*] Response varies between requests
Load Balancer Detected: POSSIBLE
Type: Transparent load balancer or CDN
Confidence: MEDIUM
Recommendation: Test with different request methods
# AWS ELB indicators
lbd aws-target.com
# Check for AWS specific headers
curl -i aws-target.com | grep -i "elb\|aws\|amazon"
# Test health check endpoint
curl http://target.com/__health
# Cloudflare indicators
lbd cloudflare-protected.com
# Cloudflare headers
curl -I cloudflare-protected.com | grep -i "cf-\|cloudflare"
# CF-Ray header confirms Cloudflare
curl -v cloudflare-protected.com 2>&1 | grep "CF-Ray"
# GCLB indicators
lbd google-cloud-target.com
# Check goog-* headers
curl -I google-cloud-target.com | grep -i "goog\|alt-svc"
# After detecting load balancer, enumerate backends
# Use host headers to access backend servers directly
curl -H "Host: internal.backend1.local" http://192.168.1.100/
# Test for header manipulation
curl -H "X-Forwarded-For: 127.0.0.1" http://target.com/admin
curl -H "X-Real-IP: 127.0.0.1" http://target.com/admin
# If load balancer has limited backend servers
lbd target.com
# Test backend availability
# Simulate backend failure or overload conditions
# This helps identify if all traffic funnels through single point
# Use slow attacks to identify backend counting
# If only 2 backends exist, behavior changes after exceeding threshold
# Identify session cookie handling
# Some load balancers use specific cookie names
curl -c cookies.txt http://target.com/login
curl -b cookies.txt http://target.com/authenticated
# Test for sticky sessions
# Ensure you maintain same backend connection
# Check for server identification in response
grep -i "serverid\|instance\|backend" response.html
# "Command not found" error
# Ensure lbd is in PATH or run with full path
./lbd.sh target.com
/usr/local/bin/lbd target.com
# Permission denied
chmod +x lbd.sh
# Bash compatibility issues
bash lbd.sh target.com
# "Connection timeout"
# Verify target is reachable
ping target.com
curl -v http://target.com/
# Check DNS resolution
nslookup target.com
dig target.com
# Test from different network/proxy
# Some networks block certain traffic patterns
# Run multiple times to detect variance
for i in {1..5}; do
echo "Run $i:"
lbd target.com
sleep 5
done
# Use verbose mode for detailed output
lbd target.com -v
# Combine with additional tools
curl -I target.com
nmap -p 80,443 target.com
# Get IPs from DNS
IPS=$(dig target.com +short)
# Scan with Nmap
nmap -sV -p 80,443 $IPS
# Then run lbd for load balancer check
lbd target.com
# Use MSFconsole with lbd results
msfconsole
# Load auxiliary scanner
use auxiliary/scanner/http/dir_scanner
set RHOSTS target.com
run
# Run lbd separately to understand infrastructure
lbd target.com
# Configure Burp to use proxy
# Run lbd to identify load balancer
lbd target.com
# If load balancer is transparent, test for
# header-based session fixation attacks
# Cookie value manipulation
# X-Forwarded-For spoofing
# Parallel execution for multiple targets
cat targets.txt | xargs -P 5 -I {} bash -c 'lbd {} > {}_results.txt'
# Sequential with timing
for target in $(cat targets.txt); do
echo "Testing $target..."
lbd $target >> results.log
sleep 1
done
# lbd makes minimal requests, but consider:
# - Use during authorized testing windows
# - Notify network teams of testing
# - Monitor for WAF triggers
# Add delays between tests
lbd target.com
sleep 5
lbd target2.com
- Written authorization from system owner
- Defined scope of reconnaissance
- Authorized testing window
- Notification of network operations team
- Compliance with company policies
# Document findings professionally
# Example report template:
LOAD BALANCER DETECTION REPORT
Target: target.com
Date: 2026-05-02
Scope: Authorized penetration test
Findings:
- Load Balancer Detected: F5 BIG-IP
- Backend Servers: Approximately 3-5
- Session Handling: Cookie-based (SERVERID)
- Recommendation: Review access control rules
- lbd GitHub Repository
- Load Balancer Detection Guide
- Web Server Reconnaissance
- Infrastructure Enumeration Techniques
- OWASP Testing Guide
- Nmap Network Scanning
