
How To Decode BIG IP F5 Persistence Cookie Values

Posted on 2017-6-16 09:55:46
Hey Guys,
I came across a BIG IP F5 Load balancer when doing a recent web application penetration test. The interesting thing about this load balancer was the cookie value:
    Name     BIGipServerLive_pool
    Value    110536896.20480.0000
    Path     /
    Secure   No
    Expires  At End Of Session

As you can see the cookie value looks rather suspicious, let's see if we can reverse it! I came across the following page with a plethora of information regarding this particular cookie, it is well worth a read:
After reading that it was quite clear to me that the cookie value was an encoded IP and Port value. I wrote a quick Python script to help me decode the cookie value as the ones I found on the net were poorly written and didn’t work. Here is the code and an example run:
    #!/usr/bin/env python3
    # example string: 110536896.20480.0000

    import struct
    import sys

    if len(sys.argv) != 2:
        print("Usage: %s encoded_string" % sys.argv[0])
        sys.exit(1)

    encoded_string = sys.argv[1]
    print("\n[*] String to decode: %s\n" % encoded_string)

    # Cookie layout: <encoded host>.<encoded port>.0000
    (host, port, end) = encoded_string.split('.')

    # The host field is the IPv4 address stored as a little-endian 32-bit
    # integer, so packing it little-endian yields the octets in dotted order.
    (a, b, c, d) = struct.pack("<I", int(host))

    print("[*] Decoded IP: %s.%s.%s.%s.\n" % (a, b, c, d))

Then when you run the program:
    root@bt:~/bigip# python bigip.py 110536896.20480.0000

    [*] String to decode: 110536896.20480.0000

    [*] Decoded IP: 192.168.150.6.

    root@bt:~/bigip#

Hopefully this will come in handy for someone out there
*** Update:  I have amended the code to allow for decoding of the port:
    #!/usr/bin/env python3
    # example string: 110536896.20480.0000

    import struct
    import sys

    if len(sys.argv) != 2:
        print("Usage: %s encoded_string" % sys.argv[0])
        sys.exit(1)

    encoded_string = sys.argv[1]
    print("\n[*] String to decode: %s\n" % encoded_string)

    # Cookie layout: <encoded host>.<encoded port>.0000
    (host, port, end) = encoded_string.split('.')

    # Host: little-endian 32-bit integer -> four octets in dotted order.
    (a, b, c, d) = struct.pack("<I", int(host))

    # Port: 16-bit value with its two bytes swapped; pack it little-endian
    # and read the two bytes back as a big-endian hex number.
    e = struct.pack("<H", int(port))
    port = "0x%02X%02X" % (e[0], e[1])

    print("[*] Decoded Host and Port: %s.%s.%s.%s:%s\n" % (a, b, c, d, int(port, 16)))

Example run:
    dusty@HackBox:~$ python BigIPF5-Decoder.py 185903296.21520.0000

    [*] String to decode: 185903296.21520.0000

    [*] Decoded Host and Port: 192.168.20.11:4180

    dusty@HackBox:~

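An added example, not part of the original post: the same decoding applied as a defender's check, scanning response headers for BIG-IP persistence cookies in the plain `<host>.<port>.0000` format shown above and reporting which pool member each one discloses. The header lines are constructed (the two cookie values are the ones from the post), `audit_headers` and `decode_member` are names chosen here, and cookie values in any other format are skipped.

```python
import ipaddress
import re
import struct

# Plain IPv4 persistence cookie as shown in the post:
#   BIGipServer<pool>=<ip as decimal>.<port as decimal>.0000
COOKIE_RE = re.compile(r"(BIGipServer[^=;\s]*)=(\d{1,10})\.(\d{1,5})\.0000(?![\d.])")

def decode_member(host_field, port_field):
    """Undo the byte swap: both fields are little-endian integers."""
    host, port = int(host_field), int(port_field)
    if host > 0xFFFFFFFF or port > 0xFFFF:
        raise ValueError("field out of range for an IPv4 address / TCP port")
    ip = ipaddress.IPv4Address(struct.pack("<I", host))
    (real_port,) = struct.unpack(">H", struct.pack("<H", port))
    return ip, real_port

def audit_headers(header_lines):
    """Return one finding per decodable BIG-IP cookie in Set-Cookie headers."""
    findings = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        for m in COOKIE_RE.finditer(value):
            try:
                ip, port = decode_member(m.group(2), m.group(3))
            except ValueError:
                continue  # digits in the right shape, but not a valid encoding
            findings.append({"cookie": m.group(1), "member": f"{ip}:{port}",
                             "internal": ip.is_private})  # private address range
    return findings

# Constructed sample response headers; the two decodable values are from the post.
SAMPLE = [
    "Content-Type: text/html",
    "Set-Cookie: BIGipServerLive_pool=110536896.20480.0000; path=/",
    "Set-Cookie: BIGipServerLive_pool=185903296.21520.0000; path=/",
    "Set-Cookie: BIGipServerLive_pool=!kZ9x+opaque/value==; path=/",  # not the plain format
    "Set-Cookie: JSESSIONID=1234.5678.0000; path=/",  # different cookie name
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```

A finding with `internal` set to true means the cookie hands every client the private address and port of a backend pool member.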
