How To Decode BIG IP F5 Persistence Cookie Values
Hey Guys,
I came across a BIG IP F5 Load balancer when doing a recent web application penetration test. The interesting thing about this load balancer was the cookie value:
Name BIGipServerLive_pool
Value 110536896.20480.0000
Path /
Secure No
Expires At End Of Session
As you can see the cookie value looks rather suspicious, lets see if we can reverse it! I came across the following page with a plethora of information regarding this particular cookie, it is well worth a read:
Overview of BIG-IP persistence cookie encoding
After reading that it was quite clear to me that the cookie value was an encoded IP and Port value. I wrote a quick Python script to help me decode the cookie value as the ones I found on the net were poorly written and didn’t work. Here is the code and an example run:
#!/usr/bin/env python
# example string: 110536896.20480.0000
import struct
import sys
if len(sys.argv) != 2:
print "Usage: %s encoded_string" % sys.argv[0]
exit(1)
encoded_string = sys.argv[1]
print "\n[*] String to decode: %s\n" % encoded_string
(host, port, end) = encoded_string.split('.')
(a, b, c, d) = [ord(i) for i in struct.pack("<I", int(host))]
print "[*] Decoded IP: %s.%s.%s.%s.\n" % (a,b,c,d)
Then when you run the program:
root@bt:~/bigip# python bigip.py 110536896.20480.0000 [*] String to decode: 110536896.20480.0000 [*] Decoded IP: 192.168.150.6. root@bt:~/bigip#
Hopefully this will come in handy for someone out there 
Thank you, just what I needed to footprint my clients back-end.
What a frankly joy of a read.