How To Decode BIG IP F5 Persistence Cookie Values
Hey Guys,
I came across a BIG IP F5 Load balancer when doing a recent web application penetration test. The interesting thing about this load balancer was the cookie value:
Name BIGipServerLive_pool
Value 110536896.20480.0000
Path /
Secure No
Expires At End Of Session
As you can see the cookie value looks rather suspicious, lets see if we can reverse it! I came across the following page with a plethora of information regarding this particular cookie, it is well worth a read:
Overview of BIG-IP persistence cookie encoding
After reading that it was quite clear to me that the cookie value was an encoded IP and Port value. I wrote a quick Python script to help me decode the cookie value as the ones I found on the net were poorly written and didn’t work. Here is the code and an example run:
#!/usr/bin/env python # example string: 110536896.20480.0000 import struct import sys if len(sys.argv) != 2: print "Usage: %s encoded_string" % sys.argv[0] exit(1) encoded_string = sys.argv[1] print "\n[*] String to decode: %s\n" % encoded_string (host, port, end) = encoded_string.split('.') (a, b, c, d) = [ord(i) for i in struct.pack("<I", int(host))] print "[*] Decoded IP: %s.%s.%s.%s.\n" % (a,b,c,d)
Then when you run the program:
root@bt:~/bigip# python bigip.py 110536896.20480.0000 [*] String to decode: 110536896.20480.0000 [*] Decoded IP: 192.168.150.6. root@bt:~/bigip#
Hopefully this will come in handy for someone out there 🙂
*** Update: I have amended the code to allow for decoding of the port:
#!/usr/bin/env python # example string: 110536896.20480.0000 import struct import sys if len(sys.argv) != 2: print "Usage: %s encoded_string" % sys.argv[0] exit(1) encoded_string = sys.argv[1] print "\n[*] String to decode: %s\n" % encoded_string (host, port, end) = encoded_string.split('.') (a, b, c, d) = [ord(i) for i in struct.pack("<I", int(host))] (e) = [ord(e) for e in struct.pack("<H", int(port))] port = "0x%02X%02X" % (e[0],e[1]) print "[*] Decoded Host and Port: %s.%s.%s.%s:%s\n" % (a,b,c,d, int(port,16))
Example run:
dusty@HackBox:~$ python BigIPF5-Decoder.py 185903296.21520.0000 [*] String to decode: 185903296.21520.0000 [*] Decoded Host and Port: 192.168.20.11:4180 dusty@HackBox:~$
Thank you, just what I needed to footprint my clients back-end.
What a frankly joy of a read.
Thank you for the comments.
– Dusty
You’re the man! Thanks 🙂
You actually produced a number of outstanding stuff throughout your article, “How To Decode BIG
IP F5 Persistence Cookie Values Pentura Labs’s Blog”. I am going to be coming back again to ur page before long. Thanks a lot -Wayne
# Encoder and decoder
import struct
import sys
if len(sys.argv) != 2:
print “Usage: %s IP:port or encoded_string” % sys.argv[0]
exit(1)
arg = sys.argv[1]
# check if argument is IP address or encoded cookie
if ( arg.count(‘.’) == 2 ):
print “\n[*] String to decode: %s\n” % arg
(host, port, end) = arg.split(‘.’)
(a, b, c, d) = [ord(i) for i in struct.pack(“<I", int(host))]
print "[*] Decoded IP: %s.%s.%s.%s.\n" % (a,b,c,d)
if ( arg.count('.') == 3 ):
print "\n[*] String to encode: %s\n" % arg
(host, port) = arg.split(':')
(a, b, c, d) = map(int,host.split('.'))
en_host=a + b*256 + c*(256^2) + d*(256^3)
en_port=int(port)
en_port=((en_port <> 8)) & 0xFFFF
print “\n Encoded IP %d.%d.0000” %(en_host, en_port)
Sorry host encoding line should list ‘**’ instead of ‘^’
en_host=a + b*256 + c*(256**2) + d*(256**3)
Thanks for this post.. very helpful
How can we secure cookie value so that it can’t be Decoded
I have just amended the code as WordPress had garbled it!