How To Decode BIG IP F5 Persistence Cookie Values

Hey Guys,

I came across a BIG IP F5 Load balancer when doing a recent web application penetration test. The interesting thing about this load balancer was the cookie value:

Name BIGipServerLive_pool
Value 110536896.20480.0000
Path /
Secure No
Expires At End Of Session

As you can see the cookie value looks rather suspicious, lets see if we can reverse it! I came across the following page with a plethora of information regarding this particular cookie, it is well worth a read:

Overview of BIG-IP persistence cookie encoding

After reading that it was quite clear to me that the cookie value was an encoded IP and Port value. I wrote a quick Python script to help me decode the cookie value as the ones I found on the net were poorly written and didn’t work. Here is the code and an example run:

#!/usr/bin/env python

# example string: 110536896.20480.0000

import struct
import sys

if len(sys.argv) != 2:
        print "Usage: %s encoded_string" % sys.argv[0]
        exit(1)

encoded_string = sys.argv[1]
print "n[*] String to decode: %sn" % encoded_string

(host, port, end) = encoded_string.split('.')

(a, b, c, d) = [ord(i) for i in struct.pack("<I", int(host))]


print "[*] Decoded IP: %s.%s.%s.%s.n" % (a,b,c,d)

Then when you run the program:

root@bt:~/bigip# python bigip.py 110536896.20480.0000

[*] String to decode: 110536896.20480.0000

[*] Decoded IP: 192.168.150.6.

root@bt:~/bigip#

Hopefully this will come in handy for someone out there 🙂

*** Update:  I have amended the code to allow for decoding of the port:

#!/usr/bin/env python

# example string: 110536896.20480.0000

import struct
import sys

if len(sys.argv) != 2:
print "Usage: %s encoded_string" % sys.argv[0]
exit(1)

encoded_string = sys.argv[1]
print "n[*] String to decode: %sn" % encoded_string

(host, port, end) = encoded_string.split('.')

(a, b, c, d) = [ord(i) for i in struct.pack("<I", int(host))]

(e) = [ord(e) for e in struct.pack("<H", int(port))]
port = "0x%02X%02X" % (e[0],e[1])

print "[*] Decoded Host and Port: %s.%s.%s.%s:%sn" % (a,b,c,d, int(port,16))

Example run:


dusty@HackBox:~$ python BigIPF5-Decoder.py 185903296.21520.0000

[*] String to decode: 185903296.21520.0000

[*] Decoded Host and Port: 192.168.20.11:4180

dusty@HackBox:~$

9 thoughts on “How To Decode BIG IP F5 Persistence Cookie Values

  1. You actually produced a number of outstanding stuff throughout your article, “How To Decode BIG
    IP F5 Persistence Cookie Values « Pentura Labs’s Blog”. I am going to be coming back again to ur page before long. Thanks a lot -Wayne

  2. # Encoder and decoder
    import struct
    import sys

    if len(sys.argv) != 2:
    print “Usage: %s IP:port or encoded_string” % sys.argv[0]
    exit(1)

    arg = sys.argv[1]
    # check if argument is IP address or encoded cookie
    if ( arg.count(‘.’) == 2 ):
    print “n[*] String to decode: %sn” % arg
    (host, port, end) = arg.split(‘.’)
    (a, b, c, d) = [ord(i) for i in struct.pack(“<I", int(host))]
    print "[*] Decoded IP: %s.%s.%s.%s.n" % (a,b,c,d)
    if ( arg.count('.') == 3 ):
    print "n[*] String to encode: %sn" % arg
    (host, port) = arg.split(':')
    (a, b, c, d) = map(int,host.split('.'))
    en_host=a + b*256 + c*(256^2) + d*(256^3)
    en_port=int(port)
    en_port=((en_port <> 8)) & 0xFFFF
    print “n Encoded IP %d.%d.0000” %(en_host, en_port)

Comments are closed.