How To Decode BIG IP F5 Persistence Cookie Values

admin

03.29.2011


I came across a BIG-IP F5 load balancer during a recent web application penetration test. The interesting thing about this load balancer was its cookie value:

Name: BIGipServerLive_pool
Value: 110536896.20480.0000
Path: /
Secure: No
Expires: At End Of Session

As you can see, the cookie value looks rather suspicious, so let's see if we can reverse it! I came across the following page, which has a plethora of information about this particular cookie and is well worth a read:

Overview of BIG-IP persistence cookie encoding

After reading that, it was quite clear to me that the cookie value was an encoded IP and port value. I wrote a quick Python script to decode the cookie value, as the ones I found on the net were poorly written and didn't work. Here is the code and an example run:

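#!/usr/bin/env python

# example string: 110536896.20480.0000

import struct
import sys

if len(sys.argv) != 2:
        print("Usage: %s encoded_string" % sys.argv[0])
        sys.exit(1)

encoded_string = sys.argv[1]
print("\n[*] String to decode: %s\n" % encoded_string)

# Cookie value format: <host>.<port>.0000
(host, port, end) = encoded_string.split('.')

# The host field is the IPv4 address stored as a little-endian 32-bit integer,
# so packing it little-endian yields the octets in dotted-quad order.
(a, b, c, d) = struct.unpack("4B", struct.pack("<I", int(host)))

print("[*] Decoded IP: %s.%s.%s.%s.\n" % (a, b, c, d))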

Then when you run the program:

root@bt:~/bigip# python bigip.py 110536896.20480.0000

[*] String to decode: 110536896.20480.0000

[*] Decoded IP: 192.168.150.6.

root@bt:~/bigip#

Hopefully this will come in handy for someone out there 🙂

*** Update:  I have amended the code to allow for decoding of the port:

#!/usr/bin/env python

# example string: 110536896.20480.0000

import struct
import sys

if len(sys.argv) != 2:
        print("Usage: %s encoded_string" % sys.argv[0])
        sys.exit(1)

encoded_string = sys.argv[1]
print("\n[*] String to decode: %s\n" % encoded_string)

# Cookie value format: <host>.<port>.0000
(host, port, end) = encoded_string.split('.')

# Host: IPv4 address stored as a little-endian 32-bit integer.
(a, b, c, d) = struct.unpack("4B", struct.pack("<I", int(host)))

# Port: the two bytes of the 16-bit port are swapped, so pack the field
# little-endian and read it back big-endian.
port = struct.unpack(">H", struct.pack("<H", int(port)))[0]

print("[*] Decoded Host and Port: %s.%s.%s.%s:%s\n" % (a, b, c, d, port))

Example run:

dusty@HackBox:~$ python BigIPF5-Decoder.py 185903296.21520.0000

[*] String to decode: 185903296.21520.0000

[*] Decoded Host and Port: 192.168.20.11:4180

dusty@HackBox:~$
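
An added example (not part of the original post): the same decoding wrapped in a check that can be run over captured response headers from your own site to see which backend addresses the load balancer discloses through cookies in the encoding shown above, with an encoder to confirm the round trip. It assumes Python 3 and the IPv4 host.port.0000 form only; the function names and sample header lines are constructed for illustration, and treating the text after "BIGipServer" as the pool name is an assumption based on the cookie name in the post.

```python
import ipaddress
import re
import struct

# IPv4 form shown on this page: BIGipServer<name>=<host>.<port>.0000
COOKIE_RE = re.compile(r"(BIGipServer[^=;\s]*)=(\d{1,10})\.(\d{1,5})\.0000")

# Constructed sample input, built from the two cookie values in the post.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerLive_pool=110536896.20480.0000; path=/",
    "Set-Cookie: JSESSIONID=0000abcd; path=/; HttpOnly",
    "Set-Cookie: BIGipServerLive_pool=185903296.21520.0000; path=/",
]

def decode_value(host_field, port_field):
    """Decode the two numeric fields; raise ValueError if out of range."""
    host, port = int(host_field), int(port_field)
    if host > 0xFFFFFFFF or port > 0xFFFF:
        raise ValueError("field does not fit a 32-bit host / 16-bit port")
    # Little-endian bytes of the host field are the octets in dotted order.
    ip = ipaddress.IPv4Address(struct.pack("<I", host))
    # The port field has its two bytes swapped.
    return ip, struct.unpack(">H", struct.pack("<H", port))[0]

def encode_value(ip, port):
    """Inverse of decode_value, used to confirm the round trip."""
    host = struct.unpack("<I", ipaddress.IPv4Address(ip).packed)[0]
    swapped = struct.unpack("<H", struct.pack(">H", port))[0]
    return "%d.%d.0000" % (host, swapped)

def audit_headers(header_lines):
    """Return one finding per decodable BIGipServer cookie in the lines."""
    findings = []
    for line in header_lines:
        for name, host, port in COOKIE_RE.findall(line):
            try:
                ip, port_num = decode_value(host, port)
            except ValueError:
                continue  # digits matched, but not a valid host/port pair
            findings.append({
                "cookie": name,
                "pool": name[len("BIGipServer"):],  # assumed naming
                "ip": str(ip), "port": port_num,
                "internal": ip.is_private,  # private address space leaked
            })
    return findings

if __name__ == "__main__":
    print(audit_headers(SAMPLE_HEADERS))
```

A finding with "internal" set to True means the cookie reveals a private address and port of a pool member to every client that receives it.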