Sunday, December 18, 2011

Decoding BigIP Cookie

A BigIP cookie contains internal network IP and port information in an encoded format. When decoded, these cookies can help create an internal network map with potential web server IPs and their ports.

F5 has described the encoding algorithm here. It works like this:
  1. If the IP address is a.b.c.d, it is encoded as d*256^3 + c*256^2 + b*256 + a.
  2. To encode the port, take the two bytes that store the port and reverse them. Thus, port 80 becomes 80 * 256 + 0 = 20480. Port 1433 (instead of 5 * 256 + 153) becomes 153 * 256 + 5 = 39173.
  3. These values are combined into the cookie as <Encoded IP Address>.<Encoded Port Address>.<Component we are not concerned about>
These decoding mechanisms are packed into the following Ruby script:
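#!/usr/bin/ruby
# Decodes the IP address and port from a BigIP cookie value.
#Cookie: BIGipcookie => 404007104.20480.0000
#Cookie: BIGipcookie => 404007104.39173.0000
if (ARGV.length == 0)
  $stderr.puts "No input provided. Run as \n\tbigip.rb BigIP Cookie Value"
  exit 1
end
# Cookie value layout: <encoded IP>.<encoded port>.<unused component>
ips = ARGV[0].split(".")
encoded_val = ips[0].to_i
port_val = ips[1].to_i
ip = []
port = []
# Peel off the four IP bytes, lowest byte first: this yields a, b, c, d.
4.times do
  ip << encoded_val%256
  encoded_val /= 256
end
# Peel off the two port bytes, lowest byte first.
2.times do
  port << port_val%256
  port_val /= 256
end
puts "IP Address : #{ip.join(".")}"
# The bytes were stored reversed, so the first one taken is the high byte.
puts "Port       : #{port[0]*256 + port[1]}"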

A Sample bigip.rb run
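
As an added example (not part of the original post), the script below applies the same three steps in both directions with pack/unpack and checks response headers for cookie values in this format, reporting those that decode to a private address. The header lines are constructed, and the function names and the four-digit third component are assumptions based on the sample values above.

```ruby
require "ipaddr"

# Constructed sample response headers (not captured from a real system).
SAMPLE_HEADERS = [
  "Set-Cookie: BIGipcookie=404007104.20480.0000; path=/",
  "Set-Cookie: BIGipcookie=404007104.39173.0000; path=/",
  "Set-Cookie: JSESSIONID=1A2B3C4D; path=/; HttpOnly",
  "Set-Cookie: theme=1.2.3; path=/"
].freeze

PRIVATE_NETS = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16].map { |c| IPAddr.new(c) }

# Steps 1-3: the IP and port bytes, in network order, are read back as
# little-endian integers. The trailing "0000" is an assumed filler value.
def encode_bigip(ip, port)
  ip_part   = ip.split(".").map(&:to_i).pack("C4").unpack1("V")
  port_part = [port].pack("n").unpack1("v")
  "#{ip_part}.#{port_part}.0000"
end

# Returns {ip:, port:} or nil when the value is not in the expected format.
def decode_bigip(value)
  m = /\A(\d{1,10})\.(\d{1,5})\.(\d{4})\z/.match(value) or return nil
  ip_num, port_num = m[1].to_i, m[2].to_i
  return nil if ip_num > 0xFFFFFFFF || port_num > 0xFFFF
  { ip:   [ip_num].pack("V").unpack("C4").join("."),
    port: [port_num].pack("v").unpack1("n") }
end

# Audit check: list every Set-Cookie whose value decodes to an address and
# port, and mark whether that address is in a private (RFC 1918) range.
def audit_headers(lines)
  lines.filter_map do |line|
    next unless line =~ /\ASet-Cookie:\s*([^=;\s]+)=([^;\s]+)/i
    name, value = $1, $2
    decoded = decode_bigip(value) or next
    internal = PRIVATE_NETS.any? { |net| net.include?(IPAddr.new(decoded[:ip])) }
    decoded.merge(cookie: name, internal: internal)
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_headers(SAMPLE_HEADERS).each do |f|
    flag = f[:internal] ? "internal address exposed" : "public address"
    puts "#{f[:cookie]}: #{f[:ip]}:#{f[:port]} (#{flag})"
  end
end
```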
