Security Bloggers Network 
SBN

Decoding BigIP Cookie

by Gursev Singh Kalra on December 18, 2011
BigIP cookie contains internal network IP and port information in encoded format. When decoded, these cookies can help create an internal network map with potential web server IPs and their ports.

F5 has described the encoding algorithm here. It works like this:

  1. If the IP address is a.b.c.d, it is encoded as d*256^3 + c*256^2 + b*256 +a
  2. To encode the port is to take the two bytes that store the port and reverse them. Thus, port 80 becomes 80 * 256 + 0 = 20480. Port 1433 (instead of 5 * 256 + 153) becomes 153 * 256 + 5 = 39173.
  3. These values are combined into cookie as <Encoded IP Address>.<Encoded Port Address>.<Componenet we are not concerned about>
These decoding mechanisms are packed into the following ruby script:
#!/usr/bin/ruby
#Cookie: BIGipcookie => 404007104.20480.0000
#Cookie: BIGipcookie => 404007104.39173.0000

if (ARGV.length == 0)
  $stderr.puts "No input provided. Run as \n\tbigip.rb BigIP Cookie Value"
  exit
end

ips = ARGV[0].split(".") 
encoded_val = ips[0].to_i
port_val = ips[1].to_i
ip = []
port = []

4.times do
  ip << encoded_val%256
  encoded_val /= 256
end

2.times do 
  port << port_val%256
  port_val /= 256
end

puts "IP Address : #{ip.join(".")}"
puts "Port       : #{port[0]*256 + port[1]}"

A Sample bigip.rb run

*** This is a Security Bloggers Network syndicated blog from Random Security authored by Gursev Singh Kalra. Read the original post at: http://gursevkalra.blogspot.com/2011/12/decoding-bigip-cookie.html

Gursev Singh Kalra , , ,