nmap | Seth Jackson | NMAP:HTTP-BIGIP-COOKIE.NSE
History: Aug 17, 2017 - 4:29 p.m.

http-bigip-cookie NSE Script

2017-08-17 16:29:10
Seth Jackson
nmap.org

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High
Percentile: 99.8%

Decodes any unencrypted F5 BIG-IP cookies in the HTTP response. BIG-IP cookies contain information on backend systems such as internal IP addresses and port numbers. See here for more info: <https://support.f5.com/csp/article/K6917>

Script Arguments

http-bigip-cookie.path

The URL path to request. The default path is “/”.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p <port> --script http-bigip-cookie <target>

Script Output

PORT    STATE SERVICE
80/tcp  open  http
| http-bigip-cookie:
|   BIGipServer<pool_name>:
|     address:
|       host: 10.1.1.100
|       type: ipv4
|_    port: 8080

Requires


description = [[
Decodes any unencrypted F5 BIG-IP cookies in the HTTP response.
BIG-IP cookies contain information on backend systems such as
internal IP addresses and port numbers.
See here for more info: https://support.f5.com/csp/article/K6917
]]

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"

---
-- @usage
-- nmap -p <port> --script http-bigip-cookie <target>
--
-- @output
-- PORT    STATE SERVICE
-- 80/tcp  open  http
-- | http-bigip-cookie:
-- |   BIGipServer<pool_name>:
-- |     address:
-- |       host: 10.1.1.100
-- |       type: ipv4
-- |_    port: 8080
--
-- @xmloutput
-- <table key="BIGipServer<pool_name>">
--   <table key="address">
--     <elem key="host">10.1.1.100</elem>
--     <elem key="type">ipv4</elem>
--   </table>
--   <elem key="port">8080</elem>
-- </table>
--
-- @args http-bigip-cookie.path The URL path to request. The default path is "/".

author = "Seth Jackson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "discovery", "safe" }

portrule = shortport.http

action = function(host, port)
  local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/"

  local response = http.get(host, port, path, { redirect_ok = false })

  if not response then
    return
  end

  if not response.cookies then
    return
  end

  local output = stdnse.output_table()

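  for _, cookie in ipairs(response.cookies) do
    if cookie.name:find("BIGipServer") then
      -- Unencrypted IPv4 value: <encoded address>.<encoded port>.<rest>
      local host, port = cookie.value:match("^(%d+)%.(%d+)%.")

      -- Skip values that do not fit a 32-bit address and a 16-bit port.
      if host and tonumber(host) < 0x100000000 and tonumber(port) < 0x10000 then
        -- Packed little-endian, the address integer yields the four octets in order.
        host = table.concat({("BBBB"):unpack(("<I4"):pack(host))}, ".", 1, 4)
        -- The port is stored with its two bytes swapped.
        port = (">I2"):unpack(("<I2"):pack(port))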

        local result = {
          address = {
            host = host,
            type = "ipv4"
          },
          port = port
        }

        output[cookie.name] = result
      end
    end
  end

  if #output > 0 then
    return output
  end
end
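
The same decoding from the defender's side, as an added example in Python (not part of the Nmap script or the original page): it audits a list of response headers and reports which BIGipServer cookies disclose a backend address and whether that address is private. The function names, the result keys and the sample headers are assumptions made for this example; the second sample cookie is a constructed opaque value standing in for one that does not decode.

```python
import ipaddress
import re
import struct

# Unencrypted IPv4 value: <address as decimal>.<port as decimal>.<rest>
_VALUE_RE = re.compile(r"^(\d+)\.(\d+)\.")
_COOKIE_RE = re.compile(r"^Set-Cookie:\s*(BIGipServer[^=;\s]*)=([^;\s]*)", re.I)

def decode_bigip_value(value):
    """Return (IPv4Address, port) for an unencrypted IPv4 cookie value, else None."""
    m = _VALUE_RE.match(value)
    if not m:
        return None
    host, port = int(m.group(1)), int(m.group(2))
    if host >= 0x100000000 or port >= 0x10000:  # same bounds as the NSE script
        return None
    # Stored little-endian, the address integer yields the octets in order.
    ip = ipaddress.IPv4Address(struct.pack("<I", host))
    # The port has its two bytes swapped: write little-endian, read big-endian.
    (port,) = struct.unpack(">H", struct.pack("<H", port))
    return ip, port

def audit_headers(header_lines):
    """Report each BIGipServer cookie and what, if anything, it discloses."""
    findings = []
    for line in header_lines:
        m = _COOKIE_RE.match(line.strip())
        if not m:
            continue
        decoded = decode_bigip_value(m.group(2))
        entry = {"cookie": m.group(1), "leak": decoded is not None}
        if decoded:
            ip, port = decoded
            entry.update(host=str(ip), port=port, internal=ip.is_private)
        findings.append(entry)
    return findings

# Constructed sample response headers (not captured from a real system).
SAMPLE = [
    "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServerpool_api=!kZ3hT0mLrQ9vB2xY=; path=/; Httponly",
    "Set-Cookie: JSESSIONID=ABCDEF0123456789; path=/",
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```

A finding with "leak": True means the cookie is sent in the clear and exposes the pool member's address and port to every client.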
