summaryrefslogtreecommitdiffstats
path: root/scripts/http-bigip-cookie.nse
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/http-bigip-cookie.nse')
-rw-r--r--scripts/http-bigip-cookie.nse83
1 files changed, 83 insertions, 0 deletions
diff --git a/scripts/http-bigip-cookie.nse b/scripts/http-bigip-cookie.nse
new file mode 100644
index 0000000..80b77c9
--- /dev/null
+++ b/scripts/http-bigip-cookie.nse
@@ -0,0 +1,83 @@
+description = [[
+Decodes any unencrypted F5 BIG-IP cookies in the HTTP response.
+BIG-IP cookies contain information on backend systems such as
+internal IP addresses and port numbers.
+See here for more info: https://support.f5.com/csp/article/K6917
+]]
+
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local table = require "table"
+
+---
+-- @usage
+-- nmap -p <port> --script http-bigip-cookie <target>
+--
+-- @output
+-- PORT STATE SERVICE
+-- 80/tcp open http
+-- | http-bigip-cookie:
+-- | BIGipServer<pool_name>:
+-- | address:
+-- | host: 10.1.1.100
+-- | type: ipv4
+-- |_ port: 8080
+--
+-- @xmloutput
+-- <table key="BIGipServer<pool_name>">
+-- <table key="address">
+-- <elem key="host">10.1.1.100</elem>
+-- <elem key="type">ipv4</elem>
+-- </table>
+-- <elem key="port">8080</elem>
+-- </table>
+--
+-- @args http-bigip-cookie.path The URL path to request. The default path is "/".
+
+author = "Seth Jackson"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = { "discovery", "safe" }
+
+portrule = shortport.http
+
+action = function(host, port)
+ local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/"
+
+ local response = http.get(host, port, path, { redirect_ok = false })
+
+ if not response then
+ return
+ end
+
+ if not response.cookies then
+ return
+ end
+
+ local output = stdnse.output_table()
+
+ for _, cookie in ipairs(response.cookies) do
+ if cookie.name:find("BIGipServer") then
+ local host, port = cookie.value:match("^(%d+)%.(%d+)%.")
+
+ if host and tonumber(host) < 0x100000000 and tonumber(port) < 0x10000 then
+ host = table.concat({("BBBB"):unpack(("<I4"):pack(host))}, ".", 1, 4)
+ port = (">I2"):unpack(("<I2"):pack(port))
+
+ local result = {
+ address = {
+ host = host,
+ type = "ipv4"
+ },
+ port = port
+ }
+
+ output[cookie.name] = result
+ end
+ end
+ end
+
+ if #output > 0 then
+ return output
+ end
+end
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-08 23:05:44 +0000