[f5_bigip_cookie_disclosure] Store cookies in the database #12217
The cookie name, pool name and route domain are now stored in the database as notes since they can contain useful recon information. See #12187.
The metacharacter '\w' already contains numbers and underscores.
@space-r7 The documentation has been added 👍
I'm happy with the docs, I'll leave it to someone @ r7 to see if they have access to an F5 to test the updates against.
docs look good to me
Hello, any news on this PR? If you struggle getting your hands on an F5 BigIP, you can use Shodan or similar to find some online. The module will only collect and parse web cookies. Nothing harmful / illegal.
Hey @h00die, this still in the works? Let us know if you want us to take over instead!
Yea I don't have that device or legal authority to use/scan one. You guys may have more luck
Thanks, @h00die!
@SkypLabs we can't test this, unfortunately, so unless someone in the community has (legal) access to a device to test the module, we won't be able to merge it. We added our
Since we can't merge this without testing it and we don't have access to (and legal authorization) for testing this vulnerability, I'm going to mark this as attic and close it out. If at a later point in time we can get a PCap, or access and authorization for testing we'd be happy to revisit it at that time. Thanks a lot for the contribution!
Hi @ccondon-r7, @smcintyre-r7, This is unfortunate but I understand the situation. I will try to get some evidence of the good functioning of my patch using a virtual appliance. I will come back to you once done. Until then, stay safe!
@SkypLabs Must have missed your comment on the virtual appliance. I have one in my lab, but no idea how to configure it to be vulnerable. If you can provide some instructions on this, I can get it tested and landed!
@h00die Great! Let me check the documentation and I will come back to you with instructions. Many thanks for your help!
It seems that all you need is described on this page in the section "Creating a custom cookie persistence profile".
@SkypLabs I found my VM, it's a completely default stock image. I set the cookie persistence profile exactly as the instructions said. Then I scanned the F5 web interface, but got "F5 BIG-IP load balancing cookie not found". I'm pretty sure I'm not supposed to scan the F5 web interface directly, however I don't know enough about the devices to know what I need to set up networking wise to make the cookie happen. Any insight for me?
@SkypLabs any help?
Hey @h00die, sorry for the delay. Indeed, you won't get the persistent cookies by scanning the admin interface. You need to create a target pool of web servers to process the HTTP incoming requests with your custom cookie persistence profile attached to it. Then, you need to create a virtual server which has the previously created pool as target. You will get the cookies by scanning the IP of the virtual server. You will find step-by-step instructions in the same online documentation as the one you followed to create the cookie persistence profile. Once again, many thanks for your precious help!
going through some backlog, I was able to verify this... yes, 1.5yrs later. I'll do some updates to the docs and such to get it back up to date for 2022
f5 big-ip module and doc updates
Hi @h00die. Many thanks for your help! I just merged your PR. Let me know if you need me for anything.
https://www.shodan.io/search?query=%22Set-Cookie%3A+BIGipServer%22
working with the updates!
Merged in 7b11429
Release Notes
This PR adds the f5 load balancer cookie to notes, and cleans up the module (rubocop/documentation/refs)
Great news. Thanks again @h00die.
Hi,
This PR follows the feature request #12187.
Additionally, the references have been updated and style issues have been fixed based on the output of rubocop.
Verification
- msfconsole and make sure to use a database
- use auxiliary/gather/f5_bigip_cookie_disclosure
- set RHOSTS <vulnerable IP>
- [+] F5 BigIP load balancing cookie...
- notes and verify that the cookie name is stored in the notes
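
Added example, not the module's code or part of this PR: a small Ruby parser showing what the cookie name, pool name and route domain mentioned in the description look like when read from the `Set-Cookie` header of a virtual server you operate. The value layouts are assumed from F5's published description of unencrypted persistence cookies; the function names, regexes and sample headers are constructed for illustration.

```ruby
# Added example: parse an F5 BIG-IP persistence cookie from a Set-Cookie header.
# Layouts assumed from F5's documentation of unencrypted persistence cookies:
#   BIGipServer<pool>=<ip_decimal>.<port_decimal>.0000        (IPv4)
#   BIGipServer<pool>=rd<id>o<20 zeros>ffff<ip_hex>o<port>    (IPv4, route domain)

# \w already covers digits and underscore, so only '-', '.' and '~' are added.
NAME_RE  = /\b(BIGipServer([-\w.~]*))=([^;\s]+)/
IPV4_RE  = /\A(\d{1,10})\.(\d{1,5})\.0000\z/
RD_V4_RE = /\Ard(\d+)o0{20}f{4}(\h{8})o(\d{1,5})\z/

# Swap the two bytes of a 16-bit value (the port is stored byte-reversed).
def swap16(num)
  ((num & 0xff) << 8) | ((num >> 8) & 0xff)
end

def decode_ipv4(ip_dec, port_dec)
  return nil if ip_dec > 0xffffffff || port_dec > 0xffff

  octets = [ip_dec].pack('V').unpack('C4') # little-endian: lowest byte is the first octet
  "#{octets.join('.')}:#{swap16(port_dec)}"
end

# Returns nil when no BIG-IP cookie is present; :backend stays nil when the
# value is encrypted or uses a layout this example does not handle (IPv6).
def parse_bigip_cookie(header)
  m = NAME_RE.match(header)
  return nil unless m

  out = { cookie_name: m[1], pool: m[2], route_domain: nil, backend: nil }
  if (v = IPV4_RE.match(m[3]))
    out[:backend] = decode_ipv4(v[1].to_i, v[2].to_i)
  elsif (v = RD_V4_RE.match(m[3]))
    out[:route_domain] = v[1].to_i
    out[:backend] = "#{[v[2]].pack('H8').unpack('C4').join('.')}:#{v[3]}"
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample headers (private and documentation address ranges).
  [
    'Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/',
    "Set-Cookie: BIGipServerapp=rd5o#{'0' * 20}ffffc0000201o80; path=/",
    'Set-Cookie: BIGipServerweb_pool=!Zm9vYmFy; path=/'
  ].each { |h| p parse_bigip_cookie(h) }
end
```

A non-nil `:backend` means the cookie value was readable without a key, which is what cookie encryption in the persistence profile is meant to prevent.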