@space-r7 The documentation has been added 👍

I'm happy with the docs, i'll leave it to someone @ r7 to see if they have access to a F5 to test the updates against.

Hello,

Any news on this PR?

If you struggle getting your hands on an F5 BigIP, you can use Shodan or similar to find some online. The module will only collect and parse web cookies. Nothing harmful / illegal.

Hey @h00die, this still in the works? Let us know if you want us to take over instead!

Yea I don't have that device or legal authority to use/scan one. You guys may have more luck

Thanks, @h00die!

@SkypLabs we can't test this, unfortunately, so unless someone in the community has (legal) access to a device to test the module, we won't be able to merge it. We added our needs testing label in hopes of enlisting community help.

Since we can't merge this without testing it and we don't have access to (and legal authorization) for testing this vulnerability, I'm got to mark this as attic and close it out. If at a later point in time we can get a PCap, or access and authorization for testing we'd be happy to revisit it at that time.

Thanks alot for the contribution!

Hi @ccondon-r7, @smcintyre-r7,

This is unfortunate but I understand the situation. I will try to get some evidence of the good functioning of my patch using a virtual appliance.

I will come back to you once done. Until then, stay safe!

@SkypLabs Must have missed your comment on the virtual appliance. I have one in my lab, but no idea how to configure it to be vulnerable. If you can provide some instructions on this, I can get it tested and landed!

@h00die Great! Let me check the documentation and I will come back to you with instructions. Many thanks for your help!

It seems that all you need is described on this page in the section "Creating a custom cookie persistence profile".

@SkypLabs I found my VM, its a completely default stock image. I set the cookie persistence profile exactly as the instructions said. Then I scanned the F5 web interface, but got "F5 BIG-IP load balancing cookie not found". I'm pretty sure I'm not supposed to scan the F5 web interface directly, however I don't know enough about the devices to know what i need to set up networking wise to make the cookie happen.

Any insight for me?

@SkypLabs any help?

Hey @h00die, sorry for the delay.

Indeed, you won't get the persistent cookies by scanning the admin interface. You need to create a target pool of web servers to process the HTTP incoming requests with your custom cookie persistence profile attached to it. Then, you need to create a virtual server which has the previous created pool as target. You will get the cookies by scanning the IP of the virtual server.

You will find step-by-step instructions in the same online documentation as the one you followed to create the cookie persistence profile.

Once again, many thanks for your precious help!

going through some backlog, i was able to verify this... yes, 1.5yrs later. I'll do some updates to the docs and such to get it back up to date for 2022

https://github.com/SkypLabs/metasploit-framework/pull/2

Hi @h00die.

Many thanks for your help! I just merged your PR.

Let me know if you need me for anything.

https://www.shodan.io/search?query=%22Set-Cookie%3A+BIGipServer%22

msf6 auxiliary(gather/f5_bigip_cookie_disclosure) > run
[*] Running module against 111.111.111.111

[*] Starting request /
[+] F5 BIG-IP load balancing cookie "BIGipServer~thing~thing2~thing3 = rd1o00000000000000000000ffffac292158o73" found
[+] Load balancing pool name "~thing~thing2~thing3" found
[+] Route domain "1" found
[+] Backend 172.11.11.11:80 found
[*] Auxiliary module execution completed
msf6 auxiliary(gather/f5_bigip_cookie_disclosure) > notes

Notes
=====

 Time                     Host             Service  Port  Protocol  Type                           Data
 ----                     ----             -------  ----  --------  ----                           ----
 2022-01-08 17:20:21 UTC  111.111.111.111                           f5_load_balancer_cookie_name   "BIGipServer~thing~thing2~thing3"
 2022-01-08 17:20:21 UTC  111.111.111.111                           f5_load_balancer_pool_name     "~thing~thing2~thing3"
 2022-01-08 17:20:21 UTC  111.111.111.111                           f5_load_balancer_route_domain  "1"
 2022-01-08 17:20:21 UTC  111.111.111.111                           f5_load_balancer_backends      [{:host=>"172.11.11.11", :port=>80}]

working with the updates!

Merged in 7b11429

Release Notes

This PR adds the f5 load balancer cookie to notes, and cleans up the module (rubocop/documentation/refs)

Great news. Thanks again @h00die.