Getting a server's real internal IP address through F5

During penetration testing, the target server is often behind load balancing provided by F5 LTM.

If you can obtain the target server's real IP address, it brings some convenience to the subsequent penetration.

This article shares a small piece of experience from a penetration test I encountered recently.

F5's cookie-insertion mechanism

When F5 LTM does load balancing, there are various mechanisms for achieving session persistence.
One that is used a lot is implemented by inserting a cookie.

Specifically, when F5 receives a request from a client for the first time, it uses a Set-Cookie header to plant a specific cookie on the client.

For example:
Set-Cookie: BIGipServerpool_8.29_8030=487098378.24095.0000

When a subsequent request from that client arrives, F5 looks at the fields inside this cookie to determine which back-end server should continue serving it.

As an established vendor, F5 is certainly not naive enough to write the server's IP address into the cookie directly.
Instead, F5 applies a two-step encoding to the server's real IP address and then inserts the result into the cookie.

So, as long as you decode it following the same rules, unlocking the value 487098378.24095.0000 gives you the server's real IP address.

Decoding approach

First, take the decimal number in the first segment, i.e. 487098378.
Second, convert it to a hexadecimal number: 1d08880a.
Third, split it into four groups of two hex digits and read them from back to front, i.e. 0a; 88; 08; 1d.
Fourth, convert each group into a decimal number: 10; 136; 8; 29.
Finally, you get the real internal-network IP: 10.136.8.29.
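The decoding steps above, as an added Python example that is not from the original post. Reading the hex bytes from back to front is the same as unpacking the first field as a little-endian 32-bit integer, so that is what the code does. Going slightly beyond the post, it applies the same byte swap to the second field to recover the pool member's port (24095 becomes 8030, which matches the 8030 in the pool name of the post's example). The regular expression, the sample headers and the find_leaks helper are my own, written so an operator can run it over their own site's response headers and see whether a BIG-IP in front of it exposes internal addresses.

```python
import ipaddress
import re
import struct
from typing import Optional

# Plain-text BIGipServer cookie value: "<ip>.<port>.0000", all fields decimal.
COOKIE_RE = re.compile(r"(BIGipServer[^=;\s]+)=(\d+)\.(\d+)\.(\d+)")


def decode_ipv4(encoded: int) -> str:
    """Reverse the scheme the post describes: the first field is the IPv4
    address packed as a little-endian 32-bit integer, so reading its bytes
    from the end gives the dotted quad (0x1d08880a -> 0a 88 08 1d -> 10.136.8.29)."""
    if not 0 <= encoded <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {encoded}")
    return ".".join(str(b) for b in struct.pack("<I", encoded))


def decode_port(encoded: int) -> int:
    """Assumption (not stated in the post): the second field is the pool
    member's port with its two bytes swapped the same way (24095 -> 8030)."""
    if not 0 <= encoded <= 0xFFFF:
        raise ValueError(f"not a 16-bit value: {encoded}")
    return ((encoded & 0xFF) << 8) | (encoded >> 8)


def decode_bigip_cookie(header: str) -> Optional[dict]:
    """Return the decoded pool member from one Set-Cookie header line, or None
    when the line carries no plain-text BIGipServer cookie."""
    m = COOKIE_RE.search(header)
    if not m:
        return None
    name, ip_field, port_field, _ = m.groups()
    ip = decode_ipv4(int(ip_field))
    return {
        "cookie": name,
        "ip": ip,
        "port": decode_port(int(port_field)),
        # A private (RFC 1918) address is what the post is about; this flag is
        # what a defender reviewing their own responses would alert on.
        "internal": ipaddress.ip_address(ip).is_private,
    }


def find_leaks(headers):
    """Scan captured response header lines and return those that expose a
    pool member address in a plain-text BIGipServer cookie."""
    findings = []
    for line in headers:
        decoded = decode_bigip_cookie(line)
        if decoded is not None:
            findings.append(decoded)
    return findings


# Constructed sample headers: the post's cookie, an unrelated cookie, and a
# BIGipServer cookie whose value is opaque (as an encrypted value would be),
# which must be left alone because it does not follow the "ip.port.0000" form.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerpool_8.29_8030=487098378.24095.0000; path=/",
    "Set-Cookie: JSESSIONID=ABC123; Path=/; HttpOnly",
    "Set-Cookie: BIGipServerpool_web=OpaqueValueConstructedForThisExample; path=/",
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_HEADERS):
        print(finding)
```

Run against a capture of your own site's responses, the only headers that come back are the ones that need attention; if any do, the fix sits on the F5 side, where the cookie persistence profile can encrypt the cookie value (or a different persistence method can be chosen) so that the value a client sees no longer decodes like this.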

Summary

Strictly speaking, this only reveals a private internal-network IP, so its help in breaking through the target's front line of defense is not obvious.
However, when you need to do internal-network penetration and lateral movement, this information is still valuable.
And at worst, when writing the report, if there is nothing else to write up, this point can also be included.

Origin www.cnblogs.com/M0rta1s/p/11517490.html