loading
loading
Recon
Determine the running software version of a remote F5 BIG-IP management interface.
overview
bigip-scanner identifies the exact software version of an exposed F5 BIG-IP management interface. F5 devices sit at the edge of many large networks, and their management plane has carried serious remote vulnerabilities, so knowing the precise version tells you whether a target is affected by a given CVE before you ever send an exploit.
It works by requesting resources whose fingerprints differ across releases and matching the responses against a version table. Point it at a target URL and it stops at the first exact match, or you can request every resource for a fuller fingerprint. The version table itself is an input, so you can extend it as new releases ship.
Wire bigip-scanner as a Recon node that takes a target and writes a file and a folder of results. Run it after a port or service scan flags a BIG-IP interface, then use the version it returns to decide which checks or templates to run next.
use cases
Fingerprint the management interface so you know the exact version, then map it to known CVEs instead of firing every exploit blindly.
Across an estate of edge appliances, version each BIG-IP interface to find which ones run releases with public, unpatched vulnerabilities.
Feed a host flagged as F5 by a port or service scan into bigip-scanner to confirm the appliance and capture its precise version.
Supply your own version table so the scanner recognizes the releases in your environment and reports drift as devices get patched.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | -t | Target URL of the BIG-IP management interface. |
| version-table | FILE | -v | Version table mapping resource fingerprints to releases. |
| all | BOOLEAN | -a | Request all resources instead of stopping at the first exact match. |
| debug | BOOLEAN | -d | Debug mode, showing the requests and responses used to fingerprint. |
Showing key inputs. bigip-scanner exposes 4 inputs in total.
example
# fingerprint a BIG-IP management URL against the version tablebigip-scanner -t https://bigip.example.com -v version-table.txt[*] Target: https://bigip.example.com[*] Loading version table[*] Probing management resources[+] Exact match: BIG-IP 15.1.5 Build 0.0.1[*] Host: bigip.example.com[*] Interface: https://bigip.example.com[+] Version written for downstream CVE mappingguidance
Use bigip-scanner once you have found an F5 BIG-IP management interface and need its precise version to judge exposure. It fingerprints a known appliance, it does not discover hosts, so run it after a port scan such as naabu or a fingerprinter like fingerprintx flags the device.
General service fingerprinter across many protocols. bigip-scanner is purpose-built for the F5 BIG-IP version.
Runs CVE templates once you know the version. bigip-scanner tells you which version to target.
Detects tech and titles broadly. bigip-scanner pins the exact BIG-IP release a broad prober only hints at.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A host is probed by httpx to confirm a live F5 interface, then bigip-scanner fingerprints its release and writes the detected version as a queryable output.
Facts on this page come from the live Trickest tool library.