Attacks on IPMI

Cipher suite zero authentication bypass

From Cisco:

In IPMI, the authentication, confidentiality, and integrity mechanisms are done through cipher suites, specifically suites 1–14. Cipher suite 0 is the most insecure of the cipher suites because it lacks authentication, confidentiality, and integrity. Cipher Suite 0 should be disabled.

If IPMI on the server supports cipher suite zero then we can connect to it even if we don’t know the password:

ipmitool -I lanplus -H 192.168.0.1 -U Administrator -P pass -C 0

Then you can do whatever you can: turn on and off power, configure a firewall, settings etc.

IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval

the authentication process for IPMI 2.0 mandates that the server send a salted SHA1 or MD5 hash of the requested user’s password to the client, prior to the client authenticating

Yep. That’s right. The server will tell you the password of any existing user. We can use ipmi_dumphashes in Metasploit to exploit this:

use auxiliary/scanner/ipmi/ipmi_dumphashes

Screenshot from 2016-07-13 10-25-46.png

Then we can crack them using hashcat:

hashcat -m 7300 --username lists/hashes.list lists/passwords.list

Cipher suite zero authentication bypass

From Cisco:

In IPMI, the authentication, confidentiality, and integrity mechanisms are done through cipher suites, specifically suites 1–14. Cipher suite 0 is the most insecure of the cipher suites because it lacks authentication, confidentiality, and integrity. Cipher Suite 0 should be disabled.

If IPMI on the server supports cipher suite zero then we can connect to it even if we don’t know the password:

ipmitool -I lanplus -H 192.168.0.1 -U Administrator -P pass -C 0

Then you can do whatever you can: turn on and off power, configure a firewall, settings etc.

IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval

the authentication process for IPMI 2.0 mandates that the server send a salted SHA1 or MD5 hash of the requested user’s password to the client, prior to the client authenticating

Yep. That’s right. The server will tell you the password of any existing user. We can use ipmi_dumphashes in Metasploit to exploit this:

use auxiliary/scanner/ipmi/ipmi_dumphashes

Screenshot from 2016-07-13 10-25-46.png

Then we can crack them using hashcat:

hashcat -m 7300 --username lists/hashes.list lists/passwords.list