OWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
0 likes215 views
This document summarizes a presentation about vulnerabilities in IPMI (Intelligent Platform Management Interface). IPMI allows remote management of servers through an embedded system called BMC on the motherboard. It uses weak authentication by default and passwords are sent in clear text. Several tools can discover exposed IPMI interfaces on the internet. Demonstrations showed exploiting the "cipher zero" vulnerability to remotely modify passwords, create new users, and shut down servers. While useful for server management, IPMI poses security risks if not properly configured and segmented from untrusted networks. The presentation recommended disconnecting IPMI from the internet if unnecessary, whitelisting access, and keeping firmware up to date.
OWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
- 1. AppSec - IPMI: An express train to hell Daniel Ramirez Warsaw, 10.10.2018 OWASP Poland Day 2018
- 2. whoami • Daniel Ramirez • Penetration Tester in Opera Software AS • OWASP Member
- 3. Agenda • Introduction • IPMI • Discovery and Exposure • Vulnerabilities and PoC • Countermeasures • Sum up
- 4. Introduction
- 5. Introduction • Intelligence Platform Management Interface a.k.a IPMI • Out-of-Band (OOB) channel to facilitate the Remote management of servers. • Published by Intel,Hewlett Packard, NEC and Dell, is used for emergency maintenance.
- 6. Introduction ● An embedded system called BMC implements the IPMI and lives on the server Motherboard. ● Also the BMC provide remote web access. ● Operate a very low level, invisible to the OS.
- 7. IPMI
- 8. IPMI ● IPMI manager connect over IP to the BMC on the Server motherboard. ● Allows an anonymous or Cipher zero Authentication ● RAKP ( RMCP + Authenticated Key Exchange Protocol)
- 9. IPMI
- 10. IPMI ● 4 way to communicate with BMC ○ ssh ○ Web Interface ○ CLI ○ Network Devices(Virtual media, remote consoles)
- 11. IPMI - Password Complexity ● IPMI 1.5 max length: 16 ● IPMI 2.0 max length: 20 ● The client received the password in clear text or hashed per any valid user (MSF module)
- 12. IPMI - Default Password
- 13. IPMI ● Owners can’t fix or patch BMC security problems because vendors ensure that only their own proprietary software to be used. ● Even backing up the firmware is disallowed
- 15. Discovery and Exposure ● IPMI works on UDP port 623 (sometimes also TCP) ● Several modules to use from metasploit auxiliar/scanner/ipmi/… (also nmap) ● ipmitool - cli
- 16. Discovery and Exposure “It would be a gross violation of best security practices to place any kind of management port on a publicly accessible network.”
- 20. Vulnerability and Demo-What we need? ● Shodan ● Misconfigured Server ● Kali tools ● Enjoy and profit
- 21. Vulnerability and PoC ● Cipher Zero Vulnerability ○ Modify Password root user ○ Create User ○ Shut Down the server ● Dump hash password / cracked it
- 28. Countermeasures
- 29. Countermeasures ● Disconnect the IPMI device from the Internet (If you do not need it at all). ● Have the IPMI devices accessible only via VPN (or from the internal network using private IP addresses). ● Whitelist IP, only SysAdmin/network Admin should access
- 30. Countermeasures ● If you have to keep your IPMI accessible publicly, these are some of the security measures to take: ○ Implement the IPMI security best practices ○ Replace the default administrator user ○ Delete any users that are no longer active, and disable the default users when possible. ○ Keep your IPMI software and firmware up to date
- 31. Sum up
- 32. Sum up ● Imagine trying to secure a computer with a small powerful parasite inside. ● Can’t be turned off, no documentation. ● Owners can’t fix or patched(only vendors). ● Backing up the firmware is disallowed. ● Designed for full control, remote management and monitoring.
- 33. Sum up ● If you thought “Stuxnet” was stealthy, at least was running in your CPU. ● How about something that has full access to your system and is impossible to discover from OS.