{"id":48402,"date":"2023-11-07T07:28:20","date_gmt":"2023-11-07T12:28:20","guid":{"rendered":"https:\/\/centricconsulting.com\/?p=48402"},"modified":"2024-05-15T08:41:51","modified_gmt":"2024-05-15T12:41:51","slug":"how-to-use-penetration-testing-to-prevent-ipmi-service-vulnerabilities","status":"publish","type":"post","link":"https:\/\/centricconsulting.com\/blog\/how-to-use-penetration-testing-to-prevent-ipmi-service-vulnerabilities\/","title":{"rendered":"How to Use Penetration Testing to Prevent IPMI Service Vulnerabilities"},"content":{"rendered":"
Many organizations proactively scan and monitor for network-based vulnerabilities as part of an ongoing vulnerability management program. Dozens of commercial vulnerability scanning engines exist. One vulnerability that’s overlooked due to a seemingly low risk level is Intelligent Platform Management Interface (IPMI) service vulnerabilities. While they may not allow for full system takeover, the potential effects on a critical system could be devastating.<\/strong><\/p>\n We rely heavily on the Tenable Professional vulnerability scanner for network vulnerability scans and exploitation-based activities. The purpose of this blog is not to endorse a scanner. Rather, we wish to provide you additional tools and resources for testing and validating vulnerabilities.<\/p>\n We are going to take a deep dive into the Intelligent Platform Management (IPMI) service (Nessus plugin IDs 68931 and 80101). The IPMI services provide system monitoring and configuration capabilities absent a specific operating system.<\/p>\n You can use the IPMI service to monitor environmental system controls such as internal temperatures, voltage, fans, and power supplies. You can also use this service to remotely start and restart a system.<\/p>\n This specific attack relates to two common vulnerabilities associated with the IPMI service, include IPMI v2.0 Password Hash Disclosures (Plugin ID 68931) and IPMI Cipher Suite Zero (Plugin ID 80101).<\/p>\n To validate the IPMI v2.0 Password Hash Disclosure (Plugin ID 68931), a module exists (auxiliary\/scanner\/ipmi\/ipmi_dumphashes)<\/strong>. When run, the module attempts to dump password hashes for user accounts into a file format supported by HashCat or John the Ripper. More often than not, these default credentials are left on systems. The following is a list of known default IPMI credentials based on manufacturer.<\/strong><\/p>\n <\/a><\/p>\n The cool thing about the ipmi_dumphashes Metasploit module is that it will automatically detect whether a default password exists. It attempts to crack the password hash using a password dictionary compromised from the default passwords listed above. It is worth noting that HP is among the only manufacturer that uses a secure(ish) password.<\/p>\n In addition to the IPMI v2.0 Password Hash Disclosure, another commonly observed vulnerability is IPMI Cipher Suite Zero (Plugin ID 80101). The IPMI Cipher Suite Zero enables an attacker to log into the IPMI service with only a valid username. The attacker then bypasses the authentication mechanism put in place.<\/p>\n In our experience, Nessus does a poor job of detecting this vulnerability. Anytime we detect the IPMI service running on TCP\/623, we scan the vulnerability using an NMAP script. The following command will perform a targeted vulnerability scan against the IPMI service to look for the IPMI Cipher Suite Zero vulnerability:<\/p>\n In addition to the Nmap script, a Metasploit module (auxiliary\/scanner\/ipmi_cipher_zero) exists to scan specific systems or whole subnets for the vulnerability. After identifying the vulnerability, you can use the ipmitool to log into the IPMI service via a command terminal.<\/p>\n After successfully validating the Cipher Suite Zero vulnerability, it is possible to perform post-exploitation activities. You can add a user to the IPMI service, thereby establishing a backdoor into the system. You’d use the following IPMI commands to add a user to the system:<\/p>\n User set name 2 <USERNAME> User set password 2 <PASSWORD> User priv 2 4 User enable 2<\/p>\n Upon completion, you will have successfully established a backdoor into the IPMI service. You should then be able to SSH into the service as an administrator.<\/p>\n The IPMI service does not typically house sensitive data such as personal identifiable information<\/a> (PII) or personal health information (PHI).<\/strong> A persistent backdoor into a system at any level is never a good thing. But an attacker is going to have a limited vantage point within the IPMI service. Possible risks include:<\/p>\n Thankfully, there are some quick and easy things you can implement to harden the IPMI service to mitigate these attacks.<\/p>\n First and foremost, if you are not using IPMI for a business function, disable the service.<\/strong> The easiest way to mitigate a vulnerability in any environment is to disable unneeded and unnecessary services.<\/p>\n IPMI is a common service we find within just about every enterprise network we test. While the service may seem benign, companies can potentially do a lot of damage if they abuse it.<\/p>\n While it may not allow direct foothold into a system or give an attacker local admin access, you should examine IPMI-based vulnerabilities, nonetheless.<\/strong> Penetration testing<\/a> functions as a proactive defense mechanism. This allows you to detect and rectify your system\u2019s vulnerabilities before hackers can take advantage of them.<\/p>\n \n The Attack: Part One<\/h2>\n
The Attack: Part Two<\/h2>\n
Nmap --script=ipmi-cipher-zero <TARGET> -p 623<\/code><\/p>\n
Ipmitool -l <INTERFACE> -C 0 -H <TARGET> - U <USERNAME> -P <PASSWORD> <IPMI COMMAND><\/code><\/p>\n
The Risk of Using the IPMI Service<\/h2>\n
\n
The IPMI Service Risk Mitigation<\/h2>\n
\n
Use Penetration Testing to Prevent IPMI Service Vulnerabilities<\/h2>\n