Friday, March 27, 2015

IPMI and BMC Exploitation

A quick brain dump of resources/vulns/techniques for pwning IPMI devices:

Awesome work in this area by Rapid7, Dan Farmer, etc.

Educate yo-self

https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi

Discovery

http://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_version

Vulns

https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities

Exploits (MSF)

http://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes
http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner
http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner
http://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero
http://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes
http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure
http://server:49152/PSBlock

Other resources

http://fish2.com/ipmi/
https://community.rapid7.com/community/metasploit/blog/2013/11/15/exploiting-the-supermicro-onboard-ipmi-controller
blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras
https://pedromadias.wordpress.com/2012/06/25/all-your-asus-servers-ikvmipmi-may-belong-to-other/
http://blog.devicenull.org/2014/02/02/supermicro-ipmi-firmware-x8sil-f-analysis.html


 I will update with more coherence when I get more time....