New Blog Series - Behind the Wires of Penetration Testing - Entry #1
Many organizations have proactively begun scanning and monitoring for network-based vulnerabilities as part of an ongoing vulnerability management program. Dozens of commercial vulnerability scanning engines exist. The Mako Group relies heavily on Tenable’s Nessus Professional vulnerability scanner for network vulnerability scans and exploitation-based activities. The purpose of this blog is not to endorse a scanner, but to provide additional tools and resources for testing and validating vulnerabilities.
We are going to take a deep dive into the Intelligent Platform Management Interface (IPMI) service (Nessus plugin IDs 68931 and 80101). IPMI provides system monitoring and configuration capabilities independently of the host operating system. It can be used to monitor environmental controls such as internal temperatures, voltage, fans, and power supplies, and to remotely start and restart a system.
This post covers two common vulnerabilities associated with the IPMI service: IPMI v2.0 Password Hash Disclosure (Plugin ID 68931) and IPMI Cipher Suite Zero (Plugin ID 80101).
To validate the IPMI v2.0 Password Hash Disclosure (Plugin ID 68931), a Metasploit module exists (auxiliary/scanner/ipmi/ipmi_dumphashes). When run, the module attempts to dump the password hashes of user accounts into a file format supported by Hashcat and/or John the Ripper. A set of default usernames and passwords exists for a small number of well-known systems, and more often than not these default credentials are left on systems. The following is a list of known default IPMI credentials by manufacturer.
The cool thing about the ipmi_dumphashes Metasploit module is that it will automatically detect whether a default password is in use by attempting to crack the dumped hash against a dictionary built from the default passwords listed above. Worth noting is that HP is one of the only manufacturers that uses a secure(ish) password.
In addition to the IPMI v2.0 Password Hash Disclosure, another commonly observed vulnerability is IPMI Cipher Suite Zero (Plugin ID 80101). Cipher Suite Zero allows an attacker to log into the IPMI service with only a valid username, bypassing the authentication mechanism put in place. In our experience, Nessus does a poor job of detecting this vulnerability. Any time we detect the IPMI service running on TCP/623, we scan for the vulnerability using an Nmap NSE script. The script probes UDP port 623, so the scan must be run as a UDP scan (-sU) or the script will never fire. The following command performs a targeted scan against the IPMI service for the Cipher Suite Zero vulnerability:
nmap -sU --script ipmi-cipher-zero -p 623 <TARGET>
In addition to the Nmap script, a Metasploit module (auxiliary/scanner/ipmi/ipmi_cipher_zero) exists to scan specific systems or whole subnets for the vulnerability. After identifying the vulnerability, ipmitool can be used to log into the IPMI service from a command terminal. Cipher suite selection (-C) only applies to the IPMI 2.0 "lanplus" interface, so that is the interface to use:
ipmitool -I lanplus -C 0 -H <TARGET> -U <USERNAME> -P <PASSWORD> <IPMI COMMAND>
After successfully validating the Cipher Suite Zero vulnerability, it is possible to perform post-exploitation activities such as adding a user to the IPMI service, thereby establishing a backdoor into the system. To add a user, the following ipmitool commands can be used (user ID 2 is assumed to be a free slot):
user set name 2 <USERNAME>
user set password 2 <PASSWORD>
user priv 2 4
user enable 2
Upon completion you will have successfully established a backdoor into the IPMI service and should be able to SSH into the service as an Administrator.
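The account-addition step above is exactly what a defender should be auditing for. The following script is an added example, not code from the original post: it parses a constructed `ipmitool user list 1` capture and flags any user slot that can send IPMI messages but is not on a hypothetical allow-list of provisioned accounts (the sample slots, names and allow-list are constructed).

```python
# Added example (not from the original post): audit an `ipmitool user list 1`
# capture for IPMI user slots that were not provisioned by the defender.

# Constructed capture modelled on ipmitool's `user list` layout; a real one
# would come from `ipmitool -I lanplus -H <BMC> -U <user> -P <pw> user list 1`.
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            false   false      true       ADMINISTRATOR
3   monitor          true    false      true       USER
4   svc_backup       true    false      true       ADMINISTRATOR
"""

# Hypothetical allow-list: the accounts operations says should exist, with
# the highest privilege each is permitted to hold.
EXPECTED = {"ADMIN": "ADMINISTRATOR", "monitor": "USER"}

def parse_user_list(text):
    """Return one dict per user slot; the Name column may be blank."""
    users = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header or blank line
        # The three true/false columns anchor the row, so an empty name is safe.
        flag_idx = [i for i, t in enumerate(tokens) if t in ("true", "false")]
        if len(flag_idx) < 3:
            continue  # malformed row: skip rather than guess
        first = flag_idx[0]
        users.append({
            "id": int(tokens[0]),
            "name": " ".join(tokens[1:first]),
            "ipmi_msg": tokens[first + 2] == "true",   # can the slot send IPMI messages?
            "priv": " ".join(tokens[first + 3:]),      # channel privilege limit
        })
    return users

def unexpected_accounts(users, expected=EXPECTED):
    """Slots able to send IPMI messages that are unknown or over-privileged."""
    findings = []
    for u in users:
        if not u["ipmi_msg"]:
            continue  # NO ACCESS / disabled slots cannot log in
        if expected.get(u["name"]) != u["priv"]:
            findings.append((u["id"], u["name"], u["priv"]))
    return findings

if __name__ == "__main__":
    for slot, name, priv in unexpected_accounts(parse_user_list(SAMPLE_USER_LIST)):
        print(f"slot {slot}: unexpected account {name!r} with privilege {priv}")
```

Running the same check on a schedule and diffing the slot list against the last run is a cheap way to catch a newly enabled Administrator account.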
The Risk and Mitigation
The IPMI service does not typically house sensitive data such as personally identifiable information (PII) or personal health information (PHI). While a persistent backdoor into a system at any level is not a good thing, an attacker is going to have a limited vantage point within the IPMI service. Possible risks include:
An attacker remotely shuts down or restarts the system through the IPMI service, causing data loss or a denial of service.
Password reuse, if the IPMI password hashes can be dumped and cracked and the same passwords are used elsewhere on the network.
Disabling of environmental alerts or alarms. If an attacker can disable the alerting for the system's internal temperature, the system may overheat and damage internal components.
Use of the service to gather internal intelligence as part of a larger network attack.
Thankfully there are some quick and easy things that can be implemented to harden the IPMI service to mitigate these attacks.
First and foremost, if you are not using IPMI for a business function, disable the service. The easiest way to mitigate a vulnerability in any environment is to disable unneeded and unnecessary services. There are many organizations however that actively use IPMI for a business function and are unable to disable the service. If this describes you, we recommend:
Ensuring that all default accounts (even HP's) are disabled. Each user who needs to access or monitor the service should be given their own unique account, and passwords should follow internal password policies (hopefully eight or more characters and complex).
Implementing access control lists (ACLs) so that only specific systems can reach the IPMI service. If Bob from accounting does not need to access the IPMI service, block him.
Finally, disabling Cipher Suite Zero. I cannot for the life of me think of a valid business reason to provide unauthenticated access to a network-based service. Should you have one, we recommend including it in any risk assessments and creating a security exception that is reviewed annually to confirm there is still a business requirement for the configuration.
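As a check for that last recommendation, the following script is an added example (not the post's or Tenable's code): it parses a constructed `ipmitool lan print 1` capture, reports whether cipher suite 0 is still permitted on the channel, and builds the `ipmitool lan set <channel> cipher_privs` command that marks suite 0 unused while leaving the other suites as they were. The sample values and the channel number are assumptions.

```python
# Added example (not from the original post): audit an `ipmitool lan print`
# capture for Cipher Suite Zero and produce the command that disables it.
import re

# Constructed sample modelled on ipmitool's `lan print` layout; a real capture
# would come from `ipmitool -I lanplus -H <BMC> -U <user> -P <pw> lan print 1`.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

def parse_lan_print(text):
    """Return {field: value} for 'Key : Value' lines; indented continuations are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def cipher_zero_enabled(fields):
    """True when suite 0 is advertised and its max privilege is not 'X' (unused)."""
    suites = [s.strip() for s in fields.get("RMCP+ Cipher Suites", "").split(",")]
    privs = fields.get("Cipher Suite Priv Max", "")
    # privs[i] is the maximum privilege granted over cipher suite i.
    return "0" in suites and bool(privs) and privs[0] != "X"

def remediation_command(fields, channel=1):
    """Build the cipher_privs string that disables suite 0 only, plus the command."""
    privs = fields.get("Cipher Suite Priv Max", "")
    hardened = "X" + privs[1:]
    return f"ipmitool lan set {channel} cipher_privs {hardened}", hardened

def audit(text, channel=1):
    fields = parse_lan_print(text)
    enabled = cipher_zero_enabled(fields)
    cmd, hardened = remediation_command(fields, channel)
    return {"cipher_zero_enabled": enabled, "fix": cmd if enabled else None, "hardened_privs": hardened}

if __name__ == "__main__":
    print(audit(SAMPLE_LAN_PRINT))
```

Re-run `lan print` after applying the fix: the first character of "Cipher Suite Priv Max" should read X, and the Nmap script above should no longer report the host.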
IPMI is a common service we find within just about every enterprise network we test. While the service may seem benign, a lot of damage can potentially be done by abusing it. Even though it may not allow a direct foothold into the system or give an attacker local administrator access, IPMI-based vulnerabilities should be examined nonetheless.
Brandyn Fisher, CISSP, CNDA, PenTest+, CHFI, Information System Security Manager