Comments on SecuritySynapse: Hacking IPMI Cipher 0 Using Kali Linux
Blog author: Tony Lee (http://www.blogger.com/profile/04935721260910647091)
Feed updated: 2024-03-20T03:15:18.893-07:00
14 comments

Anonymous, 2016-10-14T05:47:22.989-07:00

I got that same error when I tried to run commands without specifying -C 0 as one of the arguments.
I also got this error when specifying a non-existent user; is it possible one of these is your cause?

HTH

Tony Lee (https://www.blogger.com/profile/04935721260910647091), 2016-02-11T04:11:04.606-08:00

Interesting... Google turns up quite a bit on that error message. Did you try using the verbose flag for ipmitool?

jay (https://www.blogger.com/profile/05062005699295297419), 2016-02-11T01:25:50.803-08:00

Trying this on a Dell PowerEdge R710. I get Error: Unable to establish IPMI v2 /RMCP+ session

Anonymous, 2015-04-03T07:11:23.510-07:00

Does anybody know how to disable cipher suite 0?
This is my server information.
ProLiant DL180 G6
integrated lights out 100

Thanks

Anonymous, 2015-04-03T07:08:25.038-07:00

I have also experienced a similar situation. Can anybody suggest how to disable cipher suite 0? Here is the information for my server.
ProLiant DL180 G6
integrated lights out 100.
Since I am using the old version of iLO, I didn't see any disable option for this. I appreciate your help.

Tony Lee (https://www.blogger.com/profile/04935721260910647091), 2014-04-10T13:44:14.459-07:00

Good to know--thank you for the update.

Kali Linux (http://www.kali.org), 2014-04-10T13:11:35.380-07:00

freeipmi-tools has been updated to 1.1.6 in Kali Linux. There's no longer a need to install freeipmi-tools from source.

Dávid Szili (https://www.blogger.com/profile/01907096581389103954), 2013-12-09T04:45:43.327-08:00

Oh, now that everything has a web interface for management, you can expect all kinds of mistakes you see during web app pentests. :)

BTW, the system I tested was an HP iLO and I cannot get my hands on DELL servers right now, so let me know pls if this works with DRAC too.

Tony Lee (https://www.blogger.com/profile/04935721260910647091), 2013-12-06T06:08:14.325-08:00

Ha! I never thought to try to delete the account with itself. I figured there would be something to prevent that from happening. :-O Now I can't wait to find that vulnerability again so I can try it out. I wonder if that is system dependent though, for example maybe that works with iLO and not DRAC or vice versa? What was the system you tried this against?

Thanks again,
-Tony

Dávid Szili (https://www.blogger.com/profile/01907096581389103954), 2013-12-06T04:45:09.846-08:00

No no. You don't need to use another admin acc. You can use the one you've created to delete... well... the one you've created. Lemme try to explain it again.

So for example, you create the TestUser account for the Section User2 slot, login to the webUI with TestUser, do your nasty stuff and when you are done, you can delete TestUser with TestUser (I know, right?) and finally, logout with TestUser (yes, by that time, TestUser was already deleted). :)

Tony Lee (https://www.blogger.com/profile/04935721260910647091), 2013-12-05T07:39:50.580-08:00

Thanks for the feedback David. Yeah, I ran into a rough clean up as well. If anyone figures it out without using another administrator account via the webUI, that would be great if you could post it back here. :)

Funny enough, my brother ran into a client with a bunch of these vulnerable boxes. Still looking for an initial foothold, it could be easily scriptable to pop a list of affected hosts, but the cleanup needs to be a little better before that is attempted. ;)

Thanks again for the feedback. Happy hacking sir.

Dávid Szili (https://www.blogger.com/profile/01907096581389103954), 2013-12-05T07:25:29.268-08:00

Hey Tony,

I have just tried out the above tricks and removing the created user with bmc-config is not flawless. You will not be able to login again, but if you login with an Administrator user on the web interface, you will still see the added user there.

However, simply deleting the newly created user on the web interface while you are still logged in with it (ehh) works with no problem at all! :)

David

Tony Lee (https://www.blogger.com/profile/04935721260910647091), 2013-10-22T13:20:08.247-07:00

Glad the post was so helpful. Because this is still relatively new and so prevalent I feel that many people will run into this issue in their environment or on pen tests. Thanks for the missing package fix.

Anonymous, 2013-10-22T12:52:24.483-07:00

Great blog Tony! I just recently came across this finding on a pen test and my mind was blown after reading your blog. The only issue I ran into was the following error:

error while loading shared libraries: libipmidetect.so.0: cannot open shared object file: No such file or directory

Luckily it was a quick and easy fix - apt-get install libipmidetect-dev - I was on my way! Once again, great work sir!