IPMI, in my network?
This week's update features a set of tools for auditing your IPMI infrastructure. "Phew, I'm glad I'm not one of those suckers," you might be thinking to yourself. Well, the thing about IPMI (aka the Intelligent Platform Management Interface) is that it's just a skootch more esoteric than most protocols, and even experienced server administrators may not be aware of it. Do you use server hardware from IBM, Dell, or HP? Have you ever had to use IBM's Remote Supervisor adapters, Dell's DRAC cards, or HP's iLO kit? If so, congrats! Chances are extremely good that you're running IPMI, so you should really take a second to look at HD's and Dan Farmer's IPMI material.
In addition to the IPMI modules, we also have a bonus utility shipping this week, expertly snuck into the tools/ directory. Turns out, most (all?) offline password crackers don't do such a great job at cracking salted SHA1s in many cases. This was problematic for IPMI auditing, so HD whipped up our hmac_sha1_crack.rb. In fact, if you weren't aware of the tools/ directory, take a look. There's a lot in there that helps not only with exploit development, but with all sorts of specialized security tasks that you might not normally think of using Metasploit for.
Back to IPMI. Obviously, this vector is most relevant for the insider threat; sensible network management means that these IPMI devices won't be talking to your waiting room, your call center, or your parking lot over WiFi. If you've spent any time at all in the penetration testing world, though, you know it's really easy to screw those boundaries up, so it's worth it to audit your networks -- all of them -- for protocol endpoints that sneak through unexpectedly. And hey, there are some BOFHs out there who will go to great lengths to route traffic over VPN (or the Internet) so they can remotely manage their machines from home or their phone. I've known a few of those guys. I might have even been one of those guys in a past life. (:
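The kind of audit sweep the paragraph above calls for, as an added example that is not part of the original post or of the Metasploit modules it announces: it sends an RMCP/ASF Presence Ping to UDP/623 (the same probe IPMI discovery relies on) and parses the Presence Pong so you can compare responders against your BMC inventory. The `SAMPLE_PONG` bytes are a constructed reply used to exercise the parser offline; host names passed on the command line are whatever you choose to audit.

```python
"""Added example: find IPMI (BMC) endpoints answering on UDP/623 via RMCP Presence Ping."""
import socket
import struct

IPMI_PORT = 623
# RMCP header: version 0x06, reserved, sequence 0xff (no RMCP ack), class 0x06 (ASF).
# ASF body: IANA 0x000011be, type 0x80 (Presence Ping), tag 0x00, reserved, data length 0.
PRESENCE_PING = bytes([0x06, 0x00, 0xFF, 0x06, 0x00, 0x00, 0x11, 0xBE, 0x80, 0x00, 0x00, 0x00])

# Constructed Presence Pong: same header, type 0x40, 16 data bytes, entities 0x81
# (bit 7 = IPMI supported, low nibble = ASF version 1), no interactions advertised.
SAMPLE_PONG = bytes([0x06, 0x00, 0xFF, 0x06, 0x00, 0x00, 0x11, 0xBE, 0x40, 0x00, 0x00, 0x10,
                     0x00, 0x00, 0x11, 0xBE, 0x00, 0x00, 0x00, 0x00, 0x81, 0x00] + [0x00] * 6)


def parse_presence_pong(data):
    """Return a dict describing an ASF Presence Pong, or None if `data` is not one."""
    if len(data) < 28:
        return None
    version, _reserved, _seq, msg_class = data[0:4]
    if version != 0x06 or msg_class != 0x06:
        return None
    iana, msg_type, _tag, _reserved2, data_len = struct.unpack("!IBBBB", data[4:12])
    if iana != 0x000011BE or msg_type != 0x40 or data_len != 0x10:
        return None
    oem_iana, oem_defined = struct.unpack("!II", data[12:20])
    entities, interactions = data[20], data[21]
    return {
        "ipmi_supported": bool(entities & 0x80),
        "asf_version": entities & 0x0F,
        "oem_iana": oem_iana,
        "oem_defined": oem_defined,
        "security_extensions": bool(interactions & 0x80),
        "dash": bool(interactions & 0x20),
    }


def probe_ipmi(host, timeout=2.0):
    """Send one Presence Ping to `host`; return the parsed pong or None on no/garbled reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(PRESENCE_PING, (host, IPMI_PORT))
        try:
            data, _addr = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_presence_pong(data)


def audit(hosts):
    """Map each host that answers as an IPMI endpoint to its parsed pong."""
    found = {}
    for host in hosts:
        info = probe_ipmi(host)
        if info and info["ipmi_supported"]:
            found[host] = info
    return found


if __name__ == "__main__":
    import sys
    for host, info in audit(sys.argv[1:]).items():
        print(host, info)
```

Any responder outside your known BMC management segment is the leak the post warns about and belongs on the firewall/VLAN fix list.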
Also this week, we've done some housekeeping on our Redmine bug tracker. While none of the updates should be really noticeable by you, my beloved public bug filers and feature requestors, please do pipe up on the #metasploit Freenode IRC channel or mailing lists if you see something that doesn't seem right to you. Thanks to Kernelsmith for first noticing and reporting the problem with the Redmine wiki, and HD for untangling the somewhat labyrinthine dependencies that have grown around this server over time.
Oh, and incidentally, avoid using the Redmine wiki; virtually everything of import has been moved to either the Metasploit Community (you're soaking in it!) or, for developer docs, GitHub. We need to start putting in helpful redirects from the old wiki for the stragglers and identifying what's left to convert. If you'd like to help, feel free to volunteer; we can always use more motivated hands!
We've got six new modules this week, including the IPMI material. Go to town on your network before someone else does.
- IPMI 2.0 RAKP Cipher Zero Authentication Bypass Scanner by hdm and Dan Farmer exploits OSVDB-93040
- IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval by hdm and Dan Farmer
- IPMI Information Discovery by hdm and Dan Farmer
- InstantCMS 1.6 Remote PHP Code Execution by juan vazquez, AkaStep, and Ricardo Jorge Borges de Almeida exploits BID-60816
- ABBS Audio Media Player .LST Buffer Overflow by Julian Ahrens and modpr0be exploits OSVDB-75096
- ERS Viewer 2013 ERS File Handling Buffer Overflow by juan vazquez and James Fitts exploits CVE-2013-3482
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.