##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
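class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::UDPScanner

  # IPMI "Get Channel Authentication Capabilities" command number (IPMI 2.0
  # spec, NetFn App, cmd 38h). A well-formed reply echoes this command number;
  # the previous code compared against the bare decimal literal 56.
  GET_CHANNEL_AUTH_CAP_CMD = 0x38

  def initialize
    super(
      'Name' => 'IPMI Information Discovery',
      'Description' => 'Discover host information through IPMI Channel Auth probes',
      'Author' => [ 'Dan Farmer <zen[at]fish2.com>', 'hdm' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['URL', 'http://fish2.com/ipmi/']
        ]
    )

    register_options(
      [
        Opt::RPORT(623)
      ]
    )
  end

  # Target UDP port, read from the RPORT option (default 623, the standard
  # IPMI-over-LAN / RMCP port).
  def rport
    datastore['RPORT']
  end

  # Called by UDPScanner before a batch of hosts is probed: announces the batch
  # and resets the per-batch reply table that suppresses duplicate replies.
  #
  # @param batch [Array] hosts in this batch; only first/last/count are printed
  def scanner_prescan(batch)
    print_status("Sending IPMI requests to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
    @res = {}
  end

  # Sends one Get Channel Authentication Capabilities probe to +ip+:+rport+.
  # The probe is unauthenticated by design; replies arrive asynchronously and
  # are handled by #scanner_process.
  #
  # @param ip [String] target address
  def scan_host(ip)
    vprint_status("#{ip}:#{rport} - IPMI - Probe sent")
    scanner_send(Rex::Proto::IPMI::Utils.create_ipmi_getchannel_probe, ip, rport)
  end

  # Handles one UDP datagram received by the scanner socket.
  #
  # Security note: UDP provides no authentication of the source address.
  # +shost+ is whatever the datagram claims, so a spoofed reply is recorded
  # against that address like any other, and because replies are
  # de-duplicated per source host, the first datagram seen for a host (spoofed
  # or genuine) wins for the batch. The banner is device-supplied data and is
  # reported verbatim.
  #
  # @param data   [String]  raw datagram payload
  # @param shost  [String]  source address of the datagram
  # @param _sport [Integer] source port (unused; the service is recorded on +rport+)
  def scanner_process(data, shost, _sport)
    # Any parse failure means this is not a well-formed Channel Auth reply
    # (stray UDP traffic, truncated packet): drop it rather than abort the scan.
    info =
      begin
        Rex::Proto::IPMI::Channel_Auth_Reply.new.read(data)
      rescue StandardError
        nil
      end
    return unless info

    unless info.ipmi_command == GET_CHANNEL_AUTH_CAP_CMD
      vprint_error("#{shost}:#{rport} - IPMI - Invalid response")
      return
    end

    # Only the first reply per source host in this batch is reported.
    return if @res[shost]

    @res[shost] = info

    banner = info.to_banner
    print_good("#{shost}:#{rport} - IPMI - #{banner}")

    report_service(
      :host => shost,
      :port => rport,
      :proto => 'udp',
      :name => 'ipmi',
      :info => banner
    )

    # Potential improvements (not implemented here):
    # - Report a vulnerability if info.ipmi_user_anonymous has been set
    # - Report a vulnerability if ipmi 2.0 and kg is set to default (almost always the case)
    # - Report a vulnerability if info.ipmi_user_null has been set (null username)
    # NOTE(review): if those flags are BinData bit fields they read as Integer
    # 0/1, and 0 is truthy in Ruby -- compare with `== 1` rather than testing
    # the value directly.
  end
end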