Steps to reproduce
Host fe80::9af2:b3ff:fe3a:a823 is an HP iLO device which is susceptible to hash dumping via IPMI. It is reachable in the local ethernet segment from a Kali system and has the default username "administrator" present.
Use the module "scanner/ipmi/ipmi_dumphashes" from msfconsole:
set RHOSTS fe80::9af2:b3ff:fe3a:a823
set verbose true
run
set RHOSTS fe80::9af2:b3ff:fe3a:a823%eth0
run
Expected behavior
The scanner should send the IPMI probes to the supplied IPv6 targets and receive a response.
Current behavior
No traffic is sent when specifying any IPv6 address with or without the interface scope.
It does not work with link-local addresses or global scope addresses.
Running tcpdump confirms that no traffic is being generated.
No error is displayed by msfconsole, so the user is left falsely believing the host is not vulnerable.
Metasploit version
Framework: 6.1.14-dev
Console: 6.1.14-dev
Additional Information
Modern IPMI devices support IPv6 by default, and will be reachable via the link-local address in the local segment. On some models of device, it is not possible to turn off IPv6 support.
It is not uncommon for an IPMI device to only be reachable via IPv6, for instance where legacy IP has been turned off or the device resides in a segment with no DHCP server.
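The failure described above (a link-local target that produces no traffic and no error) comes down to how the destination is handed to the kernel. The following is an added example, not code from this issue or from Metasploit, showing the target handling a UDP scanner needs for IPv6: the zone id after `%` is not part of the address, it has to reach `getaddrinfo(3)` so that it becomes the socket's scope id, and a `fe80::/10` address without one should be rejected up front instead of being silently dropped. All function, constant and error-class names here are my own.

```ruby
require 'ipaddr'
require 'socket'

# Added example, not Metasploit code: target handling for an IPv6-aware UDP
# scanner, so that a link-local RHOSTS entry either gets a usable destination
# or fails loudly. Names are assumptions of this example.
IPMI_UDP_PORT = 623

class Ipv6TargetError < StandardError; end

# Split "addr%zone" into its parts and validate the address part.
# A link-local (fe80::/10) address without a zone is rejected: the kernel
# cannot pick an interface for it, so sendto(2) fails with EINVAL or
# ENETUNREACH, and a scanner that ignores that result sends nothing at all.
def parse_ipv6_target(target)
  host, zone = target.split('%', 2)
  addr = begin
    IPAddr.new(host)
  rescue IPAddr::InvalidAddressError
    raise Ipv6TargetError, "#{target}: not a valid IP address"
  end
  raise Ipv6TargetError, "#{target}: not an IPv6 address" unless addr.ipv6?
  if addr.link_local? && zone.nil?
    raise Ipv6TargetError,
          "#{target}: link-local address needs a zone id (e.g. #{host}%eth0)"
  end
  { host: addr.to_s, zone: zone, link_local: addr.link_local? }
end

# Resolve the target to a sockaddr without touching DNS. The zone id is
# passed to getaddrinfo(3) inside the host string and becomes the
# sin6_scope_id the kernel routes on; it is not part of the 128-bit address.
def destination_addrinfo(info, port = IPMI_UDP_PORT)
  dest = info[:zone] ? "#{info[:host]}%#{info[:zone]}" : info[:host]
  Addrinfo.getaddrinfo(dest, port, Socket::AF_INET6, :DGRAM, nil,
                       Socket::AI_NUMERICHOST).first
end

# Send one datagram and report what actually happened. The errno values are
# the ones an unscoped or unreachable IPv6 destination produces on Linux;
# surfacing them is what lets the operator tell "no reply" apart from
# "nothing was ever sent".
def send_probe(payload, info, port = IPMI_UDP_PORT)
  dest = destination_addrinfo(info, port)
  sock = UDPSocket.new(Socket::AF_INET6)
  sent = sock.send(payload, 0, dest)
  raise Ipv6TargetError, "short send to #{dest.inspect_sockaddr}" if sent != payload.bytesize
  sent
rescue Errno::EINVAL, Errno::ENETUNREACH, Errno::EADDRNOTAVAIL, Errno::EHOSTUNREACH => e
  raise Ipv6TargetError, "cannot send to #{dest ? dest.inspect_sockaddr : info[:host]}: #{e.message}"
ensure
  sock&.close
end

if __FILE__ == $PROGRAM_NAME
  # The address from this issue, with and without a zone, plus a documentation-range global address.
  %w[fe80::9af2:b3ff:fe3a:a823 fe80::9af2:b3ff:fe3a:a823%eth0 2001:db8::1].each do |t|
    begin
      info = parse_ipv6_target(t)
      puts "#{t}: #{destination_addrinfo(info).inspect_sockaddr}"
    rescue Ipv6TargetError, SocketError => e
      puts "#{t}: #{e.message}"
    end
  end
end
```

Run stand-alone, the first target is rejected with a message naming the missing zone id, the second resolves only on a host that actually has an `eth0`, and the global address resolves everywhere; the point of `send_probe` is that a failed `send` raises instead of returning quietly, which is the behaviour the issue asks for.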
Nmap is able to detect the IPMI service:
Nmap scan report for ipmi1 (fe80::9af2:b3ff:fe3a:a823)
Host is up (0.00076s latency).
PORT STATE SERVICE VERSION
623/udp open asf-rmcp
| ipmi-version:
| Version:
| IPMI-2.0
| UserAuth:
| PassAuth: auth_user, non_null_user
|_ Level: 2.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port623-UDP:V=7.91%I=7%D=12/16%Time=61BB2E59%P=x86_64-pc-linux-gnu%r(ip
SF:mi-rmcp,1E,"\x06\0\xff\x07\0\0\0\0\0\0\0\0\0\x10\x81\x1cc\x20\x008\0\x0
SF:2\x80\x14\x02\0\0\0\0\x10");
MAC Address: 98:F2:B3:3A:A8:23 (Hewlett Packard Enterprise)
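Nmap reported the service as unrecognised even though the reply it printed is a complete IPMI 2.0 "Get Channel Authentication Capabilities" response. As an added example that is neither Nmap's nor Metasploit's code, the decoder below reconstructs the 30 bytes from the `SF:` lines above (Nmap's C-style escaping: `\x1cc` is 0x1c followed by `c`, `\x008` is 0x00 followed by `8`), checks both IPMI checksums, and extracts the fields whose meaning is fixed by the IPMI specification: channel, the IPMI 2.0 extended-capabilities bit, the advertised v1.5 authentication types, and the v1.5/v2.0 session support bits. The third data byte (0x14 here, which Nmap labelled `auth_user, non_null_user`) is returned raw, because tools differ in how they name its bits. Constant and function names are my own.

```ruby
# Added example, not code from this issue, Nmap or Metasploit. The byte
# string is reconstructed from the Nmap fingerprint shown in the issue.
NMAP_FINGERPRINT_REPLY = [
  0x06, 0x00, 0xff, 0x07,                                     # RMCP: version 6, seq 0xff, class IPMI
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, # IPMI v1.5 session header, 16-byte payload
  0x81, 0x1c, 0x63, 0x20, 0x00, 0x38, 0x00,                   # rsAddr, netFn/LUN, cksum, rqAddr, seq, cmd, completion
  0x02, 0x80, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x10        # response data + data checksum
].pack('C*')

IPMI_NETFN_APP_RESPONSE = 0x07
IPMI_CMD_GET_CHANNEL_AUTH_CAPS = 0x38

# IPMI uses a 2's-complement checksum: covered bytes plus the checksum byte
# sum to zero modulo 256.
def ipmi_checksum_ok?(bytes)
  (bytes.sum & 0xff).zero?
end

# Decode an RMCP/IPMI datagram. Raises ArgumentError on anything that is not
# a well-formed IPMI message, which is what a scanner should report rather
# than treating the packet as "no response".
def decode_ipmi_reply(raw)
  b = raw.bytes
  raise ArgumentError, 'too short for RMCP + IPMI session header' if b.size < 14
  raise ArgumentError, 'not RMCP' unless b[0] == 0x06
  raise ArgumentError, 'RMCP class is not IPMI' unless (b[3] & 0x0f) == 0x07

  payload_len = b[13]
  msg = b[14, payload_len] || []
  raise ArgumentError, 'truncated IPMI payload' if msg.size != payload_len || msg.size < 8
  raise ArgumentError, 'bad IPMI header checksum' unless ipmi_checksum_ok?(msg[0, 3])
  raise ArgumentError, 'bad IPMI data checksum' unless ipmi_checksum_ok?(msg[3..])

  result = {
    auth_type: b[4],            # 0 = no v1.5 session authentication
    netfn: msg[1] >> 2,         # upper six bits of netFn/LUN byte
    cmd: msg[5],
    completion_code: msg[6]
  }
  data = msg[7...-1]            # everything between completion code and data checksum
  unless result[:netfn] == IPMI_NETFN_APP_RESPONSE &&
         result[:cmd] == IPMI_CMD_GET_CHANNEL_AUTH_CAPS &&
         result[:completion_code].zero? && data.size >= 8
    return result
  end

  auth_support = data[1]
  result.merge(
    channel: data[0],
    ipmi_2_0: (auth_support & 0x80) != 0,                # bit 7: IPMI v2.0+ extended capabilities
    auth_types: { none: 0x01, md2: 0x02, md5: 0x04,      # v1.5 authentication types offered
                  straight_password: 0x10, oem: 0x20 }
                  .select { |_, mask| (auth_support & mask) != 0 }.keys,
    user_auth_flags: data[2],                            # returned raw, see lead-in
    v15_sessions: (data[3] & 0x01) != 0,                 # extended caps bit 0
    v20_sessions: (data[3] & 0x02) != 0,                 # extended caps bit 1
    oem_id: data[4] | (data[5] << 8) | (data[6] << 16)
  )
end

puts decode_ipmi_reply(NMAP_FINGERPRINT_REPLY).inspect if __FILE__ == $PROGRAM_NAME
```

For the captured reply this yields an App-response (netFn 7) to command 0x38 with completion code 0 on channel 2, the IPMI 2.0 bit set, no v1.5 authentication types offered, and v2.0 (RMCP+) sessions supported but not v1.5, which matches the `IPMI-2.0` line in the Nmap output.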
Module/Datastore
The following global/module datastore, and database setup was configured before the issue occurred:
History
The following commands were run during the session and before this issue occurred:
use scanner/ipmi/ipmi_dumphashes
set rhosts fe80::9af2:b3ff:fe3a:a823
set verbose true
run
version
set loglevel 3
run
debug
Framework Errors
The following framework errors occurred before the issue occurred:
[12/16/2021 08:24:34] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/16/2021 08:24:34] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/16/2021 08:24:34] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/16/2021 08:24:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2021 08:24:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2021 08:24:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
Web Service Errors
The following web service errors occurred before the issue occurred:
msf-ws.log does not exist.
Framework Logs
The following framework logs were recorded before the issue occurred:
[03/18/2021 13:43:06] [e(0)] core: Failed to connect to the database: No database YAML file
[03/18/2021 13:43:06] [d(0)] core: Created user based module store
[03/18/2021 13:43:08] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[03/18/2021 13:43:08] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[03/18/2021 13:43:08] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[03/18/2021 13:43:08] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/16/2021 06:00:36] [e(0)] core: Failed to connect to the database: No database YAML file
[12/16/2021 06:00:36] [d(0)] core: Updated user based module store
[12/16/2021 06:00:44] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/16/2021 06:00:44] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/16/2021 06:00:44] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/16/2021 06:00:44] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/16/2021 06:00:46] [d(0)] core: HistoryManager.push_context name: :msfconsole
[12/16/2021 08:23:27] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[12/16/2021 08:24:22] [e(0)] core: Failed to connect to the database: No database YAML file
[12/16/2021 08:24:34] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/16/2021 08:24:34] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/16/2021 08:24:34] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/16/2021 08:24:34] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/16/2021 08:24:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2021 08:24:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2021 08:24:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2021 08:24:40] [d(0)] core: HistoryManager.push_context name: :msfconsole
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
Web Service Logs
The following web service logs were recorded before the issue occurred:
msf-ws.log does not exist.
Version/Install
The versions and install method of your Metasploit setup:
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
bcoles added the "not-stale" label (Label to stop an issue from being auto closed) and removed the "Stale" label (Marks an issue as stale, to be closed if no action is taken) on Jan 20, 2022.