[Info-vax] Temperature information via OpenVMS
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Wed May 9 15:28:42 EDT 2018
On 2018-05-09 18:55:34 +0000, Jairo Alves said:
> On Tuesday, May 8, 2018 11:37:32 UTC-3, Stephen Hoffman wrote:
>>
>> Both of which are known to be insecure on OpenVMS. SMH on OpenVMS —
>> which is the source of SNMP MIBs for OpenVMS — has had numerous
>> security flaws that have been patched on Linux and Windows, and one or
>> two of which I've been able to replicate on OpenVMS when exploits were
>> available, and the SNMP implementation is SNMPv2 which is insecure. The
>> iLO IPMI service can be queried for hashed passwords, and the hash uses
>> a format that can be easily brute-forced. Isolate these services, if
>> planning to use them.
> I'm curious about guessing the password on IPMI. Do people get the
> hashed value and then brute force it on their computers to guess the
> password?
Ask the widget for the hash via metasploit, load the hash into hashcat,
and spool up your GPU.
Various of the following is from 2013. Brute-forcing has only gotten faster.
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04197764
https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
https://hashcat.net/hashcat/
Tools: Kali or maybe Black Arch
A benchmark posted several years ago was claiming just shy of seven
hundred million tests per second, and that with cudaHashcat running on
then-low-end GPU gear.
For permutations for the password, figure... (62 ^ 1) + (62 ^ 2) + (62
^ 3) + (62 ^ 4) + (62 ^ 5) + (62 ^ 6) + (62 ^ 7) + (62 ^ 8) for a
one-to-eight character case-sensitive alphanumeric password. Dividing
that by however fast your particular attacker's GPU might be and
estimating however long the attacker might be willing to wait is left
to the reader.
As for the seriousness of an iLO breach, the iLO has complete system access.
--
Pure Personal Opinion | HoffmanLabs LLC