One of my favorite parts of information security is cracking password hashes. I have a dual nVidia GPU rig that I use to run hashcat on and sometimes my research leads me to crack hashes.
For those who don’t know, HP has a system for Integrated Lights Out, and it allows for remote management of systems. Usually these interfaces are located on a management network that is inaccessible unless you’re a systems admin.
Well, I got my hands on some hashes using the Metasploit module called IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval. There’s a few blogs that talk about how to do that, so I’ll let you refer to them on the how. What I thought was interesting though is that a lot of the systems I was working with were left to the default password – which is a random 8 digit number.
With a dual GPU hashcat instance, that is fairly trivial. I set a bruteforce attack using -a 3 ?d?d?d?d?d?d?d?d and the result below is what happened.
1416515636048
It took a mere 4 seconds to spin across 8 digits. If you’re a server admin, I hope you’re setting the administrator passwords on your iLO sessions to something other than digits. Also, and this goes without saying, keep your management network completely firewall off of the production network! There is no need to have the general user with any sort of access at all to these ports.
Still, a very strong password is your last line of defense in the event a breach occurs.