
[Freeipmi-devel] cRAKP'ing passwords remotely


From: dan farmer
Subject: [Freeipmi-devel] cRAKP'ing passwords remotely
Date: Wed, 19 Jun 2013 22:34:02 -0700


I'm sure it's pretty obvious to many out there, but I'd never seen it written up anywhere… so… the short version is the RAKP protocol in the IPMI specification allows anyone to use IPMI commands to grab an HMAC hash that can be cracked remotely and/or offline.  It's super-simple - just use a command like "ipmitool -I lanplus -v -v -v -U ADMIN -P fluffy-wuffy -H 10.0.0.1 chassis identify" and parse and beast on the output a bit.

If you're not familiar with this, I wrote up a little bit here:


And a Perl program to implement this is here:


The tool isn't what I'd call production quality, but it might be illuminating.  You can test it out by simply:

rak-the-ripper.pl 10.0.0.1

Or whatever.

I've known about this for a while, but… was busy knitting or something. Special thanks to Jarrod, who surely has forgotten more about IPMI than I'll ever know, and whose xCAT implementation of RAKP as well as private communiques were invaluable (plus, he already knew about it, but he doesn't ride the short bus with me.)  Also to Duncan for writing ipmitool, and who saved me from throwing my Mac out the window by providing me with a lightbulb moment that shrank my code by doing all the hard work and - better still - actually made it work :)

All errors, etc., are mine, and feel free to toss any comments/questions my way.

Cheers -

dan

¸¸.·´¯`·.¸><(((º>

