Jul 032013

Some misc ramblin’ notes/data on IPMI & SSL Certificates.

So I used the SSL observatory software (oddly written, but still cool) to scan for certificates on a bit over 300K systems suspected of running IPMI (which in turn were had from HD Moore of Rapid 7 – thanks HD!) and who were on the net.  In case anyone else was interested in using the SSL Observatory stuff, it’s pretty simple once you figure it out – here are my cliff notes (if nothing else it may save me from trying to figure it out again!)

Install with “git clone https://git.eff.org/public/observatory.git”.

In the “scan” subddir there’s an important file – FasterCertificateGrabber.py.  This is cool stuff – you can simply give it an IP addr:

$ python ./FasterCertificateGrabber.py
Attempting to fetch 1 certificates
happy: 4
Got 1 complete and 0 partial certs out of 1

Better still, however, is that it can use a filename stuffed with IP addresses, one per line – simply use the “-f” option.  On my mac, at least, it choked if the file was too big (like… say… 300K addrs ;)) because it ran out of file descriptors, so I simply chopped it up and put it all in a loop.  250 at a time seemed to work well, so I did something like:

$ split -a 5 -l 250 file-with-lotsa-IP-numbers.txt
$ for f in x* ; do
python ./FasterCertificateGrabber.py -f f

And the observer software was off to the races, doing 250 scans in parallel at a time, pretty nifty. It saves the results in raw format in a series of subdirs (e.g. 1.x.x.x/1.x.x.1/ for the IP address There’s another program to slice and dice the results – the “openssl_dump.py” command. It simply takes a subdir and snuffles around for results files, so you can do this (from the main SSL Observatory directory; I redirected the output to a file to avoid drowning in output):

$ python ./openssl_dump.py scan > ssl_results.txt

Inside is all the SSL glory; for instance:

--- SHA1 Fingerprint=C6:49:6C:33:56:9B:7B:18:0A:E2:64:29:D8:6E:8E:56:1E:D2:51:AF
Version: 1 (0x0)
Serial Number:
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Texas, L=Houston, O=Hewlett-Packard Company, OU=ISS, CN=ILOCNG137TNRY
Not Before: Dec 5 20:25:26 2002 GMT
Not After : Dec 5 20:25:26 2022 GMT
Subject: C=US, ST=Texas, L=Houston, O=Hewlett-Packard Company, OU=ISS, CN=ILOCNG137TNRY
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption

And finally some modest analysis/thoughts on the results.

The CN is an interesting field. Cisco seems to put their OUI in some of theirs (e.g. Issuer: CN=68:ef:bd:d8:d0:a6, OU=RV016, O=Cisco-Linksys, LLC, C=US, L=Irvine, SN=California), maybe part of their install (as far as I can tell most network gear doesn’t use IPMI, this is probably their server stuff). Interestingly HP (with iLO2, it appears, although the strings seem like ILO3 as well at times) used to put a unique identifier on their cert – it looks like the serial # (e.g. Issuer: C=US, ST=Texas, L=Houston, O=Hewlett-Packard Company, OU=ISS, CN=ILOSGH039XERW). Other iLO 2 systems have an IP addr on them… maybe the internal one? Puzzling. Various others use Mac addrs & IP addresses. A few IMM’s (IBM’s offering, which I’m still seeking some sort of ID’er for.) Looks like old DRACs as well (Issuer: C=US, L=Round Rock, O=Dell Inc., OU=iDRAC Group, CN=iDRACdefault00221981F8E5)

In any case it’s pretty clear you can recognize BMCs by their SSL cert (if there was any doubt before.) At times it has uniquely identifying information.

My fav perhaps is “CN=GET A NEW CERTIFICATE!!/emailAddress=FOR TEST PURPOSES ONLY”

Of the 312,357 IPs, 112,982 listened on 443.

Key lengths?

91231 RSA Public Key (1024 bit)
72429 RSA Public Key (2048 bit)
6970 RSA Public Key (512 bit)
294 RSA Public Key (1023 bit)
208 RSA Public Key (4096 bit)
37 RSA Public Key (768 bit)
25 RSA Public Key (1000 bit)
9 RSA Public Key (1279 bit)
1 RSA Public Key (8192 bit)
1 RSA Public Key (2049 bit)
1 RSA Public Key (2047 bit)
1 RSA Public Key (1027 bit)
1 RSA Public Key (1022 bit)
1 RSA Public Key (1017 bit)

3217 used DSA Public Keys.

So onto the Issuers – Linda and Doris appear to rule the ‘net! (1st & 3rd place.) Gotta like the “do not trust” notes that HP and some others put in. I was actually moderately surprised to not see any large company names – I guess no one really big puts their own stamp on things, at least not on the net, although this one was fun:

Issuer: C=–, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain

An 8K key!  They’re safe for now :)

Presumably some BMC manufacturer…. spot checked a few to see if I could discern any pattern, but they looked rather random.

The tail drops quickly. I tried to strip out the generics (verisign, thawte, etc.) Attaching the dup’d raw results – only a hair over 500 that had dups (e.g. > 1)

16092 Issuer C=US, ST=California, L=San Jose, O=Super Micro Computer Inc., OU=Software Department, CN=IPMI/emailAddress=linda.wu@supermicro.com
9967 Issuer C=US, ST=TX, L=Houston, O=Hewlett-Packard Company, OU=ISS, CN=iLO3 Default Issuer (Do not trust)
8763 Issuer C=TW, ST=Taiwan, L=Taipei, O=Aten, OU=SW1, CN=doris/emailAddress=doris@aten.com.tw
7414 Issuer C=US, ST=California, L=San Jose, O=Super Micro Computer, OU=Software, CN=Linda/emailAddress=linda.wu@supermicro.com
6920 Issuer C=US, ST=Georgia, L=Norcross, O=American Megatrends Inc., OU=Service Processors, CN=AMI/emailAddress=support@ami.com
6489 Issuer C=US, ST=Texas, L=Round Rock, O=Dell Inc., OU=Remote Access Group, CN=iDRAC6 default certificate
4774 Subject C=US, ST=TX, L=Houston, O=Hewlett-Packard Company, OU=ISS, CN=iLO3 Default Issuer (Do not trust)
4531 Issuer C=DE, ST=Saxony, L=Zwickau, O=Peppercon AG, OU=Security Department, CN=Peppercon CA/emailAddress=ca@peppercon.de
3308 Issuer C=US, ST=TX, L=Houston, O=Hewlett-Packard Company, OU=ISS, CN=iLO Default Issuer (Do not trust)
2893 Issuer C=US, ST=Georgia, L=Atlanta, O=American Megatrends Inc, OU=Service Processors, CN=AMI/emailAddress=support@ami.com

Dups in this case are strictly the issuer, it doesn’t say anything about the cert itself.

I stripped out the #’s 2-4, actually – they were all generic ones:

14396 Issuer C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
12069 Issuer C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
12018 Issuer C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. – For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority – G5
12007 Issuer C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA – G3

There may be other fields that could further highlight manufacturers, this is just on first glance. Certain getting the ilo and drac version #’s is easy enough.

I also took the keys and MD5’d them (just seemed easier to read than the rather long keys), sorted, uniq’d, etc.  These are different – matches here mean that systems have exactly the same SSL server key:

16092 fcda94c2b11147d1379d64673d6c3cdb
8763 260ec1312dc112732b11f4dca168bb70
7414 08528201362e9c656d5e729bb4176949
6920 6480ade4f0034df3038df8a69c3c5bf4
4531 968f7ea4fcc0934f75f372cf9fc34948
4487 af1e73d145ee2fb34fecb6c8af171b46
3577 3259a6cbfe0f7d4b7f5b6219950ae56b
2347 cc03d2839c5c289a4caba4d9b2043637
1870 0a023e8a69e44ecec8b2e46d2c687336
1836 75007fc42481ac5cf128683b82bad83d
1609 0fd1211c9aeea1891b4cc4ee61628cec
1527 43fa42b918965468e96d370c8c012960
1454 3367cbd9ff477dbb5b816776748d3161
1284 b06fca8011739b1d027513457beb8382
1275 fb1021b41666f966c25586fe332622f2
1076 1b770868b11d5e48dd604fae5810fb55

Almost the same as above (and some are identical) – but collects some more that are scattered due to unique things in the Issuer line.  A whole lotta people just don’t change or manage their certs.  Not that that is a surprise.

Here’s another look, based solely on the O= line in the Issuer:

48130 VeriSign
23594 Hewlett-Packard Company
16093 Super Micro Computer Inc.
14684 GeoTrust
14396 CA Issuers – URI:http://gtssl-aia.geotrust.com/gtssl.crt
12163 GeoTrust Inc.
12007 CA Issuers – URI:http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer
10864 Dell Inc.
8763 Aten
7414 Super Micro Computer
6920 American Megatrends Inc.
6567 Equifax
4531 Peppercon AG
2893 American Megatrends Inc
1836 LLC [note – this is actually pilotchip.com/emailAddress=pilot@serverengines.com, from another field]
1687 Fujitsu Technology Solutions GmbH
1206 Sun Microsystems

A hell of a lot of HPs out there. Wonder if VS is a default for some BMC vendors?

Sorry, the comment form is closed at this time.