{"id":712,"date":"2013-01-26T21:58:59","date_gmt":"2013-01-26T21:58:59","guid":{"rendered":"https:\/\/trouble.org\/?p=712"},"modified":"2013-07-17T15:11:22","modified_gmt":"2013-07-17T15:11:22","slug":"one-packet-auditing","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=712","title":{"rendered":"one packet auditing"},"content":{"rendered":"<p>Not all packets are equal.<\/p>\n<p>If you send a single UDP packet to port 623 that contains a &#8220;Get Channel Authentication Capabilities&#8221; request (see section 22.13 of the IPMI v2 spec), you&#8217;ll get back a packet that has some interesting features.<\/p>\n<p>You can get the same information by parsing the output of &#8220;ipmitool -v -v -H 10.0.0.1 -U user -P password lan print&#8221;, but more systems have python than ipmitool, so I wrote a python script to send the magic packet and parse the response. Data data everywhere, fun finding the information.<\/p>\n<p>The script takes an IP address or hostname as its single argument and will time out after 5 seconds if it doesn&#8217;t get a response. You really don&#8217;t want to see it come back with anonymous login enabled&#8230; interestingly, per the spec, you can tell about these problems w\/o any auth.<\/p>\n<p>1 packet, tens of bytes, 11 potential issues; best bang for the buck I&#8217;ve seen&#8230; perhaps ever.<\/p>\n<p>&#8211; what version of IPMI is supported, 1.5, 2.0, 
or both<br \/>\n&#8211; &#8220;none&#8221; authentication is supported<br \/>\n&#8211; MD2 auth is allowed<br \/>\n&#8211; use of the straight password\/key auth supported<br \/>\n&#8211; OEM auth (maybe ok, maybe not)<br \/>\n&#8211; reserved auth bit in use<br \/>\n&#8211; KG key is set to default<br \/>\n&#8211; per message auth is disabled<br \/>\n&#8211; user level auth is disabled<br \/>\n&#8211; null usernames allowed<br \/>\n&#8211; anonymous login enabled and in use<\/p>\n<div class=\"codecolorer-container python blackboard\" style=\"overflow:auto;white-space:nowrap;height:800px;\"><div class=\"python codecolorer\"><span class=\"co1\">#!\/usr\/bin\/python<\/span><br \/>\n<br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># do a Get Channel Authentication Capabilities (see p142 of the IPMI v 2 spec)<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># Usage: $0 ip-address<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># Sends request, tears up response, does a little sanity checking, prints out some stuff<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># Lots of comments are quotes from the most recent IPMI 2.0 spec.<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<br \/>\n<span class=\"kw1\">from<\/span> <span class=\"kw3\">socket<\/span> <span class=\"kw1\">import<\/span> *<br \/>\n<span class=\"kw1\">import<\/span> <span class=\"kw3\">sys<\/span><br \/>\n<br \/>\nBYTE_SIZE <span class=\"sy0\">=<\/span> <span class=\"nu0\">8<\/span><br \/>\n<br \/>\n<span class=\"kw1\">try<\/span>:<br \/>\ntarget <span class=\"sy0\">=<\/span> <span class=\"kw3\">sys<\/span>.<span class=\"me1\">argv<\/span><span class=\"br0\">&#91;<\/span><span class=\"nu0\">1<\/span><span class=\"br0\">&#93;<\/span><br \/>\n<span class=\"kw1\">except<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;usage: %s target&quot;<\/span> % 
<span class=\"kw3\">sys<\/span>.<span class=\"me1\">argv<\/span><span class=\"br0\">&#91;<\/span><span class=\"nu0\">0<\/span><span class=\"br0\">&#93;<\/span><span class=\"br0\">&#41;<\/span><br \/>\nexit<span class=\"br0\">&#40;<\/span><span class=\"nu0\">1<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\"># in seconds<\/span><br \/>\ntimeout <span class=\"sy0\">=<\/span> <span class=\"nu0\">5<\/span><br \/>\n<span class=\"co1\"># udp<\/span><br \/>\nPORT <span class=\"sy0\">=<\/span> <span class=\"nu0\">623<\/span><br \/>\n<br \/>\n<span class=\"co1\"># assume not until proven otherwise (both start at 0; the response sets them)<\/span><br \/>\nipmi15_support <span class=\"sy0\">=<\/span> <span class=\"nu0\">0<\/span><br \/>\nipmi20_support <span class=\"sy0\">=<\/span> <span class=\"nu0\">0<\/span><br \/>\n<br \/>\n<span class=\"co1\"># get chan auth packet... snuffled from tcpdump &amp; wireshark traffic<\/span><br \/>\npayload <span class=\"sy0\">=<\/span> <span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>06<span class=\"es0\">\\x<\/span>00<span class=\"es0\">\\x<\/span>ff<span class=\"es0\">\\x<\/span>07<span class=\"es0\">\\x<\/span>00<span class=\"es0\">\\x<\/span>00<span class=\"es0\">\\x<\/span>00<span class=\"es0\">\\x<\/span>00<span class=\"es0\">\\x<\/span>00<span class=\"es0\">\\x<\/span>00<span class=\"es0\">\\x<\/span>00<span class=\"es0\">\\x<\/span>00<span class=\"es0\">\\x<\/span>00<span class=\"es0\">\\x<\/span>09<span class=\"es0\">\\x<\/span>20<span class=\"es0\">\\x<\/span>18<span class=\"es0\">\\x<\/span>c8<span class=\"es0\">\\x<\/span>81<span class=\"es0\">\\x<\/span>00<span class=\"es0\">\\x<\/span>38<span class=\"es0\">\\x<\/span>8e<span class=\"es0\">\\x<\/span>04<span class=\"es0\">\\x<\/span>b5&quot;<\/span><br \/>\n<br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># helper function, just looks up a position in a string, which<\/span><br \/>\n<span class=\"co1\"># is representing a byte of network data.<\/span><br \/>\n<span 
class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># The function returns the bit at position X; position 0 == least significant<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># lots of assumptions! #1 is that byte is 8 bits, #2 is that the bits are in a certain order<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"kw1\">def<\/span> check_bit<span class=\"br0\">&#40;<\/span>byte<span class=\"sy0\">,<\/span> position<span class=\"br0\">&#41;<\/span>:<br \/>\n<br \/>\n<span class=\"kw1\">if<\/span> position <span class=\"sy0\">&gt;<\/span> BYTE_SIZE:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;out-of-byte-bounds (%s)&quot;<\/span> % position<span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"kw1\">return<\/span><span class=\"br0\">&#40;<\/span>-<span class=\"nu0\">1<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\"># print(&quot;\\t\\tchecking %s[%d]:&quot; % (byte, position)),<\/span><br \/>\nbyte <span class=\"sy0\">=<\/span> bin<span class=\"br0\">&#40;<\/span>byte<span class=\"br0\">&#41;<\/span><span class=\"br0\">&#91;<\/span><span class=\"nu0\">2<\/span>:<span class=\"br0\">&#93;<\/span>.<span class=\"me1\">rjust<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">8<\/span><span class=\"sy0\">,<\/span> <span class=\"st0\">'0'<\/span><span class=\"br0\">&#41;<\/span><span class=\"br0\">&#91;<\/span>::-<span class=\"nu0\">1<\/span><span class=\"br0\">&#93;<\/span><br \/>\n<span class=\"co1\"># print(&quot;\\tbits =&gt; &quot; + byte),<\/span><br \/>\n<br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># make a string of bits that make up the bytes; flip byte<\/span><br \/>\n<span class=\"co1\"># so bit[0] = LSD (least-sig-digit)<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># print(&quot;\\tB:&quot;),<\/span><br \/>\n<span class=\"co1\"># print(byte)<\/span><br \/>\n<br 
\/>\n<span class=\"kw1\">if<\/span> byte<span class=\"br0\">&#91;<\/span>position<span class=\"br0\">&#93;<\/span> <span class=\"sy0\">==<\/span> <span class=\"st0\">&quot;1&quot;<\/span>:<br \/>\n<span class=\"kw1\">return<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">1<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"kw1\">return<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">0<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># all the action goes here... if get a response, rip it up,<\/span><br \/>\n<span class=\"co1\"># compare it to the IPMI spec to see if it makes sense.<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"kw1\">def<\/span> parse_response<span class=\"br0\">&#40;<\/span>source<span class=\"sy0\">,<\/span> packet<span class=\"br0\">&#41;<\/span>:<br \/>\n<br \/>\n<span class=\"co1\"># these get assigned below, so declare them global or python treats them as locals<\/span><br \/>\n<span class=\"kw1\">global<\/span> ipmi15_support<span class=\"sy0\">,<\/span> ipmi20_support<br \/>\n<br \/>\n<span class=\"co1\"># sum of problems found<\/span><br \/>\nproblems <span class=\"sy0\">=<\/span> <span class=\"nu0\">0<\/span><br \/>\n<br \/>\n<span class=\"co1\"># did we get something that looks IPMI-esque? extended capabilities byte, per spec:<\/span><br \/>\n<span class=\"co1\"># [1] 1b = channel supports IPMI v2.0 connections; [0] 1b = channel supports IPMI v1.5 connections<\/span><br \/>\nipmi_support <span class=\"sy0\">=<\/span> <span class=\"kw2\">ord<\/span><span class=\"br0\">&#40;<\/span>packet<span class=\"br0\">&#91;<\/span><span class=\"nu0\">3<\/span><span class=\"br0\">&#93;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"kw1\">if<\/span> check_bit<span class=\"br0\">&#40;<\/span>ipmi_support<span class=\"sy0\">,<\/span> <span class=\"nu0\">1<\/span><span class=\"br0\">&#41;<\/span>:<br \/>\nipmi20_support <span class=\"sy0\">=<\/span> <span class=\"nu0\">1<\/span><br \/>\n<span class=\"kw1\">if<\/span> check_bit<span class=\"br0\">&#40;<\/span>ipmi_support<span class=\"sy0\">,<\/span> <span class=\"nu0\">0<\/span><span class=\"br0\">&#41;<\/span>:<br \/>\nipmi15_support <span class=\"sy0\">=<\/span> <span class=\"nu0\">1<\/span><br \/>\n<br \/>\n<span class=\"kw1\">if<\/span> 
<span class=\"kw1\">not<\/span> ipmi20_support <span class=\"kw1\">and<\/span> <span class=\"kw1\">not<\/span> ipmi15_support:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;this doesn't support 1.5 or 2.0 IPMI, bailin' out&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\nexit<span class=\"br0\">&#40;<\/span><span class=\"nu0\">2<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># Channel Number<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># Channel number that the Authentication Capabilities is being<\/span><br \/>\n<span class=\"co1\"># returned for. If the channel number in the request was set to<\/span><br \/>\n<span class=\"co1\"># Eh, this will return the channel number for the channel that the<\/span><br \/>\n<span class=\"co1\"># request was received on.<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\nchannel <span class=\"sy0\">=<\/span> <span class=\"kw2\">ord<\/span><span class=\"br0\">&#40;<\/span>packet<span class=\"br0\">&#91;<\/span><span class=\"nu0\">0<\/span><span class=\"br0\">&#93;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;Channel %s:&quot;<\/span> % channel<span class=\"br0\">&#41;<\/span><span class=\"sy0\">,<\/span><br \/>\n<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;IPMI &quot;<\/span><span class=\"br0\">&#41;<\/span><span class=\"sy0\">,<\/span><br \/>\n<span class=\"kw1\">if<\/span> ipmi15_support:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;1.5&quot;<\/span><span class=\"br0\">&#41;<\/span><span class=\"sy0\">,<\/span><br \/>\n<br \/>\n<span class=\"kw1\">if<\/span> ipmi20_support:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span 
class=\"st0\">&quot;2.0&quot;<\/span><span class=\"br0\">&#41;<\/span><span class=\"sy0\">,<\/span><br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot; supported&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># Authentication Type Support<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># Bit-by-bit breakdown of this byte<\/span><br \/>\n<br \/>\n<span class=\"co1\"># [7] 1b = IPMI v2.0+ extended capabilities available.<\/span><br \/>\n<span class=\"co1\"># 0b = IPMI v1.5 support only.<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># [6] reserved<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># [5] OEM proprietary (per OEM identified by the IANA OEM ID in the RMCP Ping Response)<\/span><br \/>\n<span class=\"co1\"># [4] straight password \/ key<\/span><br \/>\n<span class=\"co1\"># [3] reserved<\/span><br \/>\n<span class=\"co1\"># [2] MD5<\/span><br \/>\n<span class=\"co1\"># [1] MD2<\/span><br \/>\n<span class=\"co1\"># [0] none<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\nauth_support <span class=\"sy0\">=<\/span> <span class=\"kw2\">ord<\/span><span class=\"br0\">&#40;<\/span>packet<span class=\"br0\">&#91;<\/span><span class=\"nu0\">1<\/span><span class=\"br0\">&#93;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"kw1\">if<\/span> check_bit<span class=\"br0\">&#40;<\/span>auth_support<span class=\"sy0\">,<\/span> <span class=\"nu0\">7<\/span><span class=\"br0\">&#41;<\/span>:<br \/>\n<span class=\"co1\"># print(&quot;\\tIPMI 2.0 extended data:&quot;)<\/span><br \/>\n<span class=\"kw1\">if<\/span> check_bit<span class=\"br0\">&#40;<\/span>auth_support<span class=\"sy0\">,<\/span> <span class=\"nu0\">0<\/span><span class=\"br0\">&#41;<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span 
class=\"st0\">&quot;*<span class=\"es0\">\\t<\/span>No auth is supported&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\nproblems +<span class=\"sy0\">=<\/span> <span class=\"nu0\">1<\/span><br \/>\n<span class=\"kw1\">if<\/span> check_bit<span class=\"br0\">&#40;<\/span>auth_support<span class=\"sy0\">,<\/span> <span class=\"nu0\">1<\/span><span class=\"br0\">&#41;<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;*<span class=\"es0\">\\t<\/span>MD2 auth supported&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\nproblems +<span class=\"sy0\">=<\/span> <span class=\"nu0\">1<\/span><br \/>\n<span class=\"kw1\">if<\/span> check_bit<span class=\"br0\">&#40;<\/span>auth_support<span class=\"sy0\">,<\/span> <span class=\"nu0\">2<\/span><span class=\"br0\">&#41;<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;<span class=\"es0\">\\t<\/span>MD5 auth supported&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"kw1\">if<\/span> check_bit<span class=\"br0\">&#40;<\/span>auth_support<span class=\"sy0\">,<\/span> <span class=\"nu0\">4<\/span><span class=\"br0\">&#41;<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;*<span class=\"es0\">\\t<\/span>straight password\/key auth supported&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\nproblems +<span class=\"sy0\">=<\/span> <span class=\"nu0\">1<\/span><br \/>\n<span class=\"kw1\">if<\/span> check_bit<span class=\"br0\">&#40;<\/span>auth_support<span class=\"sy0\">,<\/span> <span class=\"nu0\">5<\/span><span class=\"br0\">&#41;<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;*<span class=\"es0\">\\t<\/span>OEM auth supported (maybe it's ok, maybe not)&quot;<\/span><span class=\"br0\">&#41;<\/span> <span class=\"co1\"># maybe good, maybe not<\/span><br 
\/>\nproblems +<span class=\"sy0\">=<\/span> <span class=\"nu0\">1<\/span><br \/>\n<span class=\"kw1\">if<\/span> check_bit<span class=\"br0\">&#40;<\/span>auth_support<span class=\"sy0\">,<\/span> <span class=\"nu0\">6<\/span><span class=\"br0\">&#41;<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;*<span class=\"es0\">\\t<\/span>Using funky reserved bit, maybe trouble?&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># next thingee... this byte is a bit overloaded, so<\/span><br \/>\n<span class=\"co1\"># it has a few things here.<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># Bit-by-bit breakdown from spec:<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># [7:6] - reserved<\/span><br \/>\n<span class=\"co1\"># [5] - KG status (two-key login status). Applies to v2.0\/RMCP+ RAKP Authentication only. Otherwise, ignore as &quot;reserved&quot;.<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># 0b = KG is set to default (all zeros). User key KUID will be used in place of KG in RAKP<\/span><br \/>\n<span class=\"co1\"># 1b = KG is set to non-zero value. 
(Knowledge of both KG and user password (if not anonymous login) required for activating session.)<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># Following bits apply to IPMI v1.5 and v2.0:<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># [4] - Per-message Authentication status<\/span><br \/>\n<span class=\"co1\"># 0b = Per-message Authentication is enabled<\/span><br \/>\n<span class=\"co1\"># 1b = Per-message Authentication is disabled<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># [3] - User Level Authentication status<\/span><br \/>\n<span class=\"co1\"># 0b = User Level Authentication is enabled<\/span><br \/>\n<span class=\"co1\"># 1b = User Level Authentication is disabled<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># [2:0] - Anonymous Login status<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># [2] 1b = Non-null usernames enabled. (One or more users are enabled that have non-null usernames).<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># [1] 1b = Null usernames enabled (One or more users that have a null username, but non-null password, are presently enabled)<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># [0] 1b = Anonymous Login enabled (A user that has a null username and null password is presently enabled)<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\nauth_stuff <span class=\"sy0\">=<\/span> <span class=\"kw2\">ord<\/span><span class=\"br0\">&#40;<\/span>packet<span class=\"br0\">&#91;<\/span><span class=\"nu0\">2<\/span><span class=\"br0\">&#93;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># if !IPMI 2.0\/RMCP+ RAKP ignore<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"kw1\">if<\/span> ipmi20_support:<br \/>\n<span class=\"kw1\">if<\/span> check_bit<span 
class=\"br0\">&#40;<\/span>auth_stuff<span class=\"sy0\">,<\/span> <span class=\"nu0\">5<\/span><span class=\"br0\">&#41;<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;*<span class=\"es0\">\\t<\/span>KG key is set to default (all 0's)&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\nproblems +<span class=\"sy0\">=<\/span> <span class=\"nu0\">1<\/span><br \/>\n<span class=\"kw1\">else<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;<span class=\"es0\">\\t<\/span>KG key has been set to a non-zero value&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\"># both 1.5\/2.0<\/span><br \/>\n<span class=\"kw1\">if<\/span> check_bit<span class=\"br0\">&#40;<\/span>auth_stuff<span class=\"sy0\">,<\/span> <span class=\"nu0\">4<\/span><span class=\"br0\">&#41;<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;*<span class=\"es0\">\\t<\/span>Per message auth is disabled&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\nproblems +<span class=\"sy0\">=<\/span> <span class=\"nu0\">1<\/span><br \/>\n<span class=\"kw1\">else<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;<span class=\"es0\">\\t<\/span>Per message auth is enabled&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"kw1\">if<\/span> check_bit<span class=\"br0\">&#40;<\/span>auth_stuff<span class=\"sy0\">,<\/span> <span class=\"nu0\">3<\/span><span class=\"br0\">&#41;<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;*<span class=\"es0\">\\t<\/span>User lvl auth is disabled&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\nproblems +<span class=\"sy0\">=<\/span> <span class=\"nu0\">1<\/span><br \/>\n<span class=\"kw1\">else<\/span>:<br \/>\n<span 
class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;<span class=\"es0\">\\t<\/span>User lvl auth is enabled&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"kw1\">if<\/span> check_bit<span class=\"br0\">&#40;<\/span>auth_stuff<span class=\"sy0\">,<\/span> <span class=\"nu0\">2<\/span><span class=\"br0\">&#41;<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;<span class=\"es0\">\\t<\/span>Non-null usernames enabled&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"kw1\">else<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;*<span class=\"es0\">\\t<\/span>null usernames allowed&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\nproblems +<span class=\"sy0\">=<\/span> <span class=\"nu0\">1<\/span><br \/>\n<br \/>\n<span class=\"kw1\">if<\/span> check_bit<span class=\"br0\">&#40;<\/span>auth_stuff<span class=\"sy0\">,<\/span> <span class=\"nu0\">6<\/span><span class=\"br0\">&#41;<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;*<span class=\"es0\">\\t<\/span>Anonymous login enabled (really bad: a user that has a null username &amp; password is enabled!)&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\nproblems +<span class=\"sy0\">=<\/span> <span class=\"nu0\">1<\/span><br \/>\n<span class=\"kw1\">else<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;<span class=\"es0\">\\t<\/span>Anonymous login disabled&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"kw1\">if<\/span> problems <span class=\"sy0\">&gt;<\/span> <span class=\"nu0\">0<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;%s<span class=\"es0\">\\t<\/span>%s problems found (marked with 
*'s)&quot;<\/span> % <span class=\"br0\">&#40;<\/span>target<span class=\"sy0\">,<\/span> problems<span class=\"br0\">&#41;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"kw1\">else<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;%s<span class=\"es0\">\\t<\/span>No problems found&quot;<\/span> % target<span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># create socket &amp; bind to local port<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<br \/>\nudp <span class=\"sy0\">=<\/span> <span class=\"kw3\">socket<\/span><span class=\"br0\">&#40;<\/span>AF_INET<span class=\"sy0\">,<\/span> SOCK_DGRAM<span class=\"br0\">&#41;<\/span><br \/>\nsake <span class=\"sy0\">=<\/span> udp.<span class=\"me1\">getsockname<\/span><span class=\"br0\">&#40;<\/span><span class=\"br0\">&#41;<\/span><br \/>\nudp.<span class=\"me1\">bind<\/span><span class=\"br0\">&#40;<\/span>sake<span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\"># actually send packet<\/span><br \/>\n<span class=\"kw1\">try<\/span>:<br \/>\nudp.<span class=\"me1\">settimeout<\/span><span class=\"br0\">&#40;<\/span>timeout<span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\"># if udp.sendto(&quot; &quot;, (target, PORT)) &lt;= 0:<\/span><br \/>\n<span class=\"kw1\">if<\/span> udp.<span class=\"me1\">sendto<\/span><span class=\"br0\">&#40;<\/span>payload<span class=\"sy0\">,<\/span> <span class=\"br0\">&#40;<\/span>target<span class=\"sy0\">,<\/span> PORT<span class=\"br0\">&#41;<\/span><span class=\"br0\">&#41;<\/span> <span class=\"sy0\">&lt;=<\/span> <span class=\"nu0\">0<\/span>:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;couldn't send packet to %s&quot;<\/span> % target<span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\"># catch response<\/span><br \/>\ndata<span 
class=\"sy0\">,<\/span>addr <span class=\"sy0\">=<\/span> udp.<span class=\"me1\">recvfrom<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">512<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\"># skip the headers: RMCP (4) + IPMI session (10) + IPMI message (6) + completion code (1) = 21 bytes<\/span><br \/>\ndata <span class=\"sy0\">=<\/span> data<span class=\"br0\">&#91;<\/span><span class=\"nu0\">21<\/span>:<span class=\"br0\">&#93;<\/span><br \/>\n<br \/>\nudp.<span class=\"me1\">close<\/span><span class=\"br0\">&#40;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\nparse_response<span class=\"br0\">&#40;<\/span>addr<span class=\"br0\">&#91;<\/span><span class=\"nu0\">0<\/span><span class=\"br0\">&#93;<\/span><span class=\"sy0\">,<\/span> data<span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"co1\"># exceptions... this should also catch parsing stuff in parse_response<\/span><br \/>\n<span class=\"co1\">#<\/span><br \/>\n<span class=\"kw1\">except<\/span> <span class=\"kw2\">Exception<\/span><span class=\"sy0\">,<\/span> e:<br \/>\n<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;hmmm.... problems in paradise, tonto: %s, bailin'&quot;<\/span> % e<span class=\"br0\">&#41;<\/span><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Not all packets are equal. If you send a single UDP packet to port 623 that contains a &#8220;Get Channel Authentication Capabilities&#8221; request (see section 22.13 of the IPMI v2 spec), you&#8217;ll get back a packet that has some interesting features. 
You can get this by parsing the output of &#8220;ipmitool -v -v -H 10.0.0.1 -U [&hellip;]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[146,154,172,4],"tags":[184,113,185,186,183],"class_list":["post-712","post","type-post","status-publish","format-standard","hentry","category-hack","category-ipmi-2","category-python","category-security","tag-184","tag-ipmi","tag-network","tag-rmcp","tag-udp"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/712","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=712"}],"version-history":[{"count":10,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/712\/revisions"}],"predecessor-version":[{"id":875,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/712\/revisions\/875"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=712"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=712"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=712"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}