{"id":848,"date":"2013-07-03T18:48:05","date_gmt":"2013-07-03T18:48:05","guid":{"rendered":"https:\/\/trouble.org\/?p=848"},"modified":"2013-07-18T01:32:40","modified_gmt":"2013-07-18T01:32:40","slug":"linda-and-doris-rule-the-net","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=848","title":{"rendered":"Linda and Doris rule the ‘net"},"content":{"rendered":"

Some misc ramblin’ notes\/data on IPMI & SSL Certificates.<\/p>\n

So I used the SSL observatory <\/a>software (oddly written, but still cool) to scan for certificates on a bit over 300K systems\u00a0suspected\u00a0of running IPMI (which in turn were had from HD Moore of Rapid 7 – thanks HD!) and who were on the net. \u00a0In case anyone else was interested in using the SSL Observatory stuff, it’s pretty simple once you figure it out – here are my cliff notes (if nothing else it may save me from trying to figure it out again!)<\/p>\n

Install with “git clone https:\/\/git.eff.org\/public\/observatory.git”.<\/p>\n

In the “scan” subddir there’s an important file –\u00a0FasterCertificateGrabber.py. \u00a0This is cool stuff – you can simply give it an IP addr:<\/p>\n

$ python .\/<\/span>FasterCertificateGrabber.py 192.168.0.23
\nAttempting to fetch 1<\/span> certificates
\nhappy: 192.168.0.23:443<\/span> 4<\/span>
\nGot 1<\/span> complete<\/span> and 0<\/span> partial certs out of 1<\/span><\/div><\/div>\n

Better still, however, is that it can use a filename stuffed with IP addresses, one per line – simply use the “-f” option. \u00a0On my mac, at least, it choked if the file was too big (like… say… 300K addrs ;)) because it ran out of file descriptors, so I simply chopped it up and put it all in a loop. \u00a0250 at a time seemed to work well, so I did something like:<\/p>\n

$ split<\/span> -a<\/span> 5<\/span> -l<\/span> 250<\/span> file-with-lotsa-IP-numbers.txt
\n$ for<\/span> f in<\/span> x*<\/span> ; do<\/span>
\npython .\/<\/span>FasterCertificateGrabber.py -f<\/span> f
\ndone<\/span><\/div><\/div>\n

And the observer software was off to the races, doing 250 scans in parallel at a time, pretty nifty. It saves the results in raw format in a series of subdirs (e.g. 1.x.x.x\/1.x.x.1\/1.1.1.1.results for the IP address 1.1.1.1.) There’s another program to slice and dice the results – the “openssl_dump.py” command. It simply takes a subdir and snuffles around for results files, so you can do this (from the main SSL Observatory directory; I redirected the output to a file to avoid drowning in output):<\/p>\n

$ <\/span>python .\/<\/span>openssl_dump.py scan ><\/span> ssl_results.txt<\/div><\/div>\n

Inside is all the SSL glory; for instance:<\/p>\n

--- SHA1 Fingerprint=C6:49:6C:33:56:9B:7B:18:0A:E2:64:29:D8:6E:8E:56:1E:D2:51:AF
\nCertificate:
\nData:
\nVersion: 1 (0x0)
\nSerial Number:
\n55:65:c4:6b:36:2f:66:32:67:34:14:72:f0:7f:52:c0
\nSignature Algorithm: md5WithRSAEncryption
\nIssuer: C=US, ST=Texas, L=Houston, O=Hewlett-Packard Company, OU=ISS, CN=ILOCNG137TNRY
\nValidity
\nNot Before: Dec 5 20:25:26 2002 GMT
\nNot After : Dec 5 20:25:26 2022 GMT
\nSubject: C=US, ST=Texas, L=Houston, O=Hewlett-Packard Company, OU=ISS, CN=ILOCNG137TNRY
\nSubject Public Key Info:
\nPublic Key Algorithm: rsaEncryption
\nRSA Public Key: (1024 bit)
\nModulus (1024 bit):
\n00:9b:20:a2:2d:e3:91:89:4b:76:36:73:6d:18:5e:
\n51:e0:88:88:2d:b4:c2:6d:38:da:57:83:0c:54:86:
\nda:50:ff:9b:8b:83:0b:b8:1c:d2:6f:61:5d:d0:11:
\n5d:98:22:9b:69:e0:37:3a:48:ff:ec:f0:44:f7:85:
\nc0:84:55:42:28:78:4e:20:7f:28:45:58:d2:c4:5e:
\n82:f1:09:88:8b:ad:e8:7f:ef:8d:20:30:5d:03:7a:
\n91:3c:0f:05:07:64:dc:2f:d5:1d:81:d7:f1:21:ed:
\nd4:66:ec:63:7e:3b:11:82:e5:ec:20:39:e3:de:d0:
\nd4:a2:8c:a2:d2:28:ee:1b:23
\nExponent: 65537 (0x10001)
\nSignature Algorithm: md5WithRSAEncryption
\n97:79:ef:89:3d:6c:71:fa:cb:80:75:6f:8c:0f:84:35:53:a4:
\n3c:89:76:18:15:ce:8e:8b:de:e9:82:ca:22:40:5d:f7:1f:56:
\n2f:32:58:4d:e9:e2:bf:55:4d:2b:62:35:c0:e6:6f:5d:a5:08:
\n40:ce:7a:b8:f2:01:8c:2b:e7:45:35:04:13:db:fb:8a:b9:af:
\ne9:7f:e0:a8:6c:03:86:ef:9a:35:71:e1:ff:c5:2b:cb:d5:9f:
\n48:1f:39:be:f6:22:ee:af:00:7f:94:97:e9:16:cf:3e:f5:27:
\ne8:aa:c8:df:fc:49:03:58:4b:b4:e3:d2:20:a7:33:57:34:2d:
\n53:72<\/div><\/div>\n

And finally some modest analysis\/thoughts on the results.<\/p>\n

The CN is an interesting field. Cisco seems to put their OUI in some of theirs (e.g. Issuer: CN=68:ef:bd:d8:d0:a6, OU=RV016, O=Cisco-Linksys, LLC, C=US, L=Irvine, SN=California), maybe part of their install (as far as I can tell most network gear doesn’t use IPMI, this is probably their server stuff). Interestingly HP (with iLO2, it appears, although the strings seem like ILO3 as well at times) used to put a unique identifier on their cert – it looks like the serial # (e.g. Issuer: C=US, ST=Texas, L=Houston, O=Hewlett-Packard Company, OU=ISS, CN=ILOSGH039XERW). Other iLO 2 systems have an IP addr on them\u2026 maybe the internal one? Puzzling. Various others use Mac addrs & IP addresses. A few IMM’s (IBM’s offering, which I’m still seeking some sort of ID’er for.) Looks like old DRACs as well (Issuer: C=US, L=Round Rock, O=Dell Inc., OU=iDRAC Group, CN=iDRACdefault00221981F8E5)<\/p>\n

In any case it’s pretty clear you can recognize BMCs by their SSL cert (if there was any doubt before.) At times it has uniquely identifying information.<\/p>\n

My fav perhaps is “CN=GET A NEW CERTIFICATE!!\/emailAddress=FOR TEST PURPOSES ONLY”<\/p>\n

Of the 312,357 IPs, 112,982 listened on 443.<\/p>\n

Key lengths?<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
91231 RSA Public Key<\/td>\n(1024 bit)<\/td>\n<\/tr>\n
72429 RSA Public Key<\/td>\n(2048 bit)<\/td>\n<\/tr>\n
6970 RSA Public Key<\/td>\n(512 bit)<\/td>\n<\/tr>\n
294 RSA Public Key<\/td>\n(1023 bit)<\/td>\n<\/tr>\n
208 RSA Public Key<\/td>\n(4096 bit)<\/td>\n<\/tr>\n
37 RSA Public Key<\/td>\n(768 bit)<\/td>\n<\/tr>\n
25 RSA Public Key<\/td>\n(1000 bit)<\/td>\n<\/tr>\n
9 RSA Public Key<\/td>\n(1279 bit)<\/td>\n<\/tr>\n
1 RSA Public Key<\/td>\n(8192 bit)<\/td>\n<\/tr>\n
1 RSA Public Key<\/td>\n(2049 bit)<\/td>\n<\/tr>\n
1 RSA Public Key<\/td>\n(2047 bit)<\/td>\n<\/tr>\n
1 RSA Public Key<\/td>\n(1027 bit)<\/td>\n<\/tr>\n
1 RSA Public Key<\/td>\n(1022 bit)<\/td>\n<\/tr>\n
1 RSA Public Key<\/td>\n(1017 bit)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

3217 used DSA Public Keys.<\/p>\n

So onto the Issuers – Linda and Doris appear to rule the ‘net! (1st & 3rd place.) Gotta like the “do not trust” notes that HP and some others put in. I was actually moderately surprised to not see any large company names – I guess no one really big puts their own stamp on things, at least not on the net, although this one was fun:<\/p>\n

Issuer: C=–, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain\/emailAddress=root@localhost.localdomain<\/p>\n

An 8K key! \u00a0They’re safe for now :)<\/p>\n

Presumably some BMC manufacturer\u2026. spot checked a few to see if I could discern any pattern, but they looked rather random.<\/p>\n

The tail drops quickly. I tried to strip out the generics (verisign, thawte, etc.) Attaching the dup’d raw results – only a hair over 500 that had dups (e.g. > 1)<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
16092 Issuer<\/td>\nC=US, ST=California, L=San Jose, O=Super Micro Computer Inc., OU=Software Department, CN=IPMI\/emailAddress=linda.wu@supermicro.com<\/td>\n<\/tr>\n
9967 Issuer<\/td>\nC=US, ST=TX, L=Houston, O=Hewlett-Packard Company, OU=ISS, CN=iLO3 Default Issuer (Do not trust)<\/td>\n<\/tr>\n
8763 Issuer<\/td>\nC=TW, ST=Taiwan, L=Taipei, O=Aten, OU=SW1, CN=doris\/emailAddress=doris@aten.com.tw<\/td>\n<\/tr>\n
7414 Issuer<\/td>\nC=US, ST=California, L=San Jose, O=Super Micro Computer, OU=Software, CN=Linda\/emailAddress=linda.wu@supermicro.com<\/td>\n<\/tr>\n
6920 Issuer<\/td>\nC=US, ST=Georgia, L=Norcross, O=American Megatrends Inc., OU=Service Processors, CN=AMI\/emailAddress=support@ami.com<\/td>\n<\/tr>\n
6489 Issuer<\/td>\nC=US, ST=Texas, L=Round Rock, O=Dell Inc., OU=Remote Access Group, CN=iDRAC6 default certificate<\/td>\n<\/tr>\n
4774 Subject<\/td>\nC=US, ST=TX, L=Houston, O=Hewlett-Packard Company, OU=ISS, CN=iLO3 Default Issuer (Do not trust)<\/td>\n<\/tr>\n
4531 Issuer<\/td>\nC=DE, ST=Saxony, L=Zwickau, O=Peppercon AG, OU=Security Department, CN=Peppercon CA\/emailAddress=ca@peppercon.de<\/td>\n<\/tr>\n
3308 Issuer<\/td>\nC=US, ST=TX, L=Houston, O=Hewlett-Packard Company, OU=ISS, CN=iLO Default Issuer (Do not trust)<\/td>\n<\/tr>\n
2893 Issuer<\/td>\nC=US, ST=Georgia, L=Atlanta, O=American Megatrends Inc, OU=Service Processors, CN=AMI\/emailAddress=support@ami.com<\/td>\n<\/tr>\n
…<\/td>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Dups in this case are strictly the issuer, it doesn’t say anything about the cert itself.<\/p>\n

I stripped out the #’s 2-4, actually – they were all generic ones:<\/p>\n\n\n\n\n\n\n
14396 Issuer<\/td>\nC=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA<\/td>\n<\/tr>\n
12069 Issuer<\/td>\nC=US, O=GeoTrust Inc., CN=GeoTrust Global CA<\/td>\n<\/tr>\n
12018 Issuer<\/td>\nC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. – For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority – G5<\/td>\n<\/tr>\n
12007 Issuer<\/td>\nC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)10, CN=VeriSign Class 3 Secure Server CA – G3<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

There may be other fields that could further highlight manufacturers, this is just on first glance. Certain getting the ilo and drac version #’s is easy enough.<\/p>\n

I also took the keys and MD5’d them (just seemed easier to read than the rather long keys), sorted, uniq’d, etc. \u00a0These are different – matches here mean that systems have exactly the same SSL server key:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
16092<\/td>\nfcda94c2b11147d1379d64673d6c3cdb<\/td>\n<\/tr>\n
8763<\/td>\n260ec1312dc112732b11f4dca168bb70<\/td>\n<\/tr>\n
7414<\/td>\n08528201362e9c656d5e729bb4176949<\/td>\n<\/tr>\n
6920<\/td>\n6480ade4f0034df3038df8a69c3c5bf4<\/td>\n<\/tr>\n
4531<\/td>\n968f7ea4fcc0934f75f372cf9fc34948<\/td>\n<\/tr>\n
4487<\/td>\naf1e73d145ee2fb34fecb6c8af171b46<\/td>\n<\/tr>\n
3577<\/td>\n3259a6cbfe0f7d4b7f5b6219950ae56b<\/td>\n<\/tr>\n
2347<\/td>\ncc03d2839c5c289a4caba4d9b2043637<\/td>\n<\/tr>\n
1870<\/td>\n0a023e8a69e44ecec8b2e46d2c687336<\/td>\n<\/tr>\n
1836<\/td>\n75007fc42481ac5cf128683b82bad83d<\/td>\n<\/tr>\n
1609<\/td>\n0fd1211c9aeea1891b4cc4ee61628cec<\/td>\n<\/tr>\n
1527<\/td>\n43fa42b918965468e96d370c8c012960<\/td>\n<\/tr>\n
1454<\/td>\n3367cbd9ff477dbb5b816776748d3161<\/td>\n<\/tr>\n
1284<\/td>\nb06fca8011739b1d027513457beb8382<\/td>\n<\/tr>\n
1275<\/td>\nfb1021b41666f966c25586fe332622f2<\/td>\n<\/tr>\n
1076<\/td>\n1b770868b11d5e48dd604fae5810fb55<\/td>\n<\/tr>\n
…<\/td>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Almost the same as above (and some are identical) – but collects some more that are scattered due to unique things in the Issuer line. \u00a0A whole lotta people just don’t change or manage their certs. \u00a0Not that that is a surprise.<\/span><\/p>\n

Here’s another look, based solely on the O= line in the Issuer:<\/span><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
48130<\/td>\nVeriSign<\/td>\n<\/tr>\n
23594<\/td>\nHewlett-Packard Company<\/td>\n<\/tr>\n
16093<\/td>\nSuper Micro Computer Inc.<\/td>\n<\/tr>\n
14684<\/td>\nGeoTrust<\/td>\n<\/tr>\n
14396<\/td>\nCA Issuers – URI:http:\/\/gtssl-aia.geotrust.com\/gtssl.crt<\/td>\n<\/tr>\n
12163<\/td>\nGeoTrust Inc.<\/td>\n<\/tr>\n
12007<\/td>\nCA Issuers – URI:http:\/\/SVRSecure-G3-aia.verisign.com\/SVRSecureG3.cer<\/td>\n<\/tr>\n
10864<\/td>\nDell Inc.<\/td>\n<\/tr>\n
8763<\/td>\nAten<\/td>\n<\/tr>\n
7414<\/td>\nSuper Micro Computer<\/td>\n<\/tr>\n
6920<\/td>\nAmerican Megatrends Inc.<\/td>\n<\/tr>\n
6567<\/td>\nEquifax<\/td>\n<\/tr>\n
4531<\/td>\nPeppercon AG<\/td>\n<\/tr>\n
2893<\/td>\nAmerican Megatrends Inc<\/td>\n<\/tr>\n
1836<\/td>\nLLC [note – this is actually pilotchip.com\/emailAddress=pilot@serverengines.com, from another field]<\/td>\n<\/tr>\n
1687<\/td>\nFujitsu Technology Solutions GmbH<\/td>\n<\/tr>\n
1206<\/td>\nSun Microsystems<\/td>\n<\/tr>\n
…<\/td>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

A hell of a lot of HPs out there. Wonder if VS is a default for some BMC vendors?<\/p>\n","protected":false},"excerpt":{"rendered":"

Some misc ramblin’ notes\/data on IPMI & SSL Certificates. So I used the SSL observatory software (oddly written, but still cool) to scan for certificates on a bit over 300K systems\u00a0suspected\u00a0of running IPMI (which in turn were had from HD Moore of Rapid 7 – thanks HD!) and who were on the net. \u00a0In case […]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[154,4,6,1,87],"tags":[129,130,225],"class_list":["post-848","post","type-post","status-publish","format-standard","hentry","category-ipmi-2","category-security","category-tech","category-uncategorized","category-web","tag-certs","tag-ssl","tag-vendors"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/848","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=848"}],"version-history":[{"count":21,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/848\/revisions"}],"predecessor-version":[{"id":876,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/848\/revisions\/876"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=848"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}