Nmap ipmi-cipher-zero NSE Script
This page contains detailed information about how to use the ipmi-cipher-zero NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.
Script Overview
Script source code: https://github.com/nmap/nmap/tree/master/scripts/ipmi-cipher-zero.nse
Script categories: vuln, safe
Target service / protocol: asf-rmcp, udp
Target network port(s): 623
List of CVEs: -
Script Description
IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0 compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero.
Ipmi-cipher-zero NSE Script Arguments
This is a full list of arguments supported by the ipmi-cipher-zero.nse script:
vulns.short
If set, vulnerabilities will be output in short format, a single line consisting of the host's target name or IP, the state, and either the CVE ID or the title of the vulnerability. Does not affect XML output.
vulns.showall
If set, the library will show and report all the registered vulnerabilities, which includes the NOT VULNERABLE ones. By default the library will only report the VULNERABLE entries: VULNERABLE, LIKELY VULNERABLE, VULNERABLE (DoS) and VULNERABLE (Exploitable). This argument affects the following functions:
- vulns.Report.make_output(): the default output function for portrule/hostrule scripts.
- vulns.make_output(): the default output function for postrule scripts.
- vulns.format_vuln() and vulns.format_vuln_table() functions.
- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:
nmap --script=ipmi-cipher-zero --script-args vulns.short=value,vulns.showall=value <target>
Ipmi-cipher-zero NSE Script Example Usage
Here's an example of how to use the ipmi-cipher-zero.nse script:
nmap -sU --script ipmi-cipher-zero -p 623 <host>
Ipmi-cipher-zero NSE Script Example Output
Here's a sample output from the ipmi-cipher-zero.nse script:
623/udp open|filtered unknown no-response
| ipmi-cipher-zero:
| VULNERABLE:
| IPMI 2.0 RAKP Cipher Zero Authentication Bypass
| State: VULNERABLE
| Risk factor: High
| Description:
|
| The issue is due to the vendor shipping their devices with the
| cipher suite '0' (aka 'cipher zero') enabled. This allows a
| remote attacker to authenticate to the IPMI interface using
| an arbitrary password. The only information required is a valid
| account, but most vendors ship with a default 'admin' account.
| This would allow an attacker to have full control over the IPMI
| functionality.
|
| References:
| http://fish2.com/ipmi/cipherzero.html
|_ https://www.us-cert.gov/ncas/alerts/TA13-207A
Ipmi-cipher-zero NSE Script Example XML Output
There is no sample XML output for this module. However, by providing the -oX <file> option, Nmap will produce XML output and save it in the file.xml file.
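For triage across many BMCs, the -oX file can be reduced to a list of hosts to remediate. The following is an added example, not part of the original page or of the Nmap project: it reads the state from the `output` attribute of each `<script id="ipmi-cipher-zero">` element and keeps NOT VULNERABLE entries (reported when vulns.showall is set) out of the remediation list. The XML sample, the addresses and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sU -p 623 --script ipmi-cipher-zero
# --script-args vulns.showall -oX scan.xml`; addresses are documentation IPs.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="udp" portid="623">
      <state state="open|filtered" reason="no-response"/>
      <script id="ipmi-cipher-zero" output="&#10;  VULNERABLE:&#10;  IPMI 2.0 RAKP Cipher Zero Authentication Bypass&#10;    State: VULNERABLE&#10;    Risk factor: High"/>
    </port></ports></host>
  <host><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="udp" portid="623">
      <state state="open|filtered" reason="no-response"/>
      <script id="ipmi-cipher-zero" output="&#10;  NOT VULNERABLE:&#10;  IPMI 2.0 RAKP Cipher Zero Authentication Bypass&#10;    State: NOT VULNERABLE"/>
    </port></ports></host>
  <host><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports><port protocol="udp" portid="623">
      <state state="open|filtered" reason="no-response"/>
    </port></ports></host>
</nmaprun>"""

STATE_RE = re.compile(r"^\s*State:\s*(.+?)\s*$", re.MULTILINE)

def cipher_zero_findings(xml_text):
    """Return {address: state} for every host with an ipmi-cipher-zero result."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for script in host.iter("script"):
            if script.get("id") != "ipmi-cipher-zero":
                continue
            m = STATE_RE.search(script.get("output", ""))
            findings[addr] = m.group(1) if m else "UNKNOWN"
    return findings

def vulnerable_hosts(xml_text):
    """Hosts to remediate: any reported state except NOT VULNERABLE or UNKNOWN."""
    return sorted(a for a, s in cipher_zero_findings(xml_text).items()
                  if "VULNERABLE" in s and not s.startswith("NOT "))

if __name__ == "__main__":
    for addr, state in cipher_zero_findings(SAMPLE_XML).items():
        print(f"{addr}\t{state}")
    print("remediate:", ", ".join(vulnerable_hosts(SAMPLE_XML)))
```

Hosts with no script result, such as the third one in the sample, are left out of the findings rather than counted as not vulnerable, since a missing result only means the script returned no data for that host.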
Author
- Claudiu Perta
References
- https://nmap.org/nsedoc/scripts/ipmi-cipher-zero.html
- https://github.com/nmap/nmap/tree/master/scripts/ipmi-cipher-zero.nse
- http://fish2.com/ipmi/cipherzero.html
- https://www.us-cert.gov/ncas/alerts/TA13-207A
Version
This page has been created based on Nmap version 7.92.