Wednesday, October 3, 2012

iDRAC in the Wild

iDRAC is Dell's remote management feature. It comes in two flavors: Basic and Enterprise. Like most things, it comes with a default user name and password combo (root / calvin). Unfortunately, it does not require you to change the password before it becomes enabled, so you can have iDRAC running with the default user and password.

Well obviously that's not good.

Dave Kennedy recently made a post about using this during a penetration test (blog post at TrustedSec). The scanner he wrote is the best part.

With the Enterprise version you get a virtual console and the ability to load virtual media to boot from. So load up your favorite live CD, reboot, and get pwning.

So I thought to myself: I wonder if people have this default configuration but with a public address. That could cause all kinds of problems.

They do, and there are many of them with the default login from the small amount of searching I've done.

The biggest problem I see, aside from the obvious threat to your entire network, is that someone could launch a live CD, set up a temporary server, do whatever evil deeds need done, then reboot back to the normal boot device, and all evidence is gone. What a fantastic jump point to attack some other network. Need a server for about 20 minutes to drop some files and want to make sure no evidence remains after that? iDRAC is the way to go.

Google Search : intitle:"Integrated Dell Remote Access Controller 6 Enterprise"
Shodan Search : 2.6.24-ami (Just one example)
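
For defenders, the exposure described above (an iDRAC still on root / calvin and reachable from outside the management network) can be checked against your own asset inventory. This is an added example, not code from the original post or from Dave Kennedy's scanner; the CSV columns, the approved management subnets and the sample hosts are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumption: the only subnets where BMC/iDRAC interfaces are allowed to live.
MGMT_NETWORKS = ["10.20.0.0/24", "192.168.50.0/24"]

# Constructed inventory (documentation addresses, not real hosts).
# password_rotated = "yes" means the default root password was changed.
SAMPLE_INVENTORY = """hostname,idrac_ip,password_rotated
db01,10.20.0.15,yes
web03,192.168.50.7,no
edge-a,203.0.113.10,no
edge-b,198.51.100.23,yes
lab02,not-an-ip,no
"""

def audit(inventory_csv, mgmt_networks=MGMT_NETWORKS):
    """Return (hostname, finding) pairs for every iDRAC in the inventory."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["hostname"].strip()
        default_creds = row["password_rotated"].strip().lower() != "yes"
        try:
            addr = ipaddress.ip_address(row["idrac_ip"].strip())
        except ValueError:
            # A bad record hides a device from the audit; surface it.
            findings.append((host, "invalid-address"))
            continue
        isolated = any(addr in net for net in nets)
        if not isolated and default_creds:
            level = "critical"   # default login outside the management network
        elif not isolated:
            level = "high"       # password changed, but still exposed
        elif default_creds:
            level = "medium"     # isolated, but anyone on that subnet gets in
        else:
            level = "ok"
        findings.append((host, level))
    return findings

if __name__ == "__main__":
    for host, level in audit(SAMPLE_INVENTORY):
        print(f"{host:8} {level}")
```

Anything rated critical or high should be moved onto a dedicated management network, and every entry with an unrotated password needs the root password changed regardless of where it sits.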
