> In short, the authentication process for IPMI 2.0 mandates that the server send a salted SHA1 or MD5 hash of the requested user's password to the client, prior to the client authenticating.
ipmi also has a maximum password length of 20 characters. In realworld you have to note that we only expect hashes to remain secret from known pentesters who have a limited contractual runtime, not a real attacker with unlimited time on their hands.
I'm very critical of this. It's been in the spec for 20 years. Is not the whole point of software that it is easier to change than hardware? It's easy to say "you should put this on a vlan" but I pretty much ALWAYS see ipmi on the business network in my assessments. If you put dumb stuff in your defaults then you're gonna end up with dumb stuff all over the globe and that includes every business without a knowledgeable security administrator that decides to "buy a server".
> In short, the authentication process for IPMI 2.0 mandates that the server send a salted SHA1 or MD5 hash of the requested user's password to the client, prior to the client authenticating.
ipmi also has a maximum password length of 20 characters. In realworld you have to note that we only expect hashes to remain secret from known pentesters who have a limited contractual runtime, not a real attacker with unlimited time on their hands.
I'm very critical of this. It's been in the spec for 20 years. Is not the whole point of software that it is easier to change than hardware? It's easy to say "you should put this on a vlan" but I pretty much ALWAYS see ipmi on the business network in my assessments. If you put dumb stuff in your defaults then you're gonna end up with dumb stuff all over the globe and that includes every business without a knowledgeable security administrator that decides to "buy a server".