
IPMI: Hack a Server That Is Turned Off

UnderAttack writes "A common joke in infosec is that you can't hack a server that is turned off. You better make sure that the power cord is unplugged, too. Otherwise, you may be exposed via IPMI, a component present on many servers for remote management that can be used to flash firmware, get a remote console and power cycle the server even after the normal power button has been pressed to turn the server off."
  • Different networks (Score:5, Insightful)

    by __aardcx5948 ( 913248 ) on Saturday June 09, 2012 @07:36AM (#40267365)

    We keep the management network and the production network on separate physical networks. So if you get into a box, you still can't IPMI to any other box.

    Also, this is not hacking, it's by design.

  • by Anonymous Coward on Saturday June 09, 2012 @07:36AM (#40267369)

    Saying "you can't hack ..." is just stupid because there's no bigger challenge. That's famous-last-words material right there.

  • by ewanm89 ( 1052822 ) on Saturday June 09, 2012 @07:39AM (#40267381) Homepage
    Same as if I turned wakeonlan on, it should be no surprise one can remotely wake it up if I did turn it off.
  • by Junta ( 36770 ) on Saturday June 09, 2012 @08:19AM (#40267507)

    However, IME it's a half-baked technology

    It's a very robust and reliable technology. Just because Supermicro pushes half-baked tools doesn't mean the technology is flawed. People go with Supermicro because they are cheaper than the IBM, Dell, and HP implementations, but you get what you pay for.

  • by Gription ( 1006467 ) on Saturday June 09, 2012 @10:30AM (#40268171)
    I think the submitter of this article (and the approver...) think that this is something new.

    They will be horrified if they ever run across standard management modules like iLO 2 or DRAC.
    This "warning" is like the warnings for dihydrogen monoxide and hydric acid.
  • by m.dillon ( 147925 ) on Saturday June 09, 2012 @01:01PM (#40269037) Homepage

    So far IPMI has managed to survive all the crap vendors try to add to it. Chalk one up for standards! It's gone through some growing pains (the original standard was badly broken and precursors tried to share the Ethernet port on the mobo), but has settled down into a usable implementation in the last few years, as long as you only use open-source IPMI tools like 'ipmitool'. There are typically still hiccups with the video sniffing implementations (particularly when the OS switches video modes), but serial port forwarding seems to work quite well.

    In any case, IPMI has been a godsend for those of us with smaller server installations. It removes the need for an addressable PDU and removes the need for a console server. It removes a lot of cables.

    Once the BIOS is set up you don't need to connect a keyboard or monitor to the machine ever again, even when you are physically in the machine room. You just plug your laptop into the switch or Wifi and poof.

    There are numerous ways to secure the IPMI net. If configured properly, IPMI 2.0 has reasonable security but can still be DoS'd. The best thing about the standard is that it is trivial to insert machines, IP filters, and other things between the IPMI network and the rest of the world, but the fact that it can connect directly to the internet also ensures that those extra gadgets are going to be fairly cheap in order to compete. Always only use the IPMI 2.0 UDP protocol... if the thing has a web server or ssh access (easy to test), turn those off straight away.

    Mobos with IPMI tend to cost ~$20-$50 more and the IPMI module itself (when not built in) typically costs $30-$60. Considering what you get for it, it's damn cheap. IPMI has already saved me thousands of dollars worth of equipment, gas, and time.

    -Matt
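
Added example, not part of any comment above: a small audit of your own BMC inventory that combines two points raised in the thread, namely that each BMC address should sit inside the dedicated management network and that no web or SSH listener should be left enabled on it. The inventory, the subnet and the function names are constructed for illustration; only TCP listeners are checked.

```python
import ipaddress
import socket

# Assumption: the TCP services to switch off are the web UI and SSH.
UNWANTED_TCP = {22: "ssh", 80: "http", 443: "https"}


def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered or timed out: treat as not reachable.
        return False


def audit_bmc(name, bmc_ip, mgmt_net, ports=UNWANTED_TCP, timeout=1.0):
    """Return a list of findings for one BMC; an empty list means it passed."""
    findings = []
    # Check 1: the BMC address must belong to the management network.
    if ipaddress.ip_address(bmc_ip) not in ipaddress.ip_network(mgmt_net):
        findings.append(f"{name}: BMC {bmc_ip} is outside management net {mgmt_net}")
    # Check 2: no web or SSH listener should answer on the BMC.
    for port, service in sorted(ports.items()):
        if tcp_open(bmc_ip, port, timeout):
            findings.append(f"{name}: {service} listener on {bmc_ip}:{port}, disable it")
    return findings


if __name__ == "__main__":
    # Constructed inventory (hypothetical hosts); replace with your own BMCs.
    inventory = {"db01": "10.20.0.11", "web01": "192.0.2.45"}
    for host, ip in inventory.items():
        for finding in audit_bmc(host, ip, "10.20.0.0/24", timeout=0.5):
            print(finding)
```

Run it from a host on the management network, since a filtered path from elsewhere would hide listeners that are still enabled.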
