Owning Dell DRAC for ONE AWESOME HACK!

When a new Dell Chassis hardware infrastructure is installed, a web interface is also present to help with management of the Chassis. Each blade has its own web interface that is installed by default on 443 (HTTPS). During a penetration test, the Dell DRAC installations (web interface) can lead to a compromise of the entire infrastructure and ultimately to owning everything else. When the DRAC interface is installed, it ships with default credentials of username “root” and password “calvin”. Today, we are releasing a new tool called the Dell Drac and Chassis Scanner for Default Credentials v0.1a, which scans CIDR ranges looking for default installations. It’s extremely quick: it scans a /24 in less than a minute and a class B in about an hour. This gives you the results of all of the default installations of the Dell DRAC and Dell Chassis Management Interfaces. Below is an example of the output:

Daves-MacBook-Pro-2:Desktop david$ python delldrac.py
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dell Drac and Chassis Scanner for Default Credentials v0.1a
Written by Dave Kennedy @ TrustedSec

Homepage


@TrustedSec and @dave_rel1k
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Example: python delldrac.py 10.1.1.1/24

python delldrac.py

Daves-MacBook-Pro-2:Desktop david$ python delldrac.py 10.1.1.1/16
[*] Scanning IP addresses, this could take a few minutes depending on how large the subnet range…
[*] Dell Chassis Compromised! Username: root Password: calvin for IP address: 10.1.1.5
[*] DRAC compromised! username: root and Password: calvin for IP address: 10.1.1.9
[*] DRAC compromised! username: root and Password: calvin for IP address: 10.1.1.18

Daves-MacBook-Pro-2:Desktop david$
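The scanner's findings are only useful once they become a remediation list for whoever owns the chassis. The following parser, added here as an example and not part of the tool released in the post, reads output in the shape shown above, handles the two slightly different line formats (the Chassis line and the DRAC line differ in wording and capitalisation), drops duplicates and anything outside the range that was actually scanned, and groups the remaining hosts by device type. The sample text is constructed to match the post's output; the CIDR and addresses are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the scanner output shown in the post.
# The last line is a deliberate duplicate to exercise de-duplication.
SAMPLE_OUTPUT = """\
[*] Scanning IP addresses, this could take a few minutes depending on how large the subnet range...
[*] Dell Chassis Compromised! Username: root Password: calvin for IP address: 10.1.1.5
[*] DRAC compromised! username: root and Password: calvin for IP address: 10.1.1.9
[*] DRAC compromised! username: root and Password: calvin for IP address: 10.1.1.18
[*] DRAC compromised! username: root and Password: calvin for IP address: 10.1.1.9
"""

# One pattern covers both line formats: device type, the credential pair
# (with an optional "and" between them), then the address. IGNORECASE absorbs
# the "Username"/"username" and "Compromised"/"compromised" differences.
LINE_RE = re.compile(
    r"^\[\*\]\s+(?P<device>Dell Chassis|DRAC)\s+compromised!.*?"
    r"username:\s*(?P<user>\S+)\s+(?:and\s+)?password:\s*(?P<pw>\S+)"
    r"\s+for IP address:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$",
    re.IGNORECASE,
)


def parse_findings(text, scanned_cidr):
    """Return a sorted, de-duplicated list of (ip, device, user, password).

    Non-matching lines are skipped, and so is any address outside
    scanned_cidr, so a stray line pasted into a report cannot create a
    phantom finding for a host that was never scanned."""
    net = ipaddress.ip_network(scanned_cidr, strict=False)
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if ip not in net:
            continue
        findings[ip] = (str(ip), m.group("device"), m.group("user"), m.group("pw"))
    return [findings[ip] for ip in sorted(findings)]


def by_device(findings):
    """Group the parsed host addresses by device type for the remediation list."""
    groups = defaultdict(list)
    for ip, device, _user, _pw in findings:
        groups[device].append(ip)
    return dict(groups)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_OUTPUT, "10.1.1.0/24")
    for ip, device, user, pw in found:
        print(f"{ip:<16} {device:<13} {user}/{pw}")
    print(by_device(found))
```

Addresses are sorted as IP addresses rather than strings, so 10.1.1.18 lands after 10.1.1.9 instead of between 10.1.1.1 and 10.1.1.2.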

Once you have an idea of which IP addresses have the default installations, browse via HTTPS to the installation, as shown below:

drac1

Using the default credentials of username “root” and password of “calvin”, you can successfully log into the main management interface:

drac2

Once inside, there are many options available to you, such as rebooting the server, viewing server health and, most importantly, the virtual media/console. Inside the virtual media/console options, you have the ability to mount remote virtual media. Since you are interfacing directly with the hardware, you can enable the virtual media, have it automatically attach, then reboot the server on the other end into an ISO of your choosing. When we did this penetration test, we rebooted the Windows Server 2008 R2 instance into our favorite Back|Track 5 ISO and mounted the NTFS drive read/write. Once inside, we made a backup of utilman.exe (located in System32) and copied cmd.exe to utilman.exe. When we rebooted the server, hitting the Windows key + U triggered Utilman (utilman.exe) and popped up a command prompt with SYSTEM level privileges. Below is a step-by-step walkthrough:

1. Log into the Dell DRAC instance.
2. From the main console, select the Virtual Console/Media tab and select “Configuration”.
3. Set the Console Plug-in Type for IE to Java instead of ActiveX (ActiveX seemed buggy for me).
4. On the Virtual Media section in the same tab, select “Auto Attach”.

drac3

5. Select the Virtual Console and Virtual Media tab and launch the Java Applet console for the Virtual Media interface.
6. Once inside, mount the virtual media device and select your ISO from your local filesystem.

drac4

7. Under the “Power” tab, reboot the server. Press F11 during the initial boot sequence to force a selection of boot options, or edit the BIOS to ensure Virtual Media is selected first.
8. Wait for the boot sequence and select Virtual Media adapter.

drac5

9. Reboot into Back|Track Linux; this will take a few minutes since you are booting an ISO over the network.

drac6

10. Once inside, mount the NTFS volume read/write (the mount point must match the directory you created):
mkdir /mnt/win
mount -t ntfs-3g /dev/sda1 /mnt/win

11. Once mounted, go to the Windows System32 directory on the mounted volume (the %WINDIR% variable only exists on Windows, so use the Linux path) and do the following; leave the directory before unmounting or umount will report the target as busy:
cd /mnt/win/Windows/System32
mv utilman.exe utilman.exe.bak
cp cmd.exe utilman.exe
cd /
umount /mnt/win

12. Reboot the machine and, when the Server 2008 logon window appears, hit the Windows key + U. From there you will get a command prompt running as SYSTEM. Type explorer.exe to get a start menu. After that, dump hashes, add a local admin, pillage, steal Kerberos tokens, etc. Note that in this step you can also use sethc.exe: make a backup of that and copy cmd.exe to sethc.exe. After the reboot, hitting the Shift key five times (Sticky Keys) gives you a SYSTEM command prompt as well.

drac7
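The final step leaves two artefacts a defender can look for on the server itself: an accessibility binary (utilman.exe or sethc.exe) whose contents are identical to cmd.exe, and a stray utilman.exe.bak beside it. The following check, added here as an example and not part of the post or the released tool, hashes those binaries in a System32 directory, compares each against cmd.exe and against an optional baseline recorded on a known-good host, and reports any leftover .bak copies. The demo directory it builds is a constructed stand-in for System32 with made-up file contents; on a real host you would point audit_system32 at the actual directory.

```python
import hashlib
import os
import tempfile

# Accessibility helpers that Windows launches as SYSTEM from the logon screen.
# utilman.exe (Win+U) and sethc.exe (Sticky Keys) are the two named in the post.
ACCESSIBILITY_BINARIES = ("utilman.exe", "sethc.exe")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(system32_dir):
    """Snapshot the hashes of the accessibility binaries on a known-good host."""
    return {name: sha256_of(os.path.join(system32_dir, name))
            for name in ACCESSIBILITY_BINARIES
            if os.path.exists(os.path.join(system32_dir, name))}


def audit_system32(system32_dir, baseline=None):
    """Return a list of (finding, filename) tuples for system32_dir.

    Independently of any baseline, an accessibility binary whose bytes equal
    cmd.exe is reported, as is a leftover <name>.bak copy. When a baseline
    dict {filename: sha256} is supplied, any hash mismatch is reported too."""
    findings = []
    cmd_hash = sha256_of(os.path.join(system32_dir, "cmd.exe"))
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32_dir, name)
        if not os.path.exists(path):
            findings.append(("missing", name))
            continue
        digest = sha256_of(path)
        if digest == cmd_hash:
            findings.append(("replaced_with_cmd", name))
        if baseline and baseline.get(name) not in (None, digest):
            findings.append(("baseline_mismatch", name))
        if os.path.exists(path + ".bak"):
            findings.append(("backup_copy_present", name + ".bak"))
    return findings


def build_demo_dir():
    """Construct a fake System32 in a temp dir: sethc.exe intact, utilman.exe
    swapped for a copy of cmd.exe, with the original left as utilman.exe.bak.
    File contents are constructed placeholders, not real binaries."""
    d = tempfile.mkdtemp()
    contents = {
        "cmd.exe": b"CONSTRUCTED cmd.exe bytes",
        "sethc.exe": b"CONSTRUCTED sethc.exe bytes",
        "utilman.exe.bak": b"CONSTRUCTED utilman.exe bytes",
        "utilman.exe": b"CONSTRUCTED cmd.exe bytes",
    }
    for name, data in contents.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for finding in audit_system32(demo):
        print(finding)
```

The cmd.exe comparison catches the exact technique in the post without needing a baseline; the baseline comparison additionally catches a replacement with some other binary, which is why both checks run.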

You can download the tool here: Dell Drac and Chassis Scanner for Default Credentials v0.1a download

David Kennedy

Author: David Kennedy

Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.