posts /

Supermicro IPMIView and passwords

Posted Tue 27 Jun 2017 02:06:19 PM CEST Florian Lohoff in

Supermicro did a "wonderful" job in making it hard for people to create automatic configs for IPMIView. You can enter username, password and ip address and IPMIView will store it, but for additional security it will "encrypt" the password. They wont tell you how to do it, but will offer a tool to encrypt the password as a java jar file. With some java decompiler and debug code i rewrote it in perl. In the end Supermicro uses the Hostname truncated and padded to 16 bytes as the AES CBC 128 key to encrypt the password.

sub encryptpasswd {
        my ($hostname, $password) = @_;

        # Key is the hostname truncated to 16
        # Padded with NUL to 16 bytes (AES128)
        my $key = substr($hostname,0,16);
        $key.= "\0" x (16 - length($key));

        my $cbc = Crypt::CBC->new(
                -padding => "null",
                -keysize => 16,
                -header => "none",
                -iv => "\0" x 16);

        my $ciphertext = $cbc->encrypt($password);

        return hexstring($ciphertext);