- Community Home
- >
- Servers and Operating Systems
- >
- HPE ProLiant
- >
- ProLiant Servers (ML,DL,SL)
- >
- Re: iLo5 default user "admin" with password "passw...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-02-2021 07:37 PM
06-02-2021 07:37 PM
iLo5 default user "admin" with password "password" - what is this for? How do I change it?
So I just ran hponcfg -a -w and I see this in the output:-
<LOGIN USER_LOGIN="admin" PASSWORD="password">
That's not my username or password (which I do correctly see in the <ADD_USER> seciton of the XML later)
What are the above credentials used for? How do I change those?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-02-2021 08:54 PM
06-02-2021 08:54 PM
Re: iLo5 default user "admin" with password "password" - what is this for? How d
Hello,
I found the below information while going through the iLO 5 Scripting guide.
"For security reasons, the default user administrator and user passwords are not captured in the configuration file or returned in the response. A variable is provided in its place to use with the substitute optionto provide a default password for all users when restoring a configuration. Manually change the password before using the file to restore the configuration."
For more information you may refer to the HPE iLO 5 Scripting and Command Line Guide pg.27 (https://support.hpe.com/hpesc/public/docDisplay?docId=a00018323en_us)
Hope it helps!
Note: "While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company."
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-03-2021 01:56 AM
06-03-2021 01:56 AM
Re: iLo5 default user "admin" with password "password" - what is this for? How d
Hi - I am aware of that - and the name of the variable for passwords is " %user_password% "
Note also on the top of that same page that it explains that all variables are wrapped in % signs.
So "password" is not a variable - is the the actual password, in the clear.
Can you please find out what this is for? I have in the past reverse-engineered firmware for a few different devices like this, and in EVERY case so far, I have ALWAYS found a back-door of this kind - from the fact that this is in the XML dump, it shows that there is almost certainly an admin endpoint that is going to provide access to anyone who stuffs those credentials in. So - we all need to know, no guessing, no "maybe", exactly what those credentials are for. Maybe it's a web console? or a serial port login? or a mainboard firmware I2C plug? or maybe something else - the point here is that it's stored in the iLo EEPROM for some kind of reason, and a password of "password" is NEVER secure.
Never using simplistic hardcoded default passwrods is literally the #1 recommendation of every IoT security best-pracice guide there is.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-03-2021 11:03 PM
06-03-2021 11:03 PM
Re: iLo5 default user "admin" with password "password" - what is this for? How d
Hello,
The iLO default login and password are on the server pull tab on the server.
https://support.hpe.com/hpesc/public/docDisplay?docId=sf000046874en_us&docLocale=en_US
Thanks.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-04-2021 09:47 PM
06-04-2021 09:47 PM
Re: iLo5 default user "admin" with password "password" - what is this for? How d
Not funny.
Since your tag says you work for HPE, how about you get in touch with your firmware team and ask them what service accepts the credentials that are dumped out from the iLo with the username "admin" and the password "password".
You know - like - EXACTLY WHAT MY QUESTION ASKED IN THE FIRST PLACE.
The whole mess smells like a wormable CVE exploit just waiting for the baddies to find out, because nobody at HPE seem to care.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-05-2021 07:46 PM
06-05-2021 07:46 PM
Re: iLo5 default user "admin" with password "password" - what is this for? How d
have you try use it(the info you dump out) to login to your server?
I try use those kind info to login to server, admin/password
it doesn't work...
Easy way to break the iLO login it hard way to change the jump pin from motherboard
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-05-2021 09:01 PM
06-05-2021 09:01 PM
Re: iLo5 default user "admin" with password "password" - what is this for? How d
Logins that I know of include:
a) The iLo web console
b) SSH
c) Serial
d) SPI/I2C onboard serail-console headers
I've tested (a) and (b) - not sure how to test (c). Do not have physical access to test (d) [my box is in a DC in another country]. You miss the point of my question though. The iLo stores this data, so that must be the username and password for SOMETHING - the problem here is that nobody at HPE is telling us WHAT that something actually IS. - it's not (a) or (b).
HPE - are you listenting? - WHAT ARE THOSE CREDENTIALS **FOR** ?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-07-2021 10:16 AM
06-07-2021 10:16 AM
Re: iLo5 default user "admin" with password "password" - what is this for? How d
By the way, you can always use hydra to try and bruteforce the ilo.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-07-2021 04:55 PM - edited 06-07-2021 04:56 PM
06-07-2021 04:55 PM - edited 06-07-2021 04:56 PM
Re: iLo5 default user "admin" with password "password" - what is this for? How d
I am the end user. The problem is that there is NO PLACE where those credentials can be replaced (see the manual page 351 I think - it lists "N/A" in the column for where we can administer those credentials).
Nobody here is even trying to address my actual question. Why is this so hard to understand.
What are these credentials FOR ?
Nobody puts the effort into adding XML fields to save and restore credentials that have no purpose, so HOW do we find out what that PURPOSE is.
Humans make mistakes - I'm not saying this is a deliberate back door, but I *am* saying that this definitey looks like an accidental one. "Never use default credentials" is literally the #1 rule of embedded security. I paid $12,000 for my server - I do not appreciate the fact that nobody at HPE seems to care one iota about my security here.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-08-2021 08:09 AM - edited 06-08-2021 08:35 AM
06-08-2021 08:09 AM - edited 06-08-2021 08:35 AM
Re: iLo5 default user "admin" with password "password" - what is this for? How d
So you're not actually pulling admin and password from the eeprom when you use the -w flag. When you use -w, iLO won't give you the system's user and PW and instead puts those placeholders into the XML for you so that if you want to use that XML to script changes in the future, you can add in the appropriate user and PW in those spots in order for the script to run. You can see the same type of thing in our XML example scripts https://support.hpe.com/hpesc/public/swd/detail?swItemId=MTX_1cb36523d7474ac79a4a6c5d71
I'm an HPE Product Manager