APC PDU: resetting passwords with SNMP instead of a serial cable

Jan 22, 2014 21:32


So recently at one of the things I do for money, we got some used APC PDUs, AP7900. You can get them on eBay now for $100-$150USD, including shipping. They still sell the identical model, so there's nothing wrong with used gear. However, when they come, it's possible that the last owner didn't remove the passwords. There are some general guides on the Internet, but they almost exclusively revolve around using a custom serial cable.

While this guide is aimed at APC PDUs, APC actually uses a common embedded OS on many of their products, and the SNMP trick documented here was derived from their document "Management Card Addendum", part number 990-6015A.
Finding the device IP

If you're really lucky, the device will issue a BOOTP or DHCP request on boot. Then you can easily figure it out from there. If not, read on.

In the case of the PDUs, there is a large grey button. Hold it for 30 seconds, then release and press it again, and the display will cycle through the IP address. For other devices, you might need to connect directly and sniff for traffic to figure out the IP, or issue ARP requests for possible IPs (scanning 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 takes an hour or two with nmap, for example).
Default passwords

You might as well try all the default passwords first; it won't hurt. The protocols to try are Telnet, SSH, HTTP and HTTPS, with usernames apc, device and readonly (web interface only), all with the password apc. If the apc username works, you don't need the rest of this document.

If your firmware is really old, you should also try any username with the password TENmanUFactOryPOWER. This drops you into factory test mode, where you can read the password from the EEPROM (option 13, then look at offset 0x1D0, but be aware that the offset differs between revisions). In later revisions, this password only works over a serial cable.
SNMP

This is where it gets interesting. The PDUs ship with a stock configuration of two SNMP communities: public and private. If the latter works, we'll use it to reset the device entirely. Test with snmpget -v 1 -c private $IP SNMPv2-MIB::sysDescr.0, where $IP is the IP you found earlier.
Resetting the device with SNMP

If you've made it this far, you're stuck with an APC device that you don't have administrator access to over Telnet or SSH, but the SNMP private community works. You'll need to get the SNMP MIBs from APC next. Then you need a file from APC, i2c301.exe; it is a Windows binary, but runs perfectly fine under WINE. Save the text below as rpdu.ini:

[NetworkTCP/IP]
SystemIP = 0.0.0.0
SubnetMask = 0.0.0.0
DefaultGateway = 0.0.0.0
Bootp = enabled

[NetworkTFTPClient]
RemoteIP = 0.0.0.0

[NetworkFTPClient]
RemoteIP = 0.0.0.0
RemoteUserName = apc
RemotePassword = apc

[NetworkFTPServer]
Access = enabled
Port = 21

[NetworkTelnet]
Access = enabled
Port = 23

[NetworkWeb]
Access = enabled
Port = 80

[NetworkSNMP]
Access = enabled
AccessControl1Community = public
AccessControl1NMSIP = 0.0.0.0
AccessControl1AccessType = read
AccessControl2Community = private
AccessControl2NMSIP = 0.0.0.0
AccessControl2AccessType = write

[NetworkDNS]
DNSServerIP = 0.0.0.0

[SystemID]
Name = Unknown
Contact = Unknown
Location = Unknown

[SystemDate/Time]
Date = 01/01/2014
Time = 12:00:00

[SystemUserManager]
Authentication = Basic
AutoLogout = 10
AdminUserName = apc
AdminPassword = apc
AdminAuthPhrase = admin user phrase
DeviceUserName = device
DevicePassword = apc
DeviceAuthPhrase = device user phrase
Run i2c301.exe rpdu.ini. This will generate apc.cfg. Set up a TFTP server on your local subnet so that the PDU's IP will be able to reach it. Place apc.cfg in a path where it can be reached; I used /apc/apc.cfg. Now run the following commands, giving a second or so between them.

snmpset -v 1 -c private $DEVICEIP PowerNet-MIB::mfiletransferConfigTFTPServerAddress.0 s $SERVERIP
snmpset -v 1 -c private $DEVICEIP PowerNet-MIB::mfiletransferConfigSettingsFilename.0 s /apc/apc.cfg
snmpset -v 1 -c private $DEVICEIP PowerNet-MIB::mfiletransferControlInitiateFileTransfer.0 i initiateFileTransferDownloadViaTFTP
snmpget -v 1 -c private $DEVICEIP PowerNet-MIB::mfiletransferStatusLastTransferResult.0
The PDU will proceed to reset at this point; it can take up to two minutes. You should then be able to log in with the default of apc/apc. Beware that if you're running DHCP it will get a new IP.

You should probably upgrade the system at this point. If you grabbed the updated firmware from APC, it's a self-extracting zip file (unpack with unzip on Linux). FTP to the PDU with the default login. Switch to binary mode (important!) and upload apc_hw02_aos_374.bin. Afterwards the device will reboot again. Reconnect and upload apc_hw02_rpdu_374.bin, again in binary mode.
Locking down your PDU

Now that you've reset the password and upgraded your device, it's time to lock it down PROPERLY. Switch to SSHv2 only, disable FTP, and change all SNMP communities.
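To check that the lock-down actually took, here is an added audit script (my own code, not from the original post or from APC). It probes the FTP, Telnet and HTTP ports that should now be closed, checks that SSH still answers, and tries the stock public and private communities with the same snmpget the post uses; the service table, the pass/fail logic and the port numbers (taken from the rpdu.ini defaults above) are assumptions, as is net-snmp's snmpget being on PATH.

```python
import socket
import subprocess

# Services the lock-down step says to disable (ports from the rpdu.ini
# defaults above) and the one that should remain reachable.
EXPECT_CLOSED = {"ftp": 21, "telnet": 23, "http": 80}
EXPECT_OPEN = {"ssh": 22}
# Stock community strings that must no longer answer once communities are changed.
DEFAULT_COMMUNITIES = ("public", "private")


def port_open(ip, port, timeout=2.0):
    """True if a TCP connect to ip:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def community_answers(ip, community):
    """True if the PDU answers an SNMPv1 sysDescr get for this community.
    Same snmpget as in the post; -t/-r keep a dead community from stalling."""
    cmd = ["snmpget", "-v", "1", "-c", community, "-t", "2", "-r", "0",
           ip, "SNMPv2-MIB::sysDescr.0"]
    try:
        res = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    return res.returncode == 0 and res.stdout.strip() != ""


def evaluate(open_ports, live_communities):
    """Return the lock-down items that still fail. open_ports maps service
    name -> reachable?; live_communities is the set of defaults that answered."""
    failures = [f"{n} is still enabled" for n in EXPECT_CLOSED if open_ports.get(n)]
    failures += [f"{n} is not reachable" for n in EXPECT_OPEN if not open_ports.get(n)]
    failures += [f"default SNMP community '{c}' still answers"
                 for c in sorted(live_communities)]
    return failures


def audit(ip):
    """Probe the PDU at ip and return a list of failing lock-down items."""
    services = {**EXPECT_CLOSED, **EXPECT_OPEN}
    open_ports = {n: port_open(ip, p) for n, p in services.items()}
    live = {c for c in DEFAULT_COMMUNITIES if community_answers(ip, c)}
    return evaluate(open_ports, live)


if __name__ == "__main__":
    import sys
    problems = audit(sys.argv[1])
    print("\n".join(problems) or "lock-down checks passed")
```

Run it as python3 audit_pdu.py $DEVICEIP; an empty list from audit() means every item on the list above is in place.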
Giving up your PDU

If you're getting rid of old PDUs, please remember to remove the passwords on them! It makes it easier for the next sysadmin to deploy the PDU, and it also prevents leaking any passwords to an attacker with a serial cable and the factory password.

apc, sysadmin, pdu
