Breaking into Servers via Remote Management Systems in 5 Mins💀

Gnana Aravind K
4 min read · Jan 21, 2025


Hi everyone! I'm aravind0x7, a cybersecurity enthusiast, researcher, and robotics engineer with a passion for uncovering vulnerabilities in the wild. You might have come across some of my other blogs, where I explored vending machine hacks or gave you insights into IoT security. Today, I'm bringing you another real-world story from my hunts in cyberspace, this time involving Remote Management Systems and the dangers of leaving default credentials unchecked.

Disclaimer: This blog is intended for educational and awareness purposes only. All activities mentioned here were performed in a controlled, ethical manner, and no harm was caused to any individual or organization. If you're inspired to explore similar vulnerabilities, please ensure you have proper authorization before proceeding. Hacking without consent is illegal and unethical.

How It All Began

While sipping coffee and casually exploring Censys (a search engine designed for security researchers and IT professionals), I expected to land on some remote devices and look over exposed systems. For those unfamiliar, a Censys dork is essentially a targeted query used to uncover specific devices or services exposed on the internet. After surfing for a while, I was greeted by RMS (Remote Management Systems), the ultimate deathnote for managing devices like servers, IoT devices, and OT systems remotely.

Here's the exact dork I found while hunting:

services.http.response.body: "ASMB9-iKVM"
Censys Search Results

This query quickly revealed a shocking number of ASUS ASMB9-iKVM modules openly accessible online. For context, the ASMB9-iKVM is a remote server management module used for server administration. It allows administrators to manage hardware remotely, even rebooting servers or accessing system logs. Sounds powerful, right? Well, it's also terrifying when you realize many of these devices were still using their default credentials: admin:admin.

Login Interface

At this point, I knew I had to investigate further. With proper precautions and in an ethical manner, I tested one of the systems to confirm my suspicions. Sure enough, I was granted full access.

Access to Admin Controls

The Extent of the Exposure

Here's a breakdown of what I discovered upon logging in:

  • System Overview: Detailed hardware and firmware information.
  • Power Control: Ability to power servers on or off remotely.
  • Console Access: Direct server console access, enabling full control of the underlying system.
  • User Management: Options to create, delete, or modify user accounts.

This level of access essentially gives an attacker the keys to the kingdom. It's like finding a server's master control panel left wide open for anyone to play with.

Live data from the server

The Fallout: Why This Matters

Let's break down the potential consequences of such exposures:

  1. Data Breaches: Exfiltration of sensitive business or personal data could lead to lawsuits and regulatory fines.
  2. Service Damage: Critical services could be disrupted by remotely powering off servers.
  3. Ransomware Deployment: Full console access makes it trivial to deploy malicious payloads.
  4. Lateral Movement: Attackers could use these devices as entry points to pivot into broader network infrastructures.

Other Critical Exposures

Why Does This Keep Happening?

Leaving default credentials in place is one of the oldest mistakes in the book, yet it's still in practice. Often, these devices are configured by third-party vendors who focus on getting things running quickly rather than securely. Organizations might not even realize these devices are exposed to the internet [the sad reality].

Remote Console Access

Securing Your RMS Devices

If you're responsible for managing these devices, here's how you can lock them down:

  1. Change Default Credentials: Use strong, unique passwords.
  2. Network Segmentation: Isolate management interfaces from public networks.
  3. Regular Firmware Updates: Keep devices patched against known vulnerabilities.
  4. Audits: Periodically use tools like Censys to check for exposure.
  5. Disable Unused Features: Minimize the attack surface by turning off unnecessary functions.
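To make steps 1, 2 and 4 concrete, here is an added example (my own code, not from the original post or from ASUS/Censys) of a small offline audit script. It takes an exported list of host records, flags any ASMB9-iKVM web interface that sits outside the networks you have designated for management, checks a credential pair against the admin:admin default named above, and produces a replacement password. The record layout, the sample hosts and the management CIDR are all constructed for illustration and are not the real Censys export schema.

```python
"""Offline audit of exported scan records for exposed ASUS ASMB9-iKVM
BMC web interfaces.

Assumption: the record layout below is a simplified, hypothetical export
format; it is NOT the Censys API schema."""
import ipaddress
import secrets
import string

# Signature string taken from the blog post's Censys query.
BMC_SIGNATURE = "ASMB9-iKVM"

# The only default pair the post reports is admin:admin.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin")}

# Constructed sample export: two hosts serve a BMC web UI, one does not.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.10", "services": [
        {"port": 443, "service_name": "HTTP",
         "http": {"response": {"body": "<title>ASMB9-iKVM</title>"}}}]},
    {"ip": "10.20.0.5", "services": [
        {"port": 80, "service_name": "HTTP",
         "http": {"response": {"body": "<html>ASMB9-iKVM login</html>"}}}]},
    {"ip": "203.0.113.20", "services": [
        {"port": 22, "service_name": "SSH", "banner": "SSH-2.0-OpenSSH"}]},
]

# Constructed: the management VLAN where BMCs are supposed to live.
MANAGEMENT_NETWORKS = ["10.20.0.0/24"]


def is_bmc_service(service):
    """True when the HTTP response body carries the BMC signature."""
    body = service.get("http", {}).get("response", {}).get("body", "")
    return BMC_SIGNATURE in body


def in_management_network(ip, networks):
    """True when ip falls inside any of the allow-listed CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def audit_exposure(records, networks):
    """Return one finding per BMC web service whose host address is
    outside the allowed management networks (segmentation check)."""
    findings = []
    for host in records:
        for svc in host.get("services", []):
            if not is_bmc_service(svc):
                continue
            if not in_management_network(host["ip"], networks):
                findings.append({
                    "ip": host["ip"],
                    "port": svc["port"],
                    "reason": "BMC web UI reachable outside management network",
                })
    return findings


def credential_is_default(username, password):
    """Flag a configured credential pair that matches a known vendor default."""
    return (username, password) in KNOWN_DEFAULT_CREDENTIALS


def generate_bmc_password(length=24):
    """Produce a random replacement password using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for finding in audit_exposure(SAMPLE_RECORDS, MANAGEMENT_NETWORKS):
        print(f"EXPOSED {finding['ip']}:{finding['port']} - {finding['reason']}")
    print("admin:admin is a known default:", credential_is_default("admin", "admin"))
    print("example replacement password:", generate_bmc_password())
```

Run against a real export you would replace SAMPLE_RECORDS with the parsed file and MANAGEMENT_NETWORKS with your own management ranges; every finding is a device that should be moved behind the management VLAN or a VPN before anything else, and any credential that trips credential_is_default should be rotated on the spot.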

Closing Thoughts

Leaving default credentials on internet-facing devices is like leaving your house unlocked with a neon sign saying, "Come in and take what you want 😂". As cybersecurity professionals, it's our responsibility to educate organizations about these risks and encourage better practices.

Always practice ethical disclosure and never exploit the vulnerabilities you find for malicious purposes. Let's connect, catch me on LinkedIn.

Stay curious, stay secure, and hack responsibly. 🙌

Written by Gnana Aravind K

Hacktivist | OT-ICS-IoT Researcher | Bug Bounty Hunter | Robotics and Automation Engineer