Airgapped iDRAC access using ISOs in Virtual Media

Monday, 20 Apr 2020

Ever had an airgapped Baremetal Server (Cisco, Dell, HP, IBM or Whitebox), where your only access to it is via the BMC (iDRAC/iLO/IMM/CIMC/OOB/"Mgmt") Interface for "security reasons" - only to find you suddenly need to extract configuration files from it, or install an Application to it? So have I:

The problem

You need to update a configuration file, exfiltrate some data or install an Application or Binary onto an airgapped Baremetal Server (i.e. an AAA or RADIUS Authentication Box).

The tools

  • IsoCreator (or equivalent skills using "dd" or built-in tools to create an ISO)
  • Java (assuming your Baremetal's BMC doesn't have an HTML5 Native Console)
  • Access to your iDRAC LAN (OOB LAN or iLO LAN)

The solution

Assuming you've appropriately licensed your iLO or iDRAC for the Virtual Media Service (you did know that not all iDRAC Licenses actually let you use a Virtual Console, right?), and let's say you need to install PuTTY onto your airgapped Baremetal Server:

Yes, I too have had the "joy" of working on an IBM xSeries that had an IMM License that only allowed remote Power Operations, but no KVM Console, Virtual Media or anything else. Ta for that, Big Blue; hope that Red Hat acquisition goes real nice for you, you bag of di...

  1. Create an ISO container of your PuTTY exes using IsoCreator or dd
    1. genisoimage -o putty.iso -V PuTTY -R -J /home/User/Downloads/putty
  2. Connect to your Baremetal Server using iDRAC KVM Console
    1. [Screenshot: Dell iDRAC Virtual Console KVM Setup Screen]
  3. Connect "Virtual Media"
    1. [Screenshot: Dell iDRAC Virtual Console KVM Virtual Disk Screen]
  4. Select your putty.iso and "Map Device" in the iDRAC
    1. [Screenshot: Dell iDRAC Virtual Console KVM Virtual Media Connect Screen]
  5. Your Putty.exe (or the contents of putty.iso) is now available as the D:\ Drive (if Windows OS) or /mnt/cdrom (if Linux OS), or similar on your Baremetal OS
  6. Enjoy!
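
Anything that crosses the airgap this way deserves an integrity check on the far side. The script below is an added example, not part of the original post: it wraps the genisoimage command from step 1 and puts a SHA-256 manifest inside the ISO. The function names and the SHA256SUMS file name are assumptions made for the example.

```shell
#!/bin/sh
# Added example: stage files for BMC Virtual Media with a checksum manifest,
# so the copy can be verified once it is mounted on the airgapped host.
# Function names and the SHA256SUMS file name are assumptions.
set -eu

# Write SHA256SUMS inside the staging directory. Paths are relative, so the
# manifest still verifies wherever the ISO ends up mounted.
make_manifest() (
    cd "$1"
    find . -type f ! -name SHA256SUMS -exec sha256sum {} + > SHA256SUMS
)

# Re-hash every file listed in SHA256SUMS. Prints only the failures and
# returns non-zero if anything is missing or does not match.
verify_manifest() (
    cd "$1" || exit 1
    out=$(sha256sum -c SHA256SUMS 2>&1) && exit 0
    printf '%s\n' "$out" | grep -v ': OK$' >&2
    exit 1
)

# Build the ISO with the same genisoimage options as step 1, then record the
# hash of the image itself for your change record.
build_iso() {
    make_manifest "$1"
    genisoimage -quiet -o "$2" -V "$3" -R -J "$1"
    sha256sum "$2" > "$2.sha256"
}

# Usage: ./make_iso.sh /home/User/Downloads/putty putty.iso PuTTY
if [ "$#" -eq 3 ]; then
    build_iso "$@"
fi
```

On a Linux target, after mapping the ISO, `cd /mnt/cdrom && sha256sum -c SHA256SUMS` repeats the check against what actually arrived through the Virtual Media channel.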

If you need to exfiltrate data out of the Server, use the same "Embed Application you want in your ISO, as a Network Transfer tool" process in reverse, but with the "Map Removable Disk" feature instead, and ensure the "Read Only" option is unticked so that you can use iDRAC Virtual Media as a writable location:

[Screenshot: Dell iDRAC Virtual Console Map Removable Disk Screen]

I hope that gets you out of the same holes it's got me out of.