robbat2: (ubercoder)
[personal profile] robbat2

So recently at one of the things I do for money, we got some used APC PDUs, AP7900. You can get them on eBay now for $100-$150USD, including shipping. They still sell the identical model, so there's nothing wrong with used gear. However, when they come, it's possible that the last owner didn't remove the passwords. There are some general guides on the Internet, but they almost exclusively revolve around using a custom serial cable.

While this guide is aimed at APC PDUs, APC actually uses a common embedded OS on many of their products, and the SNMP trick I have documented here was derived from their document: "Management Card Addendum", part number 990-6015A

Finding the device IP

If you're really lucky, the device will issue a BOOTP or DHCP request on boot. Then you can easily figure it out from there. If not, read on.

In the case of the PDUs, there is a large grey button. Hold it for 30 seconds, then release and press again, and it will cycle through displaying the IP. For other devices, you might been connect directly, and sniff for traffic to figure out the IP, or issue ARP requests for possible IPs (scanning,, an hour or two with nmap for example).

Default passwords

You might as well try all the default passwords first, it wouldn't hurt you. The protocols you want to try are Telnet, SSH, HTTP, HTTPS. Usernames of apc, device, readonly (web interface only); all with a password of apc. If the username of apc works, you don't need the rest of this document.

If your firmware is really old, you should also try any username with the password of TENmanUFactOryPOWER. This will drop you into factory test mode, and you can read the password from the EEPROM this way (option 13, then look at offset 0x1D0, but realize that the offset is different in various revisions). In later revisions, this password is only usable with a serial cable.


This is where we can get interesting. The PDUs come with a stock configuration of two SNMP communities: public and private. If the latter works, we'll use it to reset the device entirely. Test with: snmpget -v 1 -c private $IP SNMPv2-MIB::sysDescr.0, where $IP is the IP you found before.

Resetting the device with SNMP

If you've made it this far, you're stuck with an APC device, that you don't have administrator access with Telnet or SSH, but the SNMP private community does work

. You'll need to go and get the SNMP MIBS from APC next. Then you need a file from APC, it is a windows binary, but runs perfectly fine under WINE: i2c301.exe. Paste the file below to rpdu.ini:
SystemIP =
SubnetMask =
DefaultGateway =
Bootp = enabled
RemoteIP =
RemoteIP =
RemoteUserName = apc
RemotePassword = apc
Access = enabled
Port = 21
Access = enabled
Port = 23
Access = enabled
Port = 80
Access = enabled
AccessControl1Community = public
AccessControl1NMSIP =
AccessControl1AccessType = read
AccessControl2Community = private
AccessControl2NMSIP =
AccessControl2AccessType = write
DNSServerIP =
Name = Unknown
Contact = Unknown
Location = Unknown
Date = 01/01/2014
Time = 12:00:00
Authentication = Basic
AutoLogout = 10
AdminUserName = apc
AdminPassword = apc
AdminAuthPhrase = admin user phrase
DeviceUserName = device
DevicePassword = apc
DeviceAuthPhrase = device user phrase

Run i2c301.exe rpdu.ini. This will generate apc.cfg. Setup up a TFTP server on your local subset, so that the IP on the PDU will be able to reach it. Place that apc.cfg in a path where it can be reached, I used /apc/apc.cfg in my case. Now run the following commands, giving a second or so between them.

snmpset -v 1 -c private $DEVICEIP PowerNet-MIB::mfiletransferConfigTFTPServerAddress.0 s $SERVERIP
snmpset -v 1 -c private $DEVICEIP PowerNet-MIB::mfiletransferConfigSettingsFilename.0 s /apc/apc.cfg
snmpset -v 1 -c private $DEVICEIP PowerNet-MIB::mfiletransferControlInitiateFileTransfer.0 i initiateFileTransferDownloadViaTFTP
snmpget -v 1 -c private $DEVICEIP PowerNet-MIB::mfiletransferStatusLastTransferResult.0

The PDU will proceed to reset at this point, it can take up to two minutes. You should then be able to log in with the default of apc/apc. Beware that if you're running DHCP it will get a new IP.

You should probably upgrade the system at this point. If you grabbed the updated firmware from APC, it's a self-extracting zipfile (unpack with unzip in linux). FTP to the PDU, with the default login. Switch to binary mode (important!), and upload apc_hw02_aos_374.bin. Afterwards the device will reboot again. Reconnect afterwards and upload apc_hw02_rpdu_374.bin, again in binary mode.

Locking down your PDU

Now that you've reset the password and upgrade your device, it's time to lock it down PROPERLY. Switch to SSHv2 only, disable FTP, change all SNMP communities.

Giving up your PDU

If you're getting rid of old PDUs, please remember to remove the passwords on them! It makes it easier for the next sysadmin to deploy the PDU, but also prevents leaking any passwords to an attacker with a serial cable and the factory password.

(no subject)

Date: 2014-01-23 04:49 pm (UTC)
From: [identity profile] pál tóbiás (from
For the "Finding the device IP" part I usually use netdiscover:

May 2017

141516171819 20

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags

No cut tags