(623 UDP)IPMI
This document will be published upon completion of the module.
About
Intelligent Platform Management Interface (IPMI) is a set of standardized specifications for hardware-based host management systems used for system management and monitoring.
It provides sysadmins with the ability to manage and monitor systems even if they are powered off or in an unresponsive state. It operates using a direct network connection to the system's hardware and does not require access to the operating system via a login shell.
IPMI can also be used for remote upgrades to systems without requiring physical access to the target host.
To function, IPMI requires the following components:
Baseboard Management Controller (BMC) - A micro-controller and essential component of an IPMI
Intelligent Chassis Management Bus (ICMB) - An interface that permits communication from one chassis to another
Intelligent Platform Management Bus (IPMB) - extends the BMC
IPMI Memory - stores things such as the system event log, repository store data, and more
Communications Interfaces - local system interfaces, serial and LAN interfaces, ICMB and PCI Management Bus
Footprinting
Nmap
$ sudo nmap <TARGET> -p 623 -sU --script ipmi-version Metasploit
msf6 > use auxiliary/scanner/ipmi/ipmi_version
msf6 auxiliary(scanner/ipmi/ipmi_version) > show options Default Credentials
It is possible that administrators have not changed the default password. Here's a list of some default passwords depending on the product running IPMI:
Dell iDRAC
root
calvin
HP iLO
Administrator
randomized 8-character string consisting of numbers and uppercase letters
Supermicro IPMI
ADMIN
ADMIN
Login credentials are always useful even if they don't give us access to whatever we were looking for, we could try to connect to another service using them. Here's a possible scenario:
RAKP flaw
The RAKP (Remote Authenticated Key-Exchange Protocol) is part of the IPMI (Intelligent Platform Management Interface), which is commonly used for managing and monitoring server hardware remotely.
RAKP is used in the authentication process for IPMI 2.0, particularly in the RMCP+ (Remote Management Control Protocol Plus) phase, which ensures secure communications between the client (e.g., an IPMI client) and the server (the BMC, or Baseboard Management Controller).
If default credentials do not work to access a BMC, we can turn to a flaw in the RAKP protocol in IPMI 2.0. During the authentication process, the server sends a salted SHA1 or MD5 hash of the user's password to the client before authentication takes place. This can be leveraged to obtain the password hash for ANY valid user account on the BMC. These password hashes can then be cracked offline using a dictionary attack using
Hashcatmode7300. In the event of an HP iLO using a factory default password, we can use this Hashcat mask attack commandhashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?uwhich tries all combinations of upper case letters and numbers for an eight-character password.
So in short, we'll be using metasploit to dump password hashes and crack them offline.
Last updated