IPMI - 623
Port 623 UDP - Intelligent Platform Management Interface (IPMI) is used for system management on hardware-based host management systems.
- IPMI gives sysadmins the ability to manage and monitor systems even when they are powered off or in an unresponsive state
- has a direct connection to the hardware and does not require a shell on the host
- remote upgrades without physical access
- Access it:
  - before the OS has booted, to modify BIOS settings
  - when the host is fully powered down
  - after a system failure, to regain access to the host

To Know:
- The embedded controller that implements IPMI is called a BMC (Baseboard Management Controller)
- The most common BMCs we often see during internal penetration tests are HP iLO, Dell DRAC, and Supermicro IPMI.
- If we can access a BMC during an assessment, we would gain full access to the host motherboard and be able to monitor, reboot, power off, or even reinstall the host operating system.
- Many BMCs (including HP iLO, Dell DRAC, and Supermicro IPMI) expose a web-based management console, some sort of command-line remote access protocol such as Telnet or SSH, and UDP port 623 for the IPMI network protocol itself.
Dangerous Settings:
- If the default passwords do not work, we can leverage the RAKP protocol flaw
  - During RAKP authentication the BMC sends the client an HMAC (SHA1 or MD5, depending on the cipher suite) keyed with the user's password, before the client has authenticated
  - That value can be collected for any valid username and cracked offline to recover the password
- hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
  - Mode 7300 is IPMI2 RAKP HMAC-SHA1; -1 ?d?u defines custom charset 1 as digits plus uppercase letters, and the mask tries every 8-character password built from that set
- MSF dump hashes: https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes/
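Why the RAKP value is offline-checkable, as an added Python illustration that is not part of these notes: it rebuilds the RAKP message 2 HMAC in the IPMI 2.0 field order, produces the salt:hash line that hashcat -m 7300 consumes, and shows a candidate password can be verified from that line alone, with no further BMC interaction. All session values and the password below are constructed; the flaw is simply that the BMC computes this HMAC before the client has proven anything, which is why unique, long BMC passwords and keeping port 623 on an isolated management network matter.

```python
import hashlib
import hmac
import struct

# Constructed sample of the fields exchanged during RAKP session setup.
# Every value here is made up for illustration; real ones come off the wire.
SAMPLE = {
    "sid_m": 0xA4A3A2A0,             # remote console session ID
    "sid_c": 0x02000000,             # BMC (managed system) session ID
    "rand_m": bytes(range(16)),      # 16-byte console random number
    "rand_c": bytes(range(16, 32)),  # 16-byte BMC random number
    "guid_c": bytes(range(32, 48)),  # 16-byte BMC GUID
    "role_m": 0x14,                  # requested privilege level (administrator)
    "username": b"ADMIN",            # constructed username
}

def rakp2_salt(f: dict) -> bytes:
    """Bytes the BMC HMACs in RAKP message 2, in IPMI 2.0 field order:
    SIDm || SIDc || Rm || Rc || GUIDc || RoleM || ULengthM || UNameM."""
    return (struct.pack("<II", f["sid_m"], f["sid_c"]) + f["rand_m"] + f["rand_c"]
            + f["guid_c"] + bytes([f["role_m"], len(f["username"])]) + f["username"])

def rakp2_auth_code(password: bytes, f: dict) -> bytes:
    """HMAC-SHA1 keyed with the user's password. The BMC sends this to the
    client before the client has demonstrated knowledge of the password."""
    return hmac.new(password, rakp2_salt(f), hashlib.sha1).digest()

def hashcat_7300_line(f: dict, auth_code: bytes) -> str:
    """salt:hash form that hashcat -m 7300 expects (what ipmi_dumphashes writes)."""
    return f"{rakp2_salt(f).hex()}:{auth_code.hex()}"

def verify_offline(line: str, candidate: bytes) -> bool:
    """Recompute the HMAC from the captured line only; no BMC contact needed."""
    salt_hex, code_hex = line.split(":")
    expected = hmac.new(candidate, bytes.fromhex(salt_hex), hashlib.sha1).digest()
    return hmac.compare_digest(expected, bytes.fromhex(code_hex))

if __name__ == "__main__":
    # Play the BMC: it knows the real (constructed) password and emits the HMAC.
    line = hashcat_7300_line(SAMPLE, rakp2_auth_code(b"constructed-pw", SAMPLE))
    print(line)
    print(verify_offline(line, b"constructed-pw"), verify_offline(line, b"wrong"))
```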
Commands:
sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local
msf6 > use auxiliary/scanner/ipmi/ipmi_version
Default Passwords:

- If these don't work, use msfconsole to dump the RAKP hashes:
use auxiliary/scanner/ipmi/ipmi_dumphashes
Checking for IPMI should be part of our internal penetration test playbook for any environment we find ourselves assessing.