IPMI (623)
Intelligent Platform Management Interface.
Port
623 UDP
IPMI
Attacks
Default Password
Product
Username
Password
Dell iDRAC
root
calvin
HP iLO
Administrator
randomized 8-character string consisting of numbers and uppercase letters
Supermicro IPMI
ADMIN
ADMIN
Brute force password thanks to RAKP in IPMI 2.0
During the authentication process, the server sends a salted SHA1 or MD5 hash of the user's password to the client before authentication takes place. This can be leveraged to obtain the password hash for ANY valid user account on the BMC. These password hashes can then be cracked offline using a dictionary attack using Hashcat
mode 7300
.
# For HP iLO
hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
Also possible to use the following metasploit module to retrieve IPMI hashes and for cracking
auxiliary/scanner/ipmi/ipmi_dumphashes
Wordlists
metasploit-framework/data/wordlists/ipmi_passwords.txt
metasploit-framework/data/wordlists/ipmi_users.txt
Last updated
Was this helpful?