
# IPMI (623)

<details>

<summary>Protocol Information</summary>

Intelligent Platform Management Interface ([IPMI](https://www.thomas-krenn.com/en/wiki/IPMI_Basics)) is a set of standardized specifications for hardware-based host management systems used for system management and monitoring. It acts as an autonomous subsystem and works independently of the host's BIOS, CPU, firmware, and underlying operating system. IPMI provides sysadmins with the ability to manage and monitor systems even if they are powered off or in an unresponsive state. It operates using a direct network connection to the system's hardware and does not require access to the operating system via a login shell. IPMI can also be used for remote upgrades to systems without requiring physical access to the target host.\
Systems that use the IPMI protocol are called **Baseboard Management Controllers** (**BMCs**). BMCs are typically implemented as embedded ARM systems running Linux and are connected directly to the host's motherboard. BMCs are built into many motherboards but can also be added to a system as a PCI card. Most servers either come with a BMC or support adding one. The BMCs most often seen during internal penetration tests are HP iLO, Dell DRAC, and Supermicro IPMI. If we can access a BMC during an assessment, we gain full access to the host motherboard and can monitor, reboot, power off, or even reinstall the host operating system. Gaining access to a BMC is nearly equivalent to physical access to a system. Many BMCs (including HP iLO, Dell DRAC, and Supermicro IPMI) expose a web-based management console, some sort of command-line remote access protocol such as Telnet or SSH, and UDP port 623, which is used by the IPMI network protocol.

</details>

## Port

<table data-header-hidden><thead><tr><th width="166">Port</th><th>Description</th></tr></thead><tbody><tr><td><mark style="color:green;"><strong>623</strong></mark><strong> UDP</strong></td><td>IPMI</td></tr></tbody></table>

## Attacks

### Default Password

<table><thead><tr><th width="194">Product</th><th>Username</th><th>Password</th></tr></thead><tbody><tr><td><strong>Dell iDRAC</strong></td><td>root</td><td>calvin</td></tr><tr><td><strong>HP iLO</strong></td><td>Administrator</td><td>randomized 8-character string consisting of numbers and uppercase letters</td></tr><tr><td><strong>Supermicro IPMI</strong></td><td>ADMIN</td><td>ADMIN</td></tr></tbody></table>

### Brute force password thanks to RAKP in IPMI 2.0

During the authentication process, the server sends a salted SHA1 or MD5 hash of the user's password to the client before authentication takes place. This can be leveraged to obtain the password hash for ANY valid user account on the BMC. These password hashes can then be cracked offline with a dictionary attack in `Hashcat` mode `7300`.

{% code overflow="wrap" %}

```bash
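# For HP iLO: mask attack (-a 3) over 8 characters of digits and uppercase letters (?d?u), the factory default password format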
hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
```

{% endcode %}

The following Metasploit module can also be used to retrieve IPMI hashes for cracking:

{% code overflow="wrap" %}

```
auxiliary/scanner/ipmi/ipmi_dumphashes
```

{% endcode %}

Wordlists

{% code overflow="wrap" %}

```
metasploit-framework/data/wordlists/ipmi_passwords.txt
metasploit-framework/data/wordlists/ipmi_users.txt
```

{% endcode %}
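
From the defender's side, a client that collects hashes this way receives RAKP Message 2 (the message carrying the hash) and never continues with RAKP Message 3. The following detection sketch is an added example, not part of the original page or of any tool it names; the log format, addresses and threshold are constructed assumptions, while the payload type values are those defined for IPMI v2.0 RMCP+.

```python
from collections import defaultdict

# IPMI v2.0 RMCP+ payload types used during session setup.
RAKP1, RAKP2, RAKP3 = 0x12, 0x13, 0x14

# Constructed sample records (hypothetical format): "epoch src dst payload_type".
# Assumes a sensor that decodes the RMCP+ payload type on UDP/623.
SAMPLE = """\
1700000000 10.0.5.20 10.0.9.11 0x12
1700000000 10.0.9.11 10.0.5.20 0x13
1700000001 10.0.5.20 10.0.9.11 0x14
1700000100 10.0.7.66 10.0.9.11 0x12
1700000100 10.0.9.11 10.0.7.66 0x13
1700000101 10.0.7.66 10.0.9.12 0x12
1700000101 10.0.9.12 10.0.7.66 0x13
1700000102 10.0.7.66 10.0.9.13 0x12
1700000102 10.0.9.13 10.0.7.66 0x13
"""

def find_hash_harvesters(log_text, min_abandoned=3):
    """Return {client: [BMCs]} for clients that received at least
    min_abandoned RAKP Message 2 replies from BMCs to which they never
    sent RAKP Message 3 (handshake abandoned after the hash arrived)."""
    got_hash = defaultdict(int)   # (client, bmc) -> RAKP2 replies received
    finished = defaultdict(int)   # (client, bmc) -> RAKP3 messages sent
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed records
        _, src, dst, ptype = parts
        try:
            ptype = int(ptype, 16)
        except ValueError:
            continue
        if ptype == RAKP2:
            got_hash[(dst, src)] += 1   # BMC (src) answered client (dst)
        elif ptype == RAKP3:
            finished[(src, dst)] += 1   # client (src) continued the handshake
    abandoned, totals = defaultdict(set), defaultdict(int)
    for (client, bmc), count in got_hash.items():
        if finished[(client, bmc)] == 0:
            abandoned[client].add(bmc)
            totals[client] += count
    # One failed legitimate login can look the same, hence the threshold.
    return {c: sorted(b) for c, b in abandoned.items() if totals[c] >= min_abandoned}

if __name__ == "__main__":
    print(find_hash_harvesters(SAMPLE))
```
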

