623/UDP/TCP - IPMI
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Intelligent Platform Management Interface (IPMI) offers a standardized approach for remote management and monitoring of computer systems, independent of the operating system or power state. This technology allows system administrators to manage systems remotely, even when they're off or unresponsive, and is especially useful for:
Pre-OS boot configurations
Power-off management
Recovery from system failures
IPMI is capable of monitoring temperatures, voltages, fan speeds, and power supplies, alongside providing inventory information, reviewing hardware logs, and sending alerts via SNMP. Essential for its operation are a power source and a LAN connection.
Since its introduction by Intel in 1998, IPMI has been supported by numerous vendors, enhancing remote management capabilities, especially with version 2.0's support for serial over LAN. Key components include:
Baseboard Management Controller (BMC): The main micro-controller for IPMI operations.
Communication Buses and Interfaces: For internal and external communication, including ICMB, IPMB, and various interfaces for local and network connections.
IPMI Memory: For storing logs and data.
Default Port: 623/UDP/TCP (It's usually on UDP but it could also be running on TCP)
You can identify the version using:
In the realm of IPMI 2.0, a significant security flaw was uncovered by Dan Farmer, exposing a vulnerability through cipher type 0. This vulnerability, documented in detail at Dan Farmer's research, enables unauthorized access with any password provided a valid user is targeted. This weakness was found across various BMCs from manufacturers like HP, Dell, and Supermicro, suggesting a widespread issue within all IPMI 2.0 implementations.
To detect this flaw, the following Metasploit auxiliary scanner can be employed:
Exploitation of this flaw is achievable with ipmitool
, as demonstrated below, allowing for the listing and modification of user passwords:
This vulnerability enables retrieval of salted hashed passwords (MD5 and SHA1) for any existing username. To test this vulnerability, Metasploit offers a module:
A default configuration in many BMCs allows "anonymous" access, characterized by null username and password strings. This configuration can be exploited to reset passwords of named user accounts using ipmitool
:
A critical design choice in IPMI 2.0 necessitates the storage of clear-text passwords within BMCs for authentication purposes. Supermicro's storage of these passwords in locations such as /nv/PSBlock
or /nv/PSStore
raises significant security concerns:
Supermicro's inclusion of a UPnP SSDP listener in its IPMI firmware, particularly on UDP port 1900, introduces a severe security risk. Vulnerabilities in the Intel SDK for UPnP Devices version 1.3.1, as detailed by Rapid7's disclosure, allow for root access to the BMC:
HP randomizes the default password for its Integrated Lights Out (iLO) product during manufacture. This practice contrasts with other manufacturers, who tend to use static default credentials. A summary of default usernames and passwords for various products is provided as follows:
HP Integrated Lights Out (iLO) uses a factory randomized 8-character string as its default password, showcasing a higher security level.
Products like Dell's iDRAC, IBM's IMM, and Fujitsu's Integrated Remote Management Controller use easily guessable passwords such as "calvin", "PASSW0RD" (with a zero), and "admin" respectively.
Similarly, Supermicro IPMI (2.0), Oracle/Sun ILOM, and ASUS iKVM BMC also use simple default credentials, with "ADMIN", "changeme", and "admin" serving as their passwords.
Administrative access to the Baseboard Management Controller (BMC) opens various pathways for accessing the host's operating system. A straightforward approach involves exploiting the BMC's Keyboard, Video, Mouse (KVM) functionality. This can be done by either rebooting the host to a root shell via GRUB (using init=/bin/sh
) or booting from a virtual CD-ROM set as a rescue disk. Such methods allow for direct manipulation of the host's disk, including the insertion of backdoors, data extraction, or any necessary actions for a security assessment. However, this requires rebooting the host, which is a significant drawback. Without rebooting, accessing the running host is more complex and varies with the host's configuration. If the host's physical or serial console remains logged in, it can easily be taken over through the BMC's KVM or serial-over-LAN (sol) functionalities via ipmitool
. Exploring the exploitation of shared hardware resources, like the i2c bus and Super I/O chip, is an area that demands further investigation.
Upon compromising a host equipped with a BMC, the local BMC interface can be leveraged to insert a backdoor user account, creating a lasting presence on the server. This attack necessitates the presence of ipmitool
on the compromised host and the activation of BMC driver support. The following commands illustrate how a new user account can be injected into the BMC using the host's local interface, which bypasses the need for authentication. This technique is applicable to a wide range of operating systems including Linux, Windows, BSD, and even DOS.
port:623
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)