👾 Overview
IPMI, or Intelligent Platform Management Interface, is a protocol that allows out-of-band management of servers. It’s a system that’s independent from the OS and allows management of the machine even if it’s powered off.
IPMI is implemented on BMCs, Baseboard Management Controllers. These embedded chips are separate from a server’s main hardware and allow for remote access and management.
IPMI generally runs on UDP port 623 and should never be externally accessible; it’s an inherently vulnerable and sensitive remote management protocol. There are well-known default credentials for different manufacturers, an authentication bypass via Cipher 0, and IPMI hash retrieval.
🔌 Connecting to IPMI
One way to connect to a host with IPMI is ipmitool on Linux, a CLI tool for managing servers over IPMI:

```bash
# Listing users
ipmitool -I lanplus -H [host] -U Administrator -P [password] user list
```

💎 Exploits
🪃 IPMI Hash Retrieval
The IPMI specification is inherently vulnerable: it provides the password hash for any valid user you request during authentication, before that user has actually authenticated. If you iterate through potential usernames you can both enumerate valid users and grab their hashes to crack offline.
Since this is a problem with the protocol itself, there’s no easy fix: you have to segment these devices and prevent remote access to IPMI/BMCs except from specific networks.
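Because segmentation is the only real mitigation, the defender's follow-up is verifying that nothing outside the management network is actually reaching UDP/623. The script below is an added example (not part of the original notes or any tool they mention): it runs over constructed, iptables-style firewall log lines, flags every IPMI flow whose source is outside an assumed management subnet (10.10.99.0/24, a hypothetical value), and counts how many distinct BMCs each offending source touched, since one source hitting many BMCs is what a credential/hash sweep looks like from the firewall's side.

```python
import ipaddress
import re
from typing import Dict, List

# Assumed management network from which IPMI access is permitted (hypothetical, not from the page).
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.99.0/24")]
IPMI_PORT = 623  # RMCP/RMCP+ (IPMI over LAN) listens on UDP 623

# Constructed firewall log lines in an iptables-style KEY=VALUE format; not real captures.
SAMPLE_LOG = """\
2026-05-22T16:54:15Z fw1 IN=eth0 SRC=10.10.99.15 DST=10.129.1.123 PROTO=UDP SPT=51234 DPT=623
2026-05-22T16:54:16Z fw1 IN=eth0 SRC=192.168.171.128 DST=10.129.1.123 PROTO=UDP SPT=40001 DPT=623
2026-05-22T16:54:17Z fw1 IN=eth0 SRC=203.0.113.7 DST=10.129.1.123 PROTO=UDP SPT=40002 DPT=623
2026-05-22T16:54:18Z fw1 IN=eth0 SRC=203.0.113.7 DST=10.129.1.124 PROTO=UDP SPT=40002 DPT=623
2026-05-22T16:54:19Z fw1 IN=eth0 SRC=203.0.113.7 DST=10.129.1.123 PROTO=TCP SPT=40003 DPT=443
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Extract KEY=VALUE pairs from one log line into a dict."""
    return dict(KV_RE.findall(line))


def is_ipmi_flow(fields: Dict[str, str]) -> bool:
    """True for UDP traffic to the IPMI port; TCP/other ports are out of scope here."""
    return fields.get("PROTO", "").upper() == "UDP" and fields.get("DPT") == str(IPMI_PORT)


def source_allowed(src: str, allowed_nets) -> bool:
    """True only if the source address parses and lies inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is never trusted
    return any(addr in net for net in allowed_nets)


def ipmi_policy_violations(log_text: str, allowed_nets=MANAGEMENT_NETS) -> List[Dict[str, str]]:
    """Return every UDP/623 flow whose source is outside the allowed management networks."""
    violations = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not is_ipmi_flow(fields):
            continue
        src = fields.get("SRC", "?")
        if not source_allowed(src, allowed_nets):
            violations.append({"src": src, "dst": fields.get("DST", "?")})
    return violations


def bmc_targets_per_source(violations: List[Dict[str, str]]) -> Dict[str, int]:
    """Distinct BMCs touched per offending source; several BMCs from one source looks like a sweep."""
    targets: Dict[str, set] = {}
    for v in violations:
        targets.setdefault(v["src"], set()).add(v["dst"])
    return {src: len(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    found = ipmi_policy_violations(SAMPLE_LOG)
    for v in found:
        print(f"IPMI access from outside management network: {v['src']} -> {v['dst']}:623")
    print("distinct BMCs per source:", bmc_targets_per_source(found))
```

Run it as-is to see the two non-management sources flagged while the management-subnet client and the TCP/443 line pass; point `SAMPLE_LOG` at a real export and `MANAGEMENT_NETS` at your own BMC VLANs to use it as a recurring check that the segmentation still holds.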
The ipmi_dumphashes Metasploit module can be used to easily enumerate IPMI users and grab their hashes:

```
[2026-05-22 16:54:15] [192.168.171.128] (Sessions:0 Jobs:0) auxiliary(scanner/ipmi/ipmi_dumphashes) > run
[+] 10.129.1.123:623 - IPMI - Hash found: Administrator:[REDACTED]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

Passwords can then be cracked using hashcat mode 7300:

```bash
hashcat -a 0 -m 7300 ipmi.hash /tools/rockyou.txt
```

0⃣ Cipher 0 Auth Bypass
Another glaring issue in IPMI is the Cipher 0 authentication bypass. If a server allows a client to use Cipher 0 (cleartext authentication), the server will allow access with any password. The Metasploit module ipmi_cipher_zero can be used to scan for this.
You can connect using Cipher 0 with ipmitool by passing the -C 0 flag and submitting any password.
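From the administrator's side, whether Cipher 0 is enabled is visible in the "RMCP+ Cipher Suites" and "Cipher Suite Priv Max" lines of `ipmitool lan print`, and it is turned off with ipmitool's `lan set <channel> cipher_privs <string>` subcommand, where each character sets the maximum privilege for cipher suites 0, 1, 2, ... in order and `X` means the suite is unused. The script below is an added example, not part of the original notes: it parses a constructed `lan print` sample (the privilege string and the channel number 1 are assumptions), reports whether suite 0 is reachable and at what privilege, and builds the corrective `cipher_privs` string that disables suite 0 while leaving every other suite as it was.

```python
from typing import Dict, List

# Constructed sample of `ipmitool lan print 1` output; not captured from a real BMC.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 10.129.1.123
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaaaaaaaaaaaX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# Privilege letters as printed in the legend of `lan print`.
PRIV_NAMES = {"X": "disabled", "c": "CALLBACK", "u": "USER", "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}


def parse_lan_print(text: str) -> Dict[str, str]:
    """Parse 'Key : Value' lines; legend/continuation lines (empty key) are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key:
            fields[key] = value.strip()
    return fields


def cipher_suite_privs(fields: Dict[str, str]) -> Dict[int, str]:
    """Map cipher suite id -> max privilege letter; position i of the string is suite i."""
    return {i: ch for i, ch in enumerate(fields.get("Cipher Suite Priv Max", ""))}


def cipher_zero_findings(text: str) -> List[str]:
    """Return human-readable findings if cipher suite 0 is advertised or privileged."""
    fields = parse_lan_print(text)
    findings = []
    suites = [int(s) for s in fields.get("RMCP+ Cipher Suites", "").split(",") if s.strip().isdigit()]
    privs = cipher_suite_privs(fields)
    if 0 in suites:
        findings.append("cipher suite 0 is advertised in 'RMCP+ Cipher Suites'")
    if privs.get(0, "X") != "X":
        findings.append(f"cipher suite 0 enabled with max privilege {PRIV_NAMES.get(privs[0], privs[0])}")
    return findings


def hardened_cipher_privs(current: str) -> str:
    """Disable suite 0 (first position) and keep every other suite's privilege unchanged."""
    if not current:
        raise ValueError("empty 'Cipher Suite Priv Max' string")
    return "X" + current[1:]


def remediation_command(fields: Dict[str, str], channel: int = 1) -> str:
    """Build the ipmitool command that applies the hardened privilege string (channel is assumed)."""
    new_privs = hardened_cipher_privs(fields.get("Cipher Suite Priv Max", ""))
    return f"ipmitool -I lanplus -H [host] -U [user] -P [password] lan set {channel} cipher_privs {new_privs}"


if __name__ == "__main__":
    for finding in cipher_zero_findings(SAMPLE_LAN_PRINT):
        print("FINDING:", finding)
    print("fix:", remediation_command(parse_lan_print(SAMPLE_LAN_PRINT)))
```

Re-run `ipmitool lan print` after applying the change and confirm the first character of "Cipher Suite Priv Max" is `X`; some BMC firmware also exposes this setting only through its own web UI or vendor tooling, so treat the generated command as the ipmitool form of the fix rather than the only one.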
📖 Resources
| 🔗 Hyperlink | ℹ️ Info |
|---|---|
| Rapid7 | IPMI & BMC Blog |
| Dan Farmer | IPMI hash retrieval explained |