Dumping credentials from IPMI services using Metasploit

Rio Darmawan
MII Cyber Security Consulting Services
3 min read, Apr 3, 2024

IPMI Services?

IPMI (Intelligent Platform Management Interface) is a set of standardized specifications for hardware-based host management systems used for system management and monitoring. It acts as an autonomous subsystem and works independently of the host’s BIOS, CPU, firmware, and underlying operating system. IPMI provides sysadmins with the ability to manage and monitor systems even if they are powered off or in an unresponsive state. It operates using a direct network connection to the system’s hardware and does not require access to the operating system via a login shell. IPMI can also be used for remote upgrades to systems without requiring physical access to the target host. IPMI is typically used in three ways:

  • Before the OS has booted to modify BIOS settings
  • When the host is fully powered down
  • Access to a host after a system failure

When not being used for these tasks, IPMI can monitor a range of different things such as system temperature, voltage, fan status, and power supplies. It can also be used for querying inventory information, reviewing hardware logs, and alerting using SNMP.

How to dump credentials from IPMI services

Enumeration

We can scan all ports on the target to find out whether the IPMI service is active.

nmap -sC -sV -Pn -p- 10.xxx.xxx.xxx

If port 623 (the default) is open on your target, that is where the IPMI service is running, and you can use nmap's ipmi-version NSE script to enumerate more details from it. Note that IPMI listens on UDP, so a TCP-only scan can miss it; the UDP scan below is the one that confirms it.

nmap -sU --script ipmi-version -p 623 10.xxx.xxx.xxx
(Image: scanning with nmap)

Dumping Hash

This step shows how to dump hashes using Metasploit, with the IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval module. The hash is obtainable because the RAKP handshake in IPMI 2.0 returns a salted HMAC of the user's password to the client before the client has proven that it knows the password, so any host that can reach UDP port 623 on the BMC can request it.

(Image: dumping process)
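Because the retrieval above needs nothing but reachability to UDP port 623, a defender's first control is knowing which sources talk IPMI to the BMCs at all. As an added example (not part of the original post), the following Python script reads constructed firewall log lines, flags UDP/623 flows from outside an assumed management network, and labels a source that touches several BMCs as a sweep; the log format, the management network and the threshold are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed management network: only these sources are expected to speak IPMI.
MGMT_NET = ip_network("10.10.0.0/24")
IPMI_PORT = 623
SWEEP_THRESHOLD = 3  # distinct BMCs contacted by one source before we call it a sweep

# Constructed sample lines in a generic key=value firewall format (not real logs).
SAMPLE_LOGS = """\
2024-04-03T10:01:02Z action=allow proto=udp src=10.10.0.5 dst=10.20.0.11 dport=623
2024-04-03T10:01:05Z action=allow proto=udp src=192.168.50.77 dst=10.20.0.11 dport=623
2024-04-03T10:01:06Z action=allow proto=udp src=192.168.50.77 dst=10.20.0.12 dport=623
2024-04-03T10:01:07Z action=allow proto=udp src=192.168.50.77 dst=10.20.0.13 dport=623
2024-04-03T10:01:09Z action=allow proto=tcp src=192.168.50.77 dst=10.20.0.13 dport=443
2024-04-03T10:02:00Z action=allow proto=udp src=172.16.3.9 dst=10.20.0.14 dport=623
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_ipmi_exposure(log_text):
    """Map each non-management source to the sorted BMC addresses it reached on UDP/623."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp" or int(rec["dport"]) != IPMI_PORT:
            continue
        if ip_address(rec["src"]) in MGMT_NET:
            continue  # expected management traffic
        hits[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}

def classify(exposure):
    """Label each offending source as a 'sweep' (many BMCs) or a 'single' contact."""
    return {src: ("sweep" if len(dsts) >= SWEEP_THRESHOLD else "single")
            for src, dsts in exposure.items()}

if __name__ == "__main__":
    print(classify(find_ipmi_exposure(SAMPLE_LOGS)))
```

The same logic applies to netflow or BMC audit records once the parser is swapped; the point is that legitimate IPMI traffic should originate only from the management network.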

Cracking Hash with Hashcat

Save the hash portion of the output into a text file so that hashcat can read it.

We can find the hash mode used to crack IPMI hashes with this command:

hashcat -h | grep "IPMI"

Then we can crack with the right hash mode; in this cracking process I used the rockyou wordlist.

hashcat -m 7300 ipmihash.txt /usr/share/wordlists/rockyou.txt
(Image: cracked)

Credentials that have been cracked can be tried on other services, because companies usually reuse the same credentials across each service.

That’s all, I hope it’s useful for you. Thanks for reading!
