Attacks on IPMI
Cipher suite zero authentication bypass
In IPMI 2.0, authentication, confidentiality, and integrity are provided by the cipher suites, specifically suites 1–14. Cipher suite 0 is the weakest of them because it provides none of the three: no authentication, no confidentiality, and no integrity. Cipher suite 0 should be disabled.
If the server's IPMI implementation supports cipher suite 0, a session can be opened without knowing the password (the value given to -P is never checked):
ipmitool -I lanplus -H 192.168.0.1 -U Administrator -P pass -C 0
From there the session has the full privileges of that user: power the host on or off, configure the firewall, change settings, and so on.
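The defensive counterpart is to audit the BMC for this setting. The following Python script is an added example and is not from the original page: it parses the output of "ipmitool lan print <channel>" (the sample output below is constructed, with the field names ipmitool actually prints), reports whether cipher suite 0 is advertised and at what maximum privilege, and derives the cipher_privs string that disables it. The "Cipher Suite Priv Max" field is one character per suite 0..14, with X meaning disabled. The remediation command assumes the BMC honours "lan set <channel> cipher_privs"; some vendors only expose this in their web UI, and the channel number (1 here) is BMC-specific.

```python
import re

# Constructed sample of "ipmitool lan print <channel>" output; not captured from a real BMC.
# Only the two cipher-suite lines matter for this check; the rest is typical surrounding output.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.168.0.1
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# One character per cipher suite 0..14 in "Cipher Suite Priv Max": the highest privilege
# a session negotiated with that suite may obtain; X means the suite is disabled.
PRIV_NAMES = {"X": "disabled", "c": "CALLBACK", "u": "USER",
              "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}


def parse_lan_print(text):
    """Extract the advertised cipher suites and the per-suite privilege string."""
    suites, priv_max = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "RMCP+ Cipher Suites":
            suites = [int(s) for s in value.split(",") if s.strip().isdigit()]
        elif key == "Cipher Suite Priv Max":
            parts = value.split()
            priv_max = parts[0] if parts else None
    return {"suites": suites, "priv_max": priv_max}


def audit_cipher_zero(text):
    """Report whether cipher suite 0 is usable and which cipher_privs value would disable it."""
    info = parse_lan_print(text)
    priv_max = info["priv_max"] or ""
    priv0 = priv_max[0] if priv_max else "X"      # position 0 belongs to cipher suite 0
    usable = 0 in info["suites"] and priv0 != "X"
    fixed = ("X" + priv_max[1:]) if priv_max else None
    return {
        "cipher0_advertised": 0 in info["suites"],
        "cipher0_priv": PRIV_NAMES.get(priv0, "unknown"),
        "vulnerable": usable,
        "fix_cipher_privs": fixed,
    }


def remediation_command(channel, fixed_privs):
    """ipmitool invocation applying the corrected string (assumes the BMC honours cipher_privs)."""
    return (f"ipmitool -I lanplus -H <bmc> -U <user> -P <password> "
            f"lan set {channel} cipher_privs {fixed_privs}")


if __name__ == "__main__":
    result = audit_cipher_zero(SAMPLE_LAN_PRINT)
    for k, v in result.items():
        print(f"{k}: {v}")
    if result["vulnerable"]:
        print("remediate with:", remediation_command(1, result["fix_cipher_privs"]))
```

In practice, feed the script the saved output of "ipmitool -I lanplus -H <bmc> -U <user> -P <password> lan print <channel>" for each BMC and re-run it after applying the fix to confirm position 0 now reads X.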
IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval
The authentication process for IPMI 2.0 mandates that the server send a salted SHA1 or MD5 hash of the requested user's password to the client, prior to the client authenticating.
Yep. That's right. The server hands out the salted password hash of any existing user. The ipmi_dumphashes module in Metasploit retrieves these hashes.
The hashes can then be cracked offline with hashcat (mode 7300 is IPMI 2.0 RAKP HMAC-SHA1):
hashcat -m 7300 --username lists/hashes.list lists/passwords.list
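Because this is a flaw in the RAKP protocol itself, the BMC cannot be patched out of it; the defences are restricting who can reach UDP/623 and spotting the retrieval when it happens. The following Python detector is an added example, not part of the original page: it runs over constructed firewall/flow log lines (the line format, the management subnet 10.10.0.0/24, the BMC address and the burst threshold are all assumptions) and raises two alerts: any UDP/623 traffic from outside the management network, and a burst of RMCP+ session attempts from one source, which is what hash harvesting across a list of usernames looks like on the wire.

```python
import ipaddress
import re
from collections import Counter

IPMI_PORT = 623  # RMCP/RMCP+ listens on UDP/623

# Assumed log line shape: "<timestamp> proto=<udp|tcp> src=<ip> dst=<ip> dport=<port>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample flow log (not captured from a real network). A management host talks to
# the BMC at 192.168.0.1 twice; a workstation outside the management subnet sends a burst of
# thirty UDP/623 packets in one minute, the pattern of RAKP hash retrieval over many usernames.
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01Z proto=udp src=10.10.0.5 dst=192.168.0.1 dport=623",
    "2024-05-01T10:00:02Z proto=udp src=10.10.0.5 dst=192.168.0.1 dport=623",
    "2024-05-01T10:00:09Z proto=tcp src=172.16.4.9 dst=192.168.0.1 dport=443",
] + [
    f"2024-05-01T10:01:{i:02d}Z proto=udp src=172.16.4.9 dst=192.168.0.1 dport=623"
    for i in range(30)
]

# Assumed: only this subnet is allowed to speak IPMI to the BMCs.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]


def parse_flow(line):
    """Parse one flow line into a dict, or return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def is_ipmi(flow):
    return flow["proto"].lower() == "udp" and flow["dport"] == IPMI_PORT


def analyze_flows(lines, mgmt_nets=MGMT_NETS, burst_threshold=20):
    """Return alert tuples for IPMI traffic from unmanaged hosts and for session bursts."""
    alerts, seen_pairs = [], set()
    per_src = Counter()
    for line in lines:
        flow = parse_flow(line)
        if not flow or not is_ipmi(flow):
            continue
        src = ipaddress.ip_address(flow["src"])
        per_src[flow["src"]] += 1
        allowed = any(src in net for net in mgmt_nets)
        pair = (flow["src"], flow["dst"])
        if not allowed and pair not in seen_pairs:
            seen_pairs.add(pair)
            alerts.append(("ipmi_from_unmanaged_host", flow["src"], flow["dst"]))
    # A single source opening many RMCP+ sessions in the window is the RAKP harvesting signature.
    for src, count in per_src.items():
        if count >= burst_threshold:
            alerts.append(("ipmi_session_burst", src, count))
    return alerts


if __name__ == "__main__":
    for alert in analyze_flows(SAMPLE_FLOWS):
        print(alert)
```

The burst rule complements, rather than replaces, the network restriction: even an allowed management host that suddenly fires dozens of session requests deserves a look, since one legitimate ipmitool command produces a handful of UDP/623 packets, not a stream.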