Intelligent Platform Management Interface

Footprinting The Service

Nmap

sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local

Default Credentials

Product	Username	Password
Dell iDRAC	root	calvin
HP iLO	Administrator	randomized 8-character string consisting of numbers and uppercase letters
Supermicro IPMI	ADMIN	ADMIN

Metasploit Dumping Hashes

We can turn to a flaw in the RAKP protocol in IPMI 2.0 with Metasploit's IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval module