Crucially, different vendors format this data slightly differently. Supermicro, Dell (iDRAC), and HP (iLO) all have slightly different implementations, though the core flaw remains the same. Tools like Metasploit and specialized helper scripts (like the ipmi.pl script included with JtR) handle these nuances automatically.
For example: Administrator:1:aabbccdd11223344:e9b89f4a40b8f2d2...
Once you have the hash string, the cracking process is straightforward. Because it uses a single round of HMAC-SHA1, modern GPUs can calculate billions of these hashes per second. A password that might take years to crack against a modern bcrypt hash might fall in seconds against IPMI.
The IPMI 2.0 specification includes a flaw in the RAKP (Remote Authenticated Key Exchange Protocol) process. When a client attempts to authenticate with a BMC (Baseboard Management Controller), the server sends an HMAC-SHA1 hash keyed with the user's password to the client before the client has even proved it knows the password.
Several tools are available for IPMI hash cracking:
A popular method involves using the ipmi_dumphashes module in the Metasploit Framework.
IPMI uses a challenge-response authentication mechanism to verify user credentials. When a user attempts to access an IPMI interface, the system generates a random challenge and sends it to the user's client. The client then generates a response based on the challenge and the user's password. The response is sent back to the IPMI system, which verifies it against a locally stored hash of the user's password.
IPMI hash cracking serves as a stark reminder that physical and out-of-band management interfaces are often the weakest link in an enterprise environment. The ability to pull hashes without authentication, combined with a weak hashing algorithm (HMAC-SHA1), creates a perfect storm for attackers.
IPMI 2.0 RAKP authentication uses HMAC-SHA1. During authentication, the client and server exchange usernames, nonces, and a hash. The key material is derived from the user's password plus a system-generated key (often known as the "key" or "K_g").
Hashcat is the heavy lifter for GPU cracking. IPMI hashes are supported in Hashcat via mode 7300 (IPMI2 RAKP).
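To make the RAKP flaw above concrete, here is an added example (not from the original page or any tool it names) that rebuilds the HMAC-SHA1 a BMC returns in RAKP message 2 from the public fields both sides see on the wire, and uses it the way a defender would: checking a BMC's own response against a list of vendor default passwords. All session IDs, nonces, GUID and passwords are constructed values, and the user:salt:hash layout is an assumption for display only.

```python
import hmac
import hashlib

# Constructed RAKP message 1/2 fields (not from a real capture). These are the
# public values an observer sees on the wire, in the order the BMC HMACs them.
SID_M = bytes.fromhex("a4a3a2a0")          # remote console session ID (4 bytes)
SID_C = bytes.fromhex("02000000")          # managed system (BMC) session ID (4 bytes)
R_M = bytes(range(16))                     # remote console random nonce (16 bytes)
R_C = bytes(range(16, 32))                 # managed system random nonce (16 bytes)
GUID_C = bytes(16)                         # BMC GUID (16 bytes, zeroed here)
ROLE_M = 0x14                              # requested privilege: admin, name-only lookup
USERNAME = "Administrator"

def rakp2_salt(sid_m, sid_c, r_m, r_c, guid_c, role_m, username):
    """Concatenate the public RAKP fields the BMC authenticates in message 2.
    None of these are secret, which is why the returned HMAC can be checked offline."""
    uname = username.encode()
    return sid_m + sid_c + r_m + r_c + guid_c + bytes([role_m, len(uname)]) + uname

def rakp2_hmac(password, salt):
    """HMAC-SHA1 the BMC sends in RAKP message 2, keyed with the user password (KUID).
    IPMI stores the password zero-padded to 20 bytes; that yields the same HMAC as
    the raw password because HMAC itself zero-pads short keys to the block size."""
    return hmac.new(password.encode()[:20], salt, hashlib.sha1).digest()

def hash_line(username, salt, mac):
    """Render the captured values as user:salt:hash in hex (assumed layout)."""
    return f"{username}:{salt.hex()}:{mac.hex()}"

def audit_bmc_password(salt, captured_mac, candidates):
    """Defender's check: does the BMC's RAKP2 HMAC match a default or weak password?
    Returns the matching password, or None if no candidate matches."""
    for pw in candidates:
        if hmac.compare_digest(rakp2_hmac(pw, salt), captured_mac):
            return pw
    return None

if __name__ == "__main__":
    salt = rakp2_salt(SID_M, SID_C, R_M, R_C, GUID_C, ROLE_M, USERNAME)
    captured = rakp2_hmac("ADMIN", salt)   # stands in for the value a BMC would send
    print(hash_line(USERNAME, salt, captured))
    defaults = ["password", "ADMIN", "calvin"]   # constructed default-password list
    print("weak password found:", audit_bmc_password(salt, captured, defaults))
```

Because every input other than the password is visible on the wire, one HMAC-SHA1 per candidate is all a check costs, which is exactly why a short or default BMC password offers no protection here.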