ipmi

Overview ¶

Package ipmi implements the `enumerate ipmi` command.

Three pre-auth probes against UDP/623, in sequence:

1. Get-Channel-Authentication-Capabilities. Same probe the discover plugin runs; we re-run it here so the enumerate report stands on its own (an operator may invoke `enumerate ipmi` directly without first running discover, and the deep probes need to know whether IPMI 2.0 is supported anyway).

2. Cipher Zero Open Session (CVE-2013-4031). A BMC that returns status 0x00 to an RMCP+ Open Session Request with cipher suite 0 (no auth / no integrity / no confidentiality) is critically misconfigured — any subsequent IPMI commands will run as the named user without authentication.

3. RAKP HMAC-SHA1 disclosure (CVE-2013-4786). For each guessed username in DefaultUsernameGuesses we complete an Open Session + RAKP-1/RAKP-2 round-trip. RAKP-2 carries an HMAC-SHA1 keyed with the user's password material — offline-crackable as hashcat -m 7300. A non-zero status from RAKP-2 indicates the username does not exist on the BMC; the deep probe records which guesses returned a hash so the operator gets both the existence oracle and the crackable blob in one signal.

The probes are gated on IPMI-2.0 support reported by the auth-caps banner — sending RMCP+ to a v1.5-only BMC just times out.