ipmi_dumphashes silently fails with IPv6 addresses #15966

Open
bert128 opened this issue Dec 16, 2021 · 3 comments
Labels
bug not-stale Label to stop an issue from being auto closed

Comments


bert128 commented Dec 16, 2021

Steps to reproduce

How'd you do it?

  1. Host fe80::9af2:b3ff:fe3a:a823 is an HP iLO device which is susceptible to hash dumping via IPMI. It is reachable in the local ethernet segment from a Kali system and has the default username "administrator" present.
  2. Use the module "scanner/ipmi/ipmi_dumphashes" from msfconsole
  3. set RHOSTS fe80::9af2:b3ff:fe3a:a823
  4. set verbose true
  5. run
  6. set RHOSTS fe80::9af2:b3ff:fe3a:a823%eth0
  7. run

Expected behavior

The scanner should send the IPMI probes to the supplied IPv6 targets and receive a response.

Current behavior

No traffic is sent when specifying any IPv6 address with or without the interface scope.
It does not work with link-local addresses or global scope addresses.
Running tcpdump confirms that no traffic is being generated.
No error is displayed by msfconsole, so the user is left falsely believing the host is not vulnerable.

Metasploit version

Framework: 6.1.14-dev
Console: 6.1.14-dev

Additional Information

Modern IPMI devices support IPv6 by default, and will be reachable via the link-local address in the local segment. On some models of device, it is not possible to turn off IPv6 support.
It is not uncommon for an IPMI device to only be reachable via IPv6, for instance where legacy IP has been turned off or the device resides in a segment with no DHCP server.

Nmap is able to detect the IPMI service:

Nmap scan report for ipmi1 (fe80::9af2:b3ff:fe3a:a823)
Host is up (0.00076s latency).

PORT    STATE SERVICE  VERSION
623/udp open  asf-rmcp
| ipmi-version:
|   Version:
|     IPMI-2.0
|   UserAuth:
|   PassAuth: auth_user, non_null_user
|_  Level: 2.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port623-UDP:V=7.91%I=7%D=12/16%Time=61BB2E59%P=x86_64-pc-linux-gnu%r(ip
SF:mi-rmcp,1E,"\x06\0\xff\x07\0\0\0\0\0\0\0\0\0\x10\x81\x1cc\x20\x008\0\x0
SF:2\x80\x14\x02\0\0\0\0\x10");
MAC Address: 98:F2:B3:3A:A8:23 (Hewlett Packard Enterprise)

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

[framework/ui/console]
ActiveModule=auxiliary/scanner/ipmi/ipmi_dumphashes
 
[scanner/ipmi/ipmi_dumphashes]
WORKSPACE=
VERBOSE=true
RHOSTS=fe80::9af2:b3ff:fe3a:a823
THREADS=1
ShowProgress=true
ShowProgressPercent=10
RPORT=623
USER_FILE=/usr/share/metasploit-framework/data/wordlists/ipmi_users.txt
PASS_FILE=/usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt
OUTPUT_HASHCAT_FILE=
OUTPUT_JOHN_FILE=
CRACK_COMMON=true
SESSION_RETRY_DELAY=5
SESSION_MAX_ATTEMPTS=5
loglevel=3

History

The following commands were ran during the session and before this issue occurred:

22     use scanner/ipmi/ipmi_dumphashes
23     set rhosts fe80::9af2:b3ff:fe3a:a823
24     set verbose true
25     run
26     version
27     set loglevel 3
28     run
29     debug

Framework Errors

The following framework errors occurred before the issue occurred:

[12/16/2021 08:24:34] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/16/2021 08:24:34] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/16/2021 08:24:34] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/16/2021 08:24:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2021 08:24:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2021 08:24:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported

Web Service Errors

The following web service errors occurred before the issue occurred:

msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

[03/18/2021 13:43:06] [e(0)] core: Failed to connect to the database: No database YAML file
[03/18/2021 13:43:06] [d(0)] core: Created user based module store
[03/18/2021 13:43:08] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[03/18/2021 13:43:08] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[03/18/2021 13:43:08] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[03/18/2021 13:43:08] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/16/2021 06:00:36] [e(0)] core: Failed to connect to the database: No database YAML file
[12/16/2021 06:00:36] [d(0)] core: Updated user based module store
[12/16/2021 06:00:44] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/16/2021 06:00:44] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/16/2021 06:00:44] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/16/2021 06:00:44] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/16/2021 06:00:46] [d(0)] core: HistoryManager.push_context name: :msfconsole
[12/16/2021 08:23:27] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[12/16/2021 08:24:22] [e(0)] core: Failed to connect to the database: No database YAML file
[12/16/2021 08:24:34] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/16/2021 08:24:34] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/16/2021 08:24:34] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/16/2021 08:24:34] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/16/2021 08:24:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2021 08:24:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2021 08:24:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[12/16/2021 08:24:40] [d(0)] core: HistoryManager.push_context name: :msfconsole
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/16/2021 08:24:40] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported

Web Service Logs

The following web service logs were recorded before the issue occurred:

msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Framework: 6.1.14-dev
Ruby: ruby 2.7.3p183 (2021-04-05 revision 6847ee089d) [x86_64-linux-gnu]
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
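The report's central complaint is that an IPv6 target in RHOSTS, with or without an interface scope, produces no probe and no error. The following added example (not Metasploit's code, and it assumes nothing about why the module drops the traffic) shows how a UDP scanner can parse a scoped IPv6 target, pick the matching socket family, refuse an unscoped link-local address, and fail loudly when nothing is sent; the helper names and the loopback self-test are constructed for this illustration.

```ruby
require 'ipaddr'
require 'socket'

# Parse an RHOSTS-style target such as "fe80::9af2:b3ff:fe3a:a823%eth0" into
# the pieces a UDP probe needs: bare address, socket family and interface scope.
# (Hypothetical helper written for this example, not a Metasploit API.)
def parse_ipmi_target(host)
  addr, scope = host.split('%', 2)
  ip = IPAddr.new(addr)
  {
    address: ip.to_s,
    family: ip.ipv6? ? Socket::AF_INET6 : Socket::AF_INET,
    scope: scope,
    link_local: ip.ipv6? && ip.link_local?
  }
rescue IPAddr::InvalidAddressError => e
  raise ArgumentError, "invalid target #{host.inspect}: #{e.message}"
end

# A link-local IPv6 target is ambiguous without an interface scope. Refuse it
# with an explicit error instead of emitting nothing, which is the silent
# failure mode the report describes.
def probe_destination(target)
  if target[:link_local] && target[:scope].nil?
    raise ArgumentError, "link-local target #{target[:address]} needs a %<iface> scope"
  end
  target[:scope] ? "#{target[:address]}%#{target[:scope]}" : target[:address]
end

# Open a UDP socket whose family matches the target and send one datagram.
# Returns the byte count; an IPv4-only socket cannot reach an IPv6 target,
# so the family must come from the parsed address, and a short send is an error.
def send_probe(host, payload, port = 623)
  target = parse_ipmi_target(host)
  dest = probe_destination(target)
  sock = UDPSocket.new(target[:family])
  sent = sock.send(payload, 0, dest, port)
  raise IOError, "only #{sent} of #{payload.bytesize} bytes sent to #{dest}" if sent != payload.bytesize
  sent
ensure
  sock&.close
end

if __FILE__ == $PROGRAM_NAME
  # Constructed self-check against a local IPv4 listener (no network needed).
  listener = UDPSocket.new(Socket::AF_INET)
  listener.bind('127.0.0.1', 0)
  puts "sent #{send_probe('127.0.0.1', "\x06\x00\xff\x06".b, listener.addr[1])} bytes"
  listener.close
end
```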
@bert128 bert128 added the bug label Dec 16, 2021
@github-actions

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

@github-actions github-actions bot added the Stale Marks an issue as stale, to be closed if no action is taken label Jan 17, 2022

bert128 commented Jan 20, 2022

not stale, bug still present

@bcoles bcoles added not-stale Label to stop an issue from being auto closed and removed Stale Marks an issue as stale, to be closed if no action is taken labels Jan 20, 2022
@thuyazawnaing

I do experience the same problem.
