ipmi_default_dumphashes

Explanation

IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices without relying on the device's CPU or operating system. IPMI is known to have several security weaknesses. One of them allows an attacker to retrieve hashes of users' passwords from the management interface, which can then be cracked offline. This NDM detects the specific network traffic pattern created by running the "ipmi_dumphashes" Metasploit module with its default username list against a host running IPMI.
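The traffic pattern the NDM keys on is a burst of IPMI 2.0 RAKP Message 1 requests, each carrying a different username, from one source toward UDP/623 on a target. The following is an added example (not code from this page, from the NDM, or from Metasploit) of how a defender could parse those datagrams and flag the sweep. It generalizes slightly beyond the rule described above: rather than matching Metasploit's exact default username list, it flags any source that tries several distinct usernames against one BMC within a short window. The RAKP Message 1 layout follows the IPMI 2.0 specification; the IP addresses, usernames, threshold (5 names in 60 seconds) and the sample datagrams are constructed for the demonstration.

```python
import struct
from collections import defaultdict

# IPMI 2.0 / RMCP+ constants (from the IPMI 2.0 specification)
RMCP_VERSION = 0x06
RMCP_CLASS_IPMI = 0x07
AUTH_TYPE_RMCP_PLUS = 0x06
PAYLOAD_RAKP1 = 0x12          # RAKP Message 1 carries the requested username
IPMI_UDP_PORT = 623


def parse_rakp1_username(packet: bytes):
    """Return the username carried by an RMCP+ RAKP Message 1 datagram,
    or None if the datagram is anything else.
    Layout: RMCP header (4) | auth type (1) | payload type (1) |
            session id (4) | session seq (4) | payload length (2, LE) | payload
    """
    if len(packet) < 16:
        return None
    if packet[0] != RMCP_VERSION or packet[3] != RMCP_CLASS_IPMI:
        return None
    if packet[4] != AUTH_TYPE_RMCP_PLUS:
        return None
    if packet[5] & 0x3F != PAYLOAD_RAKP1:  # low 6 bits = payload type
        return None
    payload_len = struct.unpack_from("<H", packet, 14)[0]
    payload = packet[16:16 + payload_len]
    # RAKP1 payload: tag(1) reserved(3) managed-system session id(4)
    #   console random(16) max privilege(1) reserved(2) name length(1) name(n)
    if len(payload) < 28:
        return None
    name_len = payload[27]
    if name_len > 16 or len(payload) < 28 + name_len:
        return None
    return payload[28:28 + name_len].decode("ascii", errors="replace")


def detect_username_sweeps(datagrams, window_seconds=60.0, min_distinct=5):
    """datagrams: iterable of (timestamp, src_ip, dst_ip, dst_port, bytes).
    Returns one alert per (src, dst) pair whose RAKP1 requests carried at
    least min_distinct different usernames inside any window_seconds span."""
    seen = defaultdict(list)  # (src, dst) -> [(timestamp, username)]
    for ts, src, dst, dport, data in datagrams:
        if dport != IPMI_UDP_PORT:
            continue
        user = parse_rakp1_username(data)
        if user is not None:
            seen[(src, dst)].append((ts, user))

    alerts = []
    for (src, dst), events in seen.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding time window
            while events[end][0] - events[start][0] > window_seconds:
                start += 1
            distinct = {u for _, u in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                alerts.append({"src": src, "dst": dst, "usernames": sorted(distinct)})
                break
    return alerts


def build_rakp1(username: str, tag: int = 0) -> bytes:
    """Construct a minimal RAKP Message 1 datagram (sample data only)."""
    name = username.encode("ascii")
    payload = (bytes([tag, 0, 0, 0]) + b"\x01\x00\x00\x00" + b"\x00" * 16
               + b"\x04" + b"\x00\x00" + bytes([len(name)]) + name)
    header = (bytes([RMCP_VERSION, 0x00, 0xFF, RMCP_CLASS_IPMI,
                     AUTH_TYPE_RMCP_PLUS, PAYLOAD_RAKP1])
              + b"\x00" * 8 + struct.pack("<H", len(payload)))
    return header + payload


# Constructed sample capture: 10.0.0.99 sweeps six usernames against a BMC in
# two seconds; 10.0.0.20 performs a single ordinary login to the same BMC.
SAMPLE_TRAFFIC = [
    (1000.0 + i * 0.3, "10.0.0.99", "10.0.0.5", IPMI_UDP_PORT, build_rakp1(u, i))
    for i, u in enumerate(["ADMIN", "admin", "root", "USERID", "Administrator", "guest"])
] + [
    (1000.5, "10.0.0.20", "10.0.0.5", IPMI_UDP_PORT, build_rakp1("opsadmin")),
    (1001.0, "10.0.0.20", "10.0.0.5", 161, b"\x30\x00"),  # unrelated SNMP datagram
]

if __name__ == "__main__":
    for alert in detect_username_sweeps(SAMPLE_TRAFFIC):
        print(f"RAKP username sweep {alert['src']} -> {alert['dst']}: "
              f"{', '.join(alert['usernames'])}")
```

In a real deployment the datagram tuples would come from a pcap or a sensor rather than the constructed list; the parser deliberately rejects anything that is not an RMCP+ RAKP1 message so that IPMI 1.5 sessions and unrelated UDP traffic never reach the counter.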

What to Look For

The use of Metasploit modules on your network could be an indicator of compromise. Examine the source IP address and determine whether Metasploit is supposed to be running from that host.

Related MITRE ATT&CK Categories

Brute Force, Technique T1110 - Enterprise