# ipmi\_default\_dumphashes

**Explanation**

IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices without relying on the device's CPU or operating system. IPMI is known to have several security weaknesses. One such weakness allows an attacker to dump encrypted hashes of users' passwords, which can then be cracked offline. This NDM detects the specific network traffic pattern created by running the "ipmi\_dumphashes" Metasploit module with the default username list against a host running IPMI.

**What to Look For**

The use of Metasploit modules on your network could be an indicator of compromise. Examine the source IP address and determine if Metasploit is supposed to be running from that host.
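As a triage aid for the pattern described above, the following added example (not this detection model's own logic) parses IPMI 2.0 RAKP Message 1 datagrams captured on UDP port 623 and flags any source that requests several distinct usernames from one host in a short window. The threshold, window, function names and sample packets are assumptions made for the example; the usernames are placeholders, not the module's list.

```python
import struct
from collections import defaultdict

RMCP_IPMI = bytes([0x06, 0x00, 0xFF, 0x07])  # RMCP v1.0, no-ACK sequence, class IPMI
RAKP1 = 0x12                                  # RMCP+ payload type: RAKP Message 1

def rakp1_username(data):
    """Return the username carried in a RAKP Message 1 datagram, else None."""
    if len(data) < 44 or data[:4] != RMCP_IPMI:
        return None
    if data[4] != 0x06 or (data[5] & 0x3F) != RAKP1:  # 0x06 = RMCP+ session format
        return None
    (plen,) = struct.unpack_from("<H", data, 14)      # payload length, little-endian
    body = data[16:16 + plen]
    if len(body) < 28:
        return None
    ulen = body[27] & 0x1F                            # username length, at most 16
    if ulen > 16 or len(body) < 28 + ulen:
        return None
    return body[28:28 + ulen].decode("ascii", "replace")

def username_sweeps(events, min_names=4, window=60.0):
    """Flag (src, dst) pairs requesting >= min_names distinct usernames in window s."""
    seen = defaultdict(list)
    for ts, src, dst, data in sorted(events, key=lambda e: e[0]):
        name = rakp1_username(data)
        if name is not None:
            seen[(src, dst)].append((ts, name))
    hits = {}
    for pair, tries in seen.items():
        for i, (t0, _) in enumerate(tries):
            names = {n for t, n in tries[i:] if t - t0 <= window}
            if len(names) >= min_names:
                hits[pair] = sorted(names)
                break
    return hits

def build_rakp1(user):  # builds a constructed RAKP Message 1 for the sample below
    u = user.encode()
    body = bytes(4) + b"\x01\x02\x03\x04" + bytes(16) + b"\x04\x00\x00" + bytes([len(u)]) + u
    return RMCP_IPMI + bytes([0x06, RAKP1]) + bytes(8) + struct.pack("<H", len(body)) + body

# Constructed sample: one source sweeps five names, another opens a single session.
SAMPLE = [(i * 0.5, "192.0.2.10", "192.0.2.50", build_rakp1(f"name{i}")) for i in range(5)]
SAMPLE += [(9.0, "192.0.2.20", "192.0.2.50", build_rakp1("operator")),
           (9.5, "192.0.2.10", "192.0.2.50", b"\x00" * 64)]   # not IPMI, ignored

if __name__ == "__main__":
    print(username_sweeps(SAMPLE))
```

A flagged source is the address to examine first when deciding whether Metasploit is supposed to be running from that host.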

**Related MITRE ATT\&CK Categories**

[Credential Access: Brute Force, Technique T1110 - Enterprise](https://attack.mitre.org/techniques/T1110)

