The Shadowserver Foundation

Open IPMI Scanning Project

If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or poking at IPMI.

The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have the Intelligent Platform Management Interface (IPMI) accessible and answering IPMI control queries. The goal of this project is to identify openly accessible IPMI devices and report them back to the network owners for remediation.

Devices with IPMI exposed have the potential to be completely compromised at Baseboard Management Controller (BMC) level by miscreants and we would like to remove the ability of miscreants that would misuse and abuse these devices.

Servers that are configured this way have been incorporated into our reports and are being reported on a daily basis.

A good primer on IPMI security issues can be found here and an alert from US-CERT (TA13-207A) on IPMI security can be found here.

Methodology

We are querying all computers with routable IPv4 addresses that are not firewalled from the internet on port 623/udp with an IPMI Get Channel Authentication Capabilities packet and parsing the response. We intend no harm, but if we are causing problems, please contact us at dnsscan [at] shadowserver [dot] org

If you would like to test your own device to see if it supports the NONE authentication method, run "ipmitool -A NONE -H [IP] bmc info". If the device does support the NONE method, you should see information about the devices Baseboard Management Controller. See http://linux.die.net/man/1/ipmitool for more information about the ipmitool command.

Whitelisting

To be removed from this set of scanning you will need to send an email to dnsscan [at] shadowserver [dot] org with the specific CIDR's that you would like to have removed. You will have to be the verifiable owner of these CIDR's and be able to prove that fact. Any address space that is whitelisted will be publicly available here: https://ipmiscan.shadowserver.org/exclude.html

Useful Links

Scan Status

Statistics on current run


All IPMI (v1.5 and v2.0)

All IPMI

(Click image to enlarge)

If you would like to see more regions click here

IPMI v1.5

IPMI v1.5 only

(Click image to enlarge)

If you would like to see more regions click here

IPMI v2.0

IPMI v2.0 only

(Click image to enlarge)

If you would like to see more regions click here

All IPMI (v1.5 and v2.0)

All IPMI

(Click image to enlarge)

IPMI v1.5

IPMI v1.5 only

(Click image to enlarge)

IPMI v2.0

IPMI v2.0 only

(Click image to enlarge)



If you would like us to not scan your network, please let us know and we will remove your networks from the scan.

Likewise, if you have anymore questions please feel free to send us an email at: gro [tod] revfooreswodahs [ta] nacbarssnd

The Shadowserver Foundation