I am stack with second question. Metasploit does not crack the hash. Default passwords are’t match. Using hashcat even with the -O -w 3 flags gives an operating time of about one day. Maybe I’m missing something? Could someone give a hint?
Maybe try with a wordlist instead of suggested password rule for hashcat
3 Likes
Oh, it was stupid not to try the common password lists not related to IPMI. Thank you.
hi i used possible that every time I have a different hash? admin: etc etc the hash with hashcat do I do it with the word list provided by HTB? or rockyou?
I used the wordlist that is used all the time (rockyou) and hashcat. What I have seen several times now is that the machine would not be so stable over time->Reconnect to Academy VPN and spawning the machine again often helps 
1 Like
The hash is always different because salts are added to it (hashcat mode 7300 designed specifically for hash with salt).
I used one password list from seclist and got the password in clear text. It does not relate to ipmi.
1 Like
I used the “Hashcat” tool and the “rockyou.txt” dictionary and got the password. You have to modify the command (the options) of “Hashcat” to make it work with a wordlist
1 Like
I can’t get the hashcat to work it is not even running. i need help :(((((((((((((((((
Just use another worlist at the auxiliary options and that’s it… rockyou.txt works well
1 Like
So I did have issues getting hashcat to work properly with this hash but, I will say a tool like “GitHub - c0rnf13ld/ipmiPwner: Exploit to dump ipmi hashes” was able to do it far more efficient and didnt even have to use Metasploit. Neat little tool I found while trying to troubleshoot why hashcat was being a pain with the ipmi hash.
EDIT: the wordlist was not the issue it was complaining about format of hash. It used to be a known issue with Hashcat but, came accross above tool and was like meh it works so whatever.
3 Likes
Please can someone help me? I tried using the MSF auxiliary scanner because the IP is not active. i tried to ping it. even footprint the IPMI IP address with nmap. it now showing as active I have restarted it many times.
None of this really helped for me. Once I got the hash from metasploit. Then I created a file in my home directory called hash and pasted the hash to it.Also copied the rockyou.txt to the home directory also. I then ran hashcat -m 7300 -a 0 --show /hash /rockyou.txt
2 Likes
I’ve tried everything that’s been suggested. I can get the hash, but nothing I’ve used has been able to crack it and give me the plain text. Does anyone have another suggestion?
Never mind. I figured it out. John really is your best friend along with the rockyou.txt.
1 Like
I have used a wordlist from SecLists in the Leaked-Databases directory.
I’m new to the hacking space but your rockyou.txt suggestion was great help. Something I’ll better remember now for future pass cracking use lol. Thanks mate!
No god but one god who has no son nor a partner .
If anyone is still having issues, I also used john with a password list from SecList. Got the tip from @lefanzizou.
I found a very quick solution of the last question:
In msfconsole, I just changed the default PASS_FILE path to /usr/share/metasploit-framework/data/wordlists/password.lst
Concept:
I manually browsed to above path and checked the password files and choose the password.lst as it have fairly similar passwords that may be set in IPMI as explained in the module.
And then hit run. DONE
8 Likes