I am stuck with the second question. Metasploit does not crack the hash. Default passwords don't match. Using hashcat even with the -O -w 3 flags gives an operating time of about one day. Maybe I'm missing something? Could someone give a hint?
Maybe try with a wordlist instead of the suggested password rule for hashcat.
Oh, it was stupid not to try the common password lists not related to IPMI. Thank you.
Hi, I used auxiliary/scanner/ipmi/ipmi_dumphashes. Is it possible that every time I get a different hash? admin: etc etc. To crack the hash with hashcat, do I do it with the word list provided by HTB, or rockyou?
I used the wordlist that is used all the time (rockyou) and hashcat. What I have seen several times now is that the machine would not be so stable over time. Reconnecting to the Academy VPN and spawning the machine again often helps.
The hash is always different because salts are added to it (hashcat mode 7300 designed specifically for hash with salt).
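To make the salt point above concrete, here is an added example (not code from the thread or from Metasploit) that rebuilds an IPMI 2.0 RAKP message 2 authentication code the way hashcat mode 7300 and John's rakp format see it. The session IDs, BMC GUID and randoms are constructed placeholders, the HMAC-SHA1 over SIDm, SIDc, Rm, Rc, GUIDc, ROLEm, ULENm and UNAMEm follows the IPMI 2.0 spec, and the `salt_hex:hmac_hex` (hashcat) and `$rakp$salt$hmac` (John) line layouts are my understanding of what the tools consume. Two dumps of the same account with the same password produce different lines because each side contributes a fresh 16-byte random, which is why the hashes on a re-spawned machine never match but still verify against the same password.

```python
import hashlib
import hmac
import os

# Constructed session parameters for a pretend RAKP exchange (not from any real BMC).
SID_M = bytes.fromhex("a4a3a2a0")   # remote console session id (placeholder)
SID_C = bytes.fromhex("02000000")   # BMC (managed system) session id (placeholder)
GUID_C = bytes(range(16))           # BMC GUID (placeholder)
ROLE_M = 0x14                       # requested privilege level: administrator


def rakp2_salt(sid_m, sid_c, rand_m, rand_c, guid_c, role_m, username):
    """Concatenate the RAKP message 2 fields that hashcat/John treat as the 'salt'.

    Order per IPMI 2.0 spec section 13.28:
    SIDm || SIDc || Rm || Rc || GUIDc || ROLEm || ULENm || UNAMEm
    """
    uname = username.encode()
    return sid_m + sid_c + rand_m + rand_c + guid_c + bytes([role_m, len(uname)]) + uname


def rakp2_auth_code(password, salt):
    """RAKP-HMAC-SHA1: HMAC-SHA1 keyed with the user's password over the salt."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def to_hashcat_7300(salt, code):
    """hashcat -m 7300 line: hex salt, colon, hex HMAC (assumed layout)."""
    return salt.hex() + ":" + code.hex()


def to_john_rakp(username, salt, code):
    """John the Ripper rakp line: user:$rakp$salt$hmac (assumed layout)."""
    return f"{username}:$rakp${salt.hex()}${code.hex()}"


def simulate_dump(username, password, rand_m=None, rand_c=None):
    """One 'dump': console and BMC each contribute a fresh 16-byte random."""
    rand_m = rand_m or os.urandom(16)
    rand_c = rand_c or os.urandom(16)
    salt = rakp2_salt(SID_M, SID_C, rand_m, rand_c, GUID_C, ROLE_M, username)
    return to_hashcat_7300(salt, rakp2_auth_code(password, salt))


def parse_hashcat_7300(line):
    """Split a mode 7300 line back into its salt and HMAC bytes."""
    salt_hex, code_hex = line.split(":")
    return bytes.fromhex(salt_hex), bytes.fromhex(code_hex)


def matches(line, candidate):
    """True if recomputing the HMAC with the candidate password reproduces the line."""
    salt, code = parse_hashcat_7300(line)
    return hmac.compare_digest(rakp2_auth_code(candidate, salt), code)


if __name__ == "__main__":
    first = simulate_dump("admin", "password")
    second = simulate_dump("admin", "password")
    print("dump 1:", first)
    print("dump 2:", second)
    print("lines identical:", first == second)                  # False: randoms differ
    print("both verify with 'password':", matches(first, "password") and matches(second, "password"))
```

The salt travels in the clear inside the dumped line, so it only defeats precomputed tables; it does nothing against guessing the password from a wordlist, which is the weakness the thread is exploiting. For a BMC you administer, the defence is a long unique IPMI password and keeping the management interface off untrusted networks.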
I used one password list from SecLists and got the password in clear text. It does not relate to IPMI.
I used the "Hashcat" tool and the "rockyou.txt" dictionary and got the password. You have to modify the command (the options) of "Hashcat" to make it work with a wordlist.
I can't get hashcat to work, it is not even running. I need help :(((((((((((((((((
Just use another wordlist at the auxiliary options and that's it… rockyou.txt works well.
So I did have issues getting hashcat to work properly with this hash but, I will say a tool like "GitHub - c0rnf13ld/ipmiPwner: Exploit to dump ipmi hashes" was able to do it far more efficiently and I didn't even have to use Metasploit. Neat little tool I found while trying to troubleshoot why hashcat was being a pain with the IPMI hash.
EDIT: the wordlist was not the issue, it was complaining about the format of the hash. It used to be a known issue with Hashcat but, I came across the above tool and was like meh, it works so whatever.
Please can someone help me? I tried using the MSF auxiliary scanner because the IP is not active. I tried to ping it, even footprinted the IPMI IP address with nmap. It is now showing as active. I have restarted it many times.
Direct Two Answers in one step
use auxiliary/scanner/ipmi/ipmi_dumphashes
set the option to save the hash in John format
john --wordlist /usr/share/wordlists/rockyou.txt [hashfile]
None of this really helped for me. Once I got the hash from Metasploit, I created a file in my home directory called hash and pasted the hash into it. I also copied rockyou.txt to the home directory. I then ran hashcat -m 7300 -a 0 --show /hash /rockyou.txt
I’ve tried everything that’s been suggested. I can get the hash, but nothing I’ve used has been able to crack it and give me the plain text. Does anyone have another suggestion?
Never mind. I figured it out. John really is your best friend along with the rockyou.txt.
I have used a wordlist from SecLists in the Leaked-Databases directory.
Hi, where do the hash files get saved to? I could not find them.
Sorry, I forgot.
@stheboy It will be saved as whatever you specified in the OUTPUT_HASHCAT_FILE or OUTPUT_JOHN_FILE options. If you didn’t specify a path then it should be in your current working directory provided you specified a file name.