Footprinting IPMI

I am stack with second question. Metasploit does not crack the hash. Default passwords are’t match. Using hashcat even with the -O -w 3 flags gives an operating time of about one day. Maybe I’m missing something? Could someone give a hint?

Maybe try with a wordlist instead of suggested password rule for hashcat


Oh, it was stupid not to try the common password lists not related to IPMI. Thank you.


hi i used auxiliary / scanner / ipmi / ipmi_dumphashes possible that every time I have a different hash? admin: etc etc the hash with hashcat do I do it with the word list provided by HTB? or rockyou?

I used the wordlist that is used all the time (rockyou) and hashcat. What I have seen several times now is that the machine would not be so stable over time->Reconnect to Academy VPN and spawning the machine again often helps :frowning:

1 Like

The hash is always different because salts are added to it (hashcat mode 7300 designed specifically for hash with salt).
I used one password list from seclist and got the password in clear text. It does not relate to ipmi.

1 Like

I used the “Hashcat” tool and the “rockyou.txt” dictionary and got the password. You have to modify the command (the options) of “Hashcat” to make it work with a wordlist

1 Like

I can’t get the hashcat to work :frowning: it is not even running. i need help :(((((((((((((((((

Just use another worlist at the auxiliary options and that’s it… rockyou.txt works well

So I did have issues getting hashcat to work properly with this hash but, I will say a tool like “GitHub - c0rnf13ld/ipmiPwner: Exploit to dump ipmi hashes” was able to do it far more efficient and didnt even have to use Metasploit. Neat little tool I found while trying to troubleshoot why hashcat was being a pain with the ipmi hash.

EDIT: the wordlist was not the issue it was complaining about format of hash. It used to be a known issue with Hashcat but, came accross above tool and was like meh it works so whatever.


Please can someone help me? I tried using the MSF auxiliary scanner because the IP is not active. i tried to ping it. even footprint the IPMI IP address with nmap. it now showing as active I have restarted it many times.

Direct Two Answers in one step
use auxiliary/scanner/ipmi/ipmi_dumphashes
set save hash as john format
john --wordlist /usr/share/wordlists/rockyou.txt [hashfile]


None of this really helped for me. Once I got the hash from metasploit. Then I created a file in my home directory called hash and pasted the hash to it.Also copied the rockyou.txt to the home directory also. I then ran hashcat -m 7300 -a 0 --show /hash /rockyou.txt

I’ve tried everything that’s been suggested. I can get the hash, but nothing I’ve used has been able to crack it and give me the plain text. Does anyone have another suggestion?

Never mind. I figured it out. John really is your best friend along with the rockyou.txt.

1 Like

I have used a wordlist from SecLists in the Leaked-Databases directory.

Hi, where do the hash files get saved to, i could not find them?

sorry i forgot

@stheboy It will be saved as whatever you specified in the OUTPUT_HASHCAT_FILE or OUTPUT_JOHN_FILE options. If you didn’t specify a path then it should be in your current working directory provided you specified a file name.