I am stack with second question. Metasploit does not crack the hash. Default passwords are’t match. Using hashcat even with the -O -w 3 flags gives an operating time of about one day. Maybe I’m missing something? Could someone give a hint?
Maybe try with a wordlist instead of suggested password rule for hashcat
3 Likes
Oh, it was stupid not to try the common password lists not related to IPMI. Thank you.
hi i used auxiliary / scanner / ipmi / ipmi_dumphashes possible that every time I have a different hash? admin: etc etc the hash with hashcat do I do it with the word list provided by HTB? or rockyou?
I used the wordlist that is used all the time (rockyou) and hashcat. What I have seen several times now is that the machine would not be so stable over time->Reconnect to Academy VPN and spawning the machine again often helps 
1 Like
The hash is always different because salts are added to it (hashcat mode 7300 designed specifically for hash with salt).
I used one password list from seclist and got the password in clear text. It does not relate to ipmi.
1 Like
I used the “Hashcat” tool and the “rockyou.txt” dictionary and got the password. You have to modify the command (the options) of “Hashcat” to make it work with a wordlist
1 Like
I can’t get the hashcat to work it is not even running. i need help :(((((((((((((((((
Just use another worlist at the auxiliary options and that’s it… rockyou.txt works well
So I did have issues getting hashcat to work properly with this hash but, I will say a tool like “GitHub - c0rnf13ld/ipmiPwner: Exploit to dump ipmi hashes” was able to do it far more efficient and didnt even have to use Metasploit. Neat little tool I found while trying to troubleshoot why hashcat was being a pain with the ipmi hash.
EDIT: the wordlist was not the issue it was complaining about format of hash. It used to be a known issue with Hashcat but, came accross above tool and was like meh it works so whatever.
2 Likes
Please can someone help me? I tried using the MSF auxiliary scanner because the IP is not active. i tried to ping it. even footprint the IPMI IP address with nmap. it now showing as active I have restarted it many times.
Direct Two Answers in one step
use auxiliary/scanner/ipmi/ipmi_dumphashes
set save hash as john format
john --wordlist /usr/share/wordlists/rockyou.txt [hashfile]
3 Likes
None of this really helped for me. Once I got the hash from metasploit. Then I created a file in my home directory called hash and pasted the hash to it.Also copied the rockyou.txt to the home directory also. I then ran hashcat -m 7300 -a 0 --show /hash /rockyou.txt
I’ve tried everything that’s been suggested. I can get the hash, but nothing I’ve used has been able to crack it and give me the plain text. Does anyone have another suggestion?
Never mind. I figured it out. John really is your best friend along with the rockyou.txt.
1 Like
I have used a wordlist from SecLists in the Leaked-Databases directory.
Hi, where do the hash files get saved to, i could not find them?
sorry i forgot
@stheboy It will be saved as whatever you specified in the OUTPUT_HASHCAT_FILE or OUTPUT_JOHN_FILE options. If you didn’t specify a path then it should be in your current working directory provided you specified a file name.