Footprinting IPMI

props to you bro, i was looking for a way to specifically do this entirely within the MSF and this was IT. i appreciate your input.


Thank you!

Hm... nothing works for me... I tried
$ hashcat -a 0 -m 0 crackhash.txt rockyou.txt
but I get this …

Hashfile ‘crackhash.txt’ on line 1 (hash): Token length exception
Hashfile ‘crackhash.txt’ on line 2 (hash): Token length exception

if I try
hashcat -m 7300 -a 3 ./crackhash.txt rockyou.txt
I get as result...
Hashfile ‘./crackhash.txt’ on line 1 (hash): Separator unmatched
No hashes loaded.

Can anyone help me?

I’m not sure how to protect against exploiters like other forum users do, but I’d like to point out that it’s also possible to achieve this using the following approach:

hashcat -m 7300 myhash.txt -a 0 /usr/share/wordlists/rockyou.txt --show

Had the same issue with token length exception.
Tip: use --username as a parameter in the hashcat command. It defines that there is a username in the hash you are trying to crack.

After that it solved the issue.
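As an added illustration of what the two hashcat errors in this thread mean (not code from the original posts or from hashcat itself), the Python script below checks a line against the layout hashcat mode 7300 expects, assuming the common user:salt:hash layout of dumped IPMI hashes, and reproduces the HMAC-SHA1 check on a constructed sample.

```python
import hashlib
import hmac

HEX = set("0123456789abcdefABCDEF")

# Constructed sample: hashcat mode 7300 lines carry the RAKP message data the
# BMC signed (the "salt") and its HMAC-SHA1 keyed with the account password.
SAMPLE_PASSWORD = "ConstructedPassw0rd"        # constructed, not a real credential
SAMPLE_SALT = bytes(range(0x20, 0x60))         # constructed 64-byte RAKP data
SAMPLE_HASH = hmac.new(SAMPLE_PASSWORD.encode(), SAMPLE_SALT, hashlib.sha1).hexdigest()
SAMPLE_LINE = "admin:" + SAMPLE_SALT.hex() + ":" + SAMPLE_HASH   # user:salt:hash layout


def is_hex(s: str) -> bool:
    return bool(s) and len(s) % 2 == 0 and set(s) <= HEX


def strip_username(line: str) -> str:
    """Drop a leading user: field, which is what hashcat's --username does."""
    fields = line.strip().split(":")
    return ":".join(fields[-2:])


def diagnose_line(line: str) -> str:
    """Explain why hashcat -m 7300 would reject this line, or return 'ok'."""
    fields = line.strip().split(":")
    if len(fields) == 3:
        return "username prefix present: add --username"   # 'Separator unmatched'
    if len(fields) != 2:
        return "expected salt:hash (two colon-separated fields)"
    salt, digest = fields
    if not is_hex(salt):
        return "salt is not valid hex"
    if len(digest) != 40 or not is_hex(digest):
        # -m 0 (MD5) wants exactly 32 hex chars, hence 'Token length exception'
        return "hash must be 40 hex chars (HMAC-SHA1)"
    return "ok"


def verify_rakp(line: str, candidate: str) -> bool:
    """True if the candidate password reproduces the HMAC recorded in the line."""
    salt_hex, digest = strip_username(line).split(":")
    calc = hmac.new(candidate.encode(), bytes.fromhex(salt_hex), hashlib.sha1).hexdigest()
    return hmac.compare_digest(calc, digest)


if __name__ == "__main__":
    print(diagnose_line(SAMPLE_LINE))
    print(diagnose_line(strip_username(SAMPLE_LINE)))
    print(verify_rakp(SAMPLE_LINE, SAMPLE_PASSWORD))
```

Because the BMC hands this HMAC to any client that opens a RAKP session, the practical defence is a long random password on every IPMI account and keeping the BMC off untrusted networks.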

Just use the Metasploit scanner/ipmi/ipmi_dumphashes module and in the options choose the wordlist /usr/share/wordlists/rockyou.txt; you will get the answer. You should check: by default rockyou.txt is not extracted, so extract it and use it.

You the boss


Hashcat doesn't seem like the easiest to use. I was stuck on this until I found your comment. Thank you!


I was stuck on this lab for a few days. After reading a lot of everyone's posts, I thought I'd just provide some clear guidance. This can be completed via hashcat or Metasploit, and I'm sure a lot of other ways. If you utilize msfconsole as instructed, and run the IPMI_DUMPHASHES module, you can easily get the cleartext password. Set your RHOSTS and change your pass file if the default pass_file is not working. Earlier in the footprinting series, we installed SecLists. I'd recommend navigating to that folder and identifying the Passwords directory. Maybe you'll see something related to hashes in there. Hope this helps!


I used Metasploit, but the dictionary provided did not give me the key in plain text. I changed the dictionary for another one and it did.


Hey all. I simply changed the pass_file to rockyou, then some patience was needed and the clear text password appeared. Be patient and you'll see it show up after a few minutes.

Man, this was perfect. Thanks mate!


I solved it.

Read this link it will help you.