In the IPMI section of the Footprinting module, how to get the plaintext from the hash received?

how to get the account’s cleartext password?

I used the auxiliary/scanner/ipmi/ipmi_dumphashes procedure described in the IPMI unit, but I only got the hash, not the plaintext. I tried to use the wordlist provided in the resources as PASS_FILE in msfconsole, but it didn’t work.

Also I am unable to understand what kind of hash is this → 2ee7d91f820000001534c8561509b3f18f191c0959a2dbea21bcec8c4227f74aed5498ae071c4e3aa123456789abcdefa123456789abcdef140561646d696e:82825ee3d73543936b9c5f2d2b5a5880fa145290
I wasn’t able to get the plaintext using hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u from the module. I made the ipmi.txt file and wrote this hash in it, and it showed me an error.
Please guide me where I am going wrong.

what was the content of the error message? I just ran hashcat and even with CUDA it will take 2.5 hours.

Session..........: hashcat
Status...........: Running
Hash.Mode........: 7300 (IPMI2 RAKP HMAC-SHA1)
Hash.Target......: 7bbe153982000000ea81569eaef653f51e7eedaeed1117bfe12...64da8a
Time.Started.....: Thu May 30 09:24:31 2024 (10 mins, 14 secs)
Time.Estimated...: Thu May 30 11:55:14 2024 (2 hours, 20 mins)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 ?d?u, -2 Undefined, -3 Undefined, -4 Undefined 
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   312.0 MH/s (9.74ms) @ Accel:8 Loops:128 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 190624825344/2821109907456 (6.76%)
Rejected.........: 0/190624825344 (0.00%)
Restore.Point....: 4079616/60466176 (6.75%)
Restore.Sub.#1...: Salt:0 Amplifier:11648-11776 Iteration:0-128
Candidate.Engine.: Device Generator
Candidates.#1....: RQBH5RUL -> 339I8Q67
Hardware.Mon.#1..: Temp: 57c Util: 97% Core:1126MHz Mem:2505MHz Bus:16

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => s

Did you solve it?
It gives me a new hash every time.

yes this password is not a standard password, in msfconsole just provide a rockyou wordlist as an option and it will find the password ez.

1 Like

Yes, after MSF exploded, there was an admin:6b2a....646d696e:b33d2d....5079c5168723b. Store it in a file and use hashcat -m 7300 /tmp/1 /usr/share/wordlists/rockyou.txt; it will show the clear text password.

2 Likes

Set the output file to a specific location in MSF that you define, e.g. /tmp/hashcat, then use that path when using hashcat. Also, utilizing the --username right in front of hashcat helped speed it up for me. -7300 was the wrong structure in my box on footprinting IPMI.

Thx. I got the answer from rockyou.txt.

But where is the hint that asks us to get the wordlist from rockyou.txt?
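On the "what kind of hash is this" question from the first post: a mode 7300 line is the input and output of the HMAC-SHA1 that the BMC sends in IPMI 2.0 RAKP message 2. The decoder below is an added example, not part of the thread or of any tool's code; it splits the quoted line into its fields and uses constructed nonces and a constructed password to show why every handshake yields a different line.

```python
import hashlib
import hmac

# Hash line quoted in the first post (hashcat mode 7300: <salt hex>:<HMAC-SHA1 hex>).
PAGE_HASH = (
    "2ee7d91f820000001534c8561509b3f18f191c0959a2dbea21bcec8c4227f74aed5498ae071c4e3a"
    "a123456789abcdefa123456789abcdef140561646d696e"
    ":82825ee3d73543936b9c5f2d2b5a5880fa145290"
)

def parse_rakp(line):
    """Decode the RAKP message 2 fields packed into a mode-7300 line."""
    # Keep the last two fields so a leading "user:" prefix (the form quoted
    # later in the thread, which hashcat skips with --username) is ignored.
    salt_hex, mac_hex = line.strip().split(":")[-2:]
    salt, mac = bytes.fromhex(salt_hex), bytes.fromhex(mac_hex)
    if len(mac) != 20 or len(salt) < 58 or len(salt) != 58 + salt[57]:
        raise ValueError("not an IPMI 2.0 RAKP HMAC-SHA1 line")
    return {
        "console_session_id": salt[0:4].hex(),
        "bmc_session_id": salt[4:8].hex(),
        "console_random": salt[8:24].hex(),   # nonce chosen by the client
        "bmc_random": salt[24:40].hex(),      # nonce chosen by the BMC
        "bmc_guid": salt[40:56].hex(),
        "role": salt[56],                     # requested privilege level
        "username": salt[58:].decode("ascii", "replace"),
        "salt": salt,
        "hmac_sha1": mac,
    }

def rakp_hmac(salt, password):
    """HMAC-SHA1 keyed with the account password over the salt fields."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()

def build_line(password, console_random, bmc_random, user=b"admin"):
    """Build a constructed sample line; session IDs and GUID are made-up bytes."""
    salt = (bytes.fromhex("0102030482000000") + console_random + bmc_random
            + bytes(16) + bytes([0x14, len(user)]) + user)
    return salt.hex() + ":" + rakp_hmac(salt, password).hex()

if __name__ == "__main__":
    for name, value in parse_rakp(PAGE_HASH).items():
        print(f"{name:20} {value.hex() if isinstance(value, bytes) else value}")
    # Same constructed password, different BMC nonce: the digest changes.
    print(build_line("Sample-Pass1", b"\x11" * 16, b"\x22" * 16)[-40:])
    print(build_line("Sample-Pass1", b"\x11" * 16, b"\x33" * 16)[-40:])
```

The BMC returns this HMAC before the client has proven knowledge of the password, so the only protection for the account is the length and randomness of the BMC password itself.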