Beacon Object File (BOF) to capture an IPMI 2.0 RAKP password hash from a remote BMC.
Load ipmi-hash.cna in Cobalt Strike (or ipmi-hash_bof.s1.py for Outflank C2).
beacon> ipmi-hash <username> <ip[:port]>
Output is compatible with hashcat, mode 7300:
$ hashcat -m 7300 --username <hashfile> <wordlist>
- https://github.com/nixerr/ipmicd - IPMI packet structures reference
- https://nvd.nist.gov/vuln/detail/CVE-2013-4786 - IPMI 2.0 RAKP authentication design flaw
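For monitoring BMC networks, the added example below (not part of this project's code) parses RMCP+ session-setup packets seen on UDP 623 and flags consoles that are not on an allowlist or that stop after receiving RAKP Message 2, the message whose HMAC CVE-2013-4786 concerns. Assumptions: field offsets follow the IPMI 2.0 specification, handshakes are paired by IP address only, and all function names, addresses and sample packets are constructed for illustration.

```python
import struct

RMCP_IPMI = bytes([0x06, 0x00, 0xFF, 0x07])    # RMCP version byte, reserved, seq 0xFF, class IPMI
RMCPP_AUTH = 0x06                              # auth type/format byte for IPMI v2.0 (RMCP+)
NAMES = {0x12: "rakp1", 0x13: "rakp2", 0x14: "rakp3"}

def classify(data):
    """Return (name, body) for a RAKP 1/2/3 packet, else None."""
    if len(data) < 16 or data[:4] != RMCP_IPMI or data[4] != RMCPP_AUTH:
        return None
    name = NAMES.get(data[5] & 0x3F)           # low 6 bits carry the payload type
    (length,) = struct.unpack_from("<H", data, 14)
    body = data[16:16 + length]
    return (name, body) if name and len(body) == length else None

def rakp1_username(body):
    """User name requested in RAKP Message 1 (length byte at offset 27)."""
    if len(body) < 28 or body[27] > 16 or len(body) < 28 + body[27]:
        return None
    return body[28:28 + body[27]].decode("ascii", "replace")

def review(packets, allowed_consoles):
    """packets: iterable of (src_ip, dst_ip, udp_payload). Returns alert tuples."""
    state = {}                                 # (console, bmc) -> [user, got_rakp2, sent_rakp3]
    for src, dst, data in packets:
        name, body = classify(data) or (None, b"")
        if name == "rakp1":
            state[(src, dst)] = [rakp1_username(body), False, False]
        elif name == "rakp2" and (dst, src) in state:
            state[(dst, src)][1] = True
        elif name == "rakp3" and (src, dst) in state:
            state[(src, dst)][2] = True
    alerts = []
    for (console, bmc), (user, got2, sent3) in state.items():
        checks = (("unlisted-console", console not in allowed_consoles),
                  ("abandoned-after-rakp2", got2 and not sent3))
        reasons = [label for label, bad in checks if bad]
        if reasons:
            alerts.append((console, bmc, user, reasons))
    return alerts

def _sample(ptype, body):                      # builds constructed test data, not a capture
    return RMCP_IPMI + bytes([RMCPP_AUTH, ptype]) + bytes(8) + struct.pack("<H", len(body)) + body

_R1 = bytes(27) + bytes([5]) + b"admin"        # constructed RAKP 1 body requesting user "admin"
_R2, _R3 = _sample(0x13, bytes(60)), _sample(0x14, bytes(28))
SAMPLE = [("192.0.2.5", "192.0.2.200", _sample(0x12, _R1)), ("192.0.2.200", "192.0.2.5", _R2),
          ("192.0.2.9", "192.0.2.200", _sample(0x12, _R1)), ("192.0.2.200", "192.0.2.9", _R2),
          ("192.0.2.9", "192.0.2.200", _R3)]
```

A legitimate console that is given the wrong password also abandons the handshake after RAKP Message 2, so treat that reason as a triage signal and weigh it together with the allowlist result.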