[Tool] keimpx: Check for the usefulness of credentials across a network over SMB
- From: "Bernardo Damele A. G." <bernardo.damele@xxxxxxxxx>
- Date: Thu, 11 Feb 2010 00:12:56 +0000
I am glad to release keimpx version 0.2.
keimpx is an open source tool, released under a modified version of Apache License 1.1.
It can be used to quickly check for the usefulness of credentials across a network over SMB. Credentials can be:
* Combination of user / plain-text password.
* Combination of user / NTLM hash.
* Combination of user / NTLM logon session token.
If any valid credentials have been discovered across the network after its attack phase, the user is asked to choose which host to connect to and which valid credentials to use, then he will be prompted with an interactive SMB shell where the user can:
* Spawn an interactive command prompt.
* Navigate through the remote SMB shares: list, upload, download files, create, remove files, etc.
* Deploy and undeploy his own service, for instance, a backdoor listening on a TCP port for incoming connections.
* List users details, domains and password policy.
* More to come, see http://code.google.com/p/keimpx/issues/list.
* Stable version: http://keimpx.googlecode.com/files/keimpx-0.2.zip
* Development version: http://code.google.com/p/keimpx/source/checkout
* Usage: http://code.google.com/p/keimpx/wiki/Usage
* Examples: http://code.google.com/p/keimpx/wiki/Examples
* Frequently Asked Questions: http://code.google.com/p/keimpx/wiki/FAQ
* License: http://code.google.com/p/keimpx/wiki/License
For the sceptics and trolls
Aren't you reinventing the wheel?
As far as I know, three similar tools exist publicly:
* PsExec can be used to login via a single pair of user/password to a remote machine over SMB and execute commands. Single executable file, it works on any Windows system. It does not offer the ability to login by providing NTLM hashes.
* smbshell is a pre-compiled NASL script and it requires the nasl interpreter and a bunch of other Nessus libraries to run, not very convenient. Nevertheless, an advantage over PsExec is that it also accepts the NTLM hash of the password. Like PsExec, it can be used to login onto one system at a time.
* Metasploit's psexec auxiliary module can be used to login via a single pair of user/password or user/NTLM hash to a remote machine over SMB and execute commands. It is an enhanced version of the original standalone PsExec, but it requires direct access between the attacker machine and the target network (you could always pivot traffic through the owned Windows system via a Meterpreter session route option though), which is not always feasible, for instance, in a Citrix break-out where the back-end system is masked by a Citrix MetaFrame web interface. Like PsExec and smbshell, it can be used to login onto one system at a time.
keimpx can be used to login over SMB onto a single target (like previous tools) or a list of targets by providing either a pair of user/password (like previous tools), a pair of user/NTLM hash (like smbshell and Metasploit's psexec), a list with the dumped hashes and eventually the cracked passwords. If valid credentials are detected on any of the targets, it can be used to enumerate shares, users, domains, password policy, execute commands and access the Windows registry (soon). The advantage over smbshell and Metasploit's psexec module is that it is a single Python script that requires the Python interpreter only to work; moreover, the tool can be converted into a single executable file, then uploaded to the owned Windows system and run from there from the command line, like PsExec. The other advantage over all the other tools is that it can primarily be used to check for the usefulness of a list of credentials, as in pairs of user/password, user/NTLM hash and user/NTLM session token, across the whole Windows
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
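From the defender's side, the behaviour described above (one set of credentials checked against a whole list of hosts over SMB, by password or NTLM hash) shows up as a burst of NTLM network logons for a single account from a single source to many hosts. The following detector is an added example, not part of keimpx or this post: it runs over constructed, simplified Windows Security 4624 records whose field names mirror the real event (LogonType, AuthenticationPackageName, IpAddress, TargetUserName, Computer); all sample values are made up.

```python
"""Added example (not keimpx's code): flag a source/account pair that opens
NTLM network logons to many distinct hosts in a short window. Records are
constructed, simplified Windows Security 4624 events; field names mirror the
real event, the values are invented."""
from collections import defaultdict
from datetime import datetime, timedelta

def ev(t, host, user, ip, ltype=3, pkg="NTLM"):
    """Build one simplified 4624 record (helper for the constructed sample)."""
    return {"t": t, "Computer": host, "TargetUserName": user, "IpAddress": ip,
            "LogonType": ltype, "AuthenticationPackageName": pkg}

# One account, NTLM network logons from a single source to four hosts within
# seconds (what checking one credential across a target list looks like from
# the hosts' side), mixed with an ordinary user's unrelated activity.
EVENTS = [
    ev("2010-02-11T00:01:00", "FS01", "svc_backup", "10.0.5.23"),
    ev("2010-02-11T00:01:04", "FS02", "svc_backup", "10.0.5.23"),
    ev("2010-02-11T00:01:09", "DC01", "svc_backup", "10.0.5.23"),
    ev("2010-02-11T00:01:15", "WS17", "svc_backup", "10.0.5.23"),
    ev("2010-02-11T00:02:00", "FS01", "jdoe", "10.0.9.4"),           # normal share use
    ev("2010-02-11T00:03:00", "WS17", "jdoe", "10.0.9.4", ltype=2),  # console logon
    ev("2010-02-11T00:04:00", "FS02", "jdoe", "10.0.9.4", pkg="Kerberos"),
    ev("2010-02-11T00:05:30", "FS01", "jdoe", "10.0.9.4"),           # same host again
]

def network_logons(events):
    """Keep successful network (type 3) logons authenticated with NTLM: SMB
    sessions opened with a password and with a bare NTLM hash both look like
    this, so the filter covers pass-the-hash as well as password checks."""
    return [e for e in events
            if e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM"]

def spray_sources(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {(source_ip, user): hosts} for every source/account pair that
    reached at least min_hosts distinct hosts inside one sliding window."""
    by_key = defaultdict(list)
    for e in network_logons(events):
        by_key[(e["IpAddress"], e["TargetUserName"])].append(
            (datetime.fromisoformat(e["t"]), e["Computer"]))
    hits = {}
    for key, seq in by_key.items():
        seq.sort()  # chronological; tuples compare on the datetime first
        for i, (start, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[key] = hosts
                break
    return hits
```

Tune `min_hosts` and `window` to the environment: a backup or scanning account that legitimately touches many hosts needs an allow-list, while a user account normally never reaches more than a handful of hosts per window.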