
keimpx: Check for the usefulness of credentials across a network over SMB

Introduction
============

keimpx is an open source tool, released under a modified version of Apache License 1.1.

It can be used to quickly check for the usefulness of credentials across a network over SMB. Credentials can be:

* Combination of user / plain-text password.
* Combination of user / NTLM hash.
* Combination of user / NTLM logon session token.

If any valid credentials have been discovered across the network after its attack phase, the user is asked to choose which host to connect to and which valid credentials to use, and is then prompted with an interactive SMB shell where the user can:

* Spawn an interactive command prompt.
* Navigate through the remote SMB shares: list, upload and download files, create and remove files, etc.
* Deploy and undeploy his own service, for instance, a backdoor listening on a TCP port for incoming connections.
* List user details, domains and password policy.
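From the defender's side, a credential-usefulness check of the kind described above has a recognisable shape: one source address authenticates with the same account against many hosts in a short time, with a mix of successes and failures. The following is an added, hypothetical detection example written for this page; it is not keimpx code and not from the original text. It works on a constructed, simplified record format (timestamp, source IP, target host, user, outcome) and assumes those records were already exported from the hosts' authentication logs (on Windows, Security events 4624/4625 with logon type 3, which is what SMB authentication produces). The function and sample names are this example's own.

```python
"""Detect one source trying the same account against many hosts over SMB.

Constructed input (not real logs): one network-logon record per line in the
form  timestamp,src_ip,dst_host,user,outcome  where outcome is SUCCESS or
FAILURE. This is an added, hypothetical example and is not part of keimpx.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 sweeps 'svc_backup' across six hosts in two
# minutes (what a credential-usefulness check looks like from the server
# side), while 10.0.0.9 is an ordinary user reaching two file servers.
SAMPLE_LOG = """\
2024-03-01T09:00:01,10.0.0.5,FS01,svc_backup,FAILURE
2024-03-01T09:00:02,10.0.0.5,FS02,svc_backup,SUCCESS
2024-03-01T09:00:02,10.0.0.5,WS17,svc_backup,SUCCESS
2024-03-01T09:00:03,10.0.0.5,WS18,svc_backup,FAILURE
2024-03-01T09:00:04,10.0.0.5,DC01,svc_backup,FAILURE
2024-03-01T09:01:30,10.0.0.5,SQL01,svc_backup,SUCCESS
2024-03-01T09:00:10,10.0.0.9,FS01,alice,SUCCESS
2024-03-01T09:30:00,10.0.0.9,FS02,alice,SUCCESS
2024-03-01T14:00:00,10.0.0.5,FS01,svc_backup,SUCCESS
"""


def parse_log(text):
    """Parse the constructed record format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, user, outcome = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "user": user,
            "ok": outcome.upper() == "SUCCESS",
        })
    return events


def find_credential_fanout(events, min_hosts=5, window=timedelta(minutes=5)):
    """Flag (src, user) pairs that touched >= min_hosts distinct targets
    within any span of length `window`.

    Both successes and failures count: a valid account checked against many
    hosts succeeds wherever it is accepted, so a failure-only rule (classic
    brute-force logic) would miss exactly the case that matters most.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["user"])].append(e)

    alerts = []
    for (src, user), evs in by_pair.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        # Slide a window over this pair's events, anchored at each event in turn.
        for i, start in enumerate(evs):
            hosts, successes = set(), set()
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                hosts.add(e["dst"])
                if e["ok"]:
                    successes.add(e["dst"])
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"src": src, "user": user, "first_seen": start["time"],
                        "hosts": sorted(hosts), "succeeded_on": sorted(successes)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_credential_fanout(parse_log(SAMPLE_LOG)):
        print(f"{a['src']} used {a['user']} against {len(a['hosts'])} hosts "
              f"from {a['first_seen']:%H:%M:%S}; accepted on {a['succeeded_on']}")
```

The rule keys on fan-out (distinct targets per source and account) rather than on the credential type, because an NTLM hash or session token presented over SMB produces the same network logon record as a plain-text password; the server cannot tell them apart, so neither can the log. Tune `min_hosts` and `window` against legitimate sources such as backup or monitoring accounts, which also touch many hosts, and treat the `succeeded_on` list as the hosts to triage first.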

Download
========

(Subversion repository)

Documentation
=============

(recommended reading)

For the scepticals and trolls
=============================

Aren't you reinventing the wheel?[1]

As far as I know, there are three publicly available tools that do something similar:

* PsExec[2] can be used to log in with a single user/password pair to a remote machine over SMB and execute commands. It is a single executable file and works on any Windows system. It does not offer the ability to log in by providing NTLM hashes.
* smbshell[3] is a pre-compiled NASL script; it requires the nasl interpreter and a bunch of other Nessus libraries to run, which is not very convenient. Nevertheless, an advantage over PsExec is that it also accepts the NTLM hash of the password. Like PsExec, it can be used to log in to one system at a time.
* Metasploit's psexec auxiliary module[4] can be used to log in with a single user/password or user/NTLM hash pair to a remote machine over SMB and execute commands. It is an enhanced version of the original standalone PsExec, but it requires direct access between the attacker machine and the target network (you could always pivot traffic through the owned Windows system via a Meterpreter session route option, though), which is not always feasible, for instance in a Citrix break-out where the back-end system is masked by a Citrix MetaFrame web interface. Like PsExec and smbshell, it can be used to log in to one system at a time.

keimpx can be used to log in over SMB to a single target (like the previous tools) or to a list of targets, by providing either a user/password pair (like the previous tools), a user/NTLM hash pair (like smbshell and Metasploit's psexec), or a list of dumped hashes together with any passwords already cracked. If valid credentials are detected on any of the targets, it can be used to enumerate shares, users, domains and password policy, execute commands and access the Windows registry (soon). The advantage over smbshell and Metasploit's psexec module is that it is a single Python script that needs only the Python interpreter to work; moreover, the tool can be converted into a single executable file, uploaded to the owned Windows system and run from there from the command line, like PsExec. The other advantage over all the other tools is that it can primarily be used to check the usefulness of a list of credentials, as pairs of user/password, user/NTLM hash and user/NTLM session token, across the whole Windows network.