keimpx: Check for the usefulness of credentials across a network over SMB

Introduction
============

keimpx is an open source tool, released under a modified version of
Apache License 1.1.
It can be used to quickly check for the usefulness of credentials
across a network over SMB. Credentials can be:

* Combination of user / plain-text password.
* Combination of user / NTLM hash.
* Combination of user / NTLM logon session token.

If any valid credentials have been discovered across the network after
the attack phase, the user is asked to choose which host to connect to
and which valid credentials to use, and is then dropped into an
interactive SMB shell where the user can:

* Spawn an interactive command prompt.
* Navigate through the remote SMB shares: list, upload, download,
create and remove files, etc.
* Deploy and undeploy his own service, for instance, a backdoor
listening on a TCP port for incoming connections.
* List users details, domains and password policy.
* More to come, see http://code.google.com/p/keimpx/issues/list.
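Seen from the defender's side, the behaviour described above (one set of credentials tried over SMB against many hosts, then a service deployed where it worked) leaves a recognisable footprint in Windows logs. The following Python is an added example and not part of keimpx: it runs a simple fan-out detection over constructed, simplified 4624/7045 event records (the field names are the example's own, not the real event schema).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), reduced from Security event 4624
# (logon) and System event 7045 (service installed).
EVENTS = [
    {"ts": "2024-05-01T10:00:01", "host": "WS01", "id": 4624, "logon_type": 3, "auth": "NTLM", "user": "svc_backup", "src": "10.0.0.50"},
    {"ts": "2024-05-01T10:00:02", "host": "WS02", "id": 4624, "logon_type": 3, "auth": "NTLM", "user": "svc_backup", "src": "10.0.0.50"},
    {"ts": "2024-05-01T10:00:03", "host": "SRV01", "id": 4624, "logon_type": 3, "auth": "NTLM", "user": "svc_backup", "src": "10.0.0.50"},
    {"ts": "2024-05-01T10:00:04", "host": "SRV02", "id": 4624, "logon_type": 3, "auth": "NTLM", "user": "svc_backup", "src": "10.0.0.50"},
    # interactive Kerberos logon by another user: should not alert
    {"ts": "2024-05-01T10:00:05", "host": "WS09", "id": 4624, "logon_type": 2, "auth": "Kerberos", "user": "alice", "src": "10.0.0.9"},
    # a service installed on one host where the credentials worked
    {"ts": "2024-05-01T10:02:00", "host": "SRV01", "id": 7045, "user": "svc_backup", "service": "cmd_svc"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def fan_out_alerts(events, window=timedelta(minutes=5), min_hosts=3):
    """Return {(user, src): (burst_start, sorted hosts)} for every account/source
    pair that produced NTLM network logons (4624, logon type 3) on at least
    min_hosts distinct hosts inside one sliding window."""
    per_pair = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3 and e["auth"] == "NTLM":
            per_pair[(e["user"], e["src"])].append((parse(e["ts"]), e["host"]))
    alerts = {}
    for pair, logons in per_pair.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[pair] = (t0, sorted(hosts))
                break
    return alerts

def service_installs_after(events, alerts, window=timedelta(minutes=10)):
    """7045 events by an alerted account on an alerted host within `window`
    after the burst: the 'deploy a service' step that follows a hit."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        for (user, _src), (start, hosts) in alerts.items():
            if e["user"] == user and e["host"] in hosts and timedelta(0) <= parse(e["ts"]) - start <= window:
                hits.append((e["host"], user, e["service"]))
    return hits
```

Thresholds such as three hosts in five minutes are a starting point; tune them against the normal fan-out of backup and management accounts in your own environment.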

Download
========

* Stable version: http://keimpx.googlecode.com/files/keimpx-0.2.zip
* Development version: http://code.google.com/p/keimpx/source/checkout
(Subversion repository)

Documentation
=============

* Usage: http://code.google.com/p/keimpx/wiki/Usage
* Examples: http://code.google.com/p/keimpx/wiki/Examples
* Frequently Asked Questions: http://code.google.com/p/keimpx/wiki/FAQ
(recommended reading)
* License: http://code.google.com/p/keimpx/wiki/License

For the sceptics and trolls
===========================

Aren't you reinventing the wheel?[1]

As far as I know, three similar tools are publicly available:

* PsExec[2] can be used to log in via a single pair of user/password to
a remote machine over SMB and execute commands. A single executable
file, it works on any Windows system. It does not offer the ability to
log in by providing NTLM hashes.
* smbshell[3] is a pre-compiled NASL script and it requires the nasl
interpreter and a bunch of other Nessus libraries to run, which is not
very convenient. Nevertheless, an advantage over PsExec is that it also
accepts the NTLM hash of the password. Like PsExec, it can be used to
log in to one system at a time.
* Metasploit's psexec auxiliary module[4] can be used to log in via a
single pair of user/password or user/NTLM hash to a remote machine
over SMB and execute commands. It is an enhanced version of the
original standalone PsExec, but it requires direct access between the
attacker machine and the target network (you could always pivot
traffic through the owned Windows system via a Meterpreter session
route option, though), which is not always feasible, for instance, in
a Citrix break-out where the back-end system is masked by a Citrix
MetaFrame web interface. Like PsExec and smbshell, it can be used to
log in to one system at a time.

keimpx can be used to log in over SMB to a single target (like the
previous tools) or to a list of targets by providing either a pair of
user/password (like the previous tools), a pair of user/NTLM hash (like
smbshell and Metasploit's psexec), or a list of dumped hashes and,
optionally, the cracked passwords. If valid credentials are detected on
any of the targets, it can be used to enumerate shares, users,
domains and password policy, execute commands and access the Windows
registry (soon). The advantage over smbshell and Metasploit's psexec
module is that it is a single Python script that requires only the
Python interpreter to run; moreover, the tool can be converted into a
single executable file, uploaded to the owned Windows system and run
from there from the command line, like PsExec. The other advantage
over all the other tools is that it can primarily be used to check for
the usefulness of a list of credentials, as pairs of user/password,
user/NTLM hash and user/NTLM session token, across the whole Windows
network.

[0] http://code.google.com/p/keimpx/
[1] http://code.google.com/p/keimpx/wiki/FAQ#Aren't_you_reinventing_the_wheel?
[2] http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
[3] http://cgi.tenablesecurity.com/tenable/smbshell.php
[4] http://metasploit.com/framework/
