keimpx: Check for the usefulness of credentials across a network over SMB

简介: Introduction============keimpx is an open source tool, released under a modified version ofApache License 1.

Introduction
============

keimpx is an open source tool, released under a modified version of
Apache License 1.1.
It can be used to quickly check for the usefulness of credentials
across a network over SMB. Credentials can be:

* Combination of user / plain-text password.
* Combination of user / NTLM hash.
* Combination of user / NTLM logon session token.

If any valid credentials has been discovered across the network after
its attack phase, the user is asked to choose which host to connect to
and which valid credentials to use, then he will be prompted with an
interactive SMB shell where the user can:

* Spawn an interactive command prompt.
* Navigate through the remote SMB shares: list, upload, download
files, create, remove files, etc.
* Deploy and undeploy his own service, for instance, a backdoor
listening on a TCP port for incoming connections.
* List users details, domains and password policy.
* More to come, see http://code.google.com/p/keimpx/issues/list.

Download
========

* Stable version: http://keimpx.googlecode.com/files/keimpx-0.2.zip
* Development version: http://code.google.com/p/keimpx/source/checkout
(Subversion repository)

Documentation
=============

* Usage: http://code.google.com/p/keimpx/wiki/Usage
* Examples: http://code.google.com/p/keimpx/wiki/Examples
* Frequently Asked Questions: http://code.google.com/p/keimpx/wiki/FAQ
(recommended reading)
* License: http://code.google.com/p/keimpx/wiki/License

For the scepticals and trolls
=============================

Aren't you reinventing the wheel?[1]

As far as I know, there exist publicly three similar tools:

* PsExec[2] can be used to login via a single pair of user/password to
a remote machine over SMB and execute commands. Single executable
file, it works on any Windows system. It does not offer the ability to
login by providing NTLM hashes.
* smbshell[3] is a pre-compiled NASL script and it requires the nasl
interpreter and a bunch of other Nessus libraries to run, not very
convenient. Nevertheless, an advantage over PsExec is that it accepts
also the NTLM hash of the password. Like PsExec, it can be used to
login onto one system at a time.
* Metasploit's psexec auxiliary module[4] can be used to login via a
single pair of user/password or user/NTLM hash to a remote machine
over SMB and execute commands. It is an enhanced version of the
original standalone PsExec, but it requires to have direct access
between the attacker machine and the target network (you could always
pivot traffic through the owned Windows system via a Meterpreter
session route option though) which is not always feasible, for
instance, in a Citrix break-out where the back-end system is masked by
a Citrix MetaFrame web interface. Like PsExec and smbshell, it can be
used to login onto one system at a time.

keimpx can be used to login over SMB onto a single target (like
previous tools) or a list of targets by providing either a pair of
user/password (like previous tools), a pair of user/NTLM hash (like
smbshell and Metasploit's psexec), a list with the dumped hashes and
eventually the cracked passwords. If valid credentials are detected on
any of the targets, it can be used to enumerate shares, users,
domains, password policy, execute commands and access the Windows
registry (soon). The advantage over smbshell and Metasploit's psexec
module is that it is a single Python script that requires the Python
interpreter only to work, moreover the tool can be converted into a
single executable file, then uploaded to the owned Windows system and
run from there from command line, like PsExec. The other advantage
over all the other tools is that it can primarily be used to check for
the usefulness of a list of credentials, as in pairs of user/password,
user/NTLM hash and user/NTLM session token, across the whole Windows
network.

[0] http://code.google.com/p/keimpx/
[1] http://code.google.com/p/keimpx/wiki/FAQ#Aren't_you_reinventing_the_wheel?
[2] http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
[3] http://cgi.tenablesecurity.com/tenable/smbshell.php
[4] http://metasploit.com/framework/

目录
相关文章
|
2月前
|
canal Kubernetes Perl
Network Policy及应用
文章主要介绍了如何在Kubernetes中使用Network Policy进行网络策略配置,包括如何部署Calico网络模型来支持网络策略,以及如何通过设置不同的网络策略来控制不同命名空间下Pods之间的访问权限。
44 4
Network Policy及应用
|
数据安全/隐私保护
remote: Support for password authentication was removed on August 13, 2021
remote: Support for password authentication was removed on August 13, 2021
187 0
|
关系型数据库 MySQL
nodejs.ER_NOT_SUPPORTED_AUTH_MODEError: ER_NOT_SUPPORTED_AUTH_MODE:
nodejs.ER_NOT_SUPPORTED_AUTH_MODEError: ER_NOT_SUPPORTED_AUTH_MODE:
115 0
|
区块链
Error: No network specified. Cannot determine current network异常
Error: No network specified. Cannot determine current network异常
156 0
|
安全 Shell 开发工具
|
安全 Shell 开发工具
下一篇
无影云桌面