Skip to content

Check for valid credentials across a network over SMB

License

Notifications You must be signed in to change notification settings

nccgroup/keimpx

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Introduction

keimpx is an open source tool, released under the Apache License 2.0.

It can be used to quickly check for valid credentials across a network over SMB. Credentials can be:

  • Combination of user / plain-text password.
  • Combination of user / NTLM hash.
  • Combination of user / NTLM logon session token.

If any valid credentials are discovered across the network after its attack phase, the user is asked to choose which host to connect to and which valid credentials to use. They will then be provided with an interactive SMB shell where the user can:

  • Spawn an interactive command prompt.
  • Navigate through the remote SMB shares: list, upload, download files, create, remove files, etc.
  • Deploy and undeploy their own services, for instance, a backdoor listening on a TCP port for incoming connections.
  • List users details, domains and password policy.
  • More to come, see the issues page.

Dependencies

keimpx is currently developed using Python 3.8 and makes use of the excellent Impacket library from SecureAuth Corporation for much of its functionality. keimpx also makes use of the PyCryptodome library for cryptographic functions.

Installation

To install keimpx, first install Python 3.8. On Windows, you can find the installer at this link. For Linux users, many distributions provide Python 3 and make it available via your package manager (usual package names include python3 and python).

On Linux systems, you may also need to install pip and openssl-dev using your package manager for the next step.

Once you have Python 3.8 installed, use pip to install the required dependencies using this command:

pip install -r requirements.txt

keimpx can then be executed by running on Linux systems:

./keimpx.py [options]

Or if this doesn't work:

python keimpx.py [options]
python3 keimpx.py [options]

On Windows systems, you may need to specify the full path to your Python 3.8 binary, for example:

C:\Python37\bin\python.exe keimpx.py [options]

Please ensure you use the correct path for your system, as this is only an example.

Usage

Let's say you are performing an infrastructure penetration test of a large network, you owned a Windows workstation, escalated your privileges to Administrator or LOCAL SYSTEM and dumped password hashes.

You also enumerated the list of machines within the Windows domain via net command, ping sweep, ARP scan and network traffic sniffing.

Now, what if you want to check for the validity of the dumped hashes without the need to crack them across the whole Windows network over SMB? What if you want to login to one or more system using the dumped NTLM hashes then surf the shares or even spawn a command prompt?

Fire up keimpx and let it do the work for you!

Another scenario where it comes handy is discussed in this blog post.

Help message

keimpx 0.5.1-rc
by Bernardo Damele A. G. <[email protected]>
    
Usage: keimpx.py [options]

Options:
  --version       show program's version number and exit
  -h, --help      show this help message and exit
  -v VERBOSE      Verbosity level: 0-2 (default: 0)
  -t TARGET       Target address
  -l LIST         File with list of targets
  -U USER         User
  -P PASSWORD     Password
  --nt=NTHASH     NT hash
  --lm=LMHASH     LM hash
  -c CREDSFILE    File with list of credentials
  -D DOMAIN       Domain
  -d DOMAINSFILE  File with list of domains
  -p PORT         SMB port: 139 or 445 (default: 445)
  -n NAME         Local hostname
  -T THREADS      Maximum simultaneous connections (default: 10)
  -b              Batch mode: do not ask to get an interactive SMB shell
  -x EXECUTELIST  Execute a list of commands against all hosts

For examples see this wiki page.

Frequently Asked Questions

See this wiki page.

License

Copyright 2009-2020 Bernardo Damele A. G. [email protected]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Contributors

Thanks to:

  • deanx - for developing polenum and some classes ripped from him.
  • Wh1t3Fox - for updating polenum to make it compatible with newer versions of Impacket.
  • frego - for his Windows service bind-shell executable and help with the service deploy/undeploy methods.
  • gera, beto and the rest of the SecureAuth Corporation guys - for developing such amazing Python library and providing it with examples.
  • NEXUS2345 - for updating and maintaining keimpx.