Hi guys,
Today I thought I'd put up a post about a little known tool called Keimpx. In a nutshell it's a python script that allows you to login to multiple machines via SMB using either plain username/password or NTLM hashes.
I had originally tried to use the Metasploit psexec module (exploit/windows/smb/psexec) however I was receiving error messages every time I launched the module. After some research I found out that the issue was related to the "Simple File Sharing" option. Specifically, if this option is enabled then psexec won't work. To disable this option go to Tools -> Folder Options -> View -> "Use simple file sharing", and untick, then restart. Magically psexec will now work!
However, I was looking for some way to try multiple hashes across multiple machines and the Metasploit module doesn't support this by default. It is possible to use a Metasploit script to do this but to save time I did a quick Google and stumbled upon Keimpx.
Keimpx is included in BackTrack 5 by default, alternatively it can be downloaded from http://code.google.com/p/keimpx/ . The basic command I used most often was:
./keimpx.py -c hashes.txt -l servers.txt -v 2
Where hashes.txt contains your NTLM hashes and servers.txt contains your list of targets. The v is for verbose.
If you know the username and password of a user:
./keimpx.py -t 192.168.1.1 -U bob -P bobpass -v 2
Where -t is a single target, -U is the username and -P the password.
Here's a quick example of me running this in the offensive security lab:
Once you've successfully logged in via SMB Keimpx supports a number of useful enumeration features, file system access as well as the ability to drop into a command shell. This is definitely a tool you should try out if you're looking to blitz multiple machines with harvested hashes.
It's worth mentioning that there is a ton of different ways to perform pass the hash. CG gave a good outline of these at DerbyCon2012:
http://carnal0wnage.attackresearch.com/2012/10/derbycon-media.html
PwnDizzle