Tuesday 3 April 2012

Metasploit psexec vs Keimpx

[Updated 26/10/12]

Hi guys,

Today I thought I'd put up a post about a little-known tool called Keimpx. In a nutshell it's a Python script that allows you to log in to multiple machines via SMB using either a plain username/password or NTLM hashes.

I had originally tried to use the Metasploit psexec module (exploit/windows/smb/psexec), however I was receiving error messages every time I launched the module. After some research I found out that the issue was related to the "Simple File Sharing" option. Specifically, if this option is enabled then psexec won't work. To disable it go to Tools -> Folder Options -> View -> "Use simple file sharing", untick it, then restart. Magically psexec will now work!

However, I was looking for some way to try multiple hashes across multiple machines and the Metasploit module doesn't support this by default. It is possible to use a Metasploit script to do this but to save time I did a quick Google and stumbled upon Keimpx. 

Keimpx is included in BackTrack 5 by default; alternatively it can be downloaded from http://code.google.com/p/keimpx/. The basic command I used most often was:

./keimpx.py -c hashes.txt -l servers.txt -v 2

Where hashes.txt contains your NTLM hashes and servers.txt contains your list of targets. The -v flag sets the verbosity level.

If you know the username and password of a user:

./keimpx.py -t -U bob -P bobpass -v 2

Where -t is a single target, -U is the username and -P the password.

Here's a quick example of me running this in the offensive security lab:

Once you've successfully logged in via SMB, Keimpx supports a number of useful enumeration features, file system access, and the ability to drop into a command shell. This is definitely a tool you should try out if you're looking to blitz multiple machines with harvested hashes.
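Since the post covers the attacker's side, here is the defender's view as an added example (my own code, not from the original post or the Keimpx project): a Python script that flags the footprint of exactly this workflow, one source trying NTLM network logons against many hosts in a short window, run over constructed Windows Security 4624/4625 records. The field layout, thresholds and sample values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security logon events
# (timestamp, event id, target host, account, source IP, authentication package).
# 4624 = successful logon, 4625 = failed logon; all are assumed to be type 3 (network).
SAMPLE_EVENTS = [
    ("2012-04-03T10:00:01", 4625, "WS01", "bob", "10.0.0.5", "NTLM"),
    ("2012-04-03T10:00:02", 4625, "WS02", "bob", "10.0.0.5", "NTLM"),
    ("2012-04-03T10:00:03", 4624, "WS03", "bob", "10.0.0.5", "NTLM"),
    ("2012-04-03T10:00:04", 4625, "WS04", "bob", "10.0.0.5", "NTLM"),
    ("2012-04-03T10:00:05", 4624, "WS05", "bob", "10.0.0.5", "NTLM"),
    ("2012-04-03T10:00:06", 4624, "WS06", "bob", "10.0.0.5", "NTLM"),
    # Normal admin activity: a few servers over an hour, mostly Kerberos.
    ("2012-04-03T09:00:00", 4624, "SRV01", "alice", "10.0.0.9", "Kerberos"),
    ("2012-04-03T09:30:00", 4624, "SRV02", "alice", "10.0.0.9", "Kerberos"),
    ("2012-04-03T10:10:00", 4624, "SRV03", "alice", "10.0.0.9", "NTLM"),
]


def find_spray_sources(events, min_hosts=5, window=timedelta(minutes=10)):
    """Return {(source_ip, account): sorted hosts} for every source that reached
    at least `min_hosts` distinct hosts via NTLM inside any `window`-long span.
    Failed and successful logons both count: trying several hashes per host
    produces 4625s before the 4624 that finally works."""
    per_source = defaultdict(list)
    for ts, event_id, host, account, src_ip, package in events:
        if event_id not in (4624, 4625) or package != "NTLM":
            continue  # Kerberos logons and unrelated events are not part of this pattern
        per_source[(src_ip, account)].append((datetime.fromisoformat(ts), host))

    flagged = {}
    for key, seen in per_source.items():
        seen.sort()  # chronological order so a sliding window works
        start = 0
        for end, (t_end, _) in enumerate(seen):
            while t_end - seen[start][0] > window:
                start += 1  # drop events that fell out of the window
            if len({h for _, h in seen[start:end + 1]}) >= min_hosts:
                flagged[key] = sorted({h for _, h in seen})  # report every host touched
                break
    return flagged


if __name__ == "__main__":
    for (src, acct), hosts in find_spray_sources(SAMPLE_EVENTS).items():
        print(f"{src} as {acct} hit {len(hosts)} hosts via NTLM: {', '.join(hosts)}")
```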

It's worth mentioning that there is a ton of different ways to perform pass the hash. CG gave a good outline of these at DerbyCon2012: