Tuesday, 3 April 2012

Metasploit psexec vs Keimpx

[Updated 26/10/12]

Hi guys,

Today I thought I'd put up a post about a little-known tool called Keimpx. In a nutshell, it's a Python script that lets you log in to multiple machines via SMB using either a plain username/password or NTLM hashes.

I had originally tried to use the Metasploit psexec module (exploit/windows/smb/psexec); however, I was receiving error messages every time I launched the module. After some research I found out that the issue was related to the "Simple File Sharing" option: if this option is enabled, psexec won't work. To disable it go to Tools -> Folder Options -> View -> "Use simple file sharing", untick it, then restart. Magically psexec will now work!

However, I was looking for a way to try multiple hashes across multiple machines, and the Metasploit module doesn't support this by default. It is possible to use a Metasploit script to do this, but to save time I did a quick Google and stumbled upon Keimpx.

Keimpx is included in BackTrack 5 by default; alternatively it can be downloaded from http://code.google.com/p/keimpx/. The basic command I used most often was:

./keimpx.py -c hashes.txt -l servers.txt -v 2

Where hashes.txt contains your NTLM hashes and servers.txt contains your list of targets. The -v 2 sets the verbosity level.

If you know the username and password of a user:

./keimpx.py -t 192.168.1.1 -U bob -P bobpass -v 2

Where -t is a single target, -U is the username and -P is the password.

Here's a quick example of me running this in the offensive security lab:



Once you've successfully logged in via SMB, Keimpx supports a number of useful enumeration features and file system access, as well as the ability to drop into a command shell. This is definitely a tool you should try out if you're looking to blitz multiple machines with harvested hashes.
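On the receiving end, a hash list sprayed across servers.txt the way Keimpx does it shows up as a burst of NTLM network logons (Windows event 4624, logon type 3) from one source address and one account against many hosts in a short time. The detection logic below is an added example, not code from the original post or from Keimpx; it runs over constructed, simplified event lines, and the host names, accounts and addresses in it are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified 4624-style logon records from several hosts
# (not real logs): timestamp, destination host, account, logon type,
# authentication package, source address.
SAMPLE_EVENTS = [
    "2012-04-03T10:00:01 host=FILESRV01 user=bob type=3 auth=NTLM src=192.168.1.50",
    "2012-04-03T10:00:03 host=FILESRV02 user=bob type=3 auth=NTLM src=192.168.1.50",
    "2012-04-03T10:00:04 host=FILESRV01 user=alice type=3 auth=Kerberos src=192.168.1.20",
    "2012-04-03T10:00:06 host=FILESRV03 user=bob type=3 auth=NTLM src=192.168.1.50",
    "2012-04-03T10:00:09 host=WKS-ADMIN user=bob type=3 auth=NTLM src=192.168.1.50",
    "2012-04-03T10:02:00 host=FILESRV01 user=alice type=3 auth=NTLM src=192.168.1.20",
    "2012-04-03T10:45:00 host=FILESRV09 user=bob type=3 auth=NTLM src=192.168.1.50",
]

def parse_event(line):
    """Split one 'ts key=value ...' record into a dict with a datetime 'ts'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
    return fields

def find_hash_spray(lines, min_hosts=3, window=timedelta(minutes=5)):
    """Return {(src, user): [hosts]} for source/account pairs whose NTLM
    network logons (type 3) reached at least min_hosts distinct hosts
    inside any sliding window of the given length. Kerberos and
    interactive logons are ignored, as are slow, isolated logons."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    by_key = defaultdict(list)
    for e in events:
        if e["type"] == "3" and e["auth"] == "NTLM":
            by_key[(e["src"], e["user"])].append(e)
    findings = {}
    for key, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings.setdefault(key, set()).update(hosts)
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for (src, user), hosts in find_hash_spray(SAMPLE_EVENTS).items():
        print(f"{user} from {src} reached {len(hosts)} hosts over NTLM: {hosts}")
```

Legitimate admin tooling and backup agents can produce the same fan-out pattern, so the threshold and window need tuning against a baseline of your own environment's normal service accounts.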


It's worth mentioning that there are a ton of different ways to perform pass-the-hash. CG gave a good outline of these at DerbyCon 2012:
http://carnal0wnage.attackresearch.com/2012/10/derbycon-media.html



PwnDizzle

4 comments:

  1. Hi....
    The psexec Metasploit module is often used to obtain access to a system by entering a password or simply just specifying the hash values to "pass the hash".