Tuesday 3 April 2012

Metasploit psexec vs Keimpx

[Updated 26/10/12]

Hi guys,

Today I thought I'd put up a post about a little-known tool called Keimpx. In a nutshell it's a Python script (built on the Impacket SMB libraries) that lets you log in to multiple machines over SMB using either a plain username/password or NTLM hashes, i.e. pass the hash.

I had originally tried to use the Metasploit psexec module (exploit/windows/smb/psexec), however I was receiving error messages every time I launched the module. After some research I found out that the issue was related to the "Simple File Sharing" option on Windows XP. With this option enabled, XP forces every network logon to the Guest account (the ForceGuest setting), so even valid administrator credentials can't reach the ADMIN$ share that psexec needs to upload and start its service. To disable this option go to Tools -> Folder Options -> View -> "Use simple file sharing", untick it, then restart. Magically psexec will now work!

However, I was looking for some way to try multiple hashes across multiple machines, and the Metasploit module doesn't support this by default (it takes a single RHOST and a single SMBUser/SMBPass pair per run). It is possible to script this with a Metasploit resource script, but to save time I did a quick Google and stumbled upon Keimpx.

Keimpx is included in BackTrack 5 by default, alternatively it can be downloaded from http://code.google.com/p/keimpx/ . The basic command I used most often was:

./keimpx.py -c hashes.txt -l servers.txt -v 2

Where hashes.txt contains your credentials, one per line, in the formats Keimpx's parser accepts (a plain user:password line, or a pwdump-style user:RID:LMhash:NThash::: line as produced by hashdump), and servers.txt contains your list of targets, one host per line. The -v sets the verbosity level (0-2).

If you know the username and password of a user:

./keimpx.py -t 192.168.1.1 -U bob -P bobpass -v 2

Where -t is a single target, -U is the username and -P the password. For a single hash use --lm and --nt instead of -P.

Here's a quick example of me running this in the Offensive Security lab (screenshot in the original post):
Once you've successfully logged in via SMB, Keimpx supports a number of useful enumeration features, file system access on the shares, as well as the ability to drop into a command shell. Note that the command shell, like Metasploit's psexec, works by creating a service on the target, so the account you pass the hash for needs administrative rights on that host. This is definitely a tool you should try out if you're looking to blitz multiple machines with harvested hashes.


It's worth mentioning that there are many different ways to perform pass the hash. CG gave a good outline of these at DerbyCon 2012:
http://carnal0wnage.attackresearch.com/2012/10/derbycon-media.html



PwnDizzle

Comments:

  1. Hi....
    The psexec Metasploit module is often used to obtain access to a system by entering a password or simply just specifying the hash values to "pass the hash".