keimpx is an open source tool, released under the Apache License 2.0.
It can be used to quickly check for valid credentials across a network over SMB. Credentials can be:
- Combination of user / plain-text password.
- Combination of user / NTLM hash.
- Combination of user / NTLM logon session token.
If any valid credentials are discovered across the network after its attack phase, the user is asked to choose which host to connect to and which valid credentials to use. They will then be provided with an interactive SMB shell where the user can:
- Spawn an interactive command prompt.
- Navigate through the remote SMB shares: list, upload, download files, create, remove files, etc.
- Deploy and undeploy their own services, for instance, a backdoor listening on a TCP port for incoming connections.
- List users details, domains and password policy.
- More to come, see the issues page.
keimpx is currently developed using Python 3.8 and makes use of the excellent Impacket library from SecureAuth Corporation for much of its functionality. keimpx also makes use of the PyCryptodome library for cryptographic functions.
To install keimpx, first install Python 3.8. On Windows, you can find the installer at this link. For Linux users, many distributions provide Python 3 and make it available via your package manager (usual package names include python3 and python).
On Linux systems, you may also need to install pip and openssl-dev using your package manager for the next step.
Once you have Python 3.8 installed, use pip to install the required dependencies using this command:
pip install -r requirements.txt
keimpx can then be executed by running on Linux systems:
Or if this doesn’t work:
python keimpx.py [options]
python3 keimpx.py [options]
On Windows systems, you may need to specify the full path to your Python 3.8 binary, for example:
C:\Python37\bin\python.exe keimpx.py [options]
Please ensure you use the correct path for your system, as this is only an example.
Let’s say you are performing an infrastructure penetration test of a large network, you owned a Windows workstation, escalated your privileges to
LOCAL SYSTEM and dumped password hashes.
You also enumerated the list of machines within the Windows domain via
net command, ping sweep, ARP scan and network traffic sniffing.
Now, what if you want to check for the validity of the dumped hashes without the need to crack them across the whole Windows network over SMB? What if you want to login to one or more system using the dumped NTLM hashes then surf the shares or even spawn a command prompt?
Fire up keimpx and let it do the work for you!
Another scenario where it comes handy is discussed in this blog post.
<div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="keimpx 0.5.1-rc by Bernardo Damele A. G. Usage: keimpx.py [options] Options: –version show program’s version number and exit -h, –help show this help message and exit -v VERBOSE Verbosity level: 0-2 (default: 0) -t TARGET Target address -l LIST File with list of targets -U USER User -P PASSWORD Password –nt=NTHASH NT hash –lm=LMHASH LM hash -c CREDSFILE File with list of credentials -D DOMAIN Domain -d DOMAINSFILE File with list of domains -p PORT SMB port: 139 or 445 (default: 445) -n NAME Local hostname -T THREADS Maximum simultaneous connections (default: 10) -b Batch mode: do not ask to get an interactive SMB shell -x EXECUTELIST Execute a list of commands against all hosts “>
by Bernardo Damele A. G. <[email protected]>
Usage: keimpx.py [options]
--version show program's version number and exit
-h, --help show this help message and exit
-v VERBOSE Verbosity level: 0-2 (default: 0)
-t TARGET Target address
-l LIST File with list of targets
-U USER User
-P PASSWORD Password
--nt=NTHASH NT hash
--lm=LMHASH LM hash
-c CREDSFILE File with list of credentials
-D DOMAIN Domain
-d DOMAINSFILE File with list of domains
-p PORT SMB port: 139 or 445 (default: 445)
-n NAME Local hostname
-T THREADS Maximum simultaneous connections (default: 10)
-b Batch mode: do not ask to get an interactive SMB shell
-x EXECUTELIST Execute a list of commands against all hosts