keimpx: Check for valid credentials across a network over SMB
keimpx
keimpx is an open-source tool, released under the Apache License 2.0.
It can be used to quickly check for valid credentials across a network over SMB. Credentials can be:
- Combination of user / plain-text password.
- Combination of user / NTLM hash.
- Combination of user / NTLM login session token.
If any valid credentials are discovered across the network after its attack phase, the user is asked to choose which host to connect to and which valid credentials to use. They will then be provided with an interactive SMB shell where the user can:
- Spawn an interactive command prompt.
- Navigate through the remote SMB shares: list, upload and download files, create and remove files, etc.
- Deploy and undeploy their own services, for instance, a backdoor listening on a TCP port for incoming connections.
- List user details, domains, and the password policy.
- More to come, see the issues page.
Install
git clone https://github.com/nccgroup/keimpx.git
cd keimpx
pip3 install -r requirements.txt
Use
Let's say you are performing an infrastructure penetration test of a large network: you have owned a Windows workstation, escalated your privileges to Administrator or LOCAL SYSTEM, and dumped the password hashes.
You have also enumerated the list of machines within the Windows domain via the net command, a ping sweep, an ARP scan, and network traffic sniffing.
Now, what if you want to check the validity of the dumped hashes across the whole Windows network over SMB, without needing to crack them? What if you want to log in to one or more systems using the dumped NTLM hashes and then browse the shares or even spawn a command prompt?
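Seen from the defender's side, a sweep like the one described above leaves a distinctive trail: one source host producing NTLM network logons (Windows Security event 4624, logon type 3) against many different machines within seconds. The following is an added example, not part of keimpx or its documentation; it runs a simple sliding-window detector over a constructed, CSV-flattened set of such events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4624 (successful logon) events, flattened to CSV:
# timestamp, source ip, target host, account, logon type, authentication package.
# Logon type 3 with NTLM from one source to many hosts in a short window is the footprint
# of a tool testing one credential (password or hash) across a network over SMB.
SAMPLE_EVENTS = """\
2020-05-01T10:00:01,10.0.0.5,FS01,svc_backup,3,NTLM
2020-05-01T10:00:02,10.0.0.5,FS02,svc_backup,3,NTLM
2020-05-01T10:00:02,10.0.0.5,WS14,svc_backup,3,NTLM
2020-05-01T10:00:03,10.0.0.5,WS15,svc_backup,3,NTLM
2020-05-01T10:00:04,10.0.0.5,DC01,svc_backup,3,NTLM
2020-05-01T10:00:09,10.0.0.5,SQL01,svc_backup,3,NTLM
2020-05-01T10:00:10,10.0.0.7,FS01,jdoe,3,Kerberos
2020-05-01T10:30:00,10.0.0.7,FS02,jdoe,3,Kerberos
2020-05-01T11:00:00,10.0.0.9,WS14,admin,2,NTLM
"""

def parse_events(text):
    """Parse the constructed CSV into (timestamp, src, host, user, logon_type, package) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, host, user, ltype, pkg = line.split(",")
        events.append((datetime.fromisoformat(ts), src, host, user, int(ltype), pkg))
    return events

def detect_credential_sweeps(events, window=timedelta(seconds=60), min_hosts=5):
    """Return {(src, user): sorted hosts} for NTLM network logons from one source and account
    that reached at least `min_hosts` distinct hosts inside any `window`-long span."""
    by_key = defaultdict(list)
    for ts, src, host, user, ltype, pkg in events:
        if ltype == 3 and pkg == "NTLM":           # network logon authenticated with NTLM
            by_key[(src, user)].append((ts, host))
    findings = {}
    for key, hits in by_key.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # slide the window forward
                start += 1
            hosts = {h for _, h in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings[key] = sorted(hosts | set(findings.get(key, [])))
    return findings

if __name__ == "__main__":
    for (src, user), hosts in detect_credential_sweeps(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src} tested {user!r} against {len(hosts)} hosts: {', '.join(hosts)}")
```

The thresholds (60 seconds, 5 hosts) are assumptions for the sample and should be tuned to the normal fan-out of service accounts in the environment being monitored.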
Tutorial
Copyright 2009-2020 Bernardo Damele A. G. bernardo.damele@gmail.com