Phase-Support, Featured
Updated Feb 10, 2010 by bernardo.damele

Frequently Asked Questions

What is this tool about?

Please refer to this and this wiki page.

It basically takes a single pair of credentials or a list of credentials (plain-text passwords or NTLM hashes as output by Pass-The-Hash Toolkit, PWDumpX and similar tools), and a single host or a list of hosts. It then tries the combinations of user credentials and hosts to see where they work.

When is it useful?

It comes in handy when you are in front of a large Windows network, have owned one of the workstations (or a server) and want to check on which other systems you can log in with the dumped hashes or cracked plain-text passwords. More on the reasons behind this tool here and here.

Is it a sniffer or a password cracker?

No, neither of them. Refer to the previous answers.

Does it exploit any security vulnerability?

No, it is a post-exploitation tool.

Ok, but how do I get these password hashes?

Once you are a highly privileged user on a Windows system, you can dump users' password hashes from the Security Accounts Manager (SAM), LSA secrets, cached passwords, Protected Storage, reversible-encryption storage, password history and the tokens of current logon sessions.

Save all the dumped hashes on a text file and use it as the credentials file for this tool.

What if I am not a high privileged user on the Windows system?

You can escalate your privileges to Administrator or SYSTEM before dumping the password hashes.

Aren't you reinventing the wheel?

As far as I know, there are three similar publicly available tools:

  • PsExec can be used to log in with a single user/password pair to a remote machine over SMB and execute commands. It is a single executable file and works on any Windows system. It does not offer the ability to log in by providing NTLM hashes.
  • smbshell is a pre-compiled NASL script; it requires the nasl interpreter and a number of other Nessus libraries to run, which is not very convenient. Nevertheless, an advantage over PsExec is that it also accepts the NTLM hash of the password. Like PsExec, it can be used to log in to one system at a time.
  • Metasploit's psexec auxiliary module can be used to log in with a single user/password or user/NTLM hash pair to a remote machine over SMB and execute commands. It is an enhanced version of the original standalone PsExec, but it requires direct network access between the attacker machine and the target network (traffic could always be pivoted through the owned Windows system via a Meterpreter session route, though), which is not always feasible, for instance in a Citrix break-out where the back-end system is hidden behind a Citrix MetaFrame web interface. Like PsExec and smbshell, it can be used to log in to one system at a time.

keimpx can be used to log in over SMB to a single target (like the previous tools) or to a list of targets, providing either a user/password pair (like the previous tools), a user/NTLM hash pair (like smbshell and Metasploit's psexec), or a list of dumped hashes and, where available, the cracked passwords. If valid credentials are found on any of the targets, it can be used to enumerate shares, users, domains and the password policy, execute commands and access the Windows registry (soon). The advantage over smbshell and Metasploit's psexec module is that it is a single Python script that needs only the Python interpreter to run; moreover, the tool can be converted into a single executable file, uploaded to the owned Windows system and run from there from the command line, like PsExec. The other advantage over all the other tools is that it is primarily meant to check which of a list of credentials (user/password, user/NTLM hash and user/NTLM session token pairs) are valid across the whole Windows network.
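The behaviour described above, one source trying a credential set against a whole list of hosts over SMB, has a distinctive footprint on the defender's side: a burst of network (type 3) NTLM logons, successes and failures mixed, from a single source address to many distinct hosts within a short window. The following Python script is an added example and not part of keimpx; it shows how such a sweep can be flagged from centrally collected Windows Security events 4624 (logon success) and 4625 (logon failure). The event records, field layout and thresholds are constructed for illustration and simplified from the real event schema.

```python
"""Flag credential sweeps over SMB from Windows Security logon events.

Added example (not keimpx code). Assumption: 4624/4625 events from all hosts
are forwarded to one place and reduced to the tuple
(timestamp, event_id, target_host, account, source_ip, logon_type, auth_package).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. The first block mimics one source address
# validating a single account against six hosts in a few seconds; the rest
# are benign background activity.
SAMPLE_EVENTS = [
    ("2010-02-10 10:00:01", 4624, "FS01",  "CORP\\jdoe",   "10.0.0.5",  3, "NTLM"),
    ("2010-02-10 10:00:02", 4625, "FS02",  "CORP\\jdoe",   "10.0.0.5",  3, "NTLM"),
    ("2010-02-10 10:00:02", 4624, "WS017", "CORP\\jdoe",   "10.0.0.5",  3, "NTLM"),
    ("2010-02-10 10:00:03", 4624, "WS018", "CORP\\jdoe",   "10.0.0.5",  3, "NTLM"),
    ("2010-02-10 10:00:03", 4625, "WS019", "CORP\\jdoe",   "10.0.0.5",  3, "NTLM"),
    ("2010-02-10 10:00:04", 4624, "SQL01", "CORP\\jdoe",   "10.0.0.5",  3, "NTLM"),
    # benign: a user opening two file shares over the course of a morning
    ("2010-02-10 09:15:00", 4624, "FS01",  "CORP\\asmith", "10.0.0.9",  3, "NTLM"),
    ("2010-02-10 09:47:00", 4624, "FS02",  "CORP\\asmith", "10.0.0.9",  3, "NTLM"),
    # benign: an interactive (type 2) logon at the console, not a network logon
    ("2010-02-10 10:00:02", 4624, "WS020", "CORP\\bwu",    "10.0.0.20", 2, "Negotiate"),
]


def parse_event(raw):
    """Turn one raw tuple into a dict with a real datetime for ordering."""
    ts, event_id, host, account, src, logon_type, auth = raw
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "event_id": event_id,
        "host": host,
        "account": account,
        "src": src,
        "logon_type": logon_type,
        "auth": auth,
    }


def detect_sweeps(raw_events, window=timedelta(minutes=5), min_hosts=4):
    """Return one alert per (source_ip, account) whose network logons touched
    at least `min_hosts` distinct hosts inside a sliding `window`.

    Only type 3 (network) logons count, because SMB authentication from a
    remote tool shows up as that type; interactive logons are ignored.
    """
    events = sorted((parse_event(e) for e in raw_events), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # (src, account) -> deque of (ts, host, event_id)
    alerts = {}
    for ev in events:
        if ev["logon_type"] != 3 or ev["event_id"] not in (4624, 4625):
            continue
        key = (ev["src"], ev["account"])
        bucket = recent[key]
        bucket.append((ev["ts"], ev["host"], ev["event_id"]))
        # Drop entries that fell out of the sliding window.
        while bucket and ev["ts"] - bucket[0][0] > window:
            bucket.popleft()
        distinct_hosts = {host for _, host, _ in bucket}
        if len(distinct_hosts) >= min_hosts:
            # Overwrite so the final alert describes the latest window.
            alerts[key] = {
                "source": ev["src"],
                "account": ev["account"],
                "first_seen": bucket[0][0],
                "last_seen": ev["ts"],
                "success_hosts": sorted({h for _, h, eid in bucket if eid == 4624}),
                "failed_hosts": sorted({h for _, h, eid in bucket if eid == 4625}),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_EVENTS):
        print(f"{alert['source']} validated {alert['account']} against "
              f"{len(alert['success_hosts']) + len(alert['failed_hosts'])} hosts "
              f"between {alert['first_seen']} and {alert['last_seen']}: "
              f"accepted on {alert['success_hosts']}, rejected on {alert['failed_hosts']}")
```

The success list in an alert is the more important half: every host on it accepted the same credential, which is exactly the condition the tool above is built to find, so those hosts share a password or hash that should not be shared. The window and host thresholds are placeholders; tune them against your own baseline of legitimate network logons (backup agents, monitoring accounts and similar will touch many hosts and need to be whitelisted).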

More questions

If you have any questions, feel free to ask.
