Usage

Let's say you are performing an infrastructure penetration test of a large network: you owned a Windows workstation, escalated your privileges to Administrator or LOCAL SYSTEM, and dumped password hashes, password history, current logon session tokens, etc. You also enumerated the list of machines within the Windows domain via the net command, a ping sweep, an ARP scan and network traffic sniffing. Now, what if you want to check whether the dumped hashes are valid across the whole Windows network over SMB, without needing to crack them first? What if you want to log in to one or more systems using the dumped NTLM hashes and then browse the shares or even spawn a command prompt? Fire up keimpx and let it do the work for you! Another scenario where it comes in handy is discussed in this blog post.

Help message

    $ python keimpx.py -h
    keimpx 0.3-dev
    by Bernardo Damele A. G. <bernardo.damele@gmail.com>

    Usage: keimpx.py [options]

    Options:
      --version       show program's version number and exit
      -h, --help      show this help message and exit
      -v VERBOSE      Verbosity level: 0-2 (default: 0)
      -t TARGET       Target address
      -l LIST         File with list of targets
      -U USER         User
      -P PASSWORD     Password
      --nt=NTHASH     NT hash
      --lm=LMHASH     LM hash
      -c CREDSFILE    File with list of credentials
      -D DOMAIN       Domain
      -d DOMAINSFILE  File with list of domains
      -p PORT         SMB port: 139 or 445 (default: 445)
      -n NAME         Local hostname
      -T THREADS      Maximum simultaneous connections (default: 10)
      -b              Batch mode: do not ask to get an interactive SMB shell
      -x EXECUTELIST  Execute a list of commands against all hosts

For examples of usage see this wiki page.