Beginner’s Guide to Impacket Tool kit (Part 1)

While solving CTF challenges I have often had to use the amazing tool "Impacket". It is a collection of Python classes for working with network protocols, and some of those classes have also been adopted by the Metasploit framework for obtaining remote sessions.

Table of Contents

  • Introduction to Impacket
  • Lab set-up Requirement
  • Remote Code Execution
  • SMB/MSRPC
  • Kerberos
  • Windows Secrets
  • Server Tools/MITM Attacks
  • WMI
  • Known Vulnerabilities
  • MSSQL / TDS
  • File Formats
  • Others

Introduction to Impacket

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.
Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

The following protocols are featured in Impacket:

  • Ethernet, Linux “Cooked” capture.
  • IP, TCP, UDP, ICMP, IGMP, ARP.
  • IPv4 and IPv6 Support.
  • NMB and SMB1, SMB2 and SMB3 (high-level implementations).
  • MSRPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS, and HTTP.
  • Plain, NTLM and Kerberos authentication, using password/hashes/tickets/keys.
  • Portions/full implementation of the following MSRPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, DCOM, WMI
  • Portions of TDS (MSSQL) and LDAP protocol implementations.

Lab set-up Requirement

For the following practical we will require two systems:

  • A Windows Server configured as a Domain Controller (the target)
  • A Kali Linux machine (the attacker)

Here, in our lab scenario, we have configured the following settings on our systems.

Windows Server Details

  • Domain: Pentest.local
  • Username: Administrator
  • Password: [email protected]
  • IP Address: 192.168.1.103

Now let’s install Impacket from GitHub. First clone the repository, then install it with the commands shown in the image below.

This installs Impacket on your Kali Linux machine. After installation, let’s take a look at the tools that Impacket ships with.

I have grouped the scripts by the task they perform.

  • Remote Code Execution: atexec.py, dcomexec.py, psexec.py, smbexec.py and wmiexec.py
  • SMB/MSRPC : getArch.py, ifmap.py, lookupsid.py, samrdump.py, services.py, netview.py, smbclient.py, opdump.py, rpcdump.py and reg.py
  • Kerberos: GetST.py, GetPac.py, GetUserSPNs.py, GetNPUsers.py, ticketer.py and raiseChild.py
  • Windows Secrets: mimikatz.py
  • Server Tools/MiTM Attacks: karmaSMB.py and smbserver.py
  • WMI: wmipersist.py
  • Known Vulnerabilities: sambaPipe.py
  • MSSQL / TDS: mssqlclient.py
  • File Formats: ntfs-read.py and registry-read.py.
  • Others: mqtt_check.py, rdp_check.py, sniffer.py, ping.py, and ping6.py

This part of the guide covers two of these categories, Remote Code Execution and SMB/MSRPC, with a brief description of each script.

Remote Code Execution

atexec.py: This script executes a command on the target machine through the Task Scheduler service. The scheduled task redirects the command’s output to a temporary file on the ADMIN$ share, which the script then reads back over SMB and prints, as shown in the image below:

dcomexec.py: This script gives a semi-interactive shell similar to wmiexec.py, but uses DCOM endpoints instead of WMI. It currently supports the MMC20.Application, ShellWindows and ShellBrowserWindow objects.

psexec.py: This script works like Sysinternals PsExec. It uploads the RemComSvc service binary to a writable share (ADMIN$ by default), creates and starts it as a Windows service through the Service Control Manager, and then talks to RemComSvc over a named pipe to run commands and stream their output back. The service is removed when the session ends.

What is RemCom? : RemCom is a small (10KB UPX-packed) remote shell/telnet replacement that lets you execute processes on remote Windows systems, copy files to remote systems, process their output and stream it back. It allows execution of remote shell commands directly with the full interactive console without having to install any client software. On local machines it is also able to impersonate, so it can be used as a silent replacement for the Runas command.

Source: https://github.com/kavika13/RemCom

smbexec.py: A similar approach to PSEXEC without using RemComSvc. Instead of uploading a binary, each command is run by creating a short-lived service whose binary path is a cmd.exe command line that redirects its output to a share. Impacket’s implementation goes one step further and can start a local SMB server to receive that output, which is useful when the target machine does NOT have a writable share available.

wmiexec.py: This script provides a semi-interactive shell through Windows Management Instrumentation (WMI). It does not install any service or agent on the target, so it is stealthier than psexec.py; note, however, that it must run as a local administrator, and the output of each command is still written to a temporary file on the ADMIN$ share and read back over SMB, which leaves traces on disk and in the SMB logs.

SMB/MSRPC

getArch.py: This script connects to a target (or a list of targets) and determines whether the installed OS is 32-bit or 64-bit by using a documented MSRPC feature: it binds to the endpoint mapper on port 135 and offers the NDR64 transfer syntax, which only 64-bit hosts accept. No authentication is required at all.

Note: Remember this trick will not work if the target system is running Samba.

ifmap.py: This script binds to the target’s MGMT interface to get the list of registered interface IDs. It then combines that list with a built-in list of known interfaces, tries to bind to each one in turn, and reports whether the interface is listed and/or listening.

lookupsid.py: This script brute-forces Windows SIDs through the [MS-LSAT] MSRPC interface to enumerate remote users and groups (RID cycling). It first obtains the domain SID from the LSA policy, then appends a range of RIDs to it and asks the server to resolve each candidate SID to a name and account type, so it works even when anonymous SAMR enumeration is blocked.
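The following is an added example, not lookupsid.py’s own code, showing the two pieces of RID cycling that happen before any packet is sent: encoding and decoding the binary SID layout that [MS-LSAT] carries on the wire, and building the batched list of candidate SIDs that LsarLookupSids is asked to resolve. The domain SID, the 500–4000 RID range and the batch size of 1000 are assumed sample values; the well-known RIDs and SID_NAME_USE codes are taken from [MS-DTYP] and [MS-LSAT].

```python
import struct
from typing import Dict, List

# Well-known RIDs worth recognising in a RID-cycling result ([MS-DTYP] well-known SIDs).
WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}

# SID_NAME_USE values returned by LsarLookupSids ([MS-LSAT]).
SID_NAME_USE: Dict[int, str] = {
    1: "SidTypeUser", 2: "SidTypeGroup", 3: "SidTypeDomain", 4: "SidTypeAlias",
    5: "SidTypeWellKnownGroup", 6: "SidTypeDeletedAccount", 7: "SidTypeInvalid",
    8: "SidTypeUnknown", 9: "SidTypeComputer",
}


def parse_sid(blob: bytes) -> str:
    """Decode a binary SID (revision, count, 48-bit big-endian authority,
    little-endian sub-authorities) into its S-1-... string form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_sid(sid: str) -> bytes:
    """Encode an S-1-... string back into the binary SID layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("bad SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def rid_batches(domain_sid: str, start: int, stop: int, batch: int = 1000) -> List[List[str]]:
    """Candidate SIDs <domain_sid>-<rid> for the inclusive RID range, chunked so each
    LsarLookupSids call carries at most `batch` SIDs (1000 is an assumed size)."""
    sids = ["%s-%d" % (domain_sid, rid) for rid in range(start, stop + 1)]
    return [sids[i:i + batch] for i in range(0, len(sids), batch)]


def describe_rid(sid: str) -> str:
    """Label a resolved SID: well-known RID, user-created account (RID >= 1000), or other."""
    rid = int(sid.rsplit("-", 1)[1])
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "user-created (RID >= 1000)" if rid >= 1000 else "other built-in RID"


if __name__ == "__main__":
    # Constructed sample domain SID; a real run gets it from LsarQueryInformationPolicy2.
    domain = "S-1-5-21-1004336348-1177238915-682003330"
    batches = rid_batches(domain, 500, 4000)
    print("%d candidate SIDs in %d batches" % (sum(map(len, batches)), len(batches)))
    admin = batches[0][0]
    print(admin, "->", parse_sid(build_sid(admin)), describe_rid(admin), SID_NAME_USE[1])
```

Two details matter when you reimplement this against a live target: the identifier authority is big-endian while the sub-authorities are little-endian, and servers cap the number of SIDs per lookup, so a single oversized request is rejected rather than partially answered.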


samrdump.py: An application that communicates with the Security Account Manager Remote (SAMR) interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.

From the given image you can observe that it extracts the usernames along with their user IDs (RIDs) and full account details such as password complexity and expiry settings.

services.py: This script can be used to manipulate Windows services through the [MS-SCMR] MSRPC Interface. It supports start, stop, delete, status, config, list, create and change.

As you can observe from the given image, it dumps the list of all services, whether running or stopped.

netview.py: This script extracts the list of sessions opened at the remote hosts and keeps track of them by looping over the hosts found, recording who logs in and out of the remote servers.

The netview command identifies the sessions opened at the remote hosts and monitors them; in the given image you can observe it tracking the target machine whenever a user becomes active or logs off.


smbclient.py: This script lets you list the files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination. It’s an excellent example to see how to use impacket.smb in action.

From the given image you can observe that it lists all the shares of the target machine.

opdump.py: This script binds to the given hostname:port and MSRPC interface UUID. It then tries to call each of the 256 possible operation numbers in turn and reports the outcome of each call.

To run this script you have to supply the MSRPC interface: first run ifmap.py, then pick from its output the UUID of the interface you want opdump.py to probe.

rpcdump.py: This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well-known endpoints.

reg.py: Remote registry manipulation tool through the [MS-RRP] MSRPC Interface. The idea is to provide similar functionality as the REG.EXE Windows utility.

Reference Source: https://www.secureauth.com/labs/open-source-tools/impacket

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester.