Beginner’s Guide to Impacket Tool kit (Part 1)

While solving CTF challenges, serveral times I have to use the most amazing tool “Impacket” which is a collection of Python classes for working with network protocols, Infact some of its python classes are added to metasploit framework for taking remote session.

Table of Content  

  • Introduction to Impacket
  • Lab set-up Requirement
  • Remote code Execution
  • SMB/MSRPC
  • Kerberos
  • Windows Secrets
  • Server Tools/MiTM Attacks
  • WMI
  • Known Vulnerabilities
  • MSSQL / TDS
  • File Formats
  • Others

Introduction to Impacket

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.
Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

The following protocols are featured in Impacket:

  • Ethernet, Linux “Cooked” capture.
  • IP, TCP, UDP, ICMP, IGMP, ARP.
  • IPv4 and IPv6 Support.
  • NMB and SMB1, SMB2 and SMB3 (high-level implementations).
  • MSRPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP.
  • Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys.
  • Portions/full implementation of the following MSRPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, DCOM, WMI
  • Portions of TDS (MSSQL) and LDAP protocol implementations.

Lab set-up Requirement

For the following practical we will require two systems,

A Windows Server with Domain Controller Configured

A Kali Linux

Here, in our lab scenario we have configured the following settings on our systems.

Windows Server Details

  • Domain: Pentest.local
  • User: Administrator
  • Password: [email protected]
  • IP Address: 192.168.1.103

Now let’s install the Impacket tools from GitHub. Firstly, clone the git, and then install the Impacket as shown in the screenshot.

 

 This will install Impacket on your Kali Linux, now after installation let’s look at what different tools does Impacket have in its box.

There are several python classes as shown in the below image, in this article I had place all script in a same category which are preforming same task.

  • Remote code Execution :py, dcomexec.py, psexec.py, smbexec.py and wmiexec.py
  • SMB/MSRPC :py, ifmap.py, lookupsid.py, samrdump.py, services.py, netview.py, smbclient.py, opdump.py, rpcdump.py and reg.py
  • Kerberos:py, GetST.py, GetPac.py, GetUserSPNs.py, GetNPUsers.py, ticketer.py and raiseChild.py
  • Windows Secret:py and mimikatz.py
  • Server Tools/MiTM Attacks:py, karmaSMB.py and smbserver.py
  • WMI:py and wmipersist.py
  • Known Vulnerabilities:py, sambaPipe.py and sambaPipe.py
  • MSSQL / TDS: py and mssqlclient.py
  • File Formats: py, ntfs-read.py and registry-read.py.
  • Others:py, mqtt_check.py, rdp_check.py, sniffer.py, ping.py and ping6.py

In this tutorial guide we have elaborated two category (Remote Code Execution & SMB/MSRPC) in brief description.

Remote code Execution

atexec.py: This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.

dcomexec.py: A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, Shell Windows and Shell Browser Window objects.

psexec.py: PSEXEC like functionality example using RemComSvc.

What is RemCom : RemCom is a small (10KB upx packed) remoteshell / telnet replacement that lets you execute processes on remote windows systems, copy files on remote systems, process there output and stream it back. It allows execution of remote shell commands directly with full interactive console without having to install any client software. On local machines it is also able to impersonate so can be used as a silent replacement for Runas command.

Source: https://github.com/kavika13/RemCom

smbexec.py: A similar approach to PSEXEC w/o using RemComSvc. The technique is described here. Our implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.

wmiexec.py: A semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. Runs as Administrator. Highly stealthy.

SMB/MSRPC

getArch.py: This script will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab) using a documented MSRPC feature and doesn’t require any authentication at all.

Note: Remember this trick will not work if the target system is running Samba.

ifmap.py: This script will bind to the target’s MGMT interface to get a list of interface IDs. It will used that list on top of another list of interface UUIDs seen in the wild trying to bind to each interface and reports whether the interface is listed and/or listening.

lookupsid.py: A Windows SID brute forcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.

 

samrdump.py: An application that communicates with the Security Account Manager Remote interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.

If you will notice the image given below then you will observe that username along with uid and complete account details such password complexity and so on.

services.py: This script can be used to manipulate Windows services through the [MS-SCMR] MSRPC Interface. It supports start, stop, delete, status, config, list, create and change.

As you can observe from the given below image that it has dump list of all services running or stopped.

netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them looping over the hosts found and keeping track of who logged in/out from remote servers.

As we all know netview command identify the sessions opened at the remote hosts and keep track and from the given below image you can observe it is keep on tracking whenever target machine is active or logged off.

smbclient.py: A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination. It’s an excellent example to see how to use impacket.smb in action.

From the given below image you can observe, it is showing all shares directory of the target machine.

opdump.py: This binds to the given hostname:port and MSRPC interface. Then, it tries to call each of the first 256 operation numbers in turn and reports the outcome of each call.

To run this command you have to give MSRPC interface and for that first you need to run ./ifmap.py command and then from its output result choose UUID for which you want to run opdump.py script.

rpcdump.py: This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well-known endpoints.

reg.py: Remote registry manipulation tool through the [MS-RRP] MSRPC Interface. The idea is to provide similar functionality as the REG.EXE Windows utility.

Reference Source: https://www.secureauth.com/labs/open-source-tools/impacket

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

1 Comment Beginner’s Guide to Impacket Tool kit (Part 1)

Leave a Reply

Your email address will not be published. Required fields are marked *