Fun with network protocols, using Python and Impacket

Impacket is a collection of Python classes, developed by Core Security, for working with network protocols, which provides a low-level programmatic access to the packets and, for some protocols such us SMB1-3 and MSRPC, the protocol implementation itself.

The library provides object oriented API that makes it simple construct packets from scratch, as well as parsed from raw data.
The following protocols are supported:

  • IP, TCP, UDP, ICMP, IGMP, ARP.
  • IPv4 and IPv6 Support.
  • NMB and SMB1, SMB2 and SMB3 (high-level implementations).
  • MSRPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP.
  • Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys.
  • Portions/full implementation of the following MSRPC interfaces: EPM, DTYPES, LSAD,
  • LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, DCOM, WMI
  • Portions of TDS (MSSQL) and LDAP protocol implementations.

Furthermore, a set of precooked tools as examples is provided:

Remote Execution

  • psexec.py: PSEXEC like functionality example using RemComSvc.
  • smbexec.py: A similar approach to PSEXEC w/o using RemComSvc.
  • atexec.py: This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
  • wmiexec.py: A semi-interactive shell, used through Windows Management Instrumentation.
  • dcomexec.py: A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints.

Kerberos

  • GetTGT.py: Given a password, hash or aesKey, this script will request a TGT and save it as ccache.
  • GetST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache.
  • GetPac.py: This script will get the PAC (Privilege Attribute Certificate) structure of the specified target user just having a normal authenticated user credentials.
  • GetUserSPNs.py: This example will try to find and fetch Service Principal Names that are associated with normal user accounts.
  • GetNPUsers.py: This example will attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH). Output is compatible with JtR.
  • ticketer.py: This script will create Golden/Silver tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, ExtraSids, duration, etc.
  • raiseChild.py: This script implements a child-domain to forest privilege escalation by (ab)using the concept of Golden Tickets and ExtraSids.

Windows Secrets

  • secretsdump.py: Performs various techniques to dump secrets from the remote machine without executing any agent there.
  • mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi.

Server Tools/MiTM Attacks

  • ntlmrelayx.py: This script performs NTLM Relay Attacks, setting an SMB and HTTP Server and relaying credentials to many different protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc.).
  • karmaSMB.py: A SMB Server that answers specific file contents regardless of the SMB share and pathname specified.
  • smbserver.py: A Python implementation of an SMB server. Allows to quickly set up shares and user accounts.

WMI

  • wmiquery.py: It allows to issue WQL queries and get description of WMI objects at the target system (e.g. select name from win32_account).
  • wmipersist.py: This script creates/removes a WMI Event Consumer/Filter and link between both to execute Visual Basic based on the WQL filter or timer specified.

Known Vulnerabilities

  • goldenPac.py: Exploit for MS14-068. Saves the golden ticket and also launches a PSEXEC session at the target.
  • sambaPipe.py: This script will exploit CVE-2017-7494, uploading and executing the shared library specified by the user through the -so parameter.
  • smbrelayx.py: Exploit for CVE-2015-0005 using a SMB Relay Attack.

SMB/MSRPC

  • smbclient.py: A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination.
  • getArch.py: This script will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab)using a documented MSRPC feature.
  • rpcdump.py: This script will dump the list of RPC endpoints and string bindings registered at the target.
  • ifmap.py: This script will bind to the target’s MGMT interface to get a list of interface IDs. It will used that list on top of another list of interface UUIDs seen in the wild trying to bind to each interface and reports whether the interface is listed and/or listening.
  • opdump.py: This binds to the given hostname:port and MSRPC interface.
  • samrdump.py: An application that communicates with the Security Account Manager Remote interface from the MSRPC suite.
  • services.py: This script can be used to manipulate Windows services through the [MS-SCMR] MSRPC Interface.
  • netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them looping over the hosts found and keeping track of who logged in/out from remote servers
  • reg.py: Remote registry manipulation tool through the [MS-RRP] MSRPC Interface.
  • lookupsid.py: A Windows SID brute forcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.

MSSQL / TDS

  • mssqlinstance.py: Retrieves the MSSQL instances names from the target host.
  • mssqlclient.py: An MSSQL client, supporting SQL and Windows Authentications (hashes too). It also supports TLS.

File Formats

  • esentutl.py: An Extensibe Storage Engine format implementation.
  • ntfs-read.py: NTFS format implementation.
  • registry-read.py: A Windwows Registry file format implementation. It allows to parse offline registry hives.

Other

  • GetADUsers.py: This script will gather data about the domain’s users and their corresponding email addresses.
  • mqtt_check.py: Simple MQTT example aimed at playing with different login options. Can be converted into a account/password brute forcer quite easily.
  • rdp_check.py: [MS-RDPBCGR] and [MS-CREDSSP] partial implementation just to reach CredSSP auth. This example test whether an account is valid on the target host.
  • sniff.py: Simple packet sniffer that uses the pcapy library to listen for packets in # transit over the specified interface.
  • sniffer.py: Simple packet sniffer that uses a raw socket to listen for packets in transit corresponding to the specified protocols.
  • ping.py: Simple ICMP ping that uses the ICMP echo and echo-reply packets to check the status of a host. If the remote host is up, it should reply to the echo probe with an echo-reply packet.
  • ping6.py: Simple IPv6 ICMP ping that uses the ICMP echo and echo-reply packets to check the status of a host.

Installation

Download the latest release and unpack, or clone the git repository:

git clone https://github.com/CoreSecurity/impacket.git

Then execute:

python setup.py install

or

pip install .

References and further readings

Comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.