Published on January 19th, 2016
Impacket — Python classes for working with network protocols
Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (for instance NMB, SMB1-3 and MS-DCERPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.
The following protocols are featured in Impacket:
- Ethernet, Linux “Cooked” capture.
- IP, TCP, UDP, ICMP, IGMP, ARP.
- NMB and SMB1/2/3 (high-level implementations).
- DCE/RPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP.
- Multiple ways of doing SMB tree_connect, file open, read, write.
- SMB “fragmentation”, SMB AndX command chaining.
- Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys.
- Partial or full implementations of the following DCE/RPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, DCOM, WMI.
- DCERPC Alternate contexts, Multi-bind requests, Endianness selection
- DCERPC NTLM, NETLOGON and Kerberos authentication, integrity checking and encryption.
Grab the latest stable release, unpack it and run python setup.py install from the directory where you placed it. Isn’t that easy?
- A Python interpreter. Versions 2.0.1 and newer are known to work.
- If you want to run the examples and you have Python < 2.7, you will need to install the argparse package for them to work.
- For Kerberos support you will need pyasn1 package
- For cryptographic operations you will need pycrypto package
- For some examples you will need pyOpenSSL (rdp_check.py)
- If you’re under Windows, you will need pyReadline
- A recent release of Impacket.
In order to install from source, execute the following command from the directory where the Impacket distribution has been unpacked: python setup.py install. This will install the classes into the default Python modules path; note that you might need special permissions to write there. For more information on what commands and options are available from setup.py, run python setup.py --help-commands.
The following tools are featured in Impacket:
A semi-interactive shell, used through Windows Management Instrumentation. It does not require installing any service or agent on the target server. Runs as Administrator. Highly stealthy.
Performs various techniques to dump secrets from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry, then save the hives on the target system (in the %SYSTEMROOT%\Temp dir) and read the rest of the data from there. For NTDS.dit, we dump NTLM hashes, plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec approach. The script starts the services it needs if they are not running (e.g. Remote Registry, even if it is disabled). After the work is done, things are restored to their original state.
This script creates/removes a WMI Event Consumer, a WMI Event Filter and the binding between them, to execute Visual Basic script based on the specified WQL filter or timer.
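A detection sketch, added here as an example and not Impacket's own code, that correlates the secrets-dump sequence described above (Remote Registry enabled or started, files written under %SYSTEMROOT%\Temp shortly afterwards, then the service state restored) over constructed log lines. The "timestamp|host|event_id|message" layout and the 10-minute window are assumptions; event IDs 7040/7036 are Windows System log service events and 11 is Sysmon FileCreate.

```python
"""Detection sketch (added example, not Impacket code): correlate the sequence
described above - Remote Registry enabled or started, hives saved under
%SYSTEMROOT%\\Temp, then the service state restored - over sample log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp|host|event_id|message" layout.
# 7040/7036 are Windows System-log service events, 11 is a Sysmon FileCreate.
SAMPLE_LOG = """\
2016-01-19T10:00:01|DC01|7040|The start type of the Remote Registry service was changed from disabled to demand start.
2016-01-19T10:00:02|DC01|7036|The Remote Registry service entered the running state.
2016-01-19T10:00:05|DC01|11|File created: C:\\Windows\\Temp\\abcd.tmp (Image: C:\\Windows\\System32\\svchost.exe)
2016-01-19T10:00:06|DC01|11|File created: C:\\Windows\\Temp\\efgh.tmp (Image: C:\\Windows\\System32\\svchost.exe)
2016-01-19T10:00:20|DC01|7036|The Remote Registry service entered the stopped state.
2016-01-19T10:00:21|DC01|7040|The start type of the Remote Registry service was changed from demand start to disabled.
2016-01-19T11:30:00|FS02|7036|The Remote Registry service entered the running state.
2016-01-19T12:00:00|FS02|11|File created: C:\\Users\\bob\\notes.txt (Image: C:\\Windows\\explorer.exe)
"""

WINDOW = timedelta(minutes=10)   # assumed correlation window after the service start
TEMP_WRITE = re.compile(r"C:\\Windows\\Temp\\", re.IGNORECASE)

def parse(log):
    for line in log.splitlines():
        ts, host, eid, msg = line.split("|", 3)
        yield datetime.fromisoformat(ts), host, int(eid), msg

def detect(log):
    """Return {host: verdict} for hosts showing Remote Registry start -> Temp writes."""
    started = {}                      # host -> first time Remote Registry was enabled/started
    temp_writes = defaultdict(list)   # host -> file-create messages under Windows\Temp
    restored = set()                  # hosts where the service was stopped/disabled again
    for ts, host, eid, msg in parse(log):
        svc = "Remote Registry" in msg and eid in (7040, 7036)
        if svc and ("to demand start" in msg or "running state" in msg):
            started.setdefault(host, ts)
        elif eid == 11 and host in started and ts - started[host] <= WINDOW and TEMP_WRITE.search(msg):
            temp_writes[host].append(msg)
        elif svc and host in started and ("to disabled" in msg or "stopped state" in msg):
            restored.add(host)
    verdicts = {}
    for host, writes in temp_writes.items():
        if writes:
            cleanup = " (service state restored afterwards)" if host in restored else ""
            verdicts[host] = f"suspicious: {len(writes)} Temp write(s) after Remote Registry enabled{cleanup}"
    return verdicts
```

The restore step is reported as supporting evidence rather than required, since a dump interrupted midway leaves the service running.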
MS14-068 exploit. Saves the golden ticket and also launches a psexec session at the target.
PSEXEC-like functionality example using RemComSvc (https://github.com/kavika13/RemCom).
Allows issuing WQL queries and getting descriptions of WMI objects on the target system (e.g. select name from win32_account).
[MS-SCMR] client used to manipulate Windows services. It supports start, stop, delete, status, config, list, create and change.
An MSSQL client, supporting SQL and Windows authentication (hashes too). It also supports TLS.
Retrieves the MSSQL instance names from the target host.
Allows dumping catalog, pages and tables of ESE databases (e.g. NTDS.dit)
Gets a list of the sessions opened on the remote hosts and keeps track of them, looping over the hosts found and recording who logged in and out of the remote servers.
Mini shell for browsing an NTFS volume
A Windows SID brute forcer example, aiming at finding remote users/groups.
This binds to the given hostname:port and DCERPC interface. Then, it tries to call each of the first 256 operation numbers in turn and reports the outcome of each call.
This module performs the SMB Relay attacks originally discovered by cDc. It receives a list of targets and, for every connection received, it will choose the next target and try to relay the credentials. Also, if specified, it will first try to authenticate against the client connecting to us. It is implemented by invoking an SMB and HTTP server, hooking a few functions and then using the smbclient portion. It is expected to work at any LM Compatibility level. The only way to stop this attack is to enforce SPN checks and/or signing on the server. If the authentication against the targets succeeds, the client authentication succeeds as well and a valid connection is set up against the local smbserver. It is up to the user to set up the local smbserver functionality. One option is to set up shares with whatever files you want, so the victim thinks it is connected to a valid SMB server. All that is done through the smb.conf file or programmatically.
[MS-RDPBCGR] and [MS-CREDSSP] partial implementation, just enough to reach CredSSP auth. This example tests whether an account is valid on the target host.
A Windows offline registry reader example.
A similar approach to psexec w/o using RemComSvc. The technique is described here https://blog.accuvant.com/rdavisaccuvant/owning-computers-without-shell-access/.
Our implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.
An application that communicates with the Endpoint Mapper interface from the DCE/RPC suite. This can be used to list services that are remotely available through DCE/RPC.
An application that communicates with the Security Account Manager Remote interface from the DCE/RPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.
A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination. It’s an excellent example to see how to use impacket.smb in action.
A Python implementation of an SMB server.
An SMB server that answers with specific file contents regardless of the SMB share and pathname specified.
First, this binds to the MGMT interface and gets a list of interface IDs. It adds to this a large list of interface UUIDs seen in the wild. It then tries to bind to each interface and reports whether the interface is listed and/or listening.
This example executes a command on the target machine through the Task Scheduler service and returns the command's output.