description
The coolest toolkit in the world

Impacket Toolkit

Introduction

  • Impacket provides us with many different ways to enumerate, interact with, and exploit Windows protocols, and to find the information we need, all from Python
  • The toolkit is well maintained and has many contributors

psexec.py

  • This is one of the most useful tools in the toolkit
  • It is a clone of the Sysinternals psexec executable, but it works slightly differently
  • The tool works by creating a remote service: it uploads a randomly-named executable to the ADMIN$ share on the host
  • It then registers that executable as a service via RPC
  • Once the service is established, communication occurs over a named pipe, allowing for an interactive shell as SYSTEM on the victim

psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125
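
Because psexec.py drops its randomly-named binary into the ADMIN$ root (the Windows directory) and registers it as a service, the service-install event that produces (System log Event ID 7045) is the natural place to detect it. The following is an added detection example, not part of these notes or of Impacket; the event records are constructed, and the known-executable allowlist and the random-name heuristic are assumptions to tune against your own baseline.

```python
import re

# Constructed sample records (not captured Windows output), shaped like the fields of Event ID 7045.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Windows Update Helper",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 7045, "ServiceName": "XkQzPwTr",
     "ImagePath": r"%SystemRoot%\LdYhRmcK.exe"},
    {"EventID": 7045, "ServiceName": "AcmeBackupAgent",
     "ImagePath": r"C:\Program Files\Acme\backup.exe"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": ""},
]

WINDOWS_ROOT = r"c:\windows"  # the directory the ADMIN$ share maps to
# Assumption: binaries that legitimately sit directly in the Windows directory; build from your baseline.
KNOWN_ROOT_EXES = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe"}


def split_image_path(image_path):
    """Expand %SystemRoot%, drop quotes and arguments, return (dir_lower, exe)."""
    p = image_path.strip().strip('"')
    p = re.sub(r"%systemroot%", r"C:\\Windows", p, flags=re.IGNORECASE)
    m = re.match(r"(.*?\.exe)", p, flags=re.IGNORECASE)
    if m:
        p = m.group(1)  # keep only the executable path, not its arguments
    directory, _, exe = p.rpartition("\\")
    return directory.lower(), exe


def looks_random(name):
    """Heuristic (assumption): 6-12 letters only, with capitals inside the word."""
    if not re.fullmatch(r"[A-Za-z]{6,12}", name):
        return False
    return any(c.isupper() for c in name[1:])


def flag_service_installs(events):
    """Return (service name, reason) for 7045 events matching the psexec pattern."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        directory, exe = split_image_path(ev.get("ImagePath", ""))
        stem = exe[:-4] if exe.lower().endswith(".exe") else exe
        reasons = []
        if directory == WINDOWS_ROOT and exe.lower() not in KNOWN_ROOT_EXES:
            reasons.append("service binary dropped directly in the ADMIN$ root")
        if looks_random(stem) or looks_random(ev.get("ServiceName", "")):
            reasons.append("random-looking service or binary name")
        if reasons:
            findings.append((ev["ServiceName"], "; ".join(reasons)))
    return findings
```

Run over real 7045 events, both signals together give a high-confidence alert, while either alone is worth a lower-severity hunt query.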

wmiexec.py

  • wmiexec.py provides a semi-interactive shell in which commands are executed through Windows Management Instrumentation (WMI)
  • It does not drop any files or executables on the target host and generates fewer logs than other modules
  • Once connected, commands run as the local admin user we connected with
    • This is good because it is much stealthier than seeing SYSTEM executing commands

wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5

Windapsearch.py

  • This is a tool that can be used to enumerate users, groups, and computers from a Windows domain by utilizing LDAP queries

Domain Admins

Enumerate all Domain Admins:

python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da

Privileged Users

Enumerate all privileged users:

python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PU

BloodHound.py

Similar to the BloodHound and SharpHound duo, this is an all-in-one package that allows a remote attacker with valid domain credentials to enumerate the entire AD domain!

Help:

bloodhound-python -h

Collection Method "all":

sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all

  • After the command completes, you will see four .json files
  • We need to upload these into BloodHound, and the easiest way is to zip them and place the single zip file in BloodHound

zip -r domain_BH_info.zip *.json

  • This zips up all of the .json files, and we can upload this data into BloodHound!