Impacket Tools

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (for instance NMB, SMB1-3 and MS-DCERPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

A description of some of the tools can be found at: http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket

The classes and example tools can be downloaded from: https://github.com/CoreSecurity/impacket

This is a talk filled with demos for some of the most common example implementations of the Impacket collection of classes. At the least, the following examples will be covered:
1. lookupsid.py: A Windwows SID brute forcer example, aiming at finding remote users/groups
2. smbclient.py: A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination. It's an excellent example to see how to use impacket.smb in action.
3. samrdump.py: An application that communicates with the Security Account Manager Remote interface from the DCE/RPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.
4. smbexec.py: A similar approach to psexec w/o using RemComSvc. The technique is described here http://blog.accuvant.com/rdavisaccuvant/owning-computers-without-shell-access. This implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.
5. secretsdump.py: Performs various techniques to dump secrets from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp dir) and read the rest of the data from there. For NTDS.dit, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec approach. The scripts initiates the services required for its working if they are not available (e.g. Remote Registry, even if it is disabled). After the work is done, things are restored to the original state.

I will talk from my several experiences when using these tools. If you are planning to do your OSCP, perform network penetration tests or simply are the curious type, this talk is for you.


Riyaz Walikar

I like photography, stargazing, collecting stamps and fishing.


Starts at Saturday April 22 2017, 09:00 AM. The sessions runs for 30 minutes.