Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (for instance NMB, SMB1-3 and MS-DCERPC) the protocol implementation itself.
Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.
The following protocols are featured in Impacket
- Ethernet, Linux "Cooked" capture.
- IP, TCP, UDP, ICMP, IGMP, ARP.
- NMB and SMB1/2/3 (high-level implementations).
- DCE/RPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP.
- Multiple ways of doing SMB tree_connect, file open, read, write.
- SMB "fragmentation", SMB AndX command chaining.
- Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys.
- Portions/full implementation of the following DCE/RPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, DCOM, WMI
- DCERPC Alternate contexts, Multi-bind requests, Endianness selection
- DCERPC NTLM, NETLOGON and Kerberos authentication, integrity checking and encryption.
- Take a look at this document for an explanation of the advanced SMB and DCERPC features(outdated for the current version :-/)
The following tools are featured in Impacket
A semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. Runs as Administrator. Highly stealthy.
Performs various techniques to dump secrets from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp dir) and read the rest of the data from there. For NTDS.dit, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec approach. The scripts initiates the services required for its working if they are not available (e.g. Remote Registry, even if it is disabled). After the work is done, things are restored to the original state.
This script creates/removes a WMI Event Consumer/Filter and link between both to execute Visual Basic based on the WQL filter or timer specified.
MS14-068 exploit. Saves the golden ticket and also launches a psexec session at the target.
PSEXEC like functionality example using RemComSvc(https://github.com/kavika13/RemCom)
It allows to issue WQL queries and get description of WMI objects at the target system (e.g. select name from win32_account).
[MS-SCMR] use to manipulate windows services. It supports start, stop, delete, status, config, list, create and change.
An MSSQL client, supporting SQL and Windows Authentications (hashes too). It also supports TLS
Retrieves the MSSQL instances names from the target host
Allows dumping catalog, pages and tables of ESE databases (e.g. NTDS.dit)
Gets a list of the sessions opened at the remote hosts and keep track of them looping over the hosts found and keeping track of who logged in/out from remote servers
Mini shell for browsing an NTFS volume
This module performs the SMB Relay attacks originally discovered by cDc. It receives a list of targets and for every connection received it will choose the next target and try to relay the credentials. Also, if specified, it will first to try authenticate against the client connecting to us.
It is implemented by invoking a SMB and HTTP Server, hooking to a few functions and then using the smbclient portion. It is supposed to be working on any LM Compatibility level. The only way to stop this attack is to enforce on the server SPN checks and or signing. If the authentication against the targets succeed, the client authentication success as well and a valid connection is set against the local smbserver. It's up to the user to set up the local smbserver functionality. One option is to set up shares with whatever files you want to the victim thinks it's connected to a valid SMB server. All that is done through the smb.conf file or programmatically.
[MS-RDPBCGR] and [MS-CREDSSP] partial implementation just to reach CredSSP auth. This example test whether an account is valid on the target host.
A Windows offline registry Reader example
A similar approach to psexec w/o using RemComSvc. The technique is described here http://blog.accuvant.com/rdavisaccuvant/owning-computers-without-shell-access/.
Our implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.
An application that communicates with the Endpoint Mapper interface from the DCE/RPC suite. This can be used to list services that are remotely available through DCE/RPC.
An application that communicates with the Security Account Manager Remote interface from the DCE/RPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.
A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination. It's an excellent example to see how to use impacket.smb in action.
A python implementation of an SMB server.
A SMB Server that answers specific file contents regardless of the SMB share and pathname specified.
First, this binds to the MGMT interface and gets a list of interface IDs. It adds to this a large list of interface UUIDs seen in the wild. It then tries to bind to each interface and reports whether the interface is listed and/or listening.
A Windwows SID brute forcer example, aiming at finding remote users/groups
This binds to the given hostname:port and DCERPC interface. Then, it tries to call each of the first 256 operation numbers in turn and reports the outcome of each call.
This example executes a command on the target machine through the Task Scheduler service. Returns the output of such command
- You can check out trunk (devel version) at https://github.com/CoreSecurity/impacket
- 0.9.15, updated on Jun 28th, 2016 - gzip'd tarball
- 0.9.14, updated on Jan 7th, 2016 - gzip'd tarball,
- 0.9.13, updated on May 4th, 2015 - gzip'd tarball,
- 0.9.12, updated on July 20th, 2014 - gzip'd tarball,
- 0.9.11, updated on Feb 3, 2014 - gzip'd tarball,
- 0.9.10, updated on May 6, 2013 - gzip'd tarball,
- 0.9.9.9, updated on July 20, 2012 - gzip'd tarball, zip file
- 0.9.6.0, updated on May 23, 2006 - gzip'd tarball
- 0.9.5.2, updated on Apr 3, 2006 - gzip'd tarball, zip file
- 0.9.5.1, updated on Dec 16, 2003 - gzip'd tarball, zip file
- Quick start: Click the following link to obtain the latest version gzip'd tarbal
- Requirements: Python interpreter. Versions 2.5 and higher. pyOpenSSL and PyCrypto also required
- Installing: In order to install the code, execute
python setup.py install
from the directory where Impacket's distribution has been placed. This will install the classes into the default Python's modules path (you might need special permissions to write there). For more information on what commands and options are available from setup.py, run
python setup.py --help-commands
Most documentation is included in the source as Python's doc comments, but were are some examples upon which you can base your own programs:
- A simple ping implementation.
- Two network sniffers,one that uses pcap and one that uses raw sockets.
- A pcap capture files splitter.
- A DCE/RPC endpoint dumper and a user and shares lister.
This software is provided under a slightly modified version of the Apache Software License. Feel free to review it here and compare it to the official Apache Software License.
Whether you want to report a bug, send a patch or give some suggestions on this package, drop us a few lines at oss- at -coresecurity.com.
Release date: 2003