acrypthash

A place where I can post security-related long-form thoughts, notes, and articles

Impacket and Kali Purple Hello again,

I wanted to provide an update on some things related to my career that I am super grateful and excited for. Yesterday I had my first review at my place of work and the team can't be more happy with the work that I have contributed. As a rebuttal, I feel the exact same way. It has been a great experience and I am learning so much every day. Okay enough of the mooshy stuff.

I have been putting in time on Kali Linux Purple (let's call it kalip for short) and so far it's been enjoyable. For whatever reason, after I started using kalip, I was attracted to the preloaded impacket library :D. For those of you who don't know, Impacket is a collection of Python classes that provides low-level programmatic access to network protocols like TCP, UDP, SMB, and NTLM. This is where my fun started.

I did my testing based off of the assumption that the end point is in a post compromise state. We use EDR, so the assumption will be made that hook was made or AMSI patch was done to elude detection. There were four scripts of interest: impacket-smbexec

impacket-wmiexec

impacket-ntlmrelayx

impacket-samrdump

impacket-smbexec is first. After you obtain either hashes or credentials, you can run this against an endpoint and have SYSTEM access. A very useful tool. I did find that while playing with an endpoint over smbexec, I caused the session to crash wile simultaneously running ntlmrelayx. Oddly and unrelated enough, I ended up not getting ntlmrelayx to work properly even after trying SMB authentication... That will be a work in progress.

Something that I am still trying to understand is why none of this traffic from smbexec was captured when I ran wireshark. Oddly enough, the IP of my attack machine was no where in the PCAP. I even confirmed network card and network settings were correct. I still have yet to trace any IoCs, but I am curious to see if there are any.

According to ChatGPT there are some to look into: – Network traffic: Impacket-smbexec may generate unusual network traffic that can be identified through packet capture analysis. This could include requests to unusual ports, unusual protocols, or to destinations that are not typically accessed by the user or system. – Process activity: Impacket-smbexec may spawn unusual processes on the system, or may run with unusual privileges or access levels that could suggest malicious activity. – Registry changes: Impacket-smbexec may modify the Windows Registry, which can be monitored for unusual changes or activity. – File system changes: Impacket-smbexec may create or modify files on the system, which can be monitored for unusual activity.

impacket-wmiexec has definitely been the most reliable and while utilizing WMI, it helps with not being traced. I haven't done much more than directory traversal with this tool, but this could help a TA none the less. A flaw that I found with this is you are also accessing the system at whatever privilege is set for the account that is authenticating with WMI. Privilege escalation would need to be done here, but this could be a useful form of lateral movement.

I am going to loop back when I have more time to write about the last two tools and clean up what I have already written. Cheers! ^–^

Inspiration from Conferences and Other Information Outlets

This is my first post on here, but I hope to use this tool as good practice for my end goal of writing a 2600 article. This post is going to just briefly touch on some inspiration behind what is motivating me to work towards the goal I just mentioned.

The next two months are quite busy in relation to security conferences. I attended BSides Harrisburg last weekend, PancakesCON is this upcoming weekend, and next month I am going to be attending SecureWorld. As a result of attending these conferences and continuing to read things like 2600 magazine, I found myself motivated to try and contribute where I can. This will help the security community by being another source of knowledge as well as help me better articulate my writing and thought process.

A subject that I haven't seemed to see much light on is data driven defenses and prioritization for Blue Teams. By learning and understanding things like the exploit-response cycle and risk misalignment, security teams can better manage their environment vulnerabilities and create action items based on tangible data. My goal of my brief article is going to help describe this for people and what we as defenders can do by utilizing more than just a high rated CVSS score.

After I wrote this I realized that I never made a whoami post on here. I will write one in a different blog post. Cheers! ^–^