Impacket and Kali Purple

Hello again,

I wanted to provide an update on some things related to my career that I am super grateful and excited about. Yesterday I had my first review at my place of work, and the team couldn't be happier with the work I have contributed. In return, I feel the exact same way. It has been a great experience and I am learning so much every day. Okay, enough of the mushy stuff.

I have been putting in time on Kali Linux Purple (let's call it kalip for short) and so far it's been enjoyable. For whatever reason, after I started using kalip, I was attracted to the preloaded Impacket library :D. For those of you who don't know, Impacket is a collection of Python classes for working with network protocols: it gives low-level programmatic access to packets (IP, TCP, UDP, ICMP) and full protocol implementations for things like SMB, MSRPC, NTLM and Kerberos, and Kali packages its example scripts as impacket-<name> commands. This is where my fun started.

I did my testing based on the assumption that the endpoint is in a post-compromise state. We use EDR, so the assumption will be made that the EDR's hooks have already been bypassed or an AMSI patch has been applied to elude detection. There were four scripts of interest:

impacket-smbexec
impacket-wmiexec
impacket-ntlmrelayx
impacket-samrdump

impacket-smbexec is first. Once you have a password or NTLM hash for an account with local admin rights on the target, you can run it against the endpoint and get a SYSTEM shell: it authenticates over SMB, registers a service whose binary path runs your command through cmd.exe, and reads the output back from an admin share, so every command executes as LocalSystem. A very useful tool. I did find that while playing with an endpoint over smbexec, I caused the session to crash while simultaneously running ntlmrelayx. Oddly and unrelatedly enough, I ended up not getting ntlmrelayx to work properly even after trying SMB authentication... That will be a work in progress.

Something that I am still trying to understand is why none of the traffic from smbexec was captured when I ran Wireshark. Oddly enough, the IP of my attack machine was nowhere in the PCAP. I even confirmed that the network card and network settings were correct. I have yet to trace any IoCs, but I am curious to see if there are any.

According to ChatGPT there are some to look into:

– Network traffic: Impacket-smbexec may generate unusual network traffic that can be identified through packet capture analysis. This could include requests to unusual ports, unusual protocols, or to destinations that are not typically accessed by the user or system.
– Process activity: Impacket-smbexec may spawn unusual processes on the system, or may run with unusual privileges or access levels that could suggest malicious activity.
– Registry changes: Impacket-smbexec may modify the Windows Registry, which can be monitored for unusual changes or activity.
– File system changes: Impacket-smbexec may create or modify files on the system, which can be monitored for unusual activity.

impacket-wmiexec has definitely been the most reliable, and because it runs commands through WMI (Win32_Process.Create over DCOM) instead of installing a service, it leaves fewer of the obvious artifacts. I haven't done much more than directory traversal with this tool, but this could help a TA nonetheless. A flaw that I found with this is that you are also accessing the system at whatever privilege is set for the account that is authenticating with WMI. Privilege escalation would need to be done here, but this could be a useful form of lateral movement.
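Worked example (added here; this is not code from the original post and not part of Impacket or Kali Purple). It turns the generic IoC list above into concrete detection logic for the two tools discussed so far. Both scripts, with their default options, write command output to an admin share reached over loopback on the target: smbexec installs a service whose ImagePath is a %COMSPEC% one-liner that echoes the command into %TEMP%\execute.bat and redirects output to \\127.0.0.1\C$\__output (Windows System log event 7045), while wmiexec has WmiPrvSE.exe spawn cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1 (Sysmon event 1). The event records below are constructed samples shaped like parsed log entries, not real telemetry; the service name BTOBTO is the historical smbexec default and is only decoration, since the share and service name are operator-selectable, which is why the rules key on the redirect pattern and the WmiPrvSE.exe parent rather than on names.

```python
import re
from typing import Optional

# Constructed sample records (not real telemetry), shaped like parsed Windows
# System-log 7045 (service installed) and Sysmon EventID 1 (process create) events.
SAMPLE_EVENTS = [
    {   # smbexec default: service binPath batches the command and echoes output to C$ over loopback
        "EventID": 7045, "Channel": "System", "ServiceName": "BTOBTO",
        "ImagePath": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
        "AccountName": "LocalSystem",
    },
    {   # wmiexec default: cmd.exe child of WmiPrvSE.exe, output redirected to ADMIN$\__<unix time>
        "EventID": 1, "Channel": "Sysmon",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /Q /c dir 1> \\127.0.0.1\ADMIN$\__1689012345.67 2>&1",
        "User": r"CORP\jdoe",
    },
    {   # benign service install
        "EventID": 7045, "Channel": "System", "ServiceName": "Sysmon64",
        "ImagePath": r"C:\Windows\Sysmon64.exe", "AccountName": "LocalSystem",
    },
    {   # benign interactive cmd.exe
        "EventID": 1, "Channel": "Sysmon",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir > C:\Users\jdoe\out.txt",
        "User": r"CORP\jdoe",
    },
]

# Output file on an admin share reached via loopback: shared by both tools' defaults.
LOOPBACK_SHARE_RE = re.compile(r"\\\\127\.0\.0\.1\\[A-Za-z]+\$\\__\S*", re.IGNORECASE)
# smbexec service ImagePath: %COMSPEC% ... echo <cmd> ^> <out> 2^>^&1 > %TEMP%\execute.bat
SMBEXEC_BINPATH_RE = re.compile(r"%COMSPEC%.*\becho\b.*2\^>\^&1.*execute\.bat", re.IGNORECASE)
# wmiexec command template: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\<share>\<file> 2>&1
WMIEXEC_CMDLINE_RE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s.*\s1>\s*\\\\127\.0\.0\.1\\\S+\s+2>&1", re.IGNORECASE)
WMIPRVSE_RE = re.compile(r"\\wbem\\WmiPrvSE\.exe$", re.IGNORECASE)


def classify(event: dict) -> Optional[str]:
    """Return a detection label for one parsed event, or None when nothing matched.

    Specific labels fire on the tools' default command templates; the weaker
    generic labels still fire when an operator changes the share or service name.
    """
    eid = event.get("EventID")
    if eid == 7045:
        path = event.get("ImagePath", "")
        if SMBEXEC_BINPATH_RE.search(path) and LOOPBACK_SHARE_RE.search(path):
            return "smbexec-service-install"
        if LOOPBACK_SHARE_RE.search(path):
            return "service-writes-loopback-admin-share"
        return None
    if eid == 1:
        cmd = event.get("CommandLine", "")
        parent = event.get("ParentImage", "")
        if WMIPRVSE_RE.search(parent) and WMIEXEC_CMDLINE_RE.search(cmd):
            return "wmiexec-process-create"
        if WMIPRVSE_RE.search(parent) and cmd.lower().startswith("cmd.exe"):
            # wmiexec -nooutput drops the redirect but keeps the WmiPrvSE -> cmd.exe relation
            return "cmd-spawned-by-wmiprvse"
        if LOOPBACK_SHARE_RE.search(cmd):
            return "process-writes-loopback-admin-share"
        return None
    return None


def scan(events) -> list:
    """Run classify() over a batch; return (index, label) for every event that matched."""
    return [(i, label) for i, ev in enumerate(events) if (label := classify(ev))]


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{label}] EventID={ev['EventID']} {ev.get('ServiceName') or ev.get('Image')}")
```

Running the block prints the two tool hits and stays silent on the two benign records. The generic labels are the ones worth keeping in a real rule set: a 7045 whose ImagePath writes to \\127.0.0.1\<anything>$, or any cmd.exe whose parent is WmiPrvSE.exe, is rare on a workstation regardless of which script produced it, and the 4624 type 3 logon plus 5145 share access to ADMIN$ or C$ from the attacking host would corroborate either.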

I am going to loop back when I have more time to write about the last two tools and clean up what I have already written. Cheers! ^–^