First published on SecureAuth.com
Hi everyone! I’m Leandro (@0xdeaddood), a researcher at SecureAuth’s Innovation Labs and one of the primary maintainers of Impacket, the collection of Python classes for working with network protocols, and I’m very pleased to announce a new release of this wonderful open source initiative.
Impacket version 0.9.22 is already out and brings a bunch of new features, examples, and improvements we want to tell you about. The implementation of RPC over HTTP v2, a new NTLM relay server for ADWS (WCF) connections, and support for new Kerberoasting scenarios are some examples.
Let’s take a look at everything that’s changed in this release.
What’s new?
Many things have happened since the last release. Undoubtedly, the Zerologon vulnerability has stood out, catching the attention of many, especially in the Active Directory world. Of course, Impacket didn’t stay out of it. So, let’s start with this.
A new way to exploit Zerologon
CVE-2020-1472 a.k.a. Zerologon has been in the spotlight in recent months. This is one of the most critical vulnerabilities we’ve seen in a while. Why? Because it allows privilege escalation to Domain Admin without credentials! Zerologon was patched by Microsoft in August, and after that we started to see a lot of PoCs, many of them using the Impacket library 😉 (such as this one, or this other).
In a nutshell, the vulnerability takes advantage of a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol. The original attack resets the password of the Domain Controller account to an empty string. This allows an attacker to impersonate any computer, including the Domain Controller itself.
Back to Impacket, @_dirkjan explored a new way to exploit this vulnerability that avoids the risks present in the original attack, that is, without having to reset a computer account. The result: a DCSync Relay Client (PR #959). This client can relay authentication attempts directly to the RPC endpoint of the DRSUAPI protocol. It requires signing and sealing, therefore it needs to invoke the Zerologon vulnerability to impersonate the Domain Controller and get, with the help of CVE-2015-0005, the session key over Netlogon. To exploit it, we must relay a machine account, so we can use the printer bug to trigger an NTLM authentication of any machine that has the SpoolService enabled. Once we get it on ntlmrelayx.py, the server will relay it and we obtain all hashes.
If you are interested in knowing more technical details about this exploitation, you can check out @_dirkjan’s great post here!
Remote Procedure Call protocol enhancements
Continuing with more fun, one of the biggest contributions of this release was the implementation of RPC over HTTPv2 [MS-RPCH] by @_mohemiv (PR#813). Do you want to know what this protocol involves? From the Microsoft specification:
The Remote Procedure Call (RPC) over HTTP Protocol tunnels RPC network traffic from an RPC client to an RPC server through a network agent referred to as an RPC over HTTP proxy. The protocol is applicable to network topologies where the use of an HTTP-based or HTTPS-based transport is necessary and the application or computer systems communicating over the topology require the use of the RPC Protocol.
Subsequently, we implemented several protocols for communication with MS Exchange that use RPC over HTTPv2: [MS-NSPI], [MS-OXNSPI], and [MS-OXABREF] (PR#912).
Both PRs brought with them two new examples:
- rpcmap.py: a new scanner for listening DCE/RPC interfaces. This tool works via the Remote Management Interface. If it’s available, it can show all interfaces offered by the RPC Server.
- exchanger.py: a tool for connecting to MS Exchange via RPC over HTTP v2 and extracting useful data and objects from Active Directory such as AD records, also known as LDAP records, and Address Books.
That’s not all! @_mohemiv also added relaying to RPC support in ntlmrelayx.py. That involves adding a rpcrelayclient.py and rpcattack.py, which currently allows, for example, Remote Code Execution against vulnerable MS Exchange via Exchange Trusted Subsystem group in conjunction with the printer bug.
These contributions opened the door to many more new features. For example, it was used in the alternative exploitation of Zerologon mentioned before.
Wow, that was a huge job. Kudos to @_mohemiv!
A brand new relay server
What about a new relay server in Impacket? Well, that was the contribution of @cnotin for this release (PR#944). Ladies and gentlemen, let me introduce you to the wcfrelayserver.py. This is a brand new server protocol to relay incoming NTLM auth connections used in ADWS.
So, you are probably wondering what ADWS means. ADWS is the acronym for Active Directory Web Services. ADWS is a Windows service that provides an interface to interact with directory service instances such as Active Directory domains and Active Directory Lightweight Directory Services instances. It’s built upon NetTcpBinding WCF (Windows Communication Foundation) and is used by client applications, such as the Active Directory module for Windows PowerShell.
Want to know more? Take a look at @cnotin’s post!
Kerberoasting everywhere
Kerberoasting is a post-exploitation technique that consists of obtaining the plain-text passwords of user accounts with servicePrincipalName (SPN) values, for example, service accounts.
How do we achieve it? Requesting Service Tickets to these SPNs via Kerberos, and then, since a part of the service ticket is encrypted with the key derived from the user account’s password, we can attempt an offline brute force attack to crack the plain-text passwords. Impacket has the GetUserSPNs.py tool to perform the Kerberoasting attack.
It sounds easy, doesn’t it? But not everything is a bed of roses. Sometimes you’ll encounter scenarios where SPNs cannot be used. For example: when accounts have duplicate or incorrect SPNs, when for some reason we don’t have access to LDAP, or when accounts in another domain have SPNs with a NetBIOS Name via a forest trust. To address these situations, @_mohemiv issued PR #923 and changed the default behavior of GetUserSPNs.py from using Service Principal Names to using SAM Account Names.
Interested in knowing more about Kerberoasting without SPNs? Check out @_mohemiv’s post!
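From the defender's side, the ticket requests described above show up on Domain Controllers as Security event 4769. The following is an added example, not code from Impacket or from the original post: it flags a client that requests RC4-encrypted service tickets for several user-backed accounts in a short window. The record layout is a simplified form of the 4769 fields, and the accounts, addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # "Ticket Encryption Type" value logged in event 4769 for RC4-HMAC

# Constructed sample of 4769 records: (time, client, ip, service, etype, status)
EVENTS = [
    ("2020-11-20T10:00:01", "alice@CORP.EXAMPLE", "10.0.0.21", "FILESRV01$", 0x12, 0),
    ("2020-11-20T10:02:10", "bob@CORP.EXAMPLE", "10.0.0.57", "svc_sql", 0x17, 0),
    ("2020-11-20T10:02:11", "bob@CORP.EXAMPLE", "10.0.0.57", "svc_backup", 0x17, 0),
    ("2020-11-20T10:02:11", "bob@CORP.EXAMPLE", "10.0.0.57", "svc_web", 0x17, 0),
    ("2020-11-20T10:02:12", "bob@CORP.EXAMPLE", "10.0.0.57", "krbtgt", 0x17, 0),
    ("2020-11-20T10:30:00", "carol@CORP.EXAMPLE", "10.0.0.33", "svc_sql", 0x17, 0),
    ("2020-11-20T11:45:00", "carol@CORP.EXAMPLE", "10.0.0.33", "svc_web", 0x12, 0),
]

def is_user_service(name):
    """True for user-backed accounts; machine accounts ($) and krbtgt are skipped."""
    return not name.endswith("$") and name.lower() != "krbtgt"

def find_roasting(events, window=timedelta(minutes=5), threshold=3):
    """Return {(client, ip): [services]} for clients that obtained RC4 tickets
    for at least `threshold` distinct user-backed services within `window`."""
    per_client = defaultdict(list)
    for time, client, ip, service, etype, status in events:
        # Only successful RC4 requests for user-backed services are of interest.
        if status != 0 or etype != RC4_HMAC or not is_user_service(service):
            continue
        per_client[(client, ip)].append((datetime.fromisoformat(time), service))
    findings = {}
    for key, reqs in per_client.items():
        reqs.sort()
        # Slide a window starting at each request and count distinct services.
        for i, (start, _) in enumerate(reqs):
            names = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(names) >= threshold:
                findings[key] = sorted(names)
                break
    return findings

if __name__ == "__main__":
    for (client, ip), services in find_roasting(EVENTS).items():
        print(f"possible Kerberoasting: {client} from {ip} -> {', '.join(services)}")
```

A rule like this misses requests that use AES tickets or that are spread out over time, so it works best alongside strong, long service-account passwords and AES-only encryption types where the environment allows it.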
What else?
As I told you before, this release is full of new features, improvements, and of course, a lot of fun. If you want to see a fully detailed list of all new stuff, please check the release notes here.
Getting Impacket
If you want to know more about these examples and library functionality, you can find it at the Impacket site. You can also get the latest stable release directly from GitHub:
To install, execute the following command from the directory where you unpacked the Impacket distribution:
- For Python 3.x: pip3 install .
- For Python 2.x: pip install .
This will install the classes into the default Python modules path; note that you might need special permissions to write there.
Final Notes
As always, thanks a lot to all the contributors who shared their knowledge and constantly make this library better every day. Since the last version:
@_mohemiv @cnotin @_dirkjan @tshmul @Romounet @franferrax @fuzzKitty @rmaksimov @cclauss @vbersier @5alt @mubix @ThePirateWhoSmellsOfSunflowers @HackAndDo @Dliv3 @AaronRobson @mpgn_x64 @spinenkoia @ABCIFOGeowi40 @_MrGag @phefley
We love your feedback and PRs! Contributions from the community are the mainstay of this open source initiative!
If you have any doubts, questions, or suggestions, don’t hesitate to contact me at @0xdeaddood or drop me a few lines at 0xdeaddood@protonmail.com
We hope you enjoy this new release! Happy hacking!