What is Impacket?

Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in a simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB and SMB. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy. Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object-oriented API makes it simple to work with deep protocol hierarchies.
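As an added illustration of the two directions the paragraph describes (crafting a packet from scratch and decoding a protocol hierarchy from raw bytes), here is a small self-contained model of an IPv4/UDP layer pair written for this page. It is not Impacket's own API or code, uses only the standard library, and builds its sample datagram inline; the length and checksum checks in the decoder are the ones a parser must apply before trusting the fields it reads.

```python
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
UDP_FMT = "!HHHH"           # sport, dport, length, checksum


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; over a header whose checksum field is already filled in it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_over_ipv4(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Craft IPv4 -> UDP -> payload from scratch, filling in lengths and the IPv4 header checksum."""
    udp = struct.pack(UDP_FMT, sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 = absent
    ip_hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = ones_complement_sum(ip_hdr)
    return ip_hdr[:10] + struct.pack("!H", csum) + ip_hdr[12:] + udp


def decode_udp_over_ipv4(raw: bytes) -> dict:
    """Walk the hierarchy IPv4 -> UDP -> payload, refusing truncated or corrupted input."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not a well-formed IPv4 header")
    if total_len < ihl or len(raw) < total_len:
        raise ValueError("IPv4 total length exceeds captured data")
    if ones_complement_sum(raw[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if proto != 17:
        raise ValueError("not UDP (protocol %d)" % proto)
    udp = raw[ihl:total_len]  # bytes past total_len (link-layer padding) are ignored, as a real stack does
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, ulen, _ = struct.unpack(UDP_FMT, udp[:8])
    if ulen != len(udp):
        raise ValueError("UDP length field disagrees with the IPv4 payload length")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "sport": sport, "dport": dport, "payload": udp[8:]}


# Constructed sample (not a real capture): a 12-byte datagram to UDP/53 between private addresses.
SAMPLE = build_udp_over_ipv4("192.168.1.10", "192.168.1.1", 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)
```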

The following protocols are featured in Impacket:

  • Ethernet, Linux "Cooked" capture.
  • IP, TCP, UDP, ICMP, IGMP, ARP.
  • NMB and SMB (high-level implementations).
  • DCE/RPC versions 4 and 5, over different transports: UDP (version 4 exclusively), TCP, SMB/TCP, SMB/NetBIOS and HTTP.
  • Multiple ways of performing SMB tree_connect, file open, read and write.
  • SMB "fragmentation", SMB AndX command chaining.
  • Plain, NT and LM v1 authentication, using either a password or hashes only.
  • Portions of the following DCE/RPC interfaces: Conv, DCOM, EPM, SAMR, SvcCtl, WinReg.
  • DCERPC alternate contexts, multi-bind requests, endianness selection.
  • DCERPC NT and LM v1 authentication, integrity checking and encryption.
  • DCERPC v4 and v5 fragmentation, DCERPC v4 idempotent requests.
  • Take a look at this document for an explanation of the advanced SMB and DCERPC features.

The following tools are featured in Impacket:

RPCDump

An application that communicates with the Endpoint Mapper interface from the DCE/RPC suite. This can be used to list services that are remotely available through DCE/RPC, such as Windows Messenger.

SAMRDump

An application that communicates with the Security Account Manager Remote interface from the DCE/RPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.

Tracer

An application (written using Tkinter) that displays a parallel coordinates graph of captured traffic. With this type of graph it is easy to detect unexpected network usage patterns. Tracer currently supports TCP and UDP traffic, but can be easily extended to handle other protocols.

Split

A tool that can divide any pcap-supported capture file into several smaller files. This application was developed to manage megabytes of captured traffic. Split currently supports TCP streams, but can be easily extended to handle other stream-oriented protocols.

smbclient.py

A generic SMB client (written using Impacket) that lets you list shares and files, rename, upload and download files, and create and delete directories, using either a username and password or a username and hashes combination. It's an excellent example to see how to use impacket.smb in action.

chain.py, oochain.py, loopchain.py and crapchain.py

Four different examples of how to chain SMB commands. The first one simply chains four commands. oochain chains the same four commands, but sends them out of order in the packet. loopchain chains 2 commands in a loop, making the SMB server act as if it were receiving more than 200 commands. crapchain chains the same four commands, but adds bogus data between them.

exploit.py and smb05-039-crash.py

exploit.py is the implementation of the class DCERPCExploit, which can be used as a base to create DCERPC exploits. An exploit based on this class automatically lets the user tweak how the DCERPC traffic is sent: for example, you can configure the maximum fragment size, either for the transport (TCP/SMB/etc.) or for DCERPC, and select how you want the data to be read and written. ms05-039-crash.py is an example implementation of a crash (an exploit that only crashes the server) for the vulnerability described in Microsoft's advisory MS05-039.

Source code

Setup

Quick start: Click the following link to obtain the latest stable release.

Requirements: A Python interpreter, version 2.0.1 or higher.

Installing: In order to install the code, execute python setup.py install from the directory where Impacket's distribution has been placed. This will install the classes into Python's default module path (you might need special permissions to write there). For more information on what commands and options are available from setup.py, run python setup.py --help-commands.

Documentation

Most documentation is included in the source as Python __doc__ strings, but here are some examples upon which you can base your own programs:

Licensing

This software is provided under a slightly modified version of the Apache Software License. Feel free to review it here and compare it to the official Apache Software License.

Contact Us

Whether you want to report a bug, send a patch or give some suggestions on this package, drop us a few lines at oss@coresecurity.com.

Core Security Technologies © 1998-2008  |  All rights reserved