Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (for instance NMB, SMB1-3 and MS-DCERPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.
*Ethernet, Linux “Cooked” capture.
* IP, TCP, UDP, ICMP, IGMP, ARP. (IPv4 and IPv6)
* NMB and SMB1/2/3 (high-level implementations).
* DCE/RPC versions 4 and 5, over different transports: UDP (version 4 exclusively), TCP, SMB/TCP, SMB/NetBIOS and HTTP.
* Portions of the following DCE/RPC interfaces: Conv, DCOM (WMI, OAUTH), EPM, SAMR, SCMR, RRP, SRVSC, LSAD, LSAT, WKST, NRPC.
* A Python interpreter. Versions 2.0.1 and newer are known to work.
* If you want to run the examples and you have Python < 2.7, you will need to install the argparse package for them to work.
* For Kerberos support you will need pyasn1 package
* For cryptographic operations you will need pycrypto package
* For some examples you will need pyOpenSSL (rdp_check.py)
* If you’re under Windows, you will need pyReadline
Download from GitHub.
git clone https://github.com/CoreSecurity/impacket
python setup.py install
This will install the classes into the default Python modules path; note that you might need special permissions to write there. For more information on what commands and options are available from setup.py, run
python setup.py --help-commands
Simple packet sniffer:
#!/usr/bin/python # Copyright (c) 2003 CORE Security Technologies # # This software is provided under under a slightly modified version # of the Apache Software License. See the accompanying LICENSE file # for more information. # # Simple packet sniffer. # # This packet sniffer uses the pcap library to listen for packets in # transit over the specified interface. The returned packages can be # filtered according to a BPF filter (see tcpdump(3) for further # information on BPF filters). # # Note that the user might need special permissions to be able to use pcap. # # Authors: # Maximiliano Caceres <email@example.com> # Javier Kohen <firstname.lastname@example.org> # # Reference for: # pcapy: findalldevs, open_live. # ImpactDecoder. import sys from threading import Thread import pcapy from pcapy import findalldevs, open_live from impacket.ImpactDecoder import EthDecoder, LinuxSLLDecoder class DecoderThread(Thread): def __init__(self, pcapObj): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj Thread.__init__(self) def run(self): # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. self.pcap.loop(0, self.packetHandler) def packetHandler(self, hdr, data): # Use the ImpactDecoder to turn the rawpacket into a hierarchy # of ImpactPacket instances. # Display the packet in human-readable form. print self.decoder.decode(data) def getInterface(): # Grab a list of interfaces that pcap is able to listen on. # The current user will be able to listen from all returned interfaces, # using open_live to open them. ifs = findalldevs() # No interfaces available, abort. if 0 == len(ifs): print "You don't have enough permissions to open any interface on this system." sys.exit(1) # Only one interface available, use it. elif 1 == len(ifs): print 'Only one interface present, defaulting to it.' return ifs # Ask the user to choose an interface from the list. count = 0 for iface in ifs: print '%i - %s' % (count, iface) count += 1 idx = int(raw_input('Please select an interface: ')) return ifs[idx] def main(filter): dev = getInterface() # Open interface for catpuring. p = open_live(dev, 1500, 0, 100) # Set the BPF filter. See tcpdump(3). p.setfilter(filter) print "Listening on %s: net=%s, mask=%s, linktype=%d" % (dev, p.getnet(), p.getmask(), p.datalink()) # Start sniffing thread and finish main thread. DecoderThread(p).start() # Process command-line arguments. Take everything as a BPF filter to pass # onto pcap. Default to the empty filter (match all). filter = '' if len(sys.argv) > 1: filter = ' '.join(sys.argv[1:]) main(filter)