A bunch of scripts to reduce friction when pentesting Active Directory from Linux.
First clone the repository.

```sh
git clone --depth 1 https://github.com/dadevel/impacket-shell-integration.git ~/.local/share/impacket-shell-integration
```

Then append the following snippet to your ~/.bashrc or ~/.zshrc:

```sh
source ~/.local/share/impacket-shell-integration/krbconf.sh
source ~/.local/share/impacket-shell-integration/proxyconf.sh
```

If you are using Bash with ble.sh you get additional prompt elements.
Your ~/.bashrc should look like this:

```sh
source ~/.local/share/impacket-shell-integration/krbconf.sh
source ~/.local/share/impacket-shell-integration/proxyconf.sh
source ~/.local/share/impacket-shell-integration/ble.bash
source ~/.local/share/blesh/ble.sh --attach=none
...
# left prompt
PS1='\q{krbconf}$ '
# right prompt
bleopt prompt_rps1='\q{proxyconf}\q{tunnel}'
...
[[ ! "${BLE_VERSION-}" ]] || ble-attach
```

If you are using ZSH with Powerlevel10k you get additional prompt elements as well.
Your powerlevel10k.zsh should look like this:

```sh
...
() {
  ...
  typeset -g POWERLEVEL9K_LEFT_PROMPT_ELEMENTS=(
    ...
    krbconf
    ...
  )
  typeset -g POWERLEVEL9K_RIGHT_PROMPT_ELEMENTS=(
    ...
    proxyconf
    tunnel
    ...
  )
  source ~/.local/share/impacket-shell-integration/powerlevel10k.zsh
  ...
}()
...
```

The prompts rely on icons from Nerd Fonts.
If you are using any shell supported by Starship you get additional prompt elements as well.
Your starship.toml should look like this:

```toml
right_format = "${custom.krbconf}${custom.proxyconf}"

[custom.krbconf]
command = '[ -n "$KRB5CCNAME_HOST" ] && echo "$KRB5CCNAME_DOMAIN/$KRB5CCNAME_USER@$KRB5CCNAME_HOST" || echo "$KRB5CCNAME_DOMAIN/$KRB5CCNAME_USER"'
when = '[ -n "$KRB5CCNAME" ] && [ -n "$KRB5CCNAME_DOMAIN" ] && [ -n "$KRB5CCNAME_USER" ]'
symbol = ""
style = "fg:blue"
format = '[$symbol $output]($style) '

[custom.proxyconf]
command = 'echo "$PROXYCHAINS_ENDPOINT"'
when = '[ -n "$PROXYCHAINS_ENDPOINT" ] && [ "$LD_PRELOAD" = /usr/lib/libproxychains4.so ]'
symbol = ""
style = "fg:green"
format = '[$symbol $output]($style) '
```

Configure a SOCKS proxy in the current shell with the help of proxychains-ng. The network traffic of all following commands is tunneled over the proxy, as long as the commands are dynamically linked against libc: the hook works via LD_PRELOAD, so statically linked binaries bypass it.
```sh
proxyconf set socks5 127.0.0.1 1080
nc -vz dc01.corp.local 445
```

Stop tunneling traffic over the proxy.

```sh
proxyconf unset
```

Tell subsequent tools to use a specific Kerberos TGT or ST by setting the $KRB5CCNAME environment variable.
```sh
krbconf set ./jdoeadm.ccache
impacket-smbclient -k -no-pass srv01.corp.local
```

If you additionally specify the hostname or FQDN of a domain controller with -K / --kdc, a suitable $KRB5_CONFIG is configured in the environment as well (thanks @mpgn for the idea).
This is required for some tools that use GSSAPI, like evil-winrm.

```sh
krbconf set ./jdoeadm.ccache -K dc01
evil-winrm -r $KRB5CCNAME_DOMAIN -i srv01.corp.local
```

Stop using the ticket.

```sh
krbconf unset
```

Execute a one-off command in the context of a given ticket.

```sh
krbconf exec ./jdoeadm.ccache impacket-smbclient -k -no-pass srv01.corp.local
```

Import a ticket in Kirbi format from Windows (e.g. from Rubeus).

```sh
krbconf import ./jdoe.kirbi
krbconf import base64:doIFrTCCBamgAwIB...
```
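As an added illustration (not the project's own krbconf.sh, whose internals this page does not show), the following POSIX shell sketch spells out what "a suitable $KRB5_CONFIG" amounts to: a minimal krb5.conf that pins the realm to the given KDC without relying on DNS lookups, plus a wrapper that refuses to export KRB5CCNAME when the cache file does not exist, so a typo in the path fails immediately instead of surfacing as a confusing GSSAPI error later. The function names make_krb5_conf and use_ticket, and the layout of the generated file, are assumptions; the environment variables KRB5CCNAME and KRB5_CONFIG are the standard MIT Kerberos ones the page refers to.

```shell
# Added example, not the project's code. Writes a minimal krb5.conf for one
# realm/KDC pair and prints the path of the generated file.
make_krb5_conf() {
    # $1 = realm (any case, upper-cased here), $2 = KDC host or FQDN, $3 = output path
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    kdc=$2
    out=$3
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
    printf '%s\n' "$out"
}

# Points the GSSAPI stack at a ticket cache and a generated config.
# Fails (return 1, nothing exported) when the cache file is missing.
use_ticket() {
    # $1 = ccache path, $2 = realm, $3 = KDC host or FQDN
    [ -f "$1" ] || { echo "ccache not found: $1" >&2; return 1; }
    KRB5CCNAME=$1
    KRB5_CONFIG=$(make_krb5_conf "$2" "$3" "${TMPDIR:-/tmp}/krb5-$$.conf")
    export KRB5CCNAME KRB5_CONFIG
}

# Usage (hypothetical paths):
#   use_ticket ./jdoeadm.ccache corp.local dc01.corp.local
#   impacket-smbclient -k -no-pass srv01.corp.local
```

Setting dns_lookup_kdc and dns_lookup_realm to false is the point of passing the KDC explicitly: tools that go through GSSAPI then talk to the host you named rather than whatever SRV record the resolver on your box happens to return.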