A bunch of scripts to reduce friction when pentesting Active Directory from Linux.
Clone the repository.
git clone --depth 1 https://github.com/dadevel/impacket-zsh-integration.git ~/.local/share/impacket-zsh-integration
Append the following snippet to your ~/.zshrc:
source ~/.local/share/impacket-zsh-integration/krbconf.zsh
source ~/.local/share/impacket-zsh-integration/proxyconf.zsh
Find your Powerlevel10k config and modify it to look something like this:
...
() {
  ...
  typeset -g POWERLEVEL9K_RIGHT_PROMPT_ELEMENTS=(
    ...
    krbconf
    proxyconf
  )
  source ~/.local/share/impacket-zsh-integration/powerlevel10k.zsh
  ...
}()
...
Configure your terminal to use Nerd Fonts or change the icons in powerlevel10k.zsh.
Configure a SOCKS proxy in the current shell with the help of proxychains-ng. The network traffic of all subsequent commands will be tunneled over the proxy.
proxyconf set socks5 127.0.0.1 1080
nc -vz dc01.corp.local 445
Stop tunneling traffic over the proxy.
proxyconf unset
Tell subsequent tools to use a specific Kerberos TGT or ST by setting the $KRB5CCNAME environment variable.
krbconf set ./jdoeadm.ccache
impacket-smbclient -k -no-pass srv01.corp.local
If you additionally specify the hostname or FQDN of a domain controller with -K / --kdc, a suitable $KRB5_CONFIG is configured in the environment as well (thanks @mpgn for the idea). This is required for certain tools like evil-winrm.
krbconf set ./jdoeadm.ccache -K dc01
evil-winrm -r $KRB5CCNAME_DOMAIN -i srv01.corp.local
Stop using the ticket.
krbconf unset
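To make the mechanism behind these helpers visible, here is an added example (not code from the impacket-zsh-integration project) that re-implements the core of "proxyconf set/unset" and "krbconf set/unset/exec" as plain bash functions. It assumes proxychains-ng is installed with its preload library at $PROXYCHAINS_LIB (adjust per distro), and it takes the Kerberos realm as an argument instead of reading it from the ticket as the project does; the realm, host and port values are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the project's code. Shows what proxyconf/krbconf have to
# put into the environment: a proxychains-ng config plus LD_PRELOAD, and a
# ticket cache path plus a generated krb5.conf that pins the realm to one KDC.
# Assumption: the preload library path below matches your distro.
PROXYCHAINS_LIB="${PROXYCHAINS_LIB:-/usr/lib/libproxychains4.so}"

# Render a proxychains-ng config for a single proxy hop. proxy_dns keeps name
# resolution inside the tunnel, so target hostnames do not leak to the local
# resolver. Rejects unknown proxy types and non-numeric ports.
proxychains_conf_render() {
    local type="$1" host="$2" port="$3"
    case "$type" in
        socks4|socks5|http) ;;
        *) echo "unsupported proxy type: $type" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    printf '%s\n' 'strict_chain' 'proxy_dns' 'tcp_read_time_out 15000' \
        'tcp_connect_time_out 8000' '[ProxyList]' "$type $host $port"
}

# "proxyconf set": write the config and preload the library so every
# dynamically linked command started from this shell is tunneled.
proxyconf_set() {
    local conf
    conf="$(mktemp)" || return 1
    proxychains_conf_render "$@" > "$conf" || { rm -f "$conf"; return 1; }
    [ -r "$PROXYCHAINS_LIB" ] || { echo "missing $PROXYCHAINS_LIB" >&2; rm -f "$conf"; return 1; }
    export PROXYCHAINS_CONF_FILE="$conf"
    export LD_PRELOAD="$PROXYCHAINS_LIB${LD_PRELOAD:+:$LD_PRELOAD}"
}

# "proxyconf unset": drop the preload first, then the temporary config.
proxyconf_unset() {
    unset LD_PRELOAD
    if [ -n "${PROXYCHAINS_CONF_FILE:-}" ]; then rm -f "$PROXYCHAINS_CONF_FILE"; fi
    unset PROXYCHAINS_CONF_FILE
}

# Render a krb5.conf that maps one realm to one KDC with DNS lookups disabled.
# This is the kind of file "krbconf set -K" provides for tools such as
# evil-winrm, which need a reachable KDC even when the realm is not resolvable.
krb5_conf_render() {
    local realm="$1" kdc="$2" upper lower
    upper="$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')"
    lower="$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')"
    printf '%s\n' '[libdefaults]' "  default_realm = $upper" \
        '  dns_lookup_kdc = false' '  dns_lookup_realm = false' '' \
        '[realms]' "  $upper = {" "    kdc = $kdc" "    admin_server = $kdc" '  }' '' \
        '[domain_realm]' "  .$lower = $upper" "  $lower = $upper"
}

# "krbconf set <ccache> <realm> [kdc]": export KRB5CCNAME as an absolute path
# (so it survives a cd) and, when a KDC is given, a generated KRB5_CONFIG.
krbconf_set() {
    local ccache="$1" realm="$2" kdc="${3:-}" conf
    [ -f "$ccache" ] || { echo "no such ccache: $ccache" >&2; return 1; }
    KRB5CCNAME="$(cd "$(dirname "$ccache")" && pwd)/$(basename "$ccache")"
    export KRB5CCNAME
    # The project derives this from the ticket; here it is the lowercase realm.
    KRB5CCNAME_DOMAIN="$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')"
    export KRB5CCNAME_DOMAIN
    if [ -n "$kdc" ]; then
        conf="$(mktemp)" || return 1
        krb5_conf_render "$realm" "$kdc" > "$conf"
        export KRB5_CONFIG="$conf"
    fi
}

# "krbconf unset": remove the generated config and all exported variables.
krbconf_unset() {
    if [ -n "${KRB5_CONFIG:-}" ]; then rm -f "$KRB5_CONFIG"; fi
    unset KRB5CCNAME KRB5CCNAME_DOMAIN KRB5_CONFIG
}

# "krbconf exec <ccache> <realm> <cmd...>": run one command with the ticket
# in a subshell, leaving the calling shell's environment untouched.
krbconf_exec() {
    local ccache="$1" realm="$2"; shift 2
    ( krbconf_set "$ccache" "$realm" && "$@" )
}
```

Source the file and call `proxyconf_set socks5 127.0.0.1 1080` or `krbconf_set ./jdoeadm.ccache CORP.LOCAL dc01` the way the page uses the zsh versions; the render functions are kept separate from the exporting wrappers so the generated configs can be inspected (or unit-tested) without preloading anything.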
Execute a one-off command in the context of a given ticket.
krbconf exec ./jdoeadm.ccache impacket-smbclient -k -no-pass srv01.corp.local
Import a ticket in Kirbi format from Windows (e.g. from Rubeus).
krbconf import ./jdoe.kirbi
krbconf import base64:doIFrTCCBamgAwIB...