ShadowPath is a smart internal network pivoting toolkit designed for offensive security professionals. It automates post-exploitation tasks—such as SMB share enumeration, remote command execution, NTLM/DNS relaying, and Active Directory mapping—to help you "live off the land" in enterprise environments.
-
Credential Harvesting
Enumerate SMB shares on a target using impacket's SMBConnection (supports anonymous and authenticated logins) to gather useful share information. -
Remote Execution
Execute commands on remote Windows hosts via WMI/SMB. ShadowPath wraps impacket’swmiexec.pytool to deliver commands and capture output. -
NTLM/DNS Relay
Leverage NTLM relaying by wrapping impacket’sntlmrelayx.pyto pivot further into internal networks (future enhancements planned). -
Active Directory Mapping
Query Active Directory via LDAP (using the ldap3 library) to retrieve and map computer objects, thereby providing an up-to-date network inventory. -
Robust Logging & Error Handling
All operations are logged with timestamps, and errors are handled gracefully to ensure you get actionable feedback during engagements. -
Modular & Extensible
ShadowPath is organized into subcommands (harvest,exec,relay,admap) for easy extension and integration with other red team tools. -
Debian/PEP 668 Compliant
The tool is packaged as a Debian package and uses a local Python virtual environment for its dependencies, ensuring smooth deployment on Debian 12 and similar systems.
ShadowPath is also available as a .deb package. To install:
sudo dpkg -i shadowpath_0.1_all.debThe executable will be installed to /usr/local/bin/shadowpath.
ShadowPath requires an apt-based Linux distribution (e.g., Debian, Ubuntu). It installs its required system packages via apt. Ensure you have the following installed (the deb package will install missing ones automatically):
tcpdumptsharknmaparp-scanavahi-utilsffmpegcurljqcutycaptpython3python3-venvpython3-pip
It also relies on the impacket suite (specifically wmiexec.py and ntlmrelayx.py) and ldap3.
-
Clone the Repository:
git clone https://github.com/John0n1/ShadowPath.git cd ShadowPath -
Make the Script Executable:
chmod +x shadowpath.py mv shadowpath.py shadowpath
-
Run the Tool:
ShadowPath requires root privileges. Run it using sudo:
sudo ./shadowpath <subcommand> [options]
On first run, ShadowPath will automatically create a local Python virtual environment (
./watchtower_venv) and install its Python dependencies (wsdiscovery,scapy,onvif-zeep).
ShadowPath is organized into four main subcommands. Below are some examples:
Attempt to enumerate SMB shares (and possibly harvest credentials) from a target.
sudo shadowpath harvest 10.0.0.5 -u DOMAIN\\user -p passwordIf credentials are not provided, an anonymous login is attempted.
Execute a remote command on a Windows host via WMI/SMB.
sudo shadowpath exec 10.0.0.10 -u DOMAIN\\user -p password -c "ipconfig /all"This command wraps impacket's wmiexec.py to run the command on the target.
Set up an NTLM relay to pivot into the network.
sudo shadowpath relay http://10.0.0.5 --listen-port 80Note: This module currently wraps ntlmrelayx.py. Make sure impacket is installed and configured.
Query an Active Directory domain controller for computer objects.
sudo shadowpath admap ldap://dc.example.com -u DOMAIN\\user -p password -b "DC=example,DC=com"This will output a list of computer objects retrieved via LDAP.
Contributions are welcome! If you have ideas, improvements, or bug fixes, please open an issue or submit a pull request.
ShadowPath is licensed under the MIT License. See the LICENSE file for details.
- Impacket GitHub Repository
- ldap3 Documentation
- Nmap Network Scanning Guide
- WS-Discovery for Python
- PEP 668: Externally Managed Environments
Disclaimer: Use ShadowPath only on networks and systems for which you have explicit authorization. Unauthorized use is illegal and unethical.
Happy Pivoting!