OFFSITE.DARK
  • ad
  • python


Impacket

Overview

Impacket is a Python library implementing network protocols (SMB/SMB3, MSRPC/DCERPC, Kerberos, LDAP, NTLM, etc.) as packet classes and higher-level protocol APIs, plus a set of example scripts used heavily in Windows/AD pentesting. The scripts live under examples/ in the repository; on Kali they are packaged as impacket-* commands (e.g. impacket-secretsdump).

secretsdump.py extracts SAM, LSA secrets and cached credentials from a host, and the NTDS.dit contents from a domain controller either by replicating over DRSUAPI (the DCSync technique, which needs only the DS-Replication-Get-Changes and -All rights on the domain, not local admin on the DC) or by copying the database out of a VSS shadow copy (-use-vss, needs admin on the DC). psexec.py and smbexec.py provide semi-interactive shells over SMB by creating a service; wmiexec.py does the same over DCOM/WMI and reads command output back through an SMB share. Impacket does not speak WinRM.

Kerberos tooling: getTGT.py requests a TGT into a ccache, getST.py requests service tickets including S4U2self/S4U2proxy for delegation abuse (-impersonate), and ticketer.py forges golden tickets (krbtgt key) and silver tickets (service account key). ntlmrelayx.py relays captured NTLM authentication to SMB, LDAP, HTTP or MSSQL targets; SMB relay only works against targets that do not require signing, and LDAP relay only where signing and channel binding are not enforced.

Most scripts accept -hashes LMHASH:NTHASH for pass-the-hash (the LM half may be left blank, e.g. -hashes :NTHASH), -aesKey for pass-the-key with an AES key, -k to authenticate with the Kerberos ticket in the ccache named by KRB5CCNAME (or to request one with the supplied password), and -no-pass to suppress the password prompt, normally combined with -k. -no-pass performs no implicit authentication; Impacket never uses the calling session's Windows credentials.

Primary use cases

  • Domain credential extraction after obtaining DA or DCSync rights
  • Lateral movement via SMB (service creation), DCOM/WMI, or scheduled tasks with stolen hashes or tickets
  • Kerberoasting (GetUserSPNs.py) and AS-REP roasting (GetNPUsers.py)
  • NTLM relay attacks combined with Responder poisoning
  • PetitPotam/PrinterBug coercion to force a DC's machine account to authenticate to the ntlmrelayx.py listener (typically relayed to AD CS web enrollment or LDAP)

Key commands

Remote secrets dump

secretsdump.py CORP/administrator@dc01.corp.local -hashes :ntlmhash

Kerberoastable SPNs

GetUserSPNs.py corp.local/user:password -request -outputfile tickets.txt
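Triage of the file that -outputfile writes, as an added example (not part of Impacket). The line format mirrors what GetUserSPNs.py emits: RC4 tickets as $krb5tgs$23$*user$REALM$spn*$checksum$edata, AES tickets as $krb5tgs$17|18$user$REALM$*spn*$checksum$edata, with ':' in the SPN written as '~'. The hashcat mode per etype is the conventional mapping; the ciphertext in the sample lines is made up.

```python
"""Sort GetUserSPNs.py -outputfile lines by Kerberos etype so RC4 tickets
(cheap to crack) are attacked before AES ones.  Added example, not Impacket
code; sample lines below are constructed with dummy ciphertext."""
import re
from collections import defaultdict

# hashcat modes per etype: 23 = RC4-HMAC, 17 = AES128-CTS, 18 = AES256-CTS
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}

# RC4 form: $krb5tgs$23$*user$REALM$spn*$<16-byte checksum hex>$<edata hex>
_RC4 = re.compile(
    r"^\$krb5tgs\$(23)\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]{32})\$([0-9a-f]+)$")
# AES form: $krb5tgs$17|18$user$REALM$*spn*$<12-byte checksum hex>$<edata hex>
_AES = re.compile(
    r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$([0-9a-f]{24})\$([0-9a-f]+)$")


def parse_ticket(line):
    """Return a dict describing one roasted ticket, or None if the line is not one."""
    line = line.strip()
    m = _RC4.match(line) or _AES.match(line)
    if not m:
        return None
    etype, user, realm, spn, checksum, edata = m.groups()
    etype = int(etype)
    return {
        "etype": etype,
        "user": user,
        "realm": realm,
        "spn": spn.replace("~", ":"),      # undo the ':' -> '~' substitution in the file
        "hashcat_mode": HASHCAT_MODE[etype],
        "edata_bytes": len(edata) // 2,
        "line": line,
    }


def triage(lines):
    """Group parseable lines by hashcat mode; unparseable lines are dropped."""
    by_mode = defaultdict(list)
    for line in lines:
        t = parse_ticket(line)
        if t:
            by_mode[t["hashcat_mode"]].append(t)
    return dict(by_mode)


# Constructed sample output: two RC4 tickets, one AES-256 ticket, one junk line.
SAMPLE_OUTPUT = [
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local~1433*$" + "ab" * 16 + "$" + "cd" * 40,
    "$krb5tgs$23$*svc_web$CORP.LOCAL$HTTP/web01.corp.local*$" + "01" * 16 + "$" + "23" * 40,
    "$krb5tgs$18$svc_backup$CORP.LOCAL$*backup/bk01.corp.local*$" + "ef" * 12 + "$" + "45" * 40,
    "not a ticket",
]

if __name__ == "__main__":
    for mode, tickets in sorted(triage(SAMPLE_OUTPUT).items()):
        print(f"hashcat -m {mode}: {[t['user'] for t in tickets]}")
```

An AES-only ticket in the output means the service account has no RC4 key (or the KDC refused RC4); unless the password is weak, that ticket is rarely worth GPU time, and the account is the one to leave alone rather than hammer.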

NTLM relay (multi-target)

ntlmrelayx.py -tf targets.txt -smb2support -c 'whoami'

WMI semi-interactive shell

wmiexec.py -hashes :HASH corp.local/admin@10.0.0.50

Notable modules / features

  • Library modules: impacket.smb, smb3, smbconnection, ldap, krb5, ntlm, dcerpc.v5
  • Golden ticket: ticketer.py with krbtgt hash
  • smbclient.py, lookupsid.py, rpcdump.py for enumeration
  • atexec.py, dcomexec.py alternative execution vectors

Detection / defense notes

  • Require SMB signing on all hosts, not only DCs; enable Extended Protection for Authentication (EPA) on AD CS web enrollment and channel binding on LDAPS
  • Tier-0 credential hygiene; alert on 4662 events whose Properties carry the DS-Replication-Get-Changes / -All rights from any account that is not a DC or a known sync service (requires the Directory Service Access audit subcategory)
  • Detect Kerberoasting via 4769: one account requesting RC4 (TicketEncryptionType 0x17) service tickets for many distinct SPNs in a short window; giving service accounts AES-only keys removes the cheap target
  • Disable NTLM where possible; enforce LDAP signing/channel binding
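The two event-based detections above, run over constructed sample events, as an added example (not from this page or Impacket). Each event is a dict of the fields a SIEM extracts from 4662 / 4769 EventData; the account names and values are made up. The replication-right GUIDs are the real control-access-right identifiers.

```python
"""DCSync and Kerberoasting detections over constructed Windows Security events.
Added example, not Impacket code.  Field names follow the EventData names in
the event XML; every account and value in SAMPLE_EVENTS is made up."""
from collections import defaultdict

# Control-access rights a DRSUAPI replication call (DCSync / secretsdump -just-dc)
# exercises.  4662 records them as GUIDs in Properties when Directory Service
# Access auditing is on.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL,
                      DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET}
RC4_HMAC = 0x17   # 4769 TicketEncryptionType for etype 23


def detect_dcsync(events, allowed_accounts=frozenset()):
    """Accounts that exercised a replication right but are neither DCs (computer
    accounts end in $) nor in the allow-list of known sync services."""
    allowed = {a.lower() for a in allowed_accounts}
    hits = []
    for ev in events:
        if ev["EventID"] != 4662:
            continue
        props = ev.get("Properties", "").lower()
        if not any(g in props for g in REPLICATION_RIGHTS):
            continue
        acct = ev["SubjectUserName"]
        if acct.endswith("$") or acct.lower() in allowed:
            continue
        hits.append(acct)
    return hits


def detect_kerberoast(events, min_distinct_spns=3):
    """Requesting accounts that obtained RC4 service tickets for at least
    min_distinct_spns different service accounts.  krbtgt and computer-account
    services are skipped: their keys are random and not crackable this way."""
    spns_by_requester = defaultdict(set)
    for ev in events:
        if ev["EventID"] != 4769:
            continue
        if int(ev.get("TicketEncryptionType", "0x0"), 16) != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc == "krbtgt" or svc.endswith("$"):
            continue
        spns_by_requester[ev["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in spns_by_requester.items()
            if len(s) >= min_distinct_spns}


# Constructed sample events.  %%7688 is the "Control Access" marker the raw
# Properties field carries in front of the right's GUID.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "%%7688 {" + DS_REPLICATION_GET_CHANGES_ALL + "}"},
    {"EventID": 4662, "SubjectUserName": "svc_aadconnect",
     "Properties": "%%7688 {" + DS_REPLICATION_GET_CHANGES_ALL + "}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "%%7688 {" + DS_REPLICATION_GET_CHANGES + "} {" + DS_REPLICATION_GET_CHANGES_ALL + "}"},
    # a different, unrelated control-access right: must not trigger
    {"EventID": 4662, "SubjectUserName": "helpdesk1",
     "Properties": "%%7688 {00299570-246d-11d0-a768-00aa006e0529}"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WS17$", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
]

if __name__ == "__main__":
    print("DCSync:", detect_dcsync(SAMPLE_EVENTS, allowed_accounts={"svc_aadconnect"}))
    print("Kerberoast:", detect_kerberoast(SAMPLE_EVENTS))
```

The allow-list matters in practice: Azure AD Connect, some backup agents and other DC replicate legitimately, so an unfiltered 4662 rule drowns in expected traffic. The Kerberoast rule keys on distinct SPNs per requester rather than raw volume because a single RC4 request is normal from any client whose target lacks AES keys.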

Related tools

  • BloodHound: AD attack path analysis. Ingests ACL/ACE and group membership into a graph of privilege escalation routes.
  • Responder: LLMNR/NBT-NS/mDNS poisoner. Captures NetNTLM hashes on local networks.
  • CrackMapExec: Swiss army knife for AD pentesting. SMB, WinRM, LDAP, MSSQL lateral movement.