Impacket Toolkit
Impacket is a collection of Python classes and example scripts for working with Windows network protocols (SMB, MSRPC, DCOM/WMI, Kerberos and LDAP among others). Its example scripts give us many different ways to enumerate and interact with Windows hosts from a Linux attack box.
Psexec.py
One of the most useful tools in Impacket is psexec.py, a Python clone of the Sysinternals PsExec executable. It uploads a randomly named service binary to a writable share (ADMIN$ by default), installs and starts it as a Windows service, and hands us a shell running as SYSTEM. Because it writes a file to disk and creates a service (System event 7045), it is the noisiest of the tools on this page.
Using psexec.py
To connect to a host with psexec.py, we need credentials for a user with local administrator privileges on the target (the share upload and service creation both require it). On Kali the scripts are also installed under the names impacket-psexec, impacket-wmiexec and so on, which is the form used in the GetNPUsers example below.
attacker@kali$ psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125

Wmiexec.py
Provides a semi-interactive shell in which each command is executed through Windows Management Instrumentation (Win32_Process.Create), so cmd.exe is spawned by WmiPrvSE.exe rather than by a service. It does not upload an executable or create a service, which is why it generates fewer logs than psexec.py; it does, however, redirect each command's output to a temporary file on the ADMIN$ share, reads that file back over SMB and deletes it (the -nooutput option skips this at the cost of seeing no output). IMPORTANT: this is a stealthier approach to execution than psexec.py, but it would still likely be caught by most modern anti-virus and EDR systems.
attacker@kali$ wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5
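The difference between the two tools is easiest to see from the defender's side. The following is an added example, not part of the original page or of Impacket: it classifies a few constructed Windows event records (labelled as such in the code) against the default artifacts of psexec.py (a 7045 service-install event with a random 4-letter service name and a random 8-letter binary in %systemroot%) and wmiexec.py (a 4688 process-creation event where WmiPrvSE.exe launches cmd.exe with output redirected to \\127.0.0.1\ADMIN$\__<timestamp>). The exact naming patterns are assumptions based on current Impacket defaults and should be checked against the version in use.

```python
import re

# Constructed sample events (not real logs). They model what the two tools
# leave on the target with default settings:
#  - psexec.py uploads a service binary with a random 8-letter name to ADMIN$
#    and installs it as a service with a random 4-letter name, which shows up
#    as System event 7045. The naming pattern is an assumption based on the
#    current Impacket defaults; check it against the version you run.
#  - wmiexec.py runs each command through Win32_Process.Create, so cmd.exe is
#    spawned by WmiPrvSE.exe (Security event 4688) with output redirected to
#    \\127.0.0.1\ADMIN$\__<timestamp>.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "kGpW",
     "ImagePath": "%systemroot%\\tFdJzKqL.exe"},
    {"EventID": 7045, "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
    {"EventID": 4688,
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.1234567 2>&1"},
    {"EventID": 4688,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# Random 4-letter service name plus random 8-letter binary in %systemroot%.
PSEXEC_SERVICE = re.compile(r"^[A-Za-z]{4}$")
PSEXEC_IMAGE = re.compile(r"^%systemroot%\\[A-Za-z]{8}\.exe$", re.IGNORECASE)
# Output redirection to the loopback ADMIN$ share with the "__<time.time()>" file.
WMIEXEC_REDIRECT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+\s+2>&1", re.IGNORECASE)


def classify(event):
    """Return 'psexec.py', 'wmiexec.py' or None for a single event dict."""
    if event.get("EventID") == 7045:
        if (PSEXEC_SERVICE.match(event.get("ServiceName", ""))
                and PSEXEC_IMAGE.match(event.get("ImagePath", ""))):
            return "psexec.py"
    elif event.get("EventID") == 4688:
        parent = event.get("ParentImage", "").lower()
        if (parent.endswith("\\wmiprvse.exe")
                and WMIEXEC_REDIRECT.search(event.get("CommandLine", ""))):
            return "wmiexec.py"
    return None


def triage(events):
    """Return (EventID, tool) for every event that matches a tool signature."""
    hits = []
    for event in events:
        tool = classify(event)
        if tool:
            hits.append((event["EventID"], tool))
    return hits


if __name__ == "__main__":
    for event_id, tool in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: looks like {tool}")
```

The legitimate Defender service and the explorer-launched cmd.exe are left alone; only the random-name service and the WMI-spawned redirect are flagged. Note that wmiexec.py's -nooutput removes the redirection (and the temp file), so the WmiPrvSE.exe-to-cmd.exe parent relationship is the more durable indicator, and recent psexec.py versions let the operator pick the service name, so the 4-letter check alone should not be relied on.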

GetNPUsers.py
We can check for AS-REP Roasting (accounts with "Do not require Kerberos preauthentication" set) with or without credentials, depending on the Domain Controller's configuration. Without credentials we supply a list of candidate usernames with -usersfile and the tool sends an AS-REQ without pre-authentication for each one. With a valid domain account it instead queries LDAP for enabled, non-computer accounts whose userAccountControl has the DONT_REQUIRE_PREAUTH flag (0x400000). The example below gives a domain but no user, so it binds to LDAP anonymously, which only works when the DC permits anonymous binds. -request fetches the AS-REP for each vulnerable account and prints the encrypted part in hashcat format by default (-format john for John the Ripper; -outputfile writes it to disk).
attacker@kali$ impacket-GetNPUsers -dc-ip htb.local -request 'htb.local/'
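To make the two paths concrete, here is an added example (not Impacket's own code and not from the original page) that applies the same three conditions GetNPUsers.py's credentialed LDAP filter uses to a handful of constructed directory entries, and then extracts hashcat-ready lines from a constructed sample of GetNPUsers output. The usernames, userAccountControl values and hash hex in the block are made up for illustration.

```python
import re

# userAccountControl bits consulted by the credentialed GetNPUsers.py path.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # 4194304 decimal

# The LDAP filter GetNPUsers.py issues when it has a valid account:
# pre-auth not required, not disabled, not a computer object.
LDAP_FILTER = ("(&(UserAccountControl:1.2.840.113556.1.4.803:=4194304)"
               "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"
               "(!(objectCategory=computer)))")

# Constructed directory entries (not a real domain) covering the edge cases.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc-alfresco", "objectCategory": "person",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "old.contractor", "objectCategory": "person",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "wley", "objectCategory": "person",
     "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "WS01$", "objectCategory": "computer",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
]

# Constructed "-request -format hashcat" output; the hex is dummy data.
SAMPLE_OUTPUT = """\
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB.LOCAL:0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
[-] User wley doesn't have UF_DONT_REQUIRE_PREAUTH set
"""

# hashcat AS-REP line: $krb5asrep$<etype>$<user>@<realm>:<checksum>$<edata>
HASHCAT_ASREP = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$")


def is_asrep_roastable(entry):
    """Apply the same three conditions as LDAP_FILTER to one entry."""
    uac = entry["userAccountControl"]
    return (bool(uac & UF_DONT_REQUIRE_PREAUTH)
            and not (uac & UF_ACCOUNTDISABLE)
            and entry.get("objectCategory") != "computer")


def roastable_users(entries):
    return [e["sAMAccountName"] for e in entries if is_asrep_roastable(e)]


def parse_asrep_hashes(output):
    """Pull crackable lines out of GetNPUsers output, skipping the status
    lines, and return (user, realm, etype, full_line) tuples."""
    hashes = []
    for line in output.splitlines():
        m = HASHCAT_ASREP.match(line.strip())
        if m:
            hashes.append((m["user"], m["realm"], int(m["etype"]), line.strip()))
    return hashes


if __name__ == "__main__":
    print("roastable:", roastable_users(SAMPLE_ENTRIES))
    for user, realm, etype, line in parse_asrep_hashes(SAMPLE_OUTPUT):
        print(f"{user}@{realm} etype {etype}: {line[:40]}...")
```

The disabled account and the computer object drop out even though both carry the pre-auth flag, which is exactly why the tool's LDAP filter has three clauses rather than one. Lines with etype 23 (RC4) crack with hashcat mode 18200; if the DC hands back etype 17 or 18 (AES) instead, hashcat's mode 32100 is the one to use.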
