Impacket is a collection of Python classes designed for working with network protocols, allowing for low-level, programmatic access to packets. It is widely used by security professionals, penetration testers, and red teams for security auditing, as well as by threat actors for lateral movement and credential theft in Windows environments.
Key Aspects of Impacket:
- Protocol Support: native implementations of protocols such as Server Message Block (SMB) versions 1 through 3, MSRPC, NTLM (New Technology LAN Manager), Kerberos, WMI, LDAP, and DNS.
- Packet Manipulation: packets can be constructed from scratch or parsed from raw data.
- Dual-Use Toolset: used for legitimate network administration and auditing, but frequently leveraged in malicious attacks.
- Pre-installed: available by default on security-focused distributions such as Kali Linux.
Commonly Used Impacket Tools:
- wmiexec.py: a stealthy tool for executing commands on remote Windows systems via Windows Management Instrumentation (WMI).
- psexec.py: provides a shell on a remote Windows host, similar to the Sysinternals PsExec utility.
- secretsdump.py: dumps secrets (NTLM hashes, the SAM and LSA databases, and NTDS.dit) from remote machines.
- ntlmrelayx.py: performs NTLM relay attacks, intercepting authentication and redirecting it to another service.
- smbclient.py: connects to SMB shares for file management and interaction.
Common Attack Scenarios:
Impacket is frequently used for credential harvesting, password dumping, remote command execution, and lateral movement within Active Directory environments.
- Lateral Movement: attackers use tools like psexec.py or smbexec.py to move across a network.
- Pass-the-Hash: it is often used to execute commands with stolen NTLM hashes instead of cleartext passwords.

Detection and Mitigation:
- Detection: security teams can monitor for abnormal SMB traffic, excessive authentication failures, and command-line patterns that indicate Impacket use (e.g., cmd.exe spawned by wmiprvse.exe).
- Mitigation: key defenses include disabling administrative shares (e.g., ADMIN$), enforcing strong password policies, and restricting lateral movement.
The GetUserSPNs.py script (part of Impacket) is used in Kerberoasting attacks. It queries the directory for user accounts that have Service Principal Names (SPNs) registered, requests a Ticket Granting Service (TGS) ticket for each of those services, and saves the tickets for offline cracking: the service ticket is encrypted with a key derived from the service account's password, so a successful crack recovers that password.
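The detection indicators listed above (cmd.exe spawned by wmiprvse.exe, excessive authentication failures) and the Kerberoasting behaviour described in the last paragraph, expressed as toy detection rules in Python. This is an added example, not code from Impacket or from the original text. The event records, field names, hostnames, IP addresses and account names are constructed for illustration and do not follow any real SIEM or Windows event schema; the thresholds and the "one account requests tickets for many distinct services in a short window" heuristic for Kerberoasting are assumptions that a defender would tune to their own baseline.

```python
"""Toy detections for the Impacket indicators discussed above.

Events are plain dicts with a simplified, constructed schema:
  kind="process"       -> parent, image            (process creation)
  kind="logon_failure" -> source_ip, user          (failed authentication)
  kind="tgs_request"   -> account, service         (Kerberos service-ticket request)
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    # cmd.exe launched by the WMI provider host: the wmiexec.py pattern named above.
    {"ts": "2024-01-01T10:00:00", "kind": "process", "host": "WS01",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    # Benign: a user opening a shell from Explorer.
    {"ts": "2024-01-01T10:00:01", "kind": "process", "host": "WS01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
] + [
    # Twelve failed logons from one source within twelve seconds.
    {"ts": f"2024-01-01T10:05:{i:02d}", "kind": "logon_failure", "host": "DC01",
     "source_ip": "10.0.0.50", "user": f"user{i}"} for i in range(12)
] + [
    # A single mistyped password: should not fire.
    {"ts": "2024-01-01T10:06:00", "kind": "logon_failure", "host": "DC01",
     "source_ip": "10.0.0.77", "user": "alice"},
] + [
    # One account requesting service tickets for eight distinct services in eight seconds.
    {"ts": f"2024-01-01T10:10:{i:02d}", "kind": "tgs_request", "host": "DC01",
     "account": "jdoe", "service": f"svc{i}/host{i}"} for i in range(8)
] + [
    # Normal: one ticket for one file server.
    {"ts": "2024-01-01T10:11:00", "kind": "tgs_request", "host": "DC01",
     "account": "bob", "service": "cifs/fs01"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_wmi_spawned_cmd(events):
    """Flag process creations where WmiPrvSE.exe is the parent of cmd.exe."""
    alerts = []
    for e in events:
        if e["kind"] != "process":
            continue
        if _basename(e["parent"]) == "wmiprvse.exe" and _basename(e["image"]) == "cmd.exe":
            alerts.append(("wmi_spawned_cmd", e["host"], e["ts"]))
    return alerts


def _bursts(events, kind, key_field, value_field, window_seconds, threshold, distinct):
    """Return keys that reach `threshold` events (or distinct values of `value_field`
    when `distinct` is True) of `kind` inside any sliding window of `window_seconds`."""
    per_key = defaultdict(list)
    for e in events:
        if e["kind"] == kind:
            per_key[e[key_field]].append((datetime.fromisoformat(e["ts"]), e[value_field]))
    window = timedelta(seconds=window_seconds)
    flagged = []
    for key, items in per_key.items():
        items.sort()
        start, counts = 0, Counter()
        for end, (t, value) in enumerate(items):
            counts[value] += 1
            # Drop events that fell out of the window ending at t.
            while items[start][0] < t - window:
                old = items[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            size = len(counts) if distinct else end - start + 1
            if size >= threshold:
                flagged.append(key)
                break
    return flagged


def detect_logon_failure_bursts(events, window_seconds=60, threshold=10):
    """Excessive authentication failures from one source address."""
    keys = _bursts(events, "logon_failure", "source_ip", "user", window_seconds, threshold, False)
    return [("logon_failure_burst", ip) for ip in keys]


def detect_kerberoast_pattern(events, window_seconds=60, threshold=5):
    """One account requesting service tickets for many distinct services (assumed heuristic)."""
    keys = _bursts(events, "tgs_request", "account", "service", window_seconds, threshold, True)
    return [("many_spn_tgs_requests", acct) for acct in keys]


def run_all(events):
    """Run every rule and return the combined alert list."""
    return (detect_wmi_spawned_cmd(events)
            + detect_logon_failure_bursts(events)
            + detect_kerberoast_pattern(events))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Each rule is deliberately narrow: the process rule keys on the parent/child pair named in the text, and the two burst rules use a sliding window so that a slow trickle of failures or ticket requests stays below the threshold while a tight burst from a single source or account is raised.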