1. Home
  2. Software
  3. Impacket

Impacket

Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.[1]

ID: S0357
Type: TOOL
Platforms: Linux, macOS, Windows
Contributors: Jacob Wilkin, Trustwave, SpiderLabs
Version: 1.2
Created: 31 January 2019
Last Modified: 07 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Impacket modules like ntlmrelayx and smbrelayx can be used in conjunction with Network Sniffing and LLMNR/NBT-NS Poisoning and SMB Relay to gather NetNTLM credentials for Brute Force or relay attacks that can gain code execution.[1]
Enterprise T1040 Network Sniffing

Impacket can be used to sniff network traffic via an interface or raw socket.[1]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.[1]
.002 OS Credential Dumping: Security Account Manager

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.[1]
.003 OS Credential Dumping: NTDS

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information from NTDS.dit.[1]
.004 OS Credential Dumping: LSA Secrets

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.[1]
Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Impacket modules like GetUserSPNs can be used to get Service Principal Names (SPNs) for user accounts. The output is formatted to be compatible with cracking tools like John the Ripper and Hashcat.[1]
Enterprise T1569 .002 System Services: Service Execution

Impacket contains various modules emulating other service execution tools such as PsExec.[1]
Enterprise T1047 Windows Management Instrumentation

Impacket's wmiexec module can be used to execute commands through WMI.[1]

Groups That Use This Software

ID Name References
G0074 Dragonfly 2.0

[2][3][4]
G0045 menuPass

[5]
G0027 Threat Group-3390

[6]
G0116 Operation Wocao

[7]
G0061 FIN8

[8]

References

  1. SecureAuth. (n.d.). Retrieved January 15, 2019.
  2. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  3. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  4. Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
  1. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  2. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  3. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  4. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.