Register to stream ATT&CKcon 2.0 October 29-30


Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.[1]

ID: S0357
Type: TOOL
Platforms: Linux, macOS, Windows
Contributors: Jacob Wilkin, Trustwave, SpiderLabs
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1003 Credential Dumping SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information. [1]
Enterprise T1208 Kerberoasting Impacket modules like GetUserSPNs can be used to get Service Principal Names (SPNs) for user accounts. The output is formatted to be compatible with cracking tools like John the Ripper and Hashcat. [1]
Enterprise T1171 LLMNR/NBT-NS Poisoning and Relay Impacket modules like ntlmrelayx and smbrelayx can be used in conjunction with Network Sniffing and LLMNR/NBT-NS Poisoning and Relay to gather NetNTLM credentials for Brute Force or relay attacks that can gain code execution. [1]
Enterprise T1040 Network Sniffing Impacket can be used to sniff network traffic via an interface or raw socket. [1]
Enterprise T1035 Service Execution Impacket contains various modules emulating other service execution tools such as PsExec. [1]
Enterprise T1047 Windows Management Instrumentation Impacket's wmiexec module can be used to execute commands through WMI. [1]

Groups That Use This Software

ID Name References
G0074 Dragonfly 2.0 [2] [3] [4]
G0045 menuPass [5]
G0027 Threat Group-3390 [6]