impacket-sniff
Sniff network traffic for authentication information
SYNOPSIS
impacket-sniff [-h] [-i
PARAMETERS
-h
Show a help message and exit.
-i
Specify the network interface to listen on (e.g., eth0, wlan0).
-t
Define the type of traffic to sniff. Common options include ALL, SMB, KRB5, NETLOGON.
-f
Apply a BPF (Berkeley Packet Filter) expression to filter captured packets.
-o
Write extracted information (hashes, etc.) to a specified file.
--output-pcap
Save captured raw packets to a PCAP file for offline analysis.
--output-json
Save parsed output in JSON format to a specified file.
--no-smb-info
Do not display verbose SMB information.
--no-netlogon
Do not display verbose NetLogon information.
--no-krb-hash
Do not display extracted Kerberos hashes.
--no-smb-hash
Do not display extracted SMB (NTLM) hashes.
--netlogon-rdc
Enable support for Netlogon Remote Differential Compression (RDC).
--skip-useless-smb
Skip displaying SMB information deemed less useful for credential extraction.
--skip-useless-krb
Skip displaying Kerberos information deemed less useful for credential extraction.
DESCRIPTION
impacket-sniff is a network sniffing tool that is part of the widely used Impacket library. Its primary function is to intercept and analyze network traffic, with a particular focus on Windows authentication protocols such as SMB, MSRPC, NetLogon, and Kerberos.
While it can capture general network packets, its specialized parsers make it exceptionally effective at extracting sensitive information like NTLM hashes, Kerberos tickets, and other credentials transmitted over the network. This makes it an invaluable utility for penetration testers, security auditors, and red teamers who need to identify and exploit weaknesses in network authentication mechanisms.
The tool operates by listening on a specified network interface, applying optional BPF filters, and then parsing the captured data to highlight relevant authentication attempts and extracted credentials. It can output information directly to the console or save it to files in various formats, including PCAP for later analysis with tools like Wireshark, or JSON for programmatic processing.
CAVEATS
Using impacket-sniff often requires root privileges or equivalent capabilities to access raw network sockets. Ethical considerations are paramount; this tool should only be used on networks where you have explicit authorization. Its effectiveness in modern environments can be limited by the widespread use of TLS/SSL encryption, which prevents direct credential sniffing unless man-in-the-middle techniques are employed. Network segmentation and secure authentication protocols can also mitigate its impact.
CREDENTIAL EXTRACTION FOCUS
Unlike general-purpose sniffers, impacket-sniff includes built-in parsers designed to recognize and extract NTLM hashes from SMB authentication, Kerberos hashes from Kerberos authentication, and other sensitive data from protocols like NetLogon. This direct focus on authentication mechanisms makes it highly efficient for identifying credentials in transit, often presenting them in formats suitable for offline cracking.
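The NTLM extraction described above works because the NTLMSSP AUTHENTICATE_MESSAGE (MS-NLMP type 3) carries the user, domain and challenge response in cleartext length/offset fields. The following is an added auditing example, not code from Impacket or from this page: it parses such a message and flags NTLMv1 responses and sessions without signing, the two conditions a defender most wants to detect in a capture. The message builder, the sample users and domain, and the flag subset are constructed here for the example.

```python
import struct

# NTLMSSP negotiate flags (MS-NLMP 2.2.2.5) used by this audit.
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_SIGN = 0x00000010

def build_authenticate(user, domain, nt_response, flags):
    """Construct a minimal AUTHENTICATE_MESSAGE (type 3) as test input."""
    blobs = [b"\x00" * 24, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), "WS1".encode("utf-16-le"), b""]
    fields, payload, offset = b"", b"", 64   # payload starts after the fixed header
    for blob in blobs:   # each descriptor: Len, MaxLen (uint16), BufferOffset (uint32)
        fields += struct.pack("<HHI", len(blob), len(blob), offset)
        payload += blob
        offset += len(blob)
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload

def audit_authenticate(msg):
    """Parse an AUTHENTICATE_MESSAGE and report its security-relevant properties."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    def field(pos):
        ln, _, off = struct.unpack_from("<HHI", msg, pos)
        if off + ln > len(msg):
            raise ValueError("field descriptor points outside the message")
        return msg[off:off + ln]
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    nt_len = len(field(20))   # NtChallengeResponse descriptor sits at offset 20
    return {
        "user": field(36).decode(enc),
        "domain": field(28).decode(enc),
        # A 24-byte NtChallengeResponse is NTLMv1; NTLMv2 carries a larger blob.
        "ntlm_version": "NTLMv1" if nt_len == 24 else "NTLMv2",
        "signing": bool(flags & NEGOTIATE_SIGN),
    }

def weak_auth_findings(messages):
    """Return one finding per weak property seen across captured type 3 messages."""
    findings = []
    for msg in messages:
        r = audit_authenticate(msg)
        who = f"{r['domain']}\\{r['user']}"
        if r["ntlm_version"] == "NTLMv1":
            findings.append(f"{who}: NTLMv1 response (deprecated, weak)")
        if not r["signing"]:
            findings.append(f"{who}: session signing not negotiated")
    return findings

SAMPLE_MESSAGES = [   # constructed sample input, not captured traffic
    build_authenticate("svc_backup", "CORP", b"\x11" * 24, NEGOTIATE_UNICODE),
    build_authenticate("alice", "CORP", b"\x22" * 48, NEGOTIATE_UNICODE | NEGOTIATE_SIGN),
]
```

In a real capture the same parser is fed the NTLMSSP blob carved from the SMB Session Setup request (or the HTTP/LDAP bind that carries it); the length and offset handling is identical.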
PROTOCOL SPECIFICITY
The tool's strength lies in its deep understanding of Windows-specific protocols. While it can capture any packet, its detailed output for SMB, MSRPC, and Kerberos conversations sets it apart, providing insights into domain authentication flows that are critical for understanding and exploiting Windows environments.
HISTORY
impacket-sniff is an integral part of the Impacket toolkit, a collection of Python classes developed by SecureAuth (now Fortra). Impacket was created to programmatically construct and decode network packets, with a strong emphasis on Windows network protocols. Since its inception, Impacket has become a de facto standard in offensive security for interacting with Windows services, and impacket-sniff specifically leverages this capability to perform highly targeted network traffic analysis for credential harvesting.