Star 历史趋势
数据来源: GitHub API · 生成自 Stargazers.cn
README.md

gopacket

By Jacob Paullus (@psycep_)

A complete Go implementation of Impacket - 63 tools and 24 library packages for Windows network protocol interaction, Active Directory enumeration, and attack execution. Built as a native Go framework so you can compile once and run anywhere without Python dependencies.

Beta Release - Highly Experimental. gopacket is under active development. Core tools have been tested against Active Directory lab environments, but edge cases and protocol quirks are expected. If something isn't working, please test the same operation with Impacket side-by-side and include both outputs in your bug report. This helps us quickly identify whether it's a gopacket-specific issue or a shared protocol limitation.

Installation

git clone https://github.com/mandiant/gopacket
cd gopacket

# Default: Linux/macOS build + install to /usr/local/bin
./install.sh

# Run with no flags and it prompts you through the choices interactively.
# Or pick a target directly:
./install.sh --target portable   # static Linux binaries in ./dist/portable/
./install.sh --target windows    # Windows .exe cross-compiles in ./dist/windows/
./install.sh --target all        # build every target in one run

# Build without installing (native only)
./install.sh --build-only

# Or build with make
make build

The default (--target native) build needs Go 1.24.13+, GCC, and libpcap development headers (apt install build-essential libpcap-dev on Debian/Ubuntu/Kali, yum install gcc libpcap-devel on RHEL/CentOS, or brew install libpcap on macOS). The portable and windows targets only need the Go toolchain; sniff and split become stubs in those builds because they require libpcap. See Platform Support for the full matrix.

Platform Support

gopacket builds on Linux, macOS, and Windows. The set of working tools and available proxying paths depends on the build flags:

BuildTools availableProxying
Linux / macOS with cgo (default)All 63proxychains (LD_PRELOAD) and/or -proxy SOCKS5
Linux with CGO_ENABLED=061 (sniff, split become stubs)-proxy only (proxychains needs the libc hook)
Windows (GOOS=windows CGO_ENABLED=0)60 (sniff, split, sniffer stubs)-proxy only (no LD_PRELOAD on Windows)

sniff and split depend on libpcap via cgo; sniffer depends on Unix raw sockets. When a tool can't be built for the target, gopacket substitutes a stub that prints a clear message and exits 1, so go build ./... always succeeds and the install layout is consistent across platforms.

To uninstall:

./install.sh --uninstall

Proxy Support

gopacket supports two independent proxying paths. They can also be chained.

proxychains (LD_PRELOAD)

All gopacket tools work through proxychains. Go binaries normally bypass proxychains because Go's runtime handles DNS and networking internally, skipping the LD_PRELOAD hooks that proxychains relies on. gopacket works around this by linking against the system C library for network operations, allowing proxychains to intercept connections normally.

proxychains gopacket-secretsdump 'domain/user:password@target'
proxychains gopacket-smbclient -k -no-pass 'domain/user@dc.domain.local'

Internal SOCKS5 proxy (-proxy)

Every tool accepts -proxy to route outbound TCP through a SOCKS5 server without relying on LD_PRELOAD. Accepted schemes: socks5 and socks5h. When -proxy is unset, the ALL_PROXY / all_proxy environment variables are consulted as a fallback.

gopacket-secretsdump -proxy socks5h://127.0.0.1:1080 'domain/user:password@target'
ALL_PROXY=socks5h://127.0.0.1:1080 gopacket-smbclient 'domain/user:password@target'

UDP-dependent features are disabled under -proxy rather than silently leaking packets (SOCKS5 UDP ASSOCIATE is rarely supported by proxies, and bypassing the proxy for UDP would reveal the operator's real source IP). Affected features and their workarounds are documented in KNOWN_ISSUES.md.

Chaining: -proxy is compatible with proxychains. The TCP connection to the SOCKS5 proxy itself still goes through libc connect(), so proxychains → gopacket → -proxy → target works for nested routing scenarios.

Documentation

See the Library Developer Guide for full API documentation, code examples, and architecture overview for building custom tools on top of gopacket's 24 protocol packages.

Tools (63)

Remote Execution

ToolDescription
psexecRemote command execution via SMB service creation
smbexecRemote command execution via SMB (stealthier than psexec)
wmiexecRemote command execution via WMI
dcomexecRemote command execution via DCOM
atexecRemote command execution via Task Scheduler

Credential Dumping & DPAPI

ToolDescription
secretsdumpSAM/LSA/NTDS.dit extraction and DCSync (remote + offline)
dpapiDPAPI backup key extraction
esentutlOffline ESE database parser (NTDS.dit)
registry-readOffline Windows registry hive parser

Kerberos

ToolDescription
getTGTRequest a TGT with password, hash, or AES key
getSTRequest a service ticket with S4U2Self/S4U2Proxy
GetUserSPNsKerberoasting - find and request SPNs
GetNPUsersAS-REP roasting - find accounts without pre-auth
ticketerGolden/silver ticket forging
ticketConverterConvert between ccache and kirbi formats
describeTicketParse and decrypt Kerberos tickets
getPacRequest and parse PAC information
keylistattackKERB-KEY-LIST-REQ attack (RODC)
raiseChildChild-to-parent domain escalation via golden ticket

Active Directory Enumeration

ToolDescription
GetADUsersEnumerate domain users via LDAP
GetADComputersEnumerate domain computers via LDAP
GetLAPSPasswordRead LAPS passwords via LDAP
findDelegationFind delegation configurations
lookupsidSID brute-forcing via LSARPC
samrdumpEnumerate users via SAMR
rpcdumpDump RPC endpoints via epmapper
rpcmapScan for accessible RPC interfaces
netnet user/group/computer enumeration via SAMR/LSARPC
netviewEnumerate sessions, shares, and logged-on users
CheckLDAPStatusCheck LDAP signing and channel binding requirements
DumpNTLMInfoDump NTLM authentication info from SMB negotiation
getArchDetect remote OS architecture via RPC
machine_roleDetect machine role (DC, server, workstation)

Active Directory Attacks

ToolDescription
addcomputerCreate/modify/delete machine accounts (SAMR + LDAP)
rbcdResource-Based Constrained Delegation manipulation
dacleditRead/write DACLs on AD objects
ownereditRead/modify object ownership
sameditSAM account name spoofing (CVE-2021-42278/42287)
badsuccessorBadSuccessor / backup operator escalation
changepasswdChange/reset passwords via SAMR and LDAP

SMB Tools

ToolDescription
smbclientInteractive SMB client (shares, ls, get, put, etc.)
smbserverSMB server for file sharing
attribQuery/modify file attributes via SMB
filetimeQuery/modify file timestamps via SMB
servicesRemote service management via SVCCTL
regRemote registry operations via WINREG
Get-GPPPasswordExtract Group Policy Preferences passwords from SYSVOL
karmaSMBRogue SMB server for hash capture

NTLM Relay

ToolDescription
ntlmrelayxFull NTLM relay framework with multi-protocol support

ntlmrelayx supports:

  • Capture servers: SMB, HTTP/HTTPS, WCF (ADWS), RAW, RPC, WinRM
  • Relay clients: SMB, LDAP/LDAPS, HTTP/HTTPS, MSSQL, WinRM, RPC
  • Attacks: secretsdump, smbexec, ldapdump, RBCD delegation, ACL abuse, shadow credentials, ADCS ESC8, addcomputer, DNS manipulation, and more
  • Infrastructure: SOCKS5 proxy with protocol-aware plugins, interactive console, REST API, multi-target round-robin, WPAD serving

SQL Server

ToolDescription
mssqlclientInteractive MSSQL client with SQL/Windows/Kerberos auth
mssqlinstanceMSSQL instance discovery via SQL Browser

WMI

ToolDescription
wmiqueryInteractive WMI query shell
wmipersistWMI event subscription persistence

Terminal Services

ToolDescription
tstoolTerminal Services session and process enumeration

Other Protocols

ToolDescription
rdp_checkRDP authentication check
mqtt_checkMQTT authentication check
exchangerExchange Web Services client

Utilities

ToolDescription
ntfs-readOffline NTFS filesystem parser
ping / ping6ICMP ping
sniff / snifferNetwork packet capture
splitSplit large files

Authentication

All network tools support three authentication methods:

# Password
gopacket-secretsdump 'domain/user:password@target'

# NTLM hash (pass-the-hash)
gopacket-secretsdump -hashes ':nthash' 'domain/user@target'

# Kerberos (pass-the-ticket)
KRB5CCNAME=ticket.ccache gopacket-secretsdump -k -no-pass 'domain/user@target'

Common Flags

FlagDescription
-hashes LMHASH:NTHASHNTLM hash authentication (LM hash can be empty)
-kUse Kerberos authentication
-no-passDon't prompt for password (use with -k or -hashes)
-dc-ip IPIP address of the domain controller
-target-ip IPIP address of the target (when using hostname for Kerberos)
-port PORTTarget port (defaults vary by tool)
-proxy URLRoute outbound TCP through a SOCKS5 proxy (e.g. socks5h://127.0.0.1:1080). UDP features are disabled.
-debugEnable debug output

Quick Examples

# Dump domain hashes via DCSync
gopacket-secretsdump 'corp.local/admin:Password1@dc01.corp.local'

# Interactive SMB shell
gopacket-smbclient -hashes ':aabbccdd...' 'corp.local/admin@fileserver'

# Kerberoast
gopacket-getuserspns 'corp.local/user:pass@dc01.corp.local'

# Golden ticket
gopacket-ticketer -nthash <krbtgt_hash> -domain-sid S-1-5-21-... -domain corp.local admin

# NTLM relay with SOCKS proxy
sudo gopacket-ntlmrelayx -t smb://target -socks

# LDAP relay for RBCD
sudo gopacket-ntlmrelayx -t ldaps://dc01.corp.local --delegate-access

# Route all outbound traffic through a SOCKS5 proxy
gopacket-secretsdump -proxy socks5h://127.0.0.1:1080 'corp.local/admin:pass@dc01.corp.local'

Library

The pkg/ directory contains 24 reusable protocol packages that can be imported independently.

PackageDescription
smbSMB2/3 client with NTLM and Kerberos auth
ldapLDAP client with NTLM/Kerberos bind
dcerpcDCE/RPC client + 20 service implementations (DRSUAPI, SAMR, SVCCTL, LSARPC, WINREG, NETLOGON, DCOM, TSCH, EPMAPPER, etc.)
kerberosKerberos client, ticket forging (golden/silver), S4U2Self/S4U2Proxy
ntlmNTLM authentication protocol
relayNTLM relay framework (servers, clients, attacks, SOCKS)
tdsSQL Server TDS protocol
eseExtensible Storage Engine parser
registryWindows registry hive parser
ntfsNTFS filesystem parser
securitySecurity descriptors, ACLs, SIDs
dpapiDPAPI structures
mqttMQTT protocol client
sessionTarget/credential parsing (domain/user:pass@host)
flagsUnified CLI flag framework

Missing Features (vs Impacket)

gopacket aims for full Impacket parity. The following are not yet implemented:

Relay protocol clients:

  • IMAP relay client + attack (requires Exchange/IMAP server)
  • SMTP relay client (requires SMTP server)

Relay attack modules:

  • SCCM policies/DP attacks (requires SCCM infrastructure)

Standalone tools:

  • ifmap.py (DCOM interface mapping)
  • mimikatz.py (limited Mimikatz over RPC)
  • goldenPac.py (MS14-068 - obsolete on patched systems)
  • smbrelayx.py (superseded by ntlmrelayx)
  • kintercept.py (Kerberos interception)

These gaps are low priority - most require niche infrastructure to test or are obsoleted by newer techniques.

Known Limitations

These are protocol-level limitations shared with Impacket, not gopacket bugs:

  • SMB to LDAPS relay fails on patched DCs due to NTLM MIC validation (post-CVE-2019-1040). Use HTTP coercion instead.
  • WinRM relay blocked by EPA (Extended Protection for Authentication) on patched Server 2019+.
  • RPC relay attacks (tschexec, enum-local-admins) require PKT_INTEGRITY which is unavailable in relay sessions.
  • LDAP relay to port 389 fails on DCs requiring LDAP signing. Always relay to LDAPS (port 636).

See KNOWN_ISSUES.md for detailed information on each issue and workarounds.

Reporting Issues & Contributing

This is a beta release. Bugs are expected, and contributions are welcome.

Why we ask you to test with Impacket first

Because gopacket implements the same wire protocols as Impacket, a large fraction of "bugs" turn out to be environmental, not gopacket-specific - patched DCs, LDAP signing requirements, EPA, PKT_INTEGRITY, SMB signing, NTLM MIC validation post-CVE-2019-1040, missing SPNs, time skew, DNS quirks, firewall rules, and so on. Running the same operation with Impacket side by side removes the environment from the equation:

  • If Impacket fails the same way, the issue is almost always environmental and is likely already documented in KNOWN_ISSUES.md. No bug report needed.
  • If Impacket succeeds where gopacket fails, that's a real gopacket bug and exactly what we want to hear about.

This single triage step saves a lot of round-trips, so please don't skip it.

Filing a bug report

  1. Run the same operation with Impacket and note whether it succeeds or fails
  2. Re-run gopacket with -debug and capture the full output
  3. Anonymize anything sensitive before posting. GitHub issues are public. Strip or replace real hostnames, IP addresses, usernames, password hashes, Kerberos tickets, domain names, SIDs, and any output line that could be tied back to a real engagement. Replacing corp.internalexample.local and dc01.corp.internaldc01.example.local is fine - keep the structure of the data, just not the identifying values. If in doubt, redact it.
  4. Open a GitHub issue and include:
    • Both outputs (gopacket and Impacket), as text not screenshots, anonymized
    • The exact command line you ran (anonymized)
    • Target OS, AD functional level, and any relevant hardening (signing, EPA, channel binding, patch level)
    • gopacket version / commit hash

Feature requests

Open a GitHub issue describing the use case and the Impacket equivalent (if any). If the feature is on the "Missing Features" list above, mention which one - it helps us prioritize.

Pull requests

PRs are welcome. Before opening one:

  • Run go build ./..., go vet ./..., gofmt -l ., and go test ./... and make sure they all pass cleanly
  • Match the existing code style in the package you're touching
  • Keep changes focused - separate refactors from feature work
  • For non-trivial changes, open an issue first to discuss the approach

Why This Matters for Defenders

Threat actors are moving away from Python. Compiled Go and Rust tooling (Sliver, BRC4, Geacon, and bespoke loaders) is increasingly replacing Impacket in real-world intrusions. Most defensive tooling and detection logic was built around Impacket's Python-based network behavior, and that coverage is eroding as the attacker ecosystem shifts to compiled languages.

gopacket exists in part to help the security community get ahead of this shift. By providing an open-source, readable Go implementation of the same protocols and techniques, defenders and detection engineers can:

  • Study how Go-based tooling behaves on the wire rather than waiting to encounter it during an incident
  • Understand the protocol-level differences between Go and Python implementations that make existing signatures less effective
  • Run realistic purple team exercises using the same compiled, single-binary tooling that threat actors are adopting, rather than testing exclusively against Python scripts that behave differently at the network layer

The gap between attacker tooling and defender visibility is widest when new tooling stays private. Open-sourcing gopacket narrows that gap.

Notes

  • Kerberos authentication requires a valid ccache file (TGT or service ticket)
  • For Kerberos, use the FQDN hostname - not an IP address
  • If KRB5CCNAME is not set, tools will look for <username>.ccache in the current directory
  • All tools support both proxychains and an internal -proxy SOCKS5 flag (see Proxy Support)
  • This project is for authorized security testing and research purposes only

License

Released under the Apache License 2.0.

gopacket is a clean Go reimplementation of Impacket; see NOTICE for full third-party acknowledgments.

关于 About

Gopacket is a clean Go implementation of Impacket, a library intended for working with network protocols.

语言 Languages

Go99.0%
C0.5%
Shell0.4%
Makefile0.0%

提交活跃度 Commit Activity

代码提交热力图
过去 52 周的开发活跃度
51
Total Commits
峰值: 31次/周
Less
More

核心贡献者 Contributors