[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-886":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":10,"rankLanguage":10,"license":21,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":24,"hasPages":22,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":26,"readmeContent":27,"aiSummary":28,"trendingCount":15,"starSnapshotCount":15,"syncStatus":14,"lastSyncTime":29,"discoverSource":30},886,"gopacket","mandiant\u002Fgopacket","mandiant","Gopacket is a clean Go implementation of Impacket, a library intended for working with network protocols.","",null,"Go",672,56,2,0,3,8,59,9,9.27,"Apache License 2.0",false,"main",true,[],"2026-06-12 02:00:20","# gopacket\n\nA complete Go implementation of [Impacket](https:\u002F\u002Fgithub.com\u002Ffortra\u002Fimpacket) - 63 tools and 24 library packages for Windows network protocol interaction, Active Directory enumeration, and attack execution. Built as a native Go framework so you can compile once and run anywhere without Python dependencies.\n\n> **Beta Release - Highly Experimental.** gopacket is under active development. Core tools have been tested against Active Directory lab environments, but edge cases and protocol quirks are expected. If something isn't working, please test the same operation with Impacket side-by-side and include both outputs in your bug report. This helps us quickly identify whether it's a gopacket-specific issue or a shared protocol limitation.\n\n## Installation\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fmandiant\u002Fgopacket\ncd gopacket\n\n# Default: Linux\u002FmacOS build + install to \u002Fusr\u002Flocal\u002Fbin\n.\u002Finstall.sh\n\n# Run with no flags and it prompts you through the choices interactively.\n# Or pick a target directly:\n.\u002Finstall.sh --target portable # static Linux binaries in .\u002Fdist\u002Fportable\u002F\n.\u002Finstall.sh --target windows # Windows .exe cross-compiles in .\u002Fdist\u002Fwindows\u002F\n.\u002Finstall.sh --target all # build every target in one run\n\n# Build without installing (native only)\n.\u002Finstall.sh --build-only\n\n# Or build with make\nmake build\n```\n\nThe default (`--target native`) build needs Go 1.24.13+, GCC, and libpcap\ndevelopment headers (`apt install build-essential libpcap-dev` on\nDebian\u002FUbuntu\u002FKali, `yum install gcc libpcap-devel` on RHEL\u002FCentOS, or\n`brew install libpcap` on macOS). The `portable` and `windows` targets only\nneed the Go toolchain; `sniff` and `split` become stubs in those builds\nbecause they require libpcap. See [Platform Support](#platform-support) for\nthe full matrix.\n\n### Platform Support\n\ngopacket builds on Linux, macOS, and Windows. The set of working tools and\navailable proxying paths depends on the build flags:\n\n| Build | Tools available | Proxying |\n|----------------------------------------|----------------------------------------|-----------------------------------------------------|\n| Linux \u002F macOS with cgo (default) | All 63 | proxychains (LD_PRELOAD) and\u002For `-proxy` SOCKS5 |\n| Linux with `CGO_ENABLED=0` | 61 (`sniff`, `split` become stubs) | `-proxy` only (proxychains needs the libc hook) |\n| Windows (`GOOS=windows CGO_ENABLED=0`) | 60 (`sniff`, `split`, `sniffer` stubs) | `-proxy` only (no `LD_PRELOAD` on Windows) |\n\n`sniff` and `split` depend on libpcap via cgo; `sniffer` depends on Unix raw\nsockets. When a tool can't be built for the target, gopacket substitutes a\nstub that prints a clear message and exits 1, so `go build .\u002F...` always\nsucceeds and the install layout is consistent across platforms.\n\nTo uninstall:\n```bash\n.\u002Finstall.sh --uninstall\n```\n\n## Proxy Support\n\ngopacket supports two independent proxying paths. They can also be chained.\n\n### proxychains (LD_PRELOAD)\n\nAll gopacket tools work through proxychains. Go binaries normally bypass proxychains because Go's runtime handles DNS and networking internally, skipping the `LD_PRELOAD` hooks that proxychains relies on. gopacket works around this by linking against the system C library for network operations, allowing proxychains to intercept connections normally.\n\n```bash\nproxychains gopacket-secretsdump 'domain\u002Fuser:password@target'\nproxychains gopacket-smbclient -k -no-pass 'domain\u002Fuser@dc.domain.local'\n```\n\n### Internal SOCKS5 proxy (`-proxy`)\n\nEvery tool accepts `-proxy` to route outbound TCP through a SOCKS5 server without relying on `LD_PRELOAD`. Accepted schemes: `socks5` and `socks5h`. When `-proxy` is unset, the `ALL_PROXY` \u002F `all_proxy` environment variables are consulted as a fallback.\n\n```bash\ngopacket-secretsdump -proxy socks5h:\u002F\u002F127.0.0.1:1080 'domain\u002Fuser:password@target'\nALL_PROXY=socks5h:\u002F\u002F127.0.0.1:1080 gopacket-smbclient 'domain\u002Fuser:password@target'\n```\n\nUDP-dependent features are **disabled** under `-proxy` rather than silently leaking packets (SOCKS5 UDP ASSOCIATE is rarely supported by proxies, and bypassing the proxy for UDP would reveal the operator's real source IP). Affected features and their workarounds are documented in [KNOWN_ISSUES.md](KNOWN_ISSUES.md).\n\n**Chaining:** `-proxy` is compatible with proxychains. The TCP connection to the SOCKS5 proxy itself still goes through libc `connect()`, so `proxychains → gopacket → -proxy → target` works for nested routing scenarios.\n\n## Documentation\n\nSee the [Library Developer Guide](https:\u002F\u002Fgithub.com\u002Fmandiant\u002Fgopacket\u002Fwiki) for full API documentation, code examples, and architecture overview for building custom tools on top of gopacket's 24 protocol packages.\n\n## Tools (63)\n\n### Remote Execution\n| Tool | Description |\n|------|-------------|\n| **psexec** | Remote command execution via SMB service creation |\n| **smbexec** | Remote command execution via SMB (stealthier than psexec) |\n| **wmiexec** | Remote command execution via WMI |\n| **dcomexec** | Remote command execution via DCOM |\n| **atexec** | Remote command execution via Task Scheduler |\n\n### Credential Dumping & DPAPI\n| Tool | Description |\n|------|-------------|\n| **secretsdump** | SAM\u002FLSA\u002FNTDS.dit extraction and DCSync (remote + offline) |\n| **dpapi** | DPAPI backup key extraction |\n| **esentutl** | Offline ESE database parser (NTDS.dit) |\n| **registry-read** | Offline Windows registry hive parser |\n\n### Kerberos\n| Tool | Description |\n|------|-------------|\n| **getTGT** | Request a TGT with password, hash, or AES key |\n| **getST** | Request a service ticket with S4U2Self\u002FS4U2Proxy |\n| **GetUserSPNs** | Kerberoasting - find and request SPNs |\n| **GetNPUsers** | AS-REP roasting - find accounts without pre-auth |\n| **ticketer** | Golden\u002Fsilver ticket forging |\n| **ticketConverter** | Convert between ccache and kirbi formats |\n| **describeTicket** | Parse and decrypt Kerberos tickets |\n| **getPac** | Request and parse PAC information |\n| **keylistattack** | KERB-KEY-LIST-REQ attack (RODC) |\n| **raiseChild** | Child-to-parent domain escalation via golden ticket |\n\n### Active Directory Enumeration\n| Tool | Description |\n|------|-------------|\n| **GetADUsers** | Enumerate domain users via LDAP |\n| **GetADComputers** | Enumerate domain computers via LDAP |\n| **GetLAPSPassword** | Read LAPS passwords via LDAP |\n| **findDelegation** | Find delegation configurations |\n| **lookupsid** | SID brute-forcing via LSARPC |\n| **samrdump** | Enumerate users via SAMR |\n| **rpcdump** | Dump RPC endpoints via epmapper |\n| **rpcmap** | Scan for accessible RPC interfaces |\n| **net** | net user\u002Fgroup\u002Fcomputer enumeration via SAMR\u002FLSARPC |\n| **netview** | Enumerate sessions, shares, and logged-on users |\n| **CheckLDAPStatus** | Check LDAP signing and channel binding requirements |\n| **DumpNTLMInfo** | Dump NTLM authentication info from SMB negotiation |\n| **getArch** | Detect remote OS architecture via RPC |\n| **machine_role** | Detect machine role (DC, server, workstation) |\n\n### Active Directory Attacks\n| Tool | Description |\n|------|-------------|\n| **addcomputer** | Create\u002Fmodify\u002Fdelete machine accounts (SAMR + LDAP) |\n| **rbcd** | Resource-Based Constrained Delegation manipulation |\n| **dacledit** | Read\u002Fwrite DACLs on AD objects |\n| **owneredit** | Read\u002Fmodify object ownership |\n| **samedit** | SAM account name spoofing (CVE-2021-42278\u002F42287) |\n| **badsuccessor** | BadSuccessor \u002F backup operator escalation |\n| **changepasswd** | Change\u002Freset passwords via SAMR and LDAP |\n\n### SMB Tools\n| Tool | Description |\n|------|-------------|\n| **smbclient** | Interactive SMB client (shares, ls, get, put, etc.) |\n| **smbserver** | SMB server for file sharing |\n| **attrib** | Query\u002Fmodify file attributes via SMB |\n| **filetime** | Query\u002Fmodify file timestamps via SMB |\n| **services** | Remote service management via SVCCTL |\n| **reg** | Remote registry operations via WINREG |\n| **Get-GPPPassword** | Extract Group Policy Preferences passwords from SYSVOL |\n| **karmaSMB** | Rogue SMB server for hash capture |\n\n### NTLM Relay\n| Tool | Description |\n|------|-------------|\n| **ntlmrelayx** | Full NTLM relay framework with multi-protocol support |\n\nntlmrelayx supports:\n- **Capture servers:** SMB, HTTP\u002FHTTPS, WCF (ADWS), RAW, RPC, WinRM\n- **Relay clients:** SMB, LDAP\u002FLDAPS, HTTP\u002FHTTPS, MSSQL, WinRM, RPC\n- **Attacks:** secretsdump, smbexec, ldapdump, RBCD delegation, ACL abuse, shadow credentials, ADCS ESC8, addcomputer, DNS manipulation, and more\n- **Infrastructure:** SOCKS5 proxy with protocol-aware plugins, interactive console, REST API, multi-target round-robin, WPAD serving\n\n### SQL Server\n| Tool | Description |\n|------|-------------|\n| **mssqlclient** | Interactive MSSQL client with SQL\u002FWindows\u002FKerberos auth |\n| **mssqlinstance** | MSSQL instance discovery via SQL Browser |\n\n### WMI\n| Tool | Description |\n|------|-------------|\n| **wmiquery** | Interactive WMI query shell |\n| **wmipersist** | WMI event subscription persistence |\n\n### Terminal Services\n| Tool | Description |\n|------|-------------|\n| **tstool** | Terminal Services session and process enumeration |\n\n### Other Protocols\n| Tool | Description |\n|------|-------------|\n| **rdp_check** | RDP authentication check |\n| **mqtt_check** | MQTT authentication check |\n| **exchanger** | Exchange Web Services client |\n\n### Utilities\n| Tool | Description |\n|------|-------------|\n| **ntfs-read** | Offline NTFS filesystem parser |\n| **ping** \u002F **ping6** | ICMP ping |\n| **sniff** \u002F **sniffer** | Network packet capture |\n| **split** | Split large files |\n\n## Authentication\n\nAll network tools support three authentication methods:\n\n```bash\n# Password\ngopacket-secretsdump 'domain\u002Fuser:password@target'\n\n# NTLM hash (pass-the-hash)\ngopacket-secretsdump -hashes ':nthash' 'domain\u002Fuser@target'\n\n# Kerberos (pass-the-ticket)\nKRB5CCNAME=ticket.ccache gopacket-secretsdump -k -no-pass 'domain\u002Fuser@target'\n```\n\n### Common Flags\n\n| Flag | Description |\n|------|-------------|\n| `-hashes LMHASH:NTHASH` | NTLM hash authentication (LM hash can be empty) |\n| `-k` | Use Kerberos authentication |\n| `-no-pass` | Don't prompt for password (use with `-k` or `-hashes`) |\n| `-dc-ip IP` | IP address of the domain controller |\n| `-target-ip IP` | IP address of the target (when using hostname for Kerberos) |\n| `-port PORT` | Target port (defaults vary by tool) |\n| `-proxy URL` | Route outbound TCP through a SOCKS5 proxy (e.g. `socks5h:\u002F\u002F127.0.0.1:1080`). UDP features are disabled. |\n| `-debug` | Enable debug output |\n\n### Quick Examples\n\n```bash\n# Dump domain hashes via DCSync\ngopacket-secretsdump 'corp.local\u002Fadmin:Password1@dc01.corp.local'\n\n# Interactive SMB shell\ngopacket-smbclient -hashes ':aabbccdd...' 'corp.local\u002Fadmin@fileserver'\n\n# Kerberoast\ngopacket-getuserspns 'corp.local\u002Fuser:pass@dc01.corp.local'\n\n# Golden ticket\ngopacket-ticketer -nthash \u003Ckrbtgt_hash> -domain-sid S-1-5-21-... -domain corp.local admin\n\n# NTLM relay with SOCKS proxy\nsudo gopacket-ntlmrelayx -t smb:\u002F\u002Ftarget -socks\n\n# LDAP relay for RBCD\nsudo gopacket-ntlmrelayx -t ldaps:\u002F\u002Fdc01.corp.local --delegate-access\n\n# Route all outbound traffic through a SOCKS5 proxy\ngopacket-secretsdump -proxy socks5h:\u002F\u002F127.0.0.1:1080 'corp.local\u002Fadmin:pass@dc01.corp.local'\n```\n\n## Library\n\nThe `pkg\u002F` directory contains 24 reusable protocol packages that can be imported independently.\n\n| Package | Description |\n|---------|-------------|\n| **smb** | SMB2\u002F3 client with NTLM and Kerberos auth |\n| **ldap** | LDAP client with NTLM\u002FKerberos bind |\n| **dcerpc** | DCE\u002FRPC client + 20 service implementations (DRSUAPI, SAMR, SVCCTL, LSARPC, WINREG, NETLOGON, DCOM, TSCH, EPMAPPER, etc.) |\n| **kerberos** | Kerberos client, ticket forging (golden\u002Fsilver), S4U2Self\u002FS4U2Proxy |\n| **ntlm** | NTLM authentication protocol |\n| **relay** | NTLM relay framework (servers, clients, attacks, SOCKS) |\n| **tds** | SQL Server TDS protocol |\n| **ese** | Extensible Storage Engine parser |\n| **registry** | Windows registry hive parser |\n| **ntfs** | NTFS filesystem parser |\n| **security** | Security descriptors, ACLs, SIDs |\n| **dpapi** | DPAPI structures |\n| **mqtt** | MQTT protocol client |\n| **session** | Target\u002Fcredential parsing (`domain\u002Fuser:pass@host`) |\n| **flags** | Unified CLI flag framework |\n\n## Missing Features (vs Impacket)\n\ngopacket aims for full Impacket parity. The following are not yet implemented:\n\n**Relay protocol clients:**\n- IMAP relay client + attack (requires Exchange\u002FIMAP server)\n- SMTP relay client (requires SMTP server)\n\n**Relay attack modules:**\n- SCCM policies\u002FDP attacks (requires SCCM infrastructure)\n\n**Standalone tools:**\n- `ifmap.py` (DCOM interface mapping)\n- `mimikatz.py` (limited Mimikatz over RPC)\n- `goldenPac.py` (MS14-068 - obsolete on patched systems)\n- `smbrelayx.py` (superseded by ntlmrelayx)\n- `kintercept.py` (Kerberos interception)\n\nThese gaps are low priority - most require niche infrastructure to test or are obsoleted by newer techniques.\n\n## Known Limitations\n\nThese are protocol-level limitations shared with Impacket, not gopacket bugs:\n\n- **SMB to LDAPS relay** fails on patched DCs due to NTLM MIC validation (post-CVE-2019-1040). Use HTTP coercion instead.\n- **WinRM relay** blocked by EPA (Extended Protection for Authentication) on patched Server 2019+.\n- **RPC relay attacks** (tschexec, enum-local-admins) require PKT_INTEGRITY which is unavailable in relay sessions.\n- **LDAP relay to port 389** fails on DCs requiring LDAP signing. Always relay to LDAPS (port 636).\n\nSee [KNOWN_ISSUES.md](KNOWN_ISSUES.md) for detailed information on each issue and workarounds.\n\n## Reporting Issues & Contributing\n\n> This is a beta release. Bugs are expected, and contributions are welcome.\n\n### Why we ask you to test with Impacket first\n\nBecause gopacket implements the same wire protocols as Impacket, a large\nfraction of \"bugs\" turn out to be **environmental**, not gopacket-specific -\npatched DCs, LDAP signing requirements, EPA, PKT_INTEGRITY, SMB signing,\nNTLM MIC validation post-CVE-2019-1040, missing SPNs, time skew, DNS quirks,\nfirewall rules, and so on. Running the same operation with Impacket side by\nside removes the environment from the equation:\n\n- **If Impacket fails the same way**, the issue is almost always\n environmental and is likely already documented in\n [KNOWN_ISSUES.md](KNOWN_ISSUES.md). No bug report needed.\n- **If Impacket succeeds where gopacket fails**, that's a real gopacket bug\n and exactly what we want to hear about.\n\nThis single triage step saves a lot of round-trips, so please don't skip it.\n\n### Filing a bug report\n\n1. Run the same operation with Impacket and note whether it succeeds or fails\n2. Re-run gopacket with `-debug` and capture the full output\n3. **Anonymize anything sensitive before posting.** GitHub issues are public.\n Strip or replace real hostnames, IP addresses, usernames, password hashes,\n Kerberos tickets, domain names, SIDs, and any output line that could be\n tied back to a real engagement. Replacing `corp.internal` → `example.local`\n and `dc01.corp.internal` → `dc01.example.local` is fine - keep the\n structure of the data, just not the identifying values. **If in doubt,\n redact it.**\n4. Open a [GitHub issue](https:\u002F\u002Fgithub.com\u002Fmandiant\u002Fgopacket\u002Fissues\u002Fnew) and include:\n - Both outputs (gopacket and Impacket), as text not screenshots, anonymized\n - The exact command line you ran (anonymized)\n - Target OS, AD functional level, and any relevant hardening\n (signing, EPA, channel binding, patch level)\n - gopacket version \u002F commit hash\n\n### Feature requests\n\nOpen a [GitHub issue](https:\u002F\u002Fgithub.com\u002Fmandiant\u002Fgopacket\u002Fissues\u002Fnew) describing the use case\nand the Impacket equivalent (if any). If the feature is on the\n\"Missing Features\" list above, mention which one - it helps us prioritize.\n\n### Pull requests\n\nPRs are welcome. Before opening one:\n\n- Run `go build .\u002F...`, `go vet .\u002F...`, `gofmt -l .`, and `go test .\u002F...`\n and make sure they all pass cleanly\n- Match the existing code style in the package you're touching\n- Keep changes focused - separate refactors from feature work\n- For non-trivial changes, open an issue first to discuss the approach\n\n## Why This Matters for Defenders\n\nThreat actors are moving away from Python. Compiled Go and Rust tooling\n(Sliver, BRC4, Geacon, and bespoke loaders) is increasingly replacing\nImpacket in real-world intrusions. Most defensive tooling and detection\nlogic was built around Impacket's Python-based network behavior, and that\ncoverage is eroding as the attacker ecosystem shifts to compiled languages.\n\ngopacket exists in part to help the security community get ahead of this\nshift. By providing an open-source, readable Go implementation of the\nsame protocols and techniques, defenders and detection engineers can:\n\n- **Study how Go-based tooling behaves on the wire** rather than waiting\n to encounter it during an incident\n- **Understand the protocol-level differences** between Go and Python\n implementations that make existing signatures less effective\n- **Run realistic purple team exercises** using the same compiled,\n single-binary tooling that threat actors are adopting, rather than\n testing exclusively against Python scripts that behave differently\n at the network layer\n\nThe gap between attacker tooling and defender visibility is widest when\nnew tooling stays private. Open-sourcing gopacket narrows that gap.\n\n## Notes\n\n- Kerberos authentication requires a valid ccache file (TGT or service ticket)\n- For Kerberos, use the FQDN hostname - not an IP address\n- If `KRB5CCNAME` is not set, tools will look for `\u003Cusername>.ccache` in the current directory\n- All tools support both proxychains and an internal `-proxy` SOCKS5 flag (see Proxy Support)\n- This project is for authorized security testing and research purposes only\n\n## License\n\nReleased under the [Apache License 2.0](LICENSE).\n\ngopacket is a clean Go reimplementation of [Impacket](https:\u002F\u002Fgithub.com\u002Ffortra\u002Fimpacket); see [NOTICE](NOTICE) for full third-party acknowledgments.\n","gopacket 是一个用 Go 语言实现的网络协议库,旨在提供与 Windows 网络协议交互、Active Directory 枚举和攻击执行等功能。该项目包含 63 个工具和 24 个库包,完全基于 Impacket 的功能进行重构,并且能够在没有 Python 依赖的情况下编译运行。它支持 Linux、macOS 和 Windows 平台,具有良好的跨平台兼容性。gopacket 适合需要在不同操作系统上进行网络安全测试和协议分析的场景使用,尤其是那些希望避免 Python 环境依赖的专业人士。需要注意的是,项目目前处于 Beta 阶段,核心工具已经过 Active Directory 实验室环境测试,但可能仍存在一些未覆盖的边缘情况。","2026-06-11 02:40:02","CREATED_QUERY"]